This PowerShell Module is new approach to onboarding, offboarding and business as usual processes running in companies infrastructure. Usually each company has different rules, different approaches on how processes should look like. This module at this moment can do following things:
PSAutomator takes an easy approach that's similar to what you can find in services like IFTTT or Microsoft Flow. Those services work in known schema such as Services, Triggers, Ingredients and Applets. I've taken similar approach which is described below. Basically when you want to make an automation you can use up to 5 different blocks.
Keep in mind that when you define a Service you have to keep into a pattern. There can only be:
As a safety feature all Actions have implemented –WhatIf switch which allows you to build service and then see what would it be like if it executed and which accounts were affected.
As you could see on the introduction screen the concept is simple. In below screen you can see offboarding procedure. Define Service, define trigger, use some condition (for now it's not working), ignore accounts that have EmailAddress empty or null and finally do 5 actions.
Clear-Host
Import-Module PSAutomator -Force #-Verbose
Import-Module PSSharedGoods -Force
Service -Name 'Active Directory Offboarding' -ConfigurationPath 'C:\Support\GitHub\PSAutomator\Examples\MyConfiguration.xml' {
Trigger -Name 'OU Offboarded Users' -User OrganizationalUnit -Value 'OU=Users-Offboarded,OU=Production,DC=ad,DC=evotec,DC=xyz' |
Condition -Name 'No conditions' |
Ignore -Name 'Ignore Windows Email Address if Empty or null' -Ignore MatchingEmptyOrNull -Value EmailAddress |
Action -Name 'Make User Snapshot' -ActiveDirectory AccountSnapshot -Value 'C:\Users\pklys\Desktop\MyExport' -Whatif |
Action -Name 'Disable AD Account' -ActiveDirectory AccountDisable -WhatIf |
Action -Name 'Hide account in GAL' -ActiveDirectory AccountHideInGAL -WhatIf |
Action -Name 'Remove all security groups' -ActiveDirectory AccountRemoveGroupsSecurity -WhatIf |
Action -Name 'Rename Account' -ActiveDirectory AccountRename -Value @{ Action = 'AddText'; Where = 'After'; Fields = 'DisplayName', 'Name'; Text = ' (offboarded)'; } -WhatIf
}Similarly code below reverses this actions
Clear-Host
Import-Module PSAutomator -Force #-Verbose
Import-Module PSSharedGoods -Force
Service -Name 'Active Directory Enable Users in OU' {
Trigger -Name 'Find Offboarded Users' -User OrganizationalUnit -Value 'OU=Users-Offboarded,OU=Production,DC=ad,DC=evotec,DC=xyz' |
Ignore |
Action -Name 'Enable Offboarded Users' -ActiveDirectory AccountEnable -WhatIf |
Action -Name 'Add to group GDS-TestGroup5' -ActiveDirectory AccountAddGroupsSpecific -Value 'GDS-TestGroup5' -WhatIf |
Action -Name 'Add to group GDS-TestGroup4' -ActiveDirectory AccountAddGroupsSpecific -Value 'GDS-TestGroup4' -Whatif |
Action -Name 'Remove Offboarded Tag' -ActiveDirectory AccountRename -Value @{ Action = 'RemoveText'; Fields = 'DisplayName', 'Name' ; Text = ' (offboarded)'; } -WhatIf
}As you could see in off-boarding process only 2 users were disabled and actions were taken. In reversing this process script found 6 users but still did actions only on those that were impacted by off-boarding process. If you will run script twice or more it will execute but it won't do anything.
Keep in mind that in perfect world for optimum speed one would define a process that would not end up with accounts being found by the script over and over. Also keep in mind this script is very early alpha and heavily work in progress. It's not yet production ready. It's meant to give you idea of what it will be able to do. However… it does work. Feel free to voice your needs, opinions on GitHub.
Before you can use this script, you need to do a few manual steps. Since this script is published as a module, it's quite easy to set this up. Just execute the command below (accept warnings) and you can test it out. Keep in mind that this version is very much a concept phase so things may change without notice. I encourage you to voice your feedback on GitHub.
Install-Module PSAutomator Install-Module PSSharedGoods # Shared data between all my modules #Update-Module PSAutomator #Update-Module PSSharedGoods
You can of course install everything manually from GitHub (as everything is published there) but it will be far easier to just use Install-Module.
