PSAutomator – PowerShell Module

This PowerShell Module is new approach to onboarding, offboarding and business as usual processes running in companies infrastructure. Usually each company has different rules, different approaches on how processes should look like. This module at this moment can do following things:

💡 Active Directory Actions

  • Add/Remove account to/from a specific group
  • Disable/Enable Account
  • Hide/Show account in GAL
  • Remove All Groups
  • Remove All Distribution or Security Groups
  • Remove All Local, Global or Universal Groups
  • Make snapshot/backup of account configuration
  • Add/Remove Text from Account Fields
  • Rename Account

💡 Overview

PSAutomator takes an easy approach that's similar to what you can find in services like IFTTT or Microsoft Flow. Those services work in known schema such as Services, Triggers, Ingredients and Applets. I've taken similar approach which is described below. Basically when you want to make an automation you can use up to 5 different blocks.

  • Service – is kind of a wrapper for other blocks above. It has also ability to load configuration from file for extended capabilities.
  • Trigger – is first block in Service. Before an Action can be executed it needs a Trigger. Trigger can be membership in Group, Organizational Unit etc
  • Ignore – But Trigger can also have things that need to be ignored. For example lack of email address field.
  • Condition – It can also be conditioned for example Last User Modification Date should be more then 30 days.
  • Action – are essentially Tasks that are about to be executed. This can be adding a user to a group, disabling user etc. This is also final step to close Service

Keep in mind that when you  define a Service you have to keep into a pattern. There can only be:

  • One Trigger
  • Multiple Ignores
  • Multiple Conditions
  • Multiple Actions

As a safety feature all Actions have implemented –WhatIf switch which allows you to build service and then see what would it be like if it executed and which accounts were affected.

💡 Note worthy features

  • Heavily configurable
  • Visual confirmation
  • File logging
  • No license needed. Free to use.
  • Open source

💡 Useful links

💡 What this module can do?

As you could see on the introduction screen the concept is simple. In below screen you can see offboarding procedure. Define Service, define trigger, use some condition (for now it's not working), ignore accounts that have EmailAddress empty or null and finally do 5 actions.

  • Make user snapshot (backup)
  • Disable AD Account
  • Hide User in GAL
  • Remove all security groups
  • Rename account by adding offboarded text.
Clear-Host
Import-Module PSAutomator -Force #-Verbose
Import-Module PSSharedGoods -Force

Service -Name 'Active Directory Offboarding' -ConfigurationPath 'C:\Support\GitHub\PSAutomator\Examples\MyConfiguration.xml' {
    Trigger -Name 'OU Offboarded Users' -User OrganizationalUnit -Value 'OU=Users-Offboarded,OU=Production,DC=ad,DC=evotec,DC=xyz' |
        Condition -Name 'No conditions' |
        Ignore -Name 'Ignore Windows Email Address if Empty or null' -Ignore MatchingEmptyOrNull -Value EmailAddress |
        Action -Name 'Make User Snapshot' -ActiveDirectory AccountSnapshot -Value 'C:\Users\pklys\Desktop\MyExport' -Whatif |
        Action -Name 'Disable AD Account' -ActiveDirectory AccountDisable -WhatIf |
        Action -Name 'Hide account in GAL' -ActiveDirectory AccountHideInGAL -WhatIf  |
        Action -Name 'Remove all security groups' -ActiveDirectory AccountRemoveGroupsSecurity -WhatIf |
        Action -Name 'Rename Account' -ActiveDirectory AccountRename -Value @{ Action = 'AddText'; Where = 'After'; Fields = 'DisplayName', 'Name'; Text = ' (offboarded)'; } -WhatIf
}

Similarly code below reverses this actions

Clear-Host
Import-Module PSAutomator -Force #-Verbose
Import-Module PSSharedGoods -Force

Service -Name 'Active Directory Enable Users in OU' {
    Trigger -Name 'Find Offboarded Users' -User OrganizationalUnit -Value 'OU=Users-Offboarded,OU=Production,DC=ad,DC=evotec,DC=xyz' |
        Ignore |
        Action -Name 'Enable Offboarded Users' -ActiveDirectory AccountEnable -WhatIf |
        Action -Name 'Add to group GDS-TestGroup5' -ActiveDirectory AccountAddGroupsSpecific -Value 'GDS-TestGroup5' -WhatIf |
        Action -Name 'Add to group GDS-TestGroup4' -ActiveDirectory AccountAddGroupsSpecific -Value 'GDS-TestGroup4' -Whatif |
        Action -Name 'Remove Offboarded Tag' -ActiveDirectory AccountRename -Value @{ Action = 'RemoveText'; Fields = 'DisplayName', 'Name' ; Text = ' (offboarded)'; } -WhatIf
}

As you could see in off-boarding process only 2 users were disabled and actions were taken. In reversing this process script found 6 users but still did actions only on those that were impacted by off-boarding process. If you will run script twice or more it will execute but it won't do anything.

Keep in mind that in perfect world for optimum speed one would define a process that would not end up with accounts being found by the script over and over. Also keep in mind this script is very early alpha and heavily work in progress. It's not yet production ready. It's meant to give you idea of what it will be able to do. However… it does work. Feel free to voice your needs, opinions on GitHub.

💡 Required prerequisites

Before you can use this script, you need to do a few manual steps. Since this script is published as a module, it's quite easy to set this up. Just execute the command below (accept warnings) and you can test it out. Keep in mind that this version is very much a concept phase so things may change without notice. I encourage you to voice your feedback on GitHub.

Install-Module PSAutomator
Install-Module PSSharedGoods # Shared data between all my modules

#Update-Module PSAutomator
#Update-Module PSSharedGoods

You can of course install everything manually from GitHub (as everything is published there) but it will be far easier to just use Install-Module.

💡 Quick fixes / helpful tips