
SharePoint结合PowerShell建立入离职自动化(四)


发表于 2018-9-1 11:31:11 | 显示全部楼层 |阅读模式
  **首先说明,离职的脚本比较复杂,大概三百多行,各位如果理解起来有困难,可以根据注释,分段研究!切勿直接复制,毕竟离职的操作影响还是蛮大的**
  脚本工作流程如下。各位在使用时保存成ps1,然后放到任务计划里就可以啦(注意:脚本里的加密密码串在解密时没有指定-Key,也就是受Windows DPAPI保护,只能由生成它的同一个用户在同一台机器上解密,所以任务计划必须以该用户身份在这台机器上运行):
DSC0000.jpg

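  # Build the administrative credential used for the Exchange and Lync remote sessions.
  # The string is decrypted by ConvertTo-SecureString without -Key, so it is a DPAPI-protected
  # blob: only the Windows user that produced it, on the machine where it was produced, can
  # decrypt it. The scheduled task therefore has to run as that user on that machine.
  # NOTE(review): the blob travels with every copy of the script. Keeping it in a separate file
  # (for example one written with Export-Clixml and read back with Import-Clixml) that is
  # restricted by NTFS ACLs keeps the secret out of source that gets shared or published.
  # The variable was renamed from $pwd, which overwrote PowerShell's automatic $PWD
  # (current location) variable.
  $EncryptedPassword = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000035bf6730bcdda4eb12ed62660d5faed0000000002000000000003660000c0000000100000003ded59f253f488bd909320e6e53a89f30000000004800000a000000010000000709d6c5a15f7068c51c8a353ee79debb200000002cf42d5be95b64cc1c34489e330dc9a08f55d2e06474cadafa78c73c31e29c3d140000005ce706d435eb1d445cac9d1fc9ebe0ded07fbe75"
  $Password = ConvertTo-SecureString -String $EncryptedPassword
  $Credential = New-Object System.Management.Automation.PSCredential("domain\admin",$Password)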
  # Load the Active Directory module and the SharePoint snap-in.
  Import-Module -Name ActiveDirectory
  Add-PSSnapin -Name Microsoft.SharePoint.PowerShell
  # Load the assemblies behind the SharePoint User Profile service and open a profile manager
  # bound to the site collection at http://sharepoint:41843.
  # NOTE(review): LoadWithPartialName is marked obsolete in .NET and resolves whichever version
  # it finds; both calls also write the loaded Assembly object to the output stream.
  [Reflection.Assembly]::LoadWithPartialName("Microsoft.Office.Server")
  [Reflection.Assembly]::LoadWithPartialName("Microsoft.Office.Server.UserProfiles")
  $ProfileSiteUrl = "http://sharepoint:41843"
  $contextWeb = New-Object -TypeName Microsoft.SharePoint.SPSite -ArgumentList $ProfileSiteUrl
  $ServerContext = [Microsoft.Office.Server.ServerContext]::GetContext($contextWeb)
  $UserProfileManager = New-Object -TypeName Microsoft.Office.Server.UserProfiles.UserProfileManager -ArgumentList $ServerContext
  # Enumerator over all user profiles; the deletion branch of the main loop requests a fresh one.
  $Profiles = $UserProfileManager.GetEnumerator()
  # Open implicit-remoting sessions to Exchange and Lync with the administrative credential
  # and import their cmdlets into this session.
  # NOTE(review): the Exchange endpoint is addressed over http and relies on Kerberos; confirm
  # that this meets your transport-protection policy. Import-PSSession pulls in every cmdlet
  # the account may run, while this script only calls Set-Mailbox and Disable-CsUser; the
  # -CommandName parameter can narrow the import, and a role limited to those two cmdlets
  # narrows what a stolen credential could do.
  $ExchangeParams = @{
    ConfigurationName = "Microsoft.Exchange"
    ConnectionUri     = "http://mail.domain.cn/PowerShell/"
    Credential        = $Credential
    Authentication    = "Kerberos"
  }
  $ExSession = New-PSSession @ExchangeParams
  Import-PSSession -Session $ExSession

  $LyncParams = @{
    ConnectionUri = "https://sip.domain.cn/OcsPowerShell"
    Credential    = $Credential
  }
  $LyncSession = New-PSSession @LyncParams
  Import-PSSession -Session $LyncSession
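  # Paths of the two temporary HTML reports (disable report and delete report) and the row
  # colours used when rendering them.
  # The timestamp is taken once so both files share it, and uses the 24-hour "HH" specifier:
  # the original "hh" is a 12-hour clock, so a morning run and an evening run produced the
  # same file name, and Add-Content would append to a report left behind by a failed run.
  $ReportPath = "C:\Scripts\AutoDismission\"
  $ReportStamp = Get-Date -Format MMddHHmm
  $DeleteName = "AutoDelete_$ReportStamp.html"
  $ReportName = "AutoDismission_$ReportStamp.html"
  $ServiceReport = $ReportPath + $ReportName
  $DeleteReport = $ReportPath + $DeleteName
  $RedColor = "#FF0000"      # failed step
  $WhiteColor = "#FFFFFF"    # successful step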
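# Opening part of both HTML reports: document head plus the page heading.
# NOTE(review): the published copy of this script lost the HTML tags inside this string (only
# the two text labels survived), so the mail body would arrive as unstructured text. The
# markup below is a minimal reconstruction around those labels, not the author's original.
$Header = "<html>
<head>
<title>Service Report</title>
</head>
<body>
<h3>离职处理状态</h3>
"
  Add-Content $ServiceReport $Header
  Add-Content $DeleteReport $Header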
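# Opening of the result table with its three column captions: account, application, status.
# NOTE(review): the published copy of this script lost the HTML tags inside this string; the
# table markup below is a minimal reconstruction around the three surviving captions.
$TableHeader = "<table border='1' cellpadding='4' cellspacing='0'>
<tr>
<th>账户</th>
<th>应用</th>
<th>状态</th>
</tr>
"
  Add-Content $ServiceReport $TableHeader
  Add-Content $DeleteReport $TableHeader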
  # Open the SharePoint web and the list whose items drive this script. The main loop reads the
  # approval status, leaving date, company and the disabled/deleted flags from each item.
  # NOTE(review): every row of this list is treated as an instruction to disable or delete an
  # account, so edit rights on the list and on its approval workflow are equivalent to that
  # privilege and should be restricted accordingly.
  $SiteUrl = "http://sp.domain.cn"
  $ListUrl = "/Lists/List7"
  $SPWeb = Get-SPWeb -Identity $SiteUrl
  $SPList = $SPWeb.GetList($ListUrl)
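  # Mail the "accounts disabled" report.
  #   $Creater       - one address or an array of addresses to put on CC (the request creators)
  #   $ServiceReport - path of the HTML report file whose content becomes the mail body
  # Changes from the published version: CC addresses are added one at a time (an array passed to
  # CC.Add() is flattened into one space-separated string, which is not a valid address list),
  # empty and duplicate entries are skipped, and the message and client are disposed after use.
  # NOTE(review): the SMTP password is hard-coded in plain text here. Load it from a protected
  # store instead (for example a DPAPI-protected credential file read with Import-Clixml, then
  # $Cred.GetNetworkCredential()). EnableSsl is left at its default of $False, so the login is
  # not protected by TLS; enable it if the mail server supports STARTTLS.
  Function Send-Message ($Creater,$ServiceReport)
  {
    $SmtpClient = New-Object System.Net.Mail.SmtpClient
    $SmtpClient.UseDefaultCredentials = $False
    $SmtpClient.Credentials = New-Object System.Net.NetworkCredential("admin@domain.cn","P@ssw0rd")
    $SmtpClient.Host = "mail.domain.cn"
    $MailMessage = New-Object System.Net.Mail.MailMessage
    $MailMessage.From = "admin@domain.cn"
    $MailMessage.To.Add("Liuzw@domain.cn")
    Foreach ($Address in (@($Creater) | Where-Object { $_ } | Select-Object -Unique))
    {
      $MailMessage.CC.Add([string]$Address)
    }
    $MailMessage.Subject = "离职处理报告"
    $MailMessage.IsBodyHtml = $True
    $MailMessage.Body = (Get-Content $ServiceReport) -join "`r`n"
    $SmtpClient.Send($MailMessage)
    # Release the message and close the SMTP connection.
    $MailMessage.Dispose()
    $SmtpClient.Dispose()
  }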
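  # Mail the "accounts deleted" report to the administrator. Takes no parameters; the body is
  # read from the file named by the script-level $DeleteReport variable.
  # Change from the published version: the message and client are disposed after sending.
  # NOTE(review): the SMTP password is hard-coded in plain text here. Load it from a protected
  # store instead (for example a DPAPI-protected credential file read with Import-Clixml, then
  # $Cred.GetNetworkCredential()). EnableSsl is left at its default of $False, so the login is
  # not protected by TLS; enable it if the mail server supports STARTTLS.
  Function Send-AdminMessage
  {
    $SmtpClient = New-Object System.Net.Mail.SmtpClient
    $SmtpClient.UseDefaultCredentials = $False
    $SmtpClient.Credentials = New-Object System.Net.NetworkCredential("admin@domain.cn","P@ssw0rd")
    $SmtpClient.Host = "mail.domain.cn"
    $MailMessage = New-Object System.Net.Mail.MailMessage
    $MailMessage.From = "admin@domain.cn"
    $MailMessage.To.Add("Liuzw@domain.cn")
    $MailMessage.Subject = "账户删除报告"
    $MailMessage.IsBodyHtml = $True
    $MailMessage.Body = (Get-Content $DeleteReport) -join "`r`n"
    $SmtpClient.Send($MailMessage)
    # Release the message and close the SMTP connection.
    $MailMessage.Dispose()
    $SmtpClient.Dispose()
  }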
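  # Result collections filled by the loop below.
  $FormatEnumerationLimit = -1
  $UserReport = @()      # rows of the "disabled" report
  $Recipients = @()      # mail addresses of the request creators (CC list of that report)
  $DeleteResult = @()    # rows of the "deleted" report

  # Build one report row: account, application, status.
  Function New-DismissionRow ($Account, $App, $Status)
  {
    [PSCustomObject]@{
      账户 = $Account
      应用 = $App
      状态 = $Status
    }
  }

  # Walk every item of the SharePoint list and, per item, either
  #   - disable the account (approved, not yet disabled, leaving date reached, less than
  #     30 days ago), or
  #   - delete the account and its SharePoint data (approved, disabled, not yet deleted,
  #     leaving date at least 30 days ago).
  # Changes from the published version:
  #   * The target account must resolve to exactly one AD user. Display names are not unique,
  #     and a stale or duplicated name must never select somebody else's account.
  #   * Deletion only proceeds when the resolved account is currently disabled, so an account
  #     that was re-enabled, or a namesake of an already removed user, is never deleted.
  #   * $OU is reset per user and an unmapped company raises an error; before, the value from
  #     the previous user was reused and the account was moved into the wrong OU.
  #   * Set-Mailbox uses -ErrorAction Stop so a failure reaches the Catch block instead of
  #     being reported as success.
  #   * The "deleted" flag is written only after the AD account was removed; before, it was
  #     set even when every step failed, so the deletion was never retried.
  #   * Items without a leaving date are skipped instead of raising a null-method error.
  # NOTE(review): an item approved more than 30 days after the leaving date matches neither
  # branch, so that account is never disabled by this script. Review such items by hand.
  # The published page also carried a garbled, commented-out attempt to read the account from
  # the field's sip address; it has been left out.
  Foreach($UserInfo in $SPList.Items)
  {
    # People fields are stored as "ID;#DisplayName"; keep the display name part.
    $DisplayName = $UserInfo["员工账号"].Split("#")[1]
    $User = [PSCustomObject]@{
      Account = $null
      DismDate = $UserInfo["离职日期"]
      Company = $UserInfo["公司"]
      Approve = $UserInfo.Workflows.StatusText
      Disabled = $UserInfo["禁用状态"]
      Deleted = $UserInfo["删除状态"]
      Creater = $UserInfo["创建者"].Split("#")[1]
    }

    # Decide what, if anything, has to happen for this item.
    $Action = $null
    if ($User.Approve -eq "已批准" -and $User.DismDate -is [DateTime])
    {
      $Now = Get-Date
      $PurgeDate = $User.DismDate.AddDays(30)
      if ($User.Disabled -eq $False -and $Now -ge $User.DismDate -and $Now -lt $PurgeDate)
      {
        $Action = "Disable"
      }
      elseif ($User.Disabled -eq $True -and $User.Deleted -eq $False -and $Now -ge $PurgeDate)
      {
        $Action = "Delete"
      }
    }
    if (-not $Action) { continue }

    if ($Action -eq "Disable")
    {
      # The request creator is copied on the disable report.
      $Creater = $User.Creater
      $Recipients += (Get-ADUser -Filter {DisplayName -eq $Creater } -Properties EmailAddress ).EmailAddress
    }

    # Resolve the display name to exactly one AD account; refuse to act on anything else.
    $Candidates = @(Get-ADUser -Filter {DisplayName -eq $DisplayName})
    $Resolved = $Candidates.Count -eq 1
    if ($Resolved -and $Action -eq "Delete" -and $Candidates[0].Enabled -ne $False)
    {
      # Never delete an account that is currently enabled.
      $Resolved = $False
    }
    if (-not $Resolved)
    {
      if ($Action -eq "Disable")
      {
        $UserReport += New-DismissionRow $DisplayName "AD账号" "禁用失败,请检查账户信息"
      }
      else
      {
        $DeleteResult += New-DismissionRow $DisplayName "AD账号" $False
      }
      continue
    }
    $User.Account = $Candidates[0].SamAccountName

    if ($Action -eq "Disable")
    {
      Try
      {
        # Keep a snapshot of every attribute before changing the account.
        # NOTE(review): these files hold personal data and are never cleaned up by the script;
        # restrict the folder's ACL and apply a retention period.
        $SnapshotFile = "C:\Scripts\AutoDismission\$($User.Account)-$(Get-Date -Format 'yyyyMMdd').Txt"
        Get-ADUser -Identity $User.Account -Properties * | Format-List | Out-File -FilePath $SnapshotFile
        Disable-ADAccount -Identity $User.Account -ErrorAction Stop

        # Move the disabled account into its company's _Disabled OU.
        $OU = $null
        Switch($User.Company)
        {
          "A" { $OU = "OU=_Disabled,OU=A,DC=domain,DC=cn" }
          "B" { $OU = "OU=_Disabled,OU=B,DC=domain,DC=cn" }
        }
        if (-not $OU)
        {
          # The account is already disabled at this point; the item is reported as failed and
          # retried on the next run until the company value is corrected.
          Throw "No _Disabled OU is mapped for company '$($User.Company)'"
        }
        Move-ADObject -Identity $(Get-ADUser $User.Account) -TargetPath $OU
        $UserReport += New-DismissionRow $User.Account "AD账号" "已停用"

        # Remove the account from every group listed in its MemberOf attribute.
        $Group = (Get-ADUser -Identity $User.Account -Properties MemberOf ).MemberOf | Get-ADGroup
        $Group | Remove-ADGroupMember -Members $User.Account -Confirm:$False

        # Hide the mailbox from the address lists.
        Try
        {
          Set-Mailbox -Identity $User.Account -HiddenFromAddressListsEnabled $True -ErrorAction Stop
          $UserReport += New-DismissionRow $User.Account "Exchange邮箱" "已停用"
        }
        Catch
        {
          $UserReport += New-DismissionRow $User.Account "Exchange邮箱" "禁用失败"
        }

        # Disable the Lync account.
        Try
        {
          Disable-CsUser -Identity $User.Account -Confirm:$False -ErrorAction Stop
          $UserReport += New-DismissionRow $User.Account "Lync账号" "已停用"
        }
        Catch
        {
          $UserReport += New-DismissionRow $User.Account "Lync账号" "禁用失败"
        }

        # Record on the list item that the account has been disabled.
        $UserInfo["禁用状态"] = $True
        $UserInfo.Update()
      }
      Catch
      {
        $UserReport += New-DismissionRow $User.Account "AD账号" "禁用失败,请检查账户信息"
      }
    }
    else
    {
      $Login = "domain\$($User.Account)"
      $Profiles = $UserProfileManager.GetEnumerator()
      $DismUserProfile = $Profiles | Where-Object {$_.MultiloginAccounts -eq $Login}

      # Delete the SharePoint personal site.
      if($DismUserProfile.PersonalSite -ne $Null)
      {
        Try
        {
          $DismUserProfile.PersonalSite.Delete()
          $DeleteResult += New-DismissionRow $User.Account "SharePoint个人站点" $True
        }
        Catch
        {
          $DeleteResult += New-DismissionRow $User.Account "SharePoint个人站点" $False
        }
      }

      # Delete the SharePoint user profile.
      if($DismUserProfile -ne $Null)
      {
        Try
        {
          $UserProfileManager.RemoveUserProfile($Login)
          $DeleteResult += New-DismissionRow $User.Account "SP配置文件" $True
        }
        Catch
        {
          $DeleteResult += New-DismissionRow $User.Account "SP配置文件" $False
        }
      }

      # Remove the SharePoint site user.
      # NOTE(review): the site user is still matched on display name; matching on the login
      # name would be stricter.
      Try
      {
        $SPUser = Get-SPUser -Web "http://sp.domain.cn" | Where-Object {$_.DisplayName -eq $DisplayName}
        Remove-SPUser -Web "http://sp.domain.cn" -Identity $SPUser -ErrorAction Stop -Confirm:$false
        $DeleteResult += New-DismissionRow $User.Account "SharePoint账号" $True
      }
      Catch
      {
        $DeleteResult += New-DismissionRow $User.Account "SharePoint账号" $False
      }

      # Delete the AD account together with its child objects.
      $AdDeleted = $False
      Try
      {
        Get-ADUser $User.Account | Remove-ADObject -Recursive -Confirm:$False -ErrorAction Stop
        $AdDeleted = $True
        $DeleteResult += New-DismissionRow $User.Account "AD账号" $True
      }
      Catch
      {
        $DeleteResult += New-DismissionRow $User.Account "AD账号" $False
      }

      # Mark the item as deleted only when the AD account is really gone, so a failed deletion
      # is retried (and reported again) on the next run.
      if ($AdDeleted)
      {
        $UserInfo["删除状态"] = $True
        $UserInfo.Update()
      }
    }
  }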
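  # Render one table row per deletion result into the delete report, close the document and
  # mail it to the administrator when there is at least one row.
  # NOTE(review): the published copy of this script lost the HTML tags of the row template, and
  # $color was computed but never used. The row markup is a minimal reconstruction: failed
  # steps get the red background, successful ones the white one. Cell values are HTML-encoded
  # because they come from directory and list data and end up in an HTML mail body.
  $DeleteResult | ForEach-Object {
    if($_.状态 -ne $True)
    {
      $color = $redColor
    }
    else
    {
      $color = $whiteColor
    }
    $Cells = @($_.账户, $_.应用, $_.状态) | ForEach-Object {
      "<td>" + [System.Net.WebUtility]::HtmlEncode([string]$_) + "</td>"
    }
    $DataRow = "<tr bgcolor='$color'>" + ($Cells -join "") + "</tr>"
    Add-Content $DeleteReport $DataRow
  }
  Add-Content $DeleteReport "</table></body></html>"
  # Count the rows explicitly; "-ne $Null" on an array filters its elements instead of
  # testing the array itself.
  if(@($DeleteResult).Count -gt 0)
  {
    Send-AdminMessage
  }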
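  # Render one table row per disable result into the service report, close the document and
  # mail it (CC to the request creators) when there is at least one row.
  # NOTE(review): the published copy of this script lost the HTML tags of the row template, and
  # $color was computed but never used. The row markup is a minimal reconstruction: any status
  # other than "已停用" gets the red background. Cell values are HTML-encoded because they come
  # from directory and list data and end up in an HTML mail body.
  $UserReport | ForEach-Object {
    if($_.状态 -ne "已停用")
    {
      $color = $redColor
    }
    else
    {
      $color = $whiteColor
    }
    $Cells = @($_.账户, $_.应用, $_.状态) | ForEach-Object {
      "<td>" + [System.Net.WebUtility]::HtmlEncode([string]$_) + "</td>"
    }
    $DataRow = "<tr bgcolor='$color'>" + ($Cells -join "") + "</tr>"
    Add-Content $ServiceReport $DataRow
  }
  Add-Content $ServiceReport "</table></body></html>"
  # Send the report. Count the rows explicitly; "-ne $Null" on an array filters its elements
  # instead of testing the array itself.
  If(@($UserReport).Count -gt 0)
  {
    Send-Message -Creater $Recipients -ServiceReport $ServiceReport
  }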
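  # Close the remote sessions and delete the two temporary report files.
  Remove-PSSession $ExSession
  Remove-PSSession $LyncSession
  Remove-Item $ServiceReport
  Remove-Item $DeleteReport
  # SPWeb and SPSite objects hold unmanaged resources and were never released; dispose them so
  # a scheduled run does not leak them.
  if ($SPWeb) { $SPWeb.Dispose() }
  if ($contextWeb) { $contextWeb.Dispose() }
  # NOTE(review): the per-user attribute snapshots written to C:\Scripts\AutoDismission\ are
  # kept on purpose and are not removed here; they need their own ACL and retention handling.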
  差点忘了举例子:
  禁用完成是这个样子的邮件
DSC0001.jpg

  删除成功是这个样子的邮件
DSC0002.jpg

  嗯,整套入离职到此就完整结束了,希望可以减轻各位IT管理员的负担,至于部门变更的流程么,由于公司小,暂时不涉及,所以需要各位大神们自己动手了。


