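<#
.SYNOPSIS
    Automates the Active Directory termination process.
.DESCRIPTION
    Performs the necessary steps to terminate an Active Directory account and
    prints a log of the steps performed. Every console line is recorded in a
    transcript file (see -strFilenameTranscript) so the run can be audited.
.PARAMETER strFilenameTranscript
    Name of the transcript file, created in the current directory. Defaults to
    "AD_termination <date> <time>.log".
.PARAMETER opt
    Initial menu selection. The value is overwritten by the interactive menu
    prompt; it is kept so existing callers that pass it keep working.
.NOTES
    Version            : 1.2
    Changes            : Added the following verification checks for AD:
                           when resetting AD password, setting account to expire,
                           removing email address, phone number has been removed,
                           manager has been removed, account has been disabled
    Systems procedures : Active Directory
    Rights Required    : Elevated permission access to Active Directory
    Sched Task Req'd   : No
    Author             : Jeff Stein
    Year Written       : 2016
    Disclaimer         :
    Resources used     : http://www.ehloworld.com/152
                         http://occasionalutility.blogspot.com/2013/10/everyday-powershell-part-5-terminating.html
.EXAMPLE
    .\Run-Term.ps1
.INPUTS
    None. You cannot pipe objects to this script.
#>
#Requires -Version 4.0
param(
    # [parameter(ValueFromPipeline=$false, ValueFromPipelineByPropertyName=$false, Mandatory=$false)]
    [string] $strFilenameTranscript = ("AD_termination {0:yyyy-MM-dd hh-mmtt}.log" -f (Get-Date)),
    [string] $opt = "None"
)
# Errors and warnings are reported rather than suppressed: the transcript is the
# audit record of the termination, and a step that fails silently leaves the
# account only partly terminated with no trace of why. "Continue" (not "Stop")
# is used so that one failing step does not abort the remaining steps; each step
# below verifies its own result and prints a red line when it did not take effect.
$ErrorActionPreference = "Continue"
$WarningPreference = "Continue"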
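# The credential prompt is wired into every AD cmdlet below. Previously it was
# collected and never used, so the operator believed the run happened under the
# supplied elevated account while it really ran as the logged-on user. If the
# prompt is cancelled, $adArgs stays empty and the cmdlets fall back to the
# current security context, as before.
$cred = Get-Credential -Message "Account used for the Active Directory changes"
$adArgs = @{}
if ($cred) { $adArgs["Credential"] = $cred }

# The transcript records the operator's console session: account names, the
# ticket reference and the verification results. No password is ever written to
# it (the new password only exists as a SecureString, see Set-ADpassreset).
Start-Transcript -Path (Join-Path (Get-Location) $strFilenameTranscript) | Out-Null
$error.Clear()
Clear-Host
Pushd

Write-Host "
**********************************
 Employee Termination Procedure
**********************************
"

#----------------------------------------------------------
# LOAD ASSEMBLIES AND MODULES
#----------------------------------------------------------
Import-Module ActiveDirectory # Loads the Active Directory module into the session

#----------------------------------------------------------
# OPERATOR INPUT
#----------------------------------------------------------

# Resolve the account through the AD module instead of dsquery. Get-ADUser
# -Identity does not accept wildcards, so an input such as "*" can no longer
# pass validation and then match nothing (or several accounts) in the steps
# below. Get-ADUser raises a terminating error when the identity is unknown,
# hence try/catch rather than -ErrorAction.
$termuser = $null
do {
  $termname = Read-Host "Please enter the Active Directory username of the user you wish to terminate"
  if (-not [string]::IsNullOrWhiteSpace($termname)) {
    try { $termuser = Get-ADUser -Identity $termname -Properties Name, Manager @adArgs }
    catch { $termuser = $null }
  }
  if (-not $termuser) {
    Write-Host "No account named '$termname' was found. Please try again." -ForegroundColor Yellow
  }
} until ($termuser)
""
Write-Host "Found user:" $termuser.Name
# From here on use the canonical sAMAccountName so every step targets exactly
# the account that was resolved, not the text the operator typed.
$termname = $termuser.SamAccountName
$termnameFullName = $termuser.Name

# The manager is only displayed (and logged); resolving it must not abort the run.
$managername = $null
if ($termuser.Manager) {
  try { $managername = (Get-ADUser -Identity $termuser.Manager @adArgs).SamAccountName }
  catch { $managername = $null }
}
if (-not $managername) { $managername = Read-Host "Please enter the username of the user's manager" }
else { Write-Host "Found manager for user: "$managername }
""

# Read-Host returns "" (not $null) on an empty line, so a `-ne $NULL` test never
# loops; a non-blank ticket reference is required because it is written into
# the account description as the justification for the termination.
do { $termticket = Read-Host "Please enter the termination ticket for the account you wish to terminate" }
until (-not [string]::IsNullOrWhiteSpace($termticket))

$ADdatetime = Get-Date

Write-Host "
*********************************************************
 Termination Options
*********************************************************
User actively being terminated:"
Write-Host " "$termname "("$termnameFullName")"
[string] $menu = @'
Please select an option from the list below.

1) Terminate Active Directory account
99) Exit

Select an option.. [1-99]?
'@

#----------------------------------------------------------
# ACTIVE DIRECTORY FUNCTIONS
#----------------------------------------------------------
# All step functions read $termname, $ADdatetime, $termticket and $adArgs from
# the script scope. Each one performs its change, re-reads the attribute and
# prints a red line if the change did not take effect so the operator can
# finish the step in ADUC.

function Set-ADexpiredate {
  # 1. Verify the AD account is set to expire; if not, expire it as of $ADdatetime.
  $ADexpiredate = (Get-ADUser -Identity $termname -Properties AccountExpirationDate @adArgs).AccountExpirationDate
  if ($null -eq $ADexpiredate) {
    Set-ADAccountExpiration -Identity $termname -DateTime $ADdatetime @adArgs
    Write-Host "1. Setting account to expiration on:"$ADdatetime
  } else {
    Write-Host "1. Account had already been set to expiration on "$ADexpiredate
  }
  $ADexpiredate2 = (Get-ADUser -Identity $termname -Properties AccountExpirationDate @adArgs).AccountExpirationDate
  if ($null -ne $ADexpiredate2) {
    Write-Host "... Account has been set to expire"
  } else {
    Write-Host "...Unable to set the account to expire via powershell. Please use ADUC to manually set the account to expire" -ForegroundColor Red
  }
} # end Set-ADexpiredate

function Set-ADemail {
  # 2. Remove the email address from the account.
  $ADemailcheck = (Get-ADUser -Identity $termname -Properties EmailAddress @adArgs).EmailAddress
  if ($null -eq $ADemailcheck) {
    Write-Host "2. This account did not contain an email address"
  } else {
    Write-Host "2. Removing email address"
    Set-ADUser -Identity $termname -EmailAddress $null @adArgs
  }
  $ADemailcheck2 = (Get-ADUser -Identity $termname -Properties EmailAddress @adArgs).EmailAddress
  if ($null -eq $ADemailcheck2) {
    Write-Host "...Email address has been removed"
  } else {
    Write-Host "...Unable to remove the email address via powershell. Please use ADUC to manually remove the email address" -ForegroundColor Red
  }
} # end Set-ADemail

function Set-ADphone {
  # 3. Remove the office phone number from the account.
  $ADphonecheck = (Get-ADUser -Identity $termname -Properties OfficePhone @adArgs).OfficePhone
  if ($null -eq $ADphonecheck) {
    Write-Host "3. This account did not contain a phone number"
  } else {
    Write-Host "3. Removing phone number"
    Set-ADUser -Identity $termname -OfficePhone $null @adArgs
  }
  $ADphonecheck2 = (Get-ADUser -Identity $termname -Properties OfficePhone @adArgs).OfficePhone
  if ($null -eq $ADphonecheck2) {
    Write-Host "...Phone number has been removed"
  } else {
    Write-Host "...Unable to remove the phone number via powershell. Please use ADUC to manually remove the phone number" -ForegroundColor Red
  }
} # end Set-ADphone

function Set-ADmanager {
  # 4. Remove the manager assignment from the account.
  $ADmanager = (Get-ADUser -Identity $termname -Properties Manager @adArgs).Manager
  if ($null -eq $ADmanager) {
    Write-Host "4. This account did not contain a manager assignment"
  } else {
    Write-Host "4. Removing Manager..."
    Set-ADUser -Identity $termname -Manager $null @adArgs
  }
  $ADmanager2 = (Get-ADUser -Identity $termname -Properties Manager @adArgs).Manager
  if ($null -eq $ADmanager2) {
    Write-Host "...Manager has been removed"
  } else {
    Write-Host "...Unable to remove the manager via powershell. Please use ADUC to manually remove the manager" -ForegroundColor Red
  }
} # end Set-ADmanager

function Set-Disabled_Users_group {
  # 5. Remove every group membership listed in memberOf and verify the list is
  # empty afterwards. The primary group (Domain Users by default) is not part of
  # memberOf and cannot be removed with Remove-ADGroupMember, so the former
  # unconditional "Domain Users" removal (which always errored) is gone; change
  # the primary group first if removing it is required.
  $ADmemberoflist = @((Get-ADUser -Identity $termname -Properties memberof @adArgs).memberof)
  foreach ($group in $ADmemberoflist) {
    Remove-ADGroupMember -Identity $group -Members $termname -Confirm:$false @adArgs
  }
  $remaining = @((Get-ADUser -Identity $termname -Properties memberof @adArgs).memberof)
  if ($remaining.Count -eq 0) {
    Write-Host "5. All groups have been removed from the user account"
  } else {
    Write-Host "5. Unable to remove $($remaining.Count) group(s) via powershell. Please use ADUC to manually remove:" -ForegroundColor Red
    foreach ($group in $remaining) { Write-Host "   $group" -ForegroundColor Red }
  }
} # end Set-Disabled_Users_group

function New-RandomSecurePassword {
  # Builds a random password of $Length characters (a-z, A-Z, 0-9) straight into
  # a SecureString from a cryptographic RNG, so the value never exists as a plain
  # .NET string that could linger in memory or reach the transcript. Rejection
  # sampling (bytes >= 248 are discarded) keeps each character uniformly
  # distributed over the 62 symbols instead of biasing the low ones.
  param([int] $Length = 32)
  $alphabet = [char[]]"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
  $limit = 256 - (256 % $alphabet.Length)   # largest multiple of 62 that fits a byte
  $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
  $secure = New-Object System.Security.SecureString
  $buffer = New-Object byte[] 1
  try {
    while ($secure.Length -lt $Length) {
      $rng.GetBytes($buffer)
      if ($buffer[0] -lt $limit) { $secure.AppendChar($alphabet[$buffer[0] % $alphabet.Length]) }
    }
  } finally {
    $rng.Dispose()
  }
  $secure.MakeReadOnly()
  return $secure
} # end New-RandomSecurePassword

function Set-ADpassreset {
  # 6. Replace the password with a random value nobody knows. The password is
  # generated locally instead of by running Get-RandomString.ps1 out of the
  # current directory, which tied a security-critical step to whatever file
  # happened to be at that path. PasswordLastSet is compared before and after to
  # confirm the reset actually happened.
  $before = (Get-ADUser -Identity $termname -Properties PasswordLastSet @adArgs).PasswordLastSet
  $newpass = New-RandomSecurePassword -Length 32
  Set-ADAccountPassword -Identity $termname -Reset -NewPassword $newpass @adArgs
  $newpass.Dispose()
  $ADpasscheck = (Get-ADUser -Identity $termname -Properties PasswordLastSet @adArgs).PasswordLastSet
  if (($null -ne $ADpasscheck) -and ($ADpasscheck -ne $before)) {
    Write-Host "6. Account password has been reset on"$ADpasscheck
  } else {
    Write-Host "6. Unable to reset the account password via powershell. Please use ADUC to manually reset the password" -ForegroundColor Red
  }
} # end Set-ADpassreset

function Set-ADdisable {
  # 7. Disable the AD account and confirm the Enabled flag is now false.
  Disable-ADAccount -Identity $termname @adArgs
  $ADdisablecheck = (Get-ADUser -Identity $termname -Properties Enabled @adArgs).Enabled
  if ($ADdisablecheck -eq $false) {
    Write-Host "7. Account has been disabled"
  } else {
    Write-Host "7. Unable to disable account via powershell. Please use ADUC to manually disable the account" -ForegroundColor Red
  }
} # end Set-ADdisable

function Set-ADdescription {
  # 8. Append the termination ticket to the description and verify it is there.
  # An empty existing description no longer produces a leading "; ".
  $ADdescription = (Get-ADUser -Identity $termname -Properties Description @adArgs).Description
  $note = "Disabled per $termticket"
  if ([string]::IsNullOrWhiteSpace($ADdescription)) { $newdescription = $note }
  else { $newdescription = "$ADdescription; $note" }
  Set-ADUser -Identity $termname -Description $newdescription @adArgs
  $ADdescription2 = (Get-ADUser -Identity $termname -Properties Description @adArgs).Description
  if ("$ADdescription2".Contains($note)) {
    Write-Host "8. Noted termination ticket in account description field"
  } else {
    Write-Host "8. Unable to update the description via powershell. Please use ADUC to manually note '$note'" -ForegroundColor Red
  }
} # end Set-ADdescription

#----------------------------------------------------------
# MENU
#----------------------------------------------------------
# The loop runs until a valid option has been handled. The former
# `while ($opt -le 1)` compared strings, so a typo at the prompt exited the
# script without stopping the transcript, while a completed termination looped
# back to the menu after the transcript had already been stopped. try/finally
# guarantees Popd and Stop-Transcript run exactly once on every exit path.
try {
  $done = $false
  do {
    $opt = Read-Host $menu
    switch ("$opt") {
      "1" {
        # Active Directory termination steps, in the numbered order of the log
        ""
        Write-Host "Active Directory Termination Option"
        ""
        Write-Host "Beginning termination..."
        ""
        ""
        Set-ADexpiredate
        ""
        Set-ADemail
        ""
        Set-ADphone
        ""
        Set-ADmanager
        ""
        Set-Disabled_Users_group
        ""
        Set-ADpassreset
        ""
        Set-ADdisable
        ""
        Set-ADdescription
        ""
        Write-Host "Active Directory termination complete"
        ""
        ""
        Write-Host "Termination complete"
        ""
        ""
        Write-Host "Exiting..."
        ""
        ""
        $done = $true
      }
      "99" {
        # Exit without changes
        Write-Host ""
        Write-Host "Exiting..."
        ""
        $done = $true
      }
      default { Write-Host "You haven't selected any of the available options. " }
    }
  } until ($done)
} finally {
  Popd
  Stop-Transcript | Out-Null
}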