Security in Obscurity

A script by Jeff Stein

Run-Term.ps1

Automates the active directory user termination process, July 2016

The script entitled "Run-Term" performs the necessary steps to terminate an Active Directory user account and prints a log of the steps performed. It is designed for the Microsoft Windows operating system and requires PowerShell 4.0 or above.

DISCLAIMER

This script is offered 'as is' with no warranty. While it has been tested and verified to work in my environment, it is recommended that you test this script in a test environment before utilizing it in your own production environment.

Installation

To get started, download the files listed in the resource section and save Run-Term.txt and Get-RandomString.txt as .ps1 files. They should be placed on the desktop of the Windows machine the script will run from. The Active Directory module must be installed on that machine for the script to run properly. Once in place, Run-Term.ps1 can be right-clicked and "Run with PowerShell" selected. Alternatively, PowerShell can be opened manually, the terminal navigated to the directory where the script is located, and the script executed from there. With either option, it is recommended that the script is run with an account that has administrator privileges.

Overview

The script will run through the Active Directory account of a terminated user and remove the common objects that should be removed as part of a termination. It generates a log of each step performed that can be used to validate the actions taken. A sample of the code is shown below:

Load Assemblies And Modules

# Load the Active Directory module (the RSAT AD module must be installed on this machine)
Import-Module ActiveDirectory

# Prompt until a username that exists in AD is entered (dsquery returns nothing for an unknown user)
do { $termname = Read-Host "Please enter the Active Directory username of the user you wish to terminate" }
until (dsquery user -samid $termname)
""
if (dsquery user -samid $termname) { "Found user" }
""
# Gather the user's display name and manager
$termnameFullName = Get-ADUser $termname -Properties Name | Select-Object -ExpandProperty Name
$managersearch = Get-ADUser $termname -Properties manager | Select-Object -ExpandProperty manager
# Only resolve the manager when the attribute is set; Get-ADUser with an empty identity would throw
$managername = $null
if ($managersearch) {
    $managername = Get-ADUser $managersearch -Properties SamAccountName | Select-Object -ExpandProperty SamAccountName
}
if ([string]::IsNullOrEmpty($managername)) { $managername = Read-Host "Please enter the username of the user's manager" }
else { Write-Host "Found manager for user: "$managername }
""
# Read-Host returns an empty string (not $null) on a blank entry, so test for whitespace rather than $null
do { $termticket = Read-Host "Please enter the termination ticket for the account you wish to terminate" }
until (-not [string]::IsNullOrWhiteSpace($termticket))
$ADusername = Get-ADUser -Identity $termname | Select-Object -ExpandProperty Name
$ADdatetime = Get-Date
# Suppress confirmation prompts so the termination steps run unattended
$ConfirmPreference = "none"
Write-Host

After information on the terminated user has been gathered, the termination functions run to terminate the AD account. The steps taken are:

  1. Set account to expire
  2. Remove email address from the account
  3. Remove phone number from the account
  4. Disassociate manager from account
  5. Remove all groups from account
  6. Reset the account password to a random password
  7. Disable the account
  8. Modify account description to contain termination ticket

You can see the sample code to do this below:

Termination Functions

function Set-ADexpiredate {
    # Step 1: set the account expiration to the termination date/time if none is already set
    $ADexpiredate = Get-ADUser -Identity $termname -Properties AccountExpirationDate | Select-Object -ExpandProperty AccountExpirationDate
    if ($null -eq $ADexpiredate) {
        Set-ADAccountExpiration $termname -DateTime $ADdatetime
        Write-Host "1. Setting account to expiration on:"$ADdatetime
    }
    else { Write-Host "1. Account had already been set to expiration on "$ADexpiredate }
    # Re-read the attribute to verify the change actually applied
    $ADexpiredate2 = Get-ADUser -Identity $termname -Properties AccountExpirationDate | Select-Object -ExpandProperty AccountExpirationDate
    if ($null -ne $ADexpiredate2) { Write-Host "... Account has been set to expire" }
    else { Write-Host "...Unable to set the account to expire via powershell. Please use ADUC to manually set the account to expire" -ForegroundColor Red }
}
function Set-ADemail {
    # Step 2: clear the email address attribute, then verify
    $ADemailcheck = Get-ADUser $termname -Properties EmailAddress | Select-Object -ExpandProperty EmailAddress
    if ($null -eq $ADemailcheck) { Write-Host "2. This account did not contain an email address" }
    else {
        Write-Host "2. Removing email address"
        Set-ADUser $termname -EmailAddress $null
    }
    $ADemailcheck2 = Get-ADUser $termname -Properties EmailAddress | Select-Object -ExpandProperty EmailAddress
    if ($null -eq $ADemailcheck2) { Write-Host "...Email address has been removed" }
    else { Write-Host "...Unable to remove the email address via powershell. Please use ADUC to manually remove the email address" -ForegroundColor Red }
}
function Set-ADdisable {
    # Disable the account, then verify the Enabled flag (step numbers follow the full script's log output)
    Disable-ADAccount $termname
    $ADdisablecheck = Get-ADUser -Identity $termname -Properties Enabled | Select-Object -ExpandProperty Enabled
    if ($ADdisablecheck -eq $false) { Write-Host "9. Account has been disabled" }
    else { Write-Host "9. Unable to disable account via powershell. Please use ADUC to manually disable the account" -ForegroundColor Red }
}

function Set-ADdescription {
    # Append the termination ticket to the existing description rather than overwriting it
    $ADdescription = Get-ADUser $termname -Properties Description | Select-Object -ExpandProperty Description
    Set-ADUser $termname -Description "$ADdescription; Disabled per $termticket"
    Write-Host "10. Noted termination ticket in account description field"
}
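Steps 5 and 6 of the list above (remove all groups, reset the password to a random value) are not in the sample. The following is an added example and not code from Run-Term.ps1 or its Get-RandomString helper; it assumes the ActiveDirectory module is loaded and $termname is set as in the script, and the function names Set-ADgroupremoval and Set-ADrandompassword are my own.

```powershell
# Added example, not part of Run-Term.ps1: one way to implement steps 5 and 6.
# Assumes the ActiveDirectory module is loaded and $termname is set as in the script.

function Set-ADgroupremoval {
    # Step 5: remove every group membership listed in MemberOf. MemberOf does not
    # include the primary group (usually Domain Users), which cannot be removed this
    # way, and it lists only groups in the user's own domain.
    $user = Get-ADUser $termname -Properties MemberOf
    foreach ($groupDn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
        Write-Host "5. Removed from group: $groupDn"
    }
    # Verify by re-reading the attribute rather than trusting the cmdlet's silence
    $left = @((Get-ADUser $termname -Properties MemberOf).MemberOf)
    if ($left.Count -eq 0) { Write-Host "...All group memberships have been removed" }
    else { Write-Host "...Still a member of: $($left -join '; '). Please use ADUC to remove manually" -ForegroundColor Red }
}

function Set-ADrandompassword {
    # Step 6: reset the password to a value nobody knows. A CSPRNG is used instead of
    # Get-Random, and the character set has 64 entries so each random byte maps
    # uniformly (256 % 64 -eq 0) with no modulo bias.
    $charset = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#'
    $bytes = New-Object byte[] 32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    $plain = -join ($bytes | ForEach-Object { $charset[$_ % $charset.Length] })
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    Set-ADAccountPassword -Identity $termname -Reset -NewPassword $secure
    # The plaintext is never written to the log; drop it as soon as the reset is done
    Remove-Variable plain, secure
    # Verify the reset took effect by checking that PasswordLastSet moved to now
    $lastSet = (Get-ADUser $termname -Properties PasswordLastSet).PasswordLastSet
    if ($lastSet -and $lastSet -ge (Get-Date).AddMinutes(-5)) { Write-Host "6. Account password has been reset to a random 32-character value" }
    else { Write-Host "6. Unable to confirm the password reset via powershell. Please reset manually in ADUC" -ForegroundColor Red }
}
```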

Once the functions have been read, the next step is to execute them. A sample of the code is below:

Execute Functions

# $menu holds the prompt text; it is defined earlier in the full script and not shown in this excerpt
Do {
    $opt = Read-Host $menu

    switch ($opt) {
        1 {
            ""
            Write-Host "Active Directory Termination Option"
            ""
            Write-Host "Beginning termination..."
            ""
            # Run the termination functions in order; Set-ADphone, Set-ADmanager,
            # Set-Disabled_Users_group and Set-ADpassreset are defined in the full script
            Set-ADexpiredate
            ""
            Set-ADemail
            ""
            Set-ADphone
            ""
            Set-ADmanager
            ""
            Set-Disabled_Users_group
            ""
            Set-ADpassreset
            ""
            Set-ADdisable
            ""
            Set-ADdescription
            ""
            Write-Host "Active Directory termination complete"
            ""
            ""
        }
    }
} until ($opt -eq 1)   # loop until the termination option is chosen; this exit condition is assumed, the full script's is not shown
