CoaOnlineModule.psm1
#Require -Version 5.1 using namespace System; using namespace System.Text; using namespace System.Diagnostics; using namespace System.Linq; using namespace System.Collections.Generic; Import-Module ActiveDirectory; Import-Module CoaLoggingModule; #region: Variables <# .Synopsis Use this cmdlet to set new variables over the default ones. .Description Sets the script variables that are in common use across the functions #> function Set-CoaVariables { [CmdletBinding()] Param ( # Default -120. The number of days backward (negative) in time to gather new accounts and ensure they are in-policy. [Parameter()] [int] $NumberOfDays = -120, [string]$RoleAssignmentPolicy = "COA Default Role Assignment Policy", [string]$ClientAccessPolicyName = "COAOWAMailboxPolicy", [int]$LitigationHoldDuration = 730, [string]$ExchangeOnlineAdminAccount = "COA Administrator", [string]$authOrig = "CN=O365 Administrator,OU=Admin,OU=Generics,OU=O365,DC=alexgov,DC=net", [string]$RetentionPolicyE3 = "COA Policy", [string]$RetentionPolicyK1 = "COA F1 Policy", [string]$RetentionPolicyTermOfficial = "Termination Retention Policy", [string]$RetentionPolicyDeptHead = "COA Department Head Policy", [string]$CoaSkuInformationWorkers = "ALEXANDRIAVA1:ENTERPRISEPACK_GOV", [string]$CoaSkuFirstlineWorkers = "ALEXANDRIAVA1:DESKLESSPACK_GOV", [string[]]$CoaSkuFirstlineWorkersDisabledPlans, [string[]]$CoaSkuInformationWorkersDisabledPlans = "RMS_S_ENTERPRISE_GOV", [string]$CoaSkuExoArchive = "ALEXANDRIAVA1:EXCHANGEARCHIVE_ADDON_GOV", [string]$CoaSkuExoAtp = "ALEXANDRIAVA1:ATP_ENTERPRISE_GOV", [string]$CoaSkuEms = "ALEXANDRIAVA1:EMS", [string]$standardLicenseName = "emailStandard_createAlexID", [string]$basicLicenseName = "emailBasic_createAlexID", [string]$Domain = "alexandriava.gov" ) $Script:NumberOfDays = $NumberOfDays; $Script:RoleAssignmentPolicy = $RoleAssignmentPolicy $Script:ClientAccessPolicyName = $ClientAccessPolicyName $Script:LitigationHoldDuration = $LitigationHoldDuration $Script:ExchangeOnlineAdminAccount = $ExchangeOnlineAdminAccount $Script:authOrig = $authOrig $Script:RetentionPolicyE3 = $RetentionPolicyE3 $Script:RetentionPolicyK1 = $RetentionPolicyK1 $Script:RetentionPolicyTermOfficial = $RetentionPolicyTermOfficial $Script:RetentionPolicyDeptHead = $RetentionPolicyDeptHead $Script:CoaSkuInformationWorkers = $CoaSkuInformationWorkers $Script:CoaSkuFirstlineWorkers = $CoaSkuFirstlineWorkers $Script:CoaSkuFirstlineWorkersDisabledPlans = $CoaSkuFirstlineWorkersDisabledPlans $Script:CoaSkuInformationWorkersDisabledPlans = $CoaSkuInformationWorkersDisabledPlans $Script:CoaSkuExoArchive = $CoaSkuExoArchive $Script:CoaSkuExoAtp = $CoaSkuExoAtp $Script:CoaSkuEms = $CoaSkuEms $Script:StandardLicenseName = $standardLicenseName $Script:BasicLicenseName = $basicLicenseName $Script:Domain = $Domain } <# .Synopsis Use this cmdlet to view new variables over the default ones. .Description View the script variables that are in common use across the functions #> function Get-CoaVariables { [CmdletBinding()] $Private:CoaVariables = [ordered]@{ NumberOfDays = $Script:NumberOfDays; RoleAssignmentPolicy = $Script:RoleAssignmentPolicy; ClientAccessPolicyName = $Script:ClientAccessPolicyName; LitigationHoldDuration = $Script:LitigationHoldDuration; ExchangeOnlineAdminAccount = $Script:ExchangeOnlineAdminAccount; authOrig = $Script:authOrig RetentionPolicyE3 = $Script:RetentionPolicyE3; RetentionPolicyK1 = $Script:RetentionPolicyK1; RetentionPolicyTermOfficial = $Script:RetentionPolicyTermOfficial; RetentionPolicyDeptHead = $Script:RetentionPolicyDeptHead; CoaSkuInformationWorkers = $Script:CoaSkuInformationWorkers; CoaSkuFirstlineWorkers = $Script:CoaSkuFirstlineWorkers; CoaSkuInformationWorkersDisabledPlans = $Script:CoaSkuInformationWorkersDisabledPlans CoaSkuFirstlineWorkersDisabledPlans = $Script:CoaSkuFirstlineWorkersDisabledPlans CoaSkuExoArchive = $Script:CoaSkuExoArchive; CoaSkuExoAtp = $Script:CoaSkuExoAtp; CoaSkuEms = $Script:CoaSkuEms standardLicenseName = $Script:StandardLicenseName; basicLicenseName = $Script:BasicLicenseName; Domain = $Script:Domain; } Write-Output $Private:CoaVariables } #endregion #region: Mailbox Configuration function Set-CoaMailboxConfiguration { [CmdletBinding()] Param ( # Default -120. The number of days backward (negative) in time to gather new accounts and ensure they are in-policy. [Parameter()][int]$NumberOfDays = $Script:NumberOfDays, [string]$FileName = "MailboxConfiguration", [string]$RoleAssignmentPolicy = $Script:RoleAssignmentPolicy, [string]$ClientAccessPolicyName = $Script:ClientAccessPolicyName, [int]$LitigationHoldDuration = $Script:LitigationHoldDUration, [string]$ExchangeOnlineAdminAccount = $Script:ExchangeOnlineAdminAccount, [string]$RetentionPolicyE3 = $Script:RetentionPolicyE3, [string]$RetentionPolicyK1 = $Script:RetentionPolicyK1, [string]$CoaSkuInformationWorkers = $Script:CoaSkuInformationWorkers, [string]$CoaSkuFirstlineWorkers = $Script:CoaSkuFirstlineWorkers ) $logCode = "Start" $writeTo = "Starting Mailbox Configuration Script" Add-CoaWriteToLog -writeTo $writeTo -logCode $logCode -FileName $FileName $UserList = @() Clear-Variable UserList $Global:ErrorActionPreference = "Stop" $UserList = Get-Mailbox -ResultSize unlimited -Filter {(ArchiveStatus -eq $None)} | Where-Object {$_.WhenCreated -gt (get-date).AddDays($NumberOfDays)} | Select-Object -ExpandProperty userPrincipalName Write-Output "User count found: " + $UserList.Count $logCode = "Get" $writeTo = "User count found: " + $UserList.Count foreach ($upn in $UserList) { try { Add-MailboxPermission -identity $upn -User $ExchangeOnlineAdminAccount -AccessRights fullaccess -InheritanceType all -AutoMapping $false $writeTo = "Add-MailboxPermission: Successfully added $upn mailbox permission for $ExchangeOnlineAdminAccount" $logCode = "Success" Add-CoaWriteToLog -FileName $FileName -writeTo $writeTo -logCode $logCode } catch { Write-Output $_.Exception.Message $writeTo = "Add-MailboxPermission: FAILED added $upn mailbox permission for COA Admin" $logCode = "Error" Add-CoaWriteToLog -FileName $FileName -writeTo $writeTo -logCode $logCode } try { Set-Clutter -Identity $upn -Enable $false $writeTo = "Set-Clutter: Successfully set mailbox $upn clutter to false" $logCode = "Success" Add-CoaWriteToLog -FileName $FileName -writeTo $writeTo -logCode $logCode } catch { Write-Output $_.Exception.Message $writeTo = "Set-Clutter: FAILED set mailbox $upn clutter to false" $logCode = "Error" Add-CoaWriteToLog -FileName $FileName -writeTo $writeTo -logCode $logCode } $RecipientTypeDetails = (Get-Mailbox -Identity $upn).RecipientTypeDetails if ($RecipientTypeDetails -eq "UserMailbox") { try { Enable-Mailbox -identity $upn -Archive $writeTo = "Enable-Mailbox: identity $upn Archive" $logCode = "Success" Add-CoaWriteToLog -FileName $FileName -writeTo $writeTo -logCode $logCode } catch { Write-Output $_.Exception.Message $writeTo = "Enable-Mailbox: identity $upn Archive" $logCode = "Error" Add-CoaWriteToLog -FileName $FileName -writeTo $writeTo -logCode $logCode } try { Set-Mailbox -identity $upn -LitigationHoldEnabled $True -LitigationHoldDuration $LitigationHoldDuration -RoleAssignmentPolicy $RoleAssignmentPolicy $writeTo = "Set-Mailbox: Successfully set mailbox $upn litigation hold and assignment policy" $logCode = "Success" Add-CoaWriteToLog -FileName $FileName -writeTo $writeTo -logCode $logCode } catch { Write-Output $_.Exception.Message $writeTo = "Set-Mailbox: FAILED set mailbox $upn litigation hold and assignment policy" $logCode = "Error" Add-CoaWriteToLog -FileName $FileName -writeTo $writeTo -logCode $logCode } try { Set-CASMailbox -Identity $upn -OWAMailboxPolicy $ClientAccessPolicyName Set-CASMailbox -Identity $upn -PopEnabled $false Set-CASMailbox -Identity $upn -ImapEnabled $false $writeTo = "Set-CASMailbox: Successfully set mailbox $upn client access permissions" $logCode = "Success" Add-CoaWriteToLog -FileName $FileName -writeTo $writeTo -logCode $logCode } catch { Write-Output $_.Exception.Message $writeTo = "Set-CASMailbox: FAILED set mailbox $upn client access permissions" $logCode = "Error" Add-CoaWriteToLog -FileName $FileName -writeTo $writeTo -logCode $logCode } try { $upn = (Get-MsolUser -SearchString $upn).UserPrincipalName $LicenseLineItem = (Get-MSOLUser -UserPrincipalName $upn).Licenses.AccountSkuId } catch { Write-Output $_.Exception.Message $writeTo = "Get-MSOLUser -UserPrincipalName $upn FAILED" $logCode = "Error" Add-CoaWriteToLog -FileName $FileName -writeTo $writeTo -logCode $logCode Continue } # E3 if ($LicenseLineItem -contains $CoaSkuInformationWorkers) { try { Set-Mailbox -Identity $upn -RetentionPolicy $RetentionPolicyE3 $writeTo = "Set-Mailbox: Successfully set mailbox $upn policy to $RetentionPolicyE3" $logCode = "Success" Add-CoaWriteToLog -FileName $FileName -writeTo $writeTo -logCode $logCode } catch { Write-Output $_.Exception.Message $writeTo = "Set-Mailbox: FAILED set mailbox $upn policy to $RetentionPolicyE3" $logCode = "Error" Add-CoaWriteToLog -FileName $FileName -writeTo $writeTo -logCode $logCode } } # K1 if ($LicenseLineItem -contains $CoaSkuFirstlineWorkers) { try { Set-Mailbox -Identity $upn -RetentionPolicy $RetentionPolicyK1 $writeTo = "Set-Mailbox: Successfully set mailbox $upn policy to $RetentionPolicyK1" $logCode = "Success" Add-CoaWriteToLog -FileName $FileName -writeTo $writeTo -logCode $logCode } catch { Write-Output $_.Exception.Message $writeTo = "Set-Mailbox: FAILED set mailbox $upn policy to $RetentionPolicyK1" $logCode = "Error" Add-CoaWriteToLog -FileName $FileName -writeTo $writeTo -logCode $logCode } } Clear-Variable LicenseLineItem } Clear-Variable upn } Clear-Variable UserList $Global:ErrorActionPreference = "Continue" <# .Synopsis Post-creation Exchange Online mailbox configuration for new accounts. .Description These configuration modifications put the mailbox in-policy for COA business needs. .Parameter NumberOfDays Default -120. The number of days backward (negative!) in time to gather new accounts and ensure they are in-policy. .Example # Runs the configuration for the new mailboxes created in the past 120 days. Set-CoaMailboxConfiguration .Example # Runs the configuration for the new mailboxes created in the past 30 days. Set-CoaMailboxConfiguration -NumberOfDays 30 #> } #endregion #region: Sets Active Directory attributes for Exchange Online function OpenLog { $logCode = "Start" $writeTo = "Starting New User script" $CurrentFileName = "NewUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode Return; } function QueryAdToValidateUsers { param ([string]$samAccountName) $Global:ErrorActionPreference = "Stop" try { $mail = Get-ADUser $samAccountName -Properties mail | Select-Object mail -ExpandProperty mail if (!$mail) {$mail = "None set" } $department = Get-ADUser $samAccountName -Properties department | Select-Object department -ExpandProperty department $userAccountControl = Get-ADUser $samAccountName -Properties userAccountControl | Select-Object userAccountControl -ExpandProperty userAccountControl if ($userAccountControl -eq 514) { $userAccountControl = "User Disabled" } elseif ($userAccountControl -eq 512) { $userAccountControl = "Active" } elseif ($userAccountControl -eq 66048) { $userAccountControl = "Has a non-expiring password" } else { $problemUsers += $samAccountName $writeTo = "Get-ADUser: $samAccountName`t$userAccountControl" $logCode = "Error" $CurrentFileName = "NewUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode Write-Output "Get-ADUser: samAccountName cannot be found for $samAccountName" } $writeTo = "$samAccountName`t$userAccountControl`t$mail`t$department"; $logCode = "Start" $CurrentFileName = "NewUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode } catch { $problemUsers.Add($samAccountName); if ($samAccountName.Length -gt 20) { Write-Output $_.Exception.Message Write-Output "The user name $samAccountName is more than 20 characters" $writeTo = "The user name $samAccountName is more than 20 characters" $logCode = "Error" $CurrentFileName = "NewUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode } else { Write-Output $_.Exception.Message $writeTo = "Get-ADUser: samAccountName cannot be found for $samAccountName" $logCode = "Error" $CurrentFileName = "NewUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode } } $Global:ErrorActionPreference = "continue" Return; } #endregion #region: Sets the mail and SMTP attributes, if needed #region: Private functions for AD function SetMailAndSmtpAttributes { param([string]$user) $mail = Get-ADUser $user -Properties mail | Select-Object mail -ExpandProperty mail if (!$mail) { try { Set-ADUser -Identity $user -EmailAddress "$user@$Script:Domain" -ErrorAction Stop $writeTo = "Set-ADUser: Successfully added email address to $user@$Script:Domain" $logCode = "Success" } catch { Write-Output $_.Exception.Message $logCode = "Error" "Set-ADUser: $user Error: $_" | Tee-Object -Variable writeTo } $CurrentFileName = "NewUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode } Start-Sleep -Seconds 5 $mail = Get-ADUser $user -Properties mail | Select-Object mail -ExpandProperty mail $SMTP = Get-ADUser -Identity $user -Properties proxyaddresses | Select-Object proxyaddresses -ExpandProperty proxyaddresses if (!$SMTP) { try { Set-ADUser -Identity $user -Add @{Proxyaddresses = "SMTP:" + $mail } -ErrorAction Stop Set-ADUser -Identity $user -Add @{targetAddress = "SMTP:" + $mail } -ErrorAction Stop Set-ADUser -Identity $user -Replace @{mailNickname = $user} $writeTo = "Set-ADUser: Successfully set SMTP address to SMTP:$mail" $logCode = "Success" } catch { Write-Output $_.Exception.Message $logCode = "Error" "Set-ADUser: $user Error: $_" | Tee-Object -Variable writeTo } $CurrentFileName = "NewUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode } Return; } function SetLicenseAttributeE3 { param([string]$user) $extensionAttribute13 = Get-ADUser -Identity $user -Properties extensionAttribute13 | Select-Object -ExpandProperty extensionAttribute13 if (!$extensionAttribute13) { try { Set-ADUser -Identity $user -Add @{extensionAttribute13 = "E3"} -ErrorAction Stop $writeTo = "Set-ADUser`t$user`tSet extensionAttribute13 = E3" $logCode = "Success" $CurrentFileName = "NewUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode } catch { Write-Output $_.Exception.Message "Set-ADUser: $user Error: $_" | Tee-Object -Variable writeTo $logCode = "Error" $CurrentFileName = "NewUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode } } else { try { Set-ADUser -Identity $user -Replace @{extensionAttribute13 = "E3"} -ErrorAction Stop $writeTo = "Set-ADUser`t$user`tSet extensionAttribute13 = E3" $logCode = "Success" $CurrentFileName = "NewUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode } catch { Write-Output $_.Exception.Message "Set-ADUser: $user Error: $_" | Tee-Object -Variable writeTo $logCode = "Error" $CurrentFileName = "NewUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode } } } function SetLicenseAttributeK1 { param([string]$user) $extensionAttribute13 = Get-ADUser -Identity $user -Properties extensionAttribute13 | Select-Object -ExpandProperty extensionAttribute13 if (!$extensionAttribute13) { try { Set-ADUser -Identity $user -Add @{extensionAttribute13 = "K1"} -ErrorAction Stop $writeTo = "Set-ADUser`t$user`tSet extensionAttribute13 = K1" $logCode = "Success" $CurrentFileName = "NewUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode } catch { Write-Output $_.Exception.Message "Set-ADUser: $user Error: $_" | Tee-Object -Variable writeTo $logCode = "Error" $CurrentFileName = "NewUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode } } else { try { Set-ADUser -Identity $user -Replace @{extensionAttribute13 = "K1"} -ErrorAction Stop $writeTo = "Set-ADUser`t$user`tSet extensionAttribute13 = K1" $logCode = "Success" $CurrentFileName = "NewUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode } catch { Write-Output $_.Exception.Message "Set-ADUser: $user Error: $_" | Tee-Object -Variable writeTo $logCode = "Error" $CurrentFileName = "NewUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode } } } #endregion function Set-CoaExchangeAttributes { <# .Synopsis Sets new mailbox accounts up with the standard policies of COA .Description Sets new mailbox accounts up with: email address, customAttribute13, smtp, targetAddress .Example # Sets Exchange attributes of given single samAccountName with E3 New-CoaUser joe.crockett | Set-CoaExchangeAttributes .Example # Sets Exchange attributes of given single samAccountName with K1 New-CoaUser joe.crockett -Firstline | Set-CoaExchangeAttributes .Example # Sets Exchange attributes of prepopulated New-CoaUser New-CoaUser joe.crockett New-CoaUser heladio.martinez -Firstline Set-CoaExchangeAttributes #> [CmdletBinding()] Param ( [parameter( Position = 0, ValueFromPipeline = $false)] [System.Collections.Generic.List[UserObject]] $UserList = $Global:CoaUsersToWorkThrough, [parameter( Position = 1, ValueFromPipeline = $true)] [UserObject] $SingleUser ) $problemUsers = [System.Collections.Generic.List[System.Object]]::new(); OpenLog if ($SingleUser) { QueryAdToValidateUsers -samAccountName $SingleUser.samAccountName # Remove problem users SetMailAndSmtpAttributes -user $SingleUser.samAccountName if ($SingleUser.License -eq $Script:BasicLicenseName) { SetLicenseAttributeK1 -user $SingleUser.samAccountName } else { SetLicenseAttributeE3 -user $SingleUser.samAccountName } return $SingleUser } else { foreach ($samAccountName in $UserList ) { QueryAdToValidateUsers -samAccountName $samAccountName.samAccountName } foreach ($problemUser in $problemUsers) { $foundProblemUser = $UserList.Find( {param($u) $u.samAccountName -match $problemUser}) $UserList.Remove($foundProblemUser); } foreach ($user in $UserList) { SetMailAndSmtpAttributes -user $user.samAccountName } foreach ($user in $UserList) { if ($user.License -eq $Script:BasicLicenseName) { SetLicenseAttributeK1 -user $user.samAccountName } else { SetLicenseAttributeE3 -user $user.samAccountName } } } } #endregion #region: Sets ExO Attributes #region: Private functions for ExO function basicLicensePack { $O365License = New-MsolLicenseOptions -AccountSkuId $Script:CoaSkuFirstlineWorkers -DisabledPlans $Script:CoaSkuFirstlineWorkersDisabledPlans Return $O365License; } function standardLicensePack { $O365License = New-MsolLicenseOptions -AccountSkuId $Script:CoaSkuInformationWorkers -DisabledPlans $Script:CoaSkuInformationWorkersDisabledPlans Return $O365License; } function Set-ValidateUsersUpn { param([UserObject]$SingleUser); $user = $SingleUser.samAccountName; $arrayFromGet = @() $arrayFromGet += Get-MsolUser -SearchString $user | Select-Object UserPrincipalName -ExpandProperty UserPrincipalName if ($arrayFromGet.Count -eq 1) { $upn = $arrayFromGet[0] $writeTo = "Get-MsolUser`t$user`tSearchString returned: $upn" $logCode = "Get" $CurrentFileName = "NewUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode } else { if ($arrayFromGet.Count -gt 1) { $errMsg = "Either the samAccountName was empty, or the search returned more than one value." } else { $errMsg = "The user $user cannot be found in MSOL, and has been removed from processing." } $writeTo = $errMsg $logCode = "Else" $CurrentFileName = "NewUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode Write-Output $errMsg } if ($upn -like "*onmicrosoft*") { try { Set-MsolUserPrincipalName -UserPrincipalName $upn -NewUserPrincipalName "$user@$Script:Domain" -ErrorAction Stop $writeTo = "Set-MsolUserPrincipalName: Successfully set upn to $user@$Script:Domain" $logCode = "Success" } catch { Write-Output $_.Exception.Message $logCode = "Error" "Set-MsolUserPrincipalName: $upn Error: $_" | Tee-Object -Variable writeTo } $CurrentFileName = "NewUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode $upn = Get-MsolUser -UserPrincipalName "$user@$Script:Domain" | Select-Object UserPrincipalName -ExpandProperty UserPrincipalName $script:upnArray.Add($SingleUser) Return; } elseif ($upn -like "*$Script:Domain") { $script:upnArray.Add($SingleUser) $writeTo = "Get-MsolUserPrincipalName: UPN need not be set" $logCode = "Get" $CurrentFileName = "NewUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode Return; } else { $writeTo = "The user $user cannot be found in MSOL, and has been removed from processing." $logCode = "Error" $CurrentFileName = "NewUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode Write-Output $writeTo Exit; } } function SetLicense { param([string]$upn, [string]$Licenses, [System.Object]$O365License, [string]$sys_created_by, [string]$licenseDisplayName); $Location = (Get-MSOLUser -UserPrincipalName $upn).UsageLocation if (!$Location) { try { Set-MsolUser -UserPrincipalName $upn -UsageLocation "US" -ErrorAction Stop $writeTo = "Set-MsolUser: Successfully set location for $upn" $logCode = "Success" } catch { Write-Output $_.Exception.Message $logCode = "Error" "Set-MsolUser: $upn Error: $_" | Tee-Object -Variable writeTo } $CurrentFileName = "NewUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode } $LicenseLineItem = @() $LicenseLineItem = (Get-MSOLUser -UserPrincipalName $upn).Licenses.AccountSkuId if ($LicenseLineItem -contains $Script:CoaSkuInformationWorkers -or $LicenseLineItem -contains $Script:CoaSkuFirstlineWorkers) { $writeTo = "Get-MsolUserLicense: $upn already contains: $LicenseLineItem" $logCode = "Get" $CurrentFileName = "NewUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode } else { try { Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $Licenses -LicenseOptions $O365License -ErrorAction Stop $LicenseLineItem = (Get-MSOLUser -UserPrincipalName $upn).Licenses.AccountSkuId Write-Output "An Office 365 account has been created for $upn. The account has been assigned a $licenseDisplayName license." $writeTo = "Set-MsolUserLicense: Successfully added $LicenseLineItem to $upn" $logCode = "Success" $CurrentFileName = "NewUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode } catch { Write-Output $_.Exception.Message $logCode = "Error" "Set-MsolUserLicense: $upn Error: $_" | Tee-Object -Variable writeTo $CurrentFileName = "NewUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode } if ($LicenseLineItem -contains $Script:CoaSkuFirstlineWorkers ) { try { Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $Script:CoaSkuExoArchive -ErrorAction Stop $writeTo = "Set-MsolUserLicense: identity $upn Archive" $logCode = "Success" $CurrentFileName = "NewUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode } catch { Write-Output $_.Exception.Message $logCode = "Error" "Set-Mailbox: FAILED adding Archive license TO $UPN" | Tee-Object -Variable writeTo $CurrentFileName = "NewUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode } } try { Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $Script:CoaSkuEms -ErrorAction Stop $writeTo = "Set-MsolUserLicense: Successfully added EMS to $upn" $logCode = "Success" $CurrentFileName = "NewUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode } catch { $logCode = "Error" "Set-Mailbox: FAILED adding EMS license TO $UPN" | Tee-Object -Variable writeTo $CurrentFileName = "NewUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode } } } #endregion <# .SYNOPSIS Sets the Exchange Online Attributes after a sync .DESCRIPTION Once a new user object has been created, and a sync has been performed, this cmdlet will add the attributes needed in Exchange Online .PARAMETER UserList Uses the NewCoaUser objects that were created prior to running the cmdlet; .PARAMETER SingleUser Uses the NewCoaUser objects that were created with the pipeline cmdlet; .EXAMPLE Set-CoaExoAttributes -UserList $CoaUsersToWorkThrough .EXAMPLE New-CoaUser test.user | Set-CoaExchangeAttributes | Set-CoaExoAttributes #> function Set-CoaExoAttributes { [CmdletBinding()] Param ( [parameter( Position = 0, ValueFromPipeline = $false)] [System.Collections.Generic.List[UserObject]] $UserList = $Global:CoaUsersToWorkThrough, [parameter( Position = 1, ValueFromPipeline = $true)] [UserObject] $SingleUser ) $script:upnArray = [System.Collections.Generic.List[UserObject]]::new(); $script:standardUsers = [System.Collections.Generic.List[System.Object]]::new(); $script:basicUsers = [System.Collections.Generic.List[System.Object]]::new(); [System.Object]$O365License; OpenLog if ($SingleUser) { Set-ValidateUsersUpn -SingleUser $SingleUser $upn = $SingleUser.samAccountName.ToString() $upn += "@" $upn += $Script:Domain $local:baseUpn = $SingleUser.samAccountName.ToString() Add-CoaWriteToLog -writeTo "$local:baseUpn`t$upn" -logCode "Info" -FileName "NewUser" if ($SingleUser.License -eq $Script:BasicLicenseName) { $licenseDisplayName = "Basic" $pack = basicLicensePack $license = $Script:CoaSkuFirstlineWorkers SetLicense -upn $upn -Licenses $license -O365License $pack -sys_created_by $sys_created_by -licenseDisplayName $licenseDisplayName $Global:CoaUsersToWorkThrough.Remove($SingleUser); } else { $licenseDisplayName = "Standard" $pack = standardLicensePack $license = $Script:CoaSkuInformationWorkers SetLicense -upn $upn -Licenses $license -O365License $pack -sys_created_by $sys_created_by -licenseDisplayName $licenseDisplayName $Global:CoaUsersToWorkThrough.Remove($SingleUser); } } else { foreach ($user in $UserList) { Set-ValidateUsersUpn -SingleUser $user if ($user.license -eq $Script:StandardLicenseName) { $script:standardUsers.Add($user); } if ($user.license -eq $Script:BasicLicenseName) { $script:basicUsers.Add($user); } } foreach ($upnFO in $script:upnArray) { $upn = $upnFO.samAccountName.ToString() $upn += "@" $upn += $Script:Domain $local:baseUpn = $upnFO.samAccountName.ToString() Add-CoaWriteToLog -writeTo "$local:baseUpn`t$upn" -logCode "Info" -FileName "NewUser" :outer foreach ($user in $script:standardUsers) { $samAccountName = $user.samAccountName.ToString() $sys_created_by = $env:USERNAME.ToString() if ($samAccountName -eq $local:baseUpn) { $licenseDisplayName = "Standard" $pack = standardLicensePack $license = $Script:CoaSkuInformationWorkers SetLicense -upn $upn -Licenses $license -O365License $pack -sys_created_by $sys_created_by -licenseDisplayName $licenseDisplayName $Global:CoaUsersToWorkThrough.Remove($upnFO); break :outer } } foreach ($user in $script:basicUsers) { $samAccountName = $user.samAccountName.ToString() $sys_created_by = $env:USERNAME.ToString(); if ($samAccountName -eq $local:baseUpn) { $licenseDisplayName = "Basic" $pack = basicLicensePack $license = $Script:CoaSkuFirstlineWorkers SetLicense -upn $upn -Licenses $license -O365License $pack -sys_created_by $sys_created_by -licenseDisplayName $licenseDisplayName $Global:CoaUsersToWorkThrough.Remove($upnFO); break :outer } } } $Global:CoaUsersToWorkThrough.Clear() } } #endregion #region: Private Remove-CoaUser functions function Remove-CoaUserActiveDirectory { param ( # User to update attributes in active directory [Parameter(Mandatory = $true)] [string] $SamAccountName ) try { Set-ADUser $SamAccountName -Replace @{authOrig = $Script:authOrig} -ErrorAction Stop $writeTo = "Set-ADUser`t$SamAccountName`tReplace authOrig" $logCode = "Success" $CurrentFileName = "RemoveUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode } catch { Write-Output $_.Exception.Message $writeTo = "Set-ADUser`t$SamAccountName`tCould not replace authOrig`t${$_.Exception.Message}" $logCode = "Error" $CurrentFileName = "RemoveUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode } try { Set-ADUser $SamAccountName -Replace @{msExchHideFromAddressLists = "TRUE"} -ErrorAction Stop $writeTo = "Set-ADUser`t$SamAccountName`tReplace msExchHideFromAddressLists" $logCode = "Success" $CurrentFileName = "RemoveUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode } catch { Write-Output $_.Exception.Message $writeTo = "Set-ADUser`t$SamAccountName`tCould not replace msExchHideFromAddressLists`t${$_.Exception.Message}" $logCode = "Error" $CurrentFileName = "RemoveUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode } try { Get-ADPrincipalGroupMembership -Identity $SamAccountName | Select-Object samAccountName -ExpandProperty samAccountName | ForEach-Object { $groupName = $_ if ($groupName -ne "Domain Users") { try { Remove-ADPrincipalGroupMembership -Identity $SamAccountName -MemberOf $groupName -Confirm:$false -ErrorAction Stop $writeTo = "Remove-ADPrincipalGroupMembership:`t$SamAccountName`t$groupName" $logCode = "Success" $CurrentFileName = "RemoveUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode } catch { Write-Output $_.Exception.Message $writeTo = "Remove-ADPrincipalGroupMembership:`t$SamAccountName`t$groupName" $logCode = "Error" $CurrentFileName = "RemoveUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode } } } } catch { Write-Output $_.Exception.Message $writeTo = "Set-ADUser`t$SamAccountName`tCould not find for Group Membership`t${$_.Exception.Message}" $logCode = "Error" $CurrentFileName = "RemoveUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode } } function Remove-CoaUserMsol { param ( # User to update attributes in Microsoft Online [Parameter(Mandatory = $true)] [string] $SamAccountName ) [string]$upn = "" $arrayFromGet = @() $arrayFromGet += Get-MsolUser -SearchString $SamAccountName | Select-Object UserPrincipalName -ExpandProperty UserPrincipalName if ($arrayFromGet.Count -eq 1) { $upn = $arrayFromGet[0] $writeTo = "Get-MsolUser`t$SamAccountName`tSearchString returned: $upn" $logCode = "Get" $CurrentFileName = "RemoveUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode } else { if ($arrayFromGet.Count -gt 1) { $errMsg = "Either the samAccountName was empty, or the search returned more than one value." } else { $errMsg = "The user $SamAccountName cannot be found in MSOL, and has been removed from processing." } $writeTo = $errMsg $logCode = "Else" $CurrentFileName = "RemoveUser" Add-CoaWriteToLog -FileName $CurrentFileName -writeTo $writeTo -logCode $logCode Write-Output $errMsg # Need to skip to the next iteration break } $LicenseLineItem $LicenseLineItem = (Get-MSOLUser -UserPrincipalName $upn).Licenses.AccountSkuId Add-CoaWriteToLog -writeTo "Get-MsolUser`t$upn`t$LicenseLineItem" -logCode "Success" -FileName "RemoveUser" try { Set-MsolUserLicense -UserPrincipalName $upn -RemoveLicenses $LicenseLineItem -ErrorAction Stop -ErrorVariable err Add-CoaWriteToLog -writeTo "Set-MsolUserLicense`tRemove`t$upn`t$LicenseLineItem" -logCode "Success" -FileName "RemoveUser" } catch { Write-Output $_.Exception.Message Add-CoaWriteToLog -writeTo "Set-MsolUserLicense`tRemove`t$upn`t$licenses`t${$_.Exception.Message}" -logCode "Error" -FileName "RemoveUser" } } function Set-CoaUserRetentionPolicy { param ( # User to update attributes in Exchange Online [Parameter(Mandatory = $true)] [string] $SamAccountName ) try { # Get Mailbox and turn the retention, type, ProhibitSendReceiveQuota, ProhibitSendQuota, IssueWarningQuota Set-Mailbox -identity $SamAccountName -RetentionPolicy $Script:RetentionPolicyTermOfficial -ErrorAction Stop Add-CoaWriteToLog -writeTo "Set-Mailbox`t$SamAccountName`t$Script:RetentionPolicyTermOfficial" -logCode "Success" -FileName "RemoveUser" } catch { Write-Output $_.Exception.Message Add-CoaWriteToLog -writeTo "Set-Mailbox`t$SamAccountName`t$Script:RetentionPolicyTermOfficial`t${$_.Exception.Message}" -logCode "Error" -FileName "RemoveUser" } } #endregion #region: New-CoaUser class UserObject { [string]$samAccountName [string]$License } $Global:CoaUsersToWorkThrough = [System.Collections.Generic.List[UserObject]]::new(); <# .SYNOPSIS Creates the new user object that can be used by other cmdlets to complete the attributes needed for new user creation. .DESCRIPTION A new user consists of the SamAccountName and which license you will assign. This cmdlet preps those two things, and can hand them off to Set-CoaExchangeAttributes, Set-CoaExoAttributes to complete the attributes needed for new user creation .PARAMETER SamAccountName Specifies the samAccountName for the user .PARAMETER Firstline Switch used to make the user a Firstline worker; default is Enterprise worker .EXAMPLE New-CoaUser joe.crockett .EXAMPLE New-CoaUser joe.crockett -Firstline #> function New-CoaUser { [CmdletBinding()] Param ( [parameter(Mandatory = $true, Position = 0)] [string]$SamAccountName, [switch]$Firstline ) $user = $null $user = [UserObject]::new() if ($Firstline) { $user.License = $Script:BasicLicenseName } else { $user.License = $Script:StandardLicenseName } $user.samAccountName = $samAccountName $Global:CoaUsersToWorkThrough.Add($user) if ($Global:CoaUsersToWorkThrough.Count -eq 1) { return $user } else { Write-Output $Global:CoaUsersToWorkThrough } } <# .SYNOPSIS Clears that variable CoaUsersToWorkThrough .DESCRIPTION When you use the New-CoaUser, it stores the users in a global variable called CoaUsersToWorkThrough. .EXAMPLE Clear-CoaUser #> function Clear-CoaUser { $Global:CoaUsersToWorkThrough.Clear() } #endregion #region: Remove-CoaUser <# .SYNOPSIS Removes the user's license & user groups, and updates the attributes on the AD object. .DESCRIPTION Removes the user's license and updates the following attributes: authOrig, msExchHideFromAddressLists; also removes the groups the user is a member of. .PARAMETER SamAccountName Specifies the samAccountName for the user .PARAMETER CommaSeparatedSamAccountNames A comma separated list of samAccountNames to work through .EXAMPLE # Removes the user license, groups, and updates the attributes for one account Remove-CoaUser -SamAccountName test.user .EXAMPLE # Removes the user license, groups, and updates the attributes for a comma separated list of users Remove-CoaUser -CommaSeparatedSamAccountNames "test.user1","test.user2","test.user3" #> function Remove-CoaUser { [CmdletBinding(, DefaultParameterSetName = "SingleUser")] param( [parameter(Position = 0, Mandatory = $true, ParameterSetName = "SingleUser")] [string]$SamAccountName, # Parameter for taking comma separated samAccountNames [Parameter(Position = 0, Mandatory = $true, ParameterSetName = "MultipleUsers")] [string[]] $CommaSeparatedSamAccountNames ) if ($PSCmdlet.ParameterSetName -eq "SingleUser") { Remove-CoaUserActiveDirectory -SamAccountName $SamAccountName Remove-CoaUserMsol -SamAccountName $SamAccountName Set-CoaUserRetentionPolicy -SamAccountName $SamAccountName } else { foreach ($IndividualUser in $CommaSeparatedSamAccountNames) { Write-Output $IndividualUser Remove-CoaUserActiveDirectory -SamAccountName $IndividualUser Remove-CoaUserMsol -SamAccountName $IndividualUser Set-CoaUserRetentionPolicy -SamAccountName $IndividualUser } } } #endregion Set-CoaVariables Export-ModuleMember -Function Set-CoaMailboxConfiguration, Set-CoaExchangeAttributes, Set-CoaExoAttributes, New-CoaUser, Get-CoaVariables, Set-CoaVariables, Clear-CoaUser, Remove-CoaUser |