Public/Update-Employees.ps1

function Update-Employees
{
    [CmdletBinding(PositionalBinding = $true)]
    param
    (
        [Parameter(Mandatory = $true)][object[]]$AdUsers,
        [Parameter(Mandatory = $true)][object[]]$SyncHrEmployees,
        [Parameter(Mandatory = $false)][string[]]$ExemptOu
    )

    $employees = $SyncHrEmployees | ? {
        $_.empNo.Length -gt 3
    }
    

    $validAdUsers = $AdUsers | ? {
        $_.SamAccountName -notmatch '^da\.|^svc\.'
    }
    

    $progressObj = @{
        count     = $employees.Count
        countDown = $employees.Count
        countUp   = 0
    }

    $returnObj = New-Object -TypeName psobject -Property @{
        updates      = @()
        terminations = @()
        newHires     = @()
    }
    

    try
    {
        foreach ($emp in $employees)
        {

            Write-Progress -Activity "Processing SHR User: $($emp.fname) $($emp.lname)" -Status "$(($progressObj).countDown) Users Remaining.."  `
                -PercentComplete (($($progressObj.countUp) / $($progressObj.count)) * 100) -ErrorAction Ignore

            $progressObj.countDown--
            $progressObj.countUp++

            $userEmployeeNumber = Convert-SyncHrEmpNo -SyncHrEmpNo $emp.empNo
            
            if ($userEmployeeNumber -notmatch '\d+')
            {
                continue
            }

            $adUser = $null
            $adUser = $validAdUsers | ? { $_.EmployeeNumber -eq $userEmployeeNumber }
        
            if (!$adUser)
            {
                if ($emp.emplStatusDescription -eq 'Active Employee') 
                {
                    # new hire!
                    
                    $newAdUser = New-AdUserFromSyncHr -SyncHrNewHire $emp

                    $returnObj.newHires += New-Object psobject -Property @{
                        FirstName      = $emp.fname
                        LastName       = $emp.lname
                        LoginName      = $newAdUser.SamAccountName
                        Password       = $newAdUser.newPassword
                        Title          = $emp.positionTitle
                        Manager        = $newAdUser.maangerName
                        Office         = $newAdUser.Office
                        HireDate       = $emp.emplHireDate
                        EmployeeNumber = $newAdUser.EmployeeNumber
                        Action         = 'NewUser'
                        Result         = $newAdUser.Result

                    } | select FirstName, LastName, LoginName, Password, Title, Manager, Office, HireDate, EmployeeNumber, Action, Result
                }
                
                continue
            }

            if ($adUser.Count -gt 1)
            {
                Write-Log -LogText "MULTIPLE MATCHES in AD >> $($emp.fName) $($emp.lName) $($emp.empNo) ($($userEmployeeNumber))" -LogType warning
                continue
            }

            if ($emp.emplStatusDescription.Length -lt 1) 
            {
                Write-Log "Skipping user with invalid emplStatusDescription: $($emp.fName) $($emp.lName) $($emp.empNo) ($($adUser.EmployeeNumber)) >> emplStatusDescription: ""$($emp.emplStatusDescription)""" -LogType: warning
                continue
            }

            # check to see if user is in exempt ou
            $userOU = ($adUser.DistinguishedName -split ",", 2)[1]
            $ouMatch = $null
            $ouMatch = $ExemptOu | ? { $_ -eq $userOU } | select -First 1

            if ($ouMatch) 
            {
                Write-Log "Skipping user in exempt OU: $($emp.fName) $($emp.lName) $($emp.empNo) ($($adUser.EmployeeNumber)) >> $($adUser.DistinguishedName) in OU: ""$($ouMatch)""" -LogType: warning
                continue
            }

            if ($adUser.Enabled -eq $false)
            {
                continue
            }

            
            $changeObj = New-Object psobject -Property @{
                FirstName   = $adUser.GivenName
                LastName    = $adUser.Surname
                LoginName   = $adUser.SamAccountName

                SHR_EmpNo   = $emp.empNo
                SHR_Status  = $emp.emplStatusDescription

                Enabled_old = $null
                Enabled_new = $null

                Manager_old = $null
                Manager_new = $null

                Title_old   = $null
                Title_new   = $null

                Office_old  = $null
                Office_new  = $null

                Address_old = $null
                Address_new = $null

                Action      = $null
                Result      = $null
            }

            $selectOrder = @(
                'FirstName'
                'LastName'
                'LoginName'
                'SHR_EmpNo'
                'SHR_Status'
                'Enabled_old'
                'Enabled_new'
                'Manager_old'
                'Manager_new'
                'Title_old'
                'Title_new'
                'Office_old'
                'Office_new'
                'Address_old'
                'Address_new'
                'Action'
                'Result'
            )

            $changeObj = $changeObj | select $selectOrder

            $changes = @{}

            # enabled
            if ($emp.emplStatusDescription -notmatch 'Active Employee|On Leave') 
            {
                Write-Log "Disabling employee: $($emp.fName) $($emp.lName) $($emp.empNo) ($($adUser.EmployeeNumber)) >> emplStatusDescription: ""$($emp.emplStatusDescription)"""

                $changes += @{
                    Enabled = $false
                    Description = "Disabled by SyncHR Script $((Get-Date).ToString('yyyy-MM-dd hh:mm tt')) :: SHR Status: $($emp.emplStatusDescription)"
                }

                $changeObj.Enabled_old = $adUser.enabled
                $changeObj.Enabled_new = $false

            }
            else
            {

                # manager
                if ($emp.manager_empNo.Length -gt 3)
                {
                    $managerEmployeeNumber = Convert-SyncHrEmpNo -SyncHrEmpNo $emp.manager_empNo

                    $adManager = $null
                    $adManager = $validAdUsers | ? { $_.EmployeeNumber -eq $managerEmployeeNumber }

                    if ($adManager -and ($adUser.Manager -ne $adManager.DistinguishedName))
                    {
                        if ($adManager.SamAccountName -eq 'ACCOBCM') 
                        {
                            Write-Log "Skipping manager update for someone reporting to due to known issue." -LogType: warning
                        }
                        else 
                        {
                            Write-Log "Manager update: $($emp.fName) $($emp.lName) $($emp.empNo) ($($adUser.EmployeeNumber)) >> Old Manager: ""$($adUser.Manager)"" >> New Manager: ""$($adManager.DistinguishedName)"""

                            $changes += @{Manager = $adManager.DistinguishedName }
    
                            $changeObj.Manager_old = "$($adUser.GivenName) $($adUser.Surname)"
                            $changeObj.Manager_new = "$($adManager.GivenName) $($adManager.Surname)"
                        }

                    }

                }


                # title
                if ($adUser.Title -ne $emp.positionTitle)
                {
                    Write-Log "Title update: $($emp.fName) $($emp.lName) $($emp.empNo) ($($adUser.EmployeeNumber)) >> Old Title: ""$($adUser.Title)"" >> New Title: ""$($emp.positionTitle)"""
                
                    $changes += @{Title = $emp.positionTitle }

                    $changeObj.Title_old = $adUser.Title
                    $changeObj.Title_new = $emp.positionTitle

                }

                # office
                if ($adUser.Office -ne $emp.location_name)
                {
                    Write-Log "Office update: $($emp.fName) $($emp.lName) $($emp.empNo) ($($adUser.EmployeeNumber)) >> Old Office: ""$($adUser.Office)"" >> New Office: ""$($emp.location_name)"""
                
                    $changes += @{Office = $emp.location_name }

                    $changeObj.Office_old = $adUser.Office
                    $changeObj.Office_new = $emp.location_name
                }

                # address
                if (
                    $adUser.StreetAddress -ne $emp.location_street -or 
                    $adUser.City -ne $emp.location_city -or 
                    $adUser.State -ne $emp.location_state -or 
                    $adUser.PostalCode -ne $emp.location_zip)
                {

                    $changeObj.Address_old = @($adUser.StreetAddress, $adUser.City, $adUser.State, $adUser.PostalCode) -join " "
                    $changeObj.Address_new = @($emp.location_street, $emp.location_city, $emp.location_state, $emp.location_zip) -join " "


                    Write-Log "Address update: $($emp.fName) $($emp.lName) $($emp.empNo) ($($adUser.EmployeeNumber)) >> Old Address: ""$($changeObj.Address_old)"" >> New Address: ""$($changeObj.Address_new)"""
                
                    $changes += @{
                        StreetAddress = $emp.location_street
                        City          = $emp.location_city
                        State         = $emp.location_state
                        PostalCode    = $emp.location_zip
                    }


                }

            }



            # perform changes if there are any
            if ($changes.Count -gt 0)
            {

                $changes += @{Identity = $adUser.ObjectGUID.GUID }

                try
                {
                    Set-ADUser @changes -ErrorAction: Stop -Verbose
                    $changeObj.Result = 'OK'
                }
                catch
                {
                    Write-Log "Error performing Set-AdUser on user: $($emp.fName) $($emp.lName) $($emp.empNo) ($($adUser.EmployeeNumber)). Changes: $($changes | ConvertTo-Json -Compress)"  -LogType: error -ErrorObject $_
                    $changeObj.Result = "ERROR: $($_.Exception.Message)"
                }

                if ($changes.Enabled -eq $false)
                {
                    $changeObj.Action = 'Termination'
                    $returnObj.terminations += $changeObj | select FirstName, LastName, LoginName, SHR_EmpNo, SHR_Status, Action, Result
                }
                else
                {
                    $changeObj.Action = 'Update'
                    $returnObj.updates += $changeObj
                }

            }

            

        }
    }
    catch
    {
        Write-Log "Unhandled exception" -LogType: error -ErrorObject $_
        return
    }

    Write-Progress -Activity "Complete"  -Completed: $true

    $returnObj.updates = $returnObj.updates | Sort-Object Title_new, Manager_new, Enabled_new, Office_new, Address_new

    return $returnObj
    


}