Employee Termination Process - AD accounts, Exchange, etc

In an effort to automate as much as possible, I’m beginning to script user account deactivation, similar to what I’ve done for user account creation.

Here’s my typical process before automating:

  1. Reset User’s Password
  2. Deactivate User’s account
  3. Document all groups user was a member of
  4. Check if the user had access to any other user’s mailbox/calendar/etc.
  5. Remove user from all groups
  6. Remove permissions the user may have had
  7. Set autoreply to something generic “this individual is no longer receiving email at this address”
  8. Archive mailbox to PST
  9. Copy PST & user documents to backup folder and remove from network fileshare
  10. Archive backup folder to MDisc (yeah… but better than just deleting)
  11. Grant manager full access to mailbox and offer a copy of user files
  12. Wait a month
  13. Delete mailbox

As of now, I have a script that will:

  1. Document groups a user is a member of (to a log file and to the clipboard if I want to add it to my OneNote document)
  2. Remove the user from those groups
  3. Reset the user’s password (just in case… I don’t know why I do this, more habit than anything)
  4. Disable the user’s account
  5. Archive mailbox to PST

Am I missing something obvious?

I’m also tempted to create another script that will check to see if the archive exists where it is expected and if it the archive is 30 days old. In the event it is, the user is not a member of any groups, and the user account is disabled, then Remove the mailbox so the user account gets deleted.


Just trying to make this simple so I can repeat it accurately (not so much for the time savings, although that is nice).

I’d love to take a look at your script, that’s basically what we do just all manually. Sometimes I wonder why I bother making a PST nobody has ever needed old emails from a user here after their mailbox has been deleted. Better safe than sorry I guess.

Here’s what I have, but it is likely a terrible (but convenient) way to do this, so you should probably improve on it or never use it. :slight_smile:

Write-Host "This tool will copy a user's existing groups to the clipboard, then disable their accounts and remove them from all groups".
$log_path = "l:\scripts\logs\"

$identity = Read-Host -Prompt 'Identity for who you would like to prep for deletion (blank to cancel)'

if(!$identity) {

$filename = "$log_path$identity - deactivation - $(get-date -f yyyy-MM-dd).txt"

Get-ADPrincipalGroupMembership -Identity $identity | foreach { $_.Name } | out-string | clip
Get-ADPrincipalGroupMembership -Identity $identity | select name | export-csv -path $filename

Write-Host "A list of Groups $user is a member of has been copied to the clipboard and saved to $filename."

$user = Get-ADUser -Identity $identity -Properties MemberOf

Add-Content $filename "nnRemoving from all groups except domain users"

foreach($group in ($user | Select-Object -ExpandProperty MemberOf))
Add-Content $filename "Removing $identity from $group"
Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
Add-Content $filename "`nDone removing $identity from their group(s)"
Write-Host "Done removing $identity from their groups"

Disable-ADAccount -Identity $identity

Write-Host "nn=====nUser account for $identity has been dsabledn=====`n"

Set-ADAccountPassword -Identity $identity -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "thisisnotwhatIreallyuse!" -Force)

ADD-Content $filename "nn==nPassword for $identity has been resetn==`n"
Write-Host "Password for $identity has been reset"

New-MailboxExportRequest -Mailbox $identity -Filepath \path\to\backups\mailboxes\$identity.pst

Obviously, there is a lot to change before using it. Most notably the password and file paths. I don’t know why I change the password, but it feels more secure to me for some reason.

(edited because “preformatted text” doesn’t add newlines like I expected, switched to blockquote)

I too complete many of these steps manually but it looks like you have pretty much everything covered as far as your IT exit strategy.
What thing that has bitten me a few times when people transition off of staff is iPhone users lose their contacts and notes if they chose to sync them with Exchange when they setup their email account on their device. When I disable their license in the 0365 portal, their contacts and notes are gone.
I had to enable their AD account, re-assign their license, then export their contacts and notes to a .csv file and email it their personal email for them to import.

I’ll have to revisit all of this when we go O365 for Exchange.

the New-MailboxExportRequest generates a PST file that I can open in Outlook in order to export to CSV.

Based on this thread, it looks like you can grant an admin access to exporting a mailbox in O365:

I have also run into this issue @abaker. Another one that has popped up recently is the OneDrive files from the previous employee. If these are not copied somewhere else they will be deleted in 30 days.

Nice script!
You could easily apply this to o365 by importing the modules. Also, you might consider using native PowerShell, or SetACL, to remove folder permissions so that you aren’t left with ghost sid’s after you completely delete the account.

Hey Jesse,
Thanks for that information on OneDrive. That’ one more question to add to the HR exit interview. :slight_smile:
Not to mention and SharePoint groups they might be members of and have collaborated and saved documents on those individual group pages.
Sounds like I need to revamp my IT exit processes as well!

Sharepoint content will remain because they don’t “own” it, the site does.

Thanks James! Good to know. One last thing to worry about.