I'm having an issue with a script I've been working on. The script should first load a number of modules, then load some stored creds and connect to the Office 365/Exchange Online environment.
It then pulls a list of non disabled users from a specified OU and gives an Exchange Online mailbox Full Access rights to those user's mailboxes. Once that's done it uses the MessageOps Exchange Migrator to export the contents of the mailbox to a specified location. The output from the Exchange Migrator includes several lines of data which can be checked. If the Result from the Exchange Migrator is "Successful" then it should proceed with disabling the AD account and taking it's group memberships and putting them in the Notes field for the account and then removing the account from those groups. If it outputs something other than "Successful" for results it should write the entire output to a log file.
So far everything is working fine except for the part where the group memberships are removed. I seem to have gotten the looping wrong somewhere. It tries to remove the user from it's groups 3 times. Everything works the first time, but the following 2 times it proceeds to vomit up errors saying it's not in that group, for obvious reasons. I'm at a loss as to why it would attempt to remove the user from those groups multiple times and could use some help cleaning this up.
Any assistance would be appreciated.
#Declare export path
$ExportFolder = "\\on-fs-01\users\TerminatedUsers"
$ExportLogs = "\\on-fs-01\users\TerminatedUsers\Exportlogs\log.txt"
function clean-disabledOU
{
Disable-ADAccount -identity $user.SAMAccountName
# Copy group memberships to Notes field and remove group memberships
if ($user.memberof -ne $null)
{
$notes= [string]$user.memberof
set-qaduser $user.SamAccountName -notes $notes
$groups= $user.memberof
foreach ($group in $groups) {$user.memberof | remove-adgroupmember -Members $user.SAMAccountName -confirm$false}
}
}
#Load required modules
Add-PSSnapin Quest.ActiveRoles.ADManagement
Import-Module ActiveDirectory
import-module Messageops-Migrator
import-module msonline
#Admin Credentials
$powerUser = "Account Username"
$powerPass = "Account Password"
$password = ConvertTo-SecureString $powerPass -AsPlainText -Force
$creds = New-Object -TypeName System.Management.Automation.PSCredential -argumentlist $powerUser,$password
#Get Remote Powershell Connection
if ((Get-PSSession | Where-Object {$_.ConfigurationName -eq "Microsoft.Exchange"}) -eq $null){
$psCred = $creds
$rpRemotePowershell = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -credential $psCred -Authentication Basic -AllowRedirection
$importresults = Import-PSSession $rpRemotePowershell
}
#Create an array of users who are in a specific OU that are NOT disabled.
$users= get-aduser -searchbase "OU=Autodisable Test,DC=medspring,DC=local" -Filter * -Properties memberof | where {$_.enabled -eq $true}
#Apply full access rights to the mailboxes to be exported to
foreach ($user in $users) {add-mailboxpermission $user.userprincipalname -user service.account@medspring.com -accessrights fullaccess -confirm$false}
foreach ($user in $users)
{
$results = Export-MessageOps.ToPST -DestinationDirectory $ExportFolder -SourceMailbox $user.userprincipalname -Credential $creds -Mailbox
echo "Export of $user.userprincipalname","$results.result"
if ($results.result -like "Successful") {clean-disabledou}
elseif ($results.result -notlike "Successful") {out-file $exportlogs -append}
}
remove-pssession $rpremotepowershell