I'm having an issue with a script I've been working on. The script should first load a number of modules, then load some stored creds and connect to the Office 365/Exchange Online environment.
It then pulls a list of non-disabled users from a specified OU and gives an Exchange Online mailbox Full Access rights to those users' mailboxes. Once that's done it uses the MessageOps Exchange Migrator to export the contents of the mailbox to a specified location. The output from the Exchange Migrator includes several lines of data which can be checked. If the Result from the Exchange Migrator is "Successful" then it should proceed with disabling the AD account and taking its group memberships and putting them in the Notes field for the account and then removing the account from those groups. If it outputs something other than "Successful" for results it should write the entire output to a log file.
So far everything is working fine except for the part where the group memberships are removed. I seem to have gotten the looping wrong somewhere. It tries to remove the user from its groups 3 times. Everything works the first time, but the following 2 times it proceeds to vomit up errors saying it's not in that group, for obvious reasons. I'm at a loss as to why it would attempt to remove the user from those groups multiple times and could use some help cleaning this up.
Any assistance would be appreciated.
#Declare export path
$ExportFolder = "\\on-fs-01\users\TerminatedUsers"
$ExportLogs = "\\on-fs-01\users\TerminatedUsers\Exportlogs\log.txt"

function clean-disabledOU {
    # Uses $user as set by the calling foreach loop
    Disable-ADAccount -identity $user.SAMAccountName
    # Copy group memberships to Notes field and remove group memberships
    if ($user.memberof -ne $null) {
        $notes = [string]$user.memberof
        set-qaduser $user.SamAccountName -notes $notes
        $groups = $user.memberof
        foreach ($group in $groups) {$user.memberof | remove-adgroupmember -Members $user.SAMAccountName -confirm:$false}
    }
}

#Load required modules
Add-PSSnapin Quest.ActiveRoles.ADManagement
Import-Module ActiveDirectory
import-module Messageops-Migrator
import-module msonline

#Admin Credentials
$powerUser = "Account Username"
$powerPass = "Account Password"
$password = ConvertTo-SecureString $powerPass -AsPlainText -Force
$creds = New-Object -TypeName System.Management.Automation.PSCredential -argumentlist $powerUser,$password

#Get Remote Powershell Connection
if ((Get-PSSession | Where-Object {$_.ConfigurationName -eq "Microsoft.Exchange"}) -eq $null) {
    $psCred = $creds
    $rpRemotePowershell = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -credential $psCred -Authentication Basic -AllowRedirection
    $importresults = Import-PSSession $rpRemotePowershell
}

#Create an array of users who are in a specific OU that are NOT disabled.
$users = get-aduser -searchbase "OU=Autodisable Test,DC=medspring,DC=local" -Filter * -Properties memberof | where {$_.enabled -eq $true}

#Apply full access rights to the mailboxes to be exported to
foreach ($user in $users) {add-mailboxpermission $user.userprincipalname -user service.account@medspring.com -accessrights fullaccess -confirm:$false}

foreach ($user in $users) {
    $results = Export-MessageOps.ToPST -DestinationDirectory $ExportFolder -SourceMailbox $user.userprincipalname -Credential $creds -Mailbox
    # Subexpressions are needed to expand object properties inside a string
    echo "Export of $($user.userprincipalname)","$($results.result)"
    if ($results.result -like "Successful") {clean-disabledou}
    # Write the full migrator output to the log when the export did not succeed
    elseif ($results.result -notlike "Successful") {$results | out-file $exportlogs -append}
}

remove-pssession $rpRemotePowershell
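
Why the removal repeats, as an added example that is not part of the original post: the `foreach` in `clean-disabledOU` runs once per group, and each pass pipes the entire `memberof` list to `remove-adgroupmember`, so an account in three groups gets three full passes. `Remove-MemberStub`, `Reset-Membership`, the `jdoe` account and the sample group DNs are constructed stand-ins so the comparison runs without Active Directory.

```powershell
# Constructed sample data: one user who is a member of three groups.
$sampleGroups = @(
    'CN=Staff,OU=Groups,DC=example,DC=local',
    'CN=VPN Users,OU=Groups,DC=example,DC=local',
    'CN=Finance,OU=Groups,DC=example,DC=local'
)
$user = [pscustomobject]@{ SamAccountName = 'jdoe'; MemberOf = $sampleGroups }

$script:membership = New-Object 'System.Collections.Generic.HashSet[string]'
$script:failures = 0

# Hypothetical stand-in for Remove-ADGroupMember: takes the group from the
# pipeline and counts a failure when the user is no longer a member of it.
function Remove-MemberStub {
    param(
        [Parameter(ValueFromPipeline = $true)][string]$Identity,
        [string]$Members
    )
    process {
        if (-not $script:membership.Remove($Identity)) { $script:failures++ }
    }
}

# Hypothetical helper: put the user back in all sample groups, zero the counter.
function Reset-Membership {
    $script:failures = 0
    $script:membership.Clear()
    foreach ($g in $sampleGroups) { [void]$script:membership.Add($g) }
}

# Pattern from the post: the loop variable $group is never used, and every
# iteration sends the whole MemberOf collection down the pipeline.
Reset-Membership
foreach ($group in $user.MemberOf) {
    $user.MemberOf | Remove-MemberStub -Members $user.SamAccountName
}
"Whole list piped on every pass: $($script:failures) failed removals"

# Per-group form: each iteration acts only on the current $group.
# With the real cmdlet this is:
#   Remove-ADGroupMember -Identity $group -Members $user.SamAccountName -Confirm:$false
Reset-Membership
foreach ($group in $user.MemberOf) {
    $group | Remove-MemberStub -Members $user.SamAccountName
}
"One group per pass: $($script:failures) failed removals"
```

Dropping the `foreach` and keeping only the single pipeline `$user.memberof | remove-adgroupmember ...` gives the same one-pass result.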