User Termination PowerShell Steps
Change FLast to the terminated user's username (sAMAccountName) and $disabledOU to the OU the account should be moved to
$Username = Get-ADUser -Identity "FLast"   # errors out if the account does not exist, rather than silently returning nothing
$disabledOU = "OU=Disabled Accounts,DC=company,DC=local"
Get the user's group memberships (excluding the primary group, Domain Users, which cannot be removed this way), list them, then remove the user from each of them
$groups = Get-ADPrincipalGroupMembership -Identity $Username | Where-Object -Property "Name" -ne "Domain Users"
$groups | Select-Object @{Name=$Username.Name;Expression={$_.Name}}
ForEach($group in $groups) {Remove-ADPrincipalGroupMembership -Identity $Username -MemberOf $group.Sid -Confirm:$False}
Clear the user’s manager field
Set-ADUser -Identity $Username -Manager $Null
Hide the user from the Exchange address lists
Set-ADObject -Identity $Username -replace @{msExchHideFromAddressLists=$true;}
Set the on-prem object's Exchange attributes to those of a remote shared mailbox
Set-ADObject -Identity $Username -replace @{msExchRecipientDisplayType=-2147483642;}
Set-ADObject -Identity $Username -replace @{msExchRecipientTypeDetails=34359738368;}
Set-ADObject -Identity $Username -replace @{msExchRemoteRecipientType=100;}
Set the description to the disabled date
Set-ADObject -Identity $Username -Description "Disabled $(get-date -Format 'yyyy/MM/dd')"
Generate a random 20-character string and set the user’s password to it:
$Password = -join ((33..126) | Get-Random -Count 20 | ForEach-Object {[char]$_})   # Get-Random is not a cryptographic RNG; acceptable only because the account is disabled below
$Password   # echoes the new password; it will also land in any PowerShell transcript or console history
Set-ADAccountPassword -Identity $Username -Reset -NewPassword (ConvertTo-SecureString -AsPlainText -String $Password -Force)
Disable the user’s AD account
Disable-ADAccount -Identity $Username
Move the user to the disabled OU specified above
Move-ADObject -Identity $Username -TargetPath $disabledOU
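The same steps wrapped in one function, as an added example rather than part of the original runbook: it supports -WhatIf for a dry run, uses a cryptographic RNG for the throwaway password, and re-reads the object afterwards to confirm each step actually took effect. It assumes the ActiveDirectory module is loaded, the function and parameter names are invented, and the default OU is the one used above.

```powershell
function Disable-TerminatedUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$DisabledOU = "OU=Disabled Accounts,DC=company,DC=local"   # assumed target OU
    )
    $user = Get-ADUser -Identity $SamAccountName
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Terminate account")) {
        # Everything except the primary group (Domain Users), which cannot be removed this way
        Get-ADPrincipalGroupMembership -Identity $user |
            Where-Object { $_.Name -ne "Domain Users" } |
            ForEach-Object { Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $_ -Confirm:$false }
        Set-ADUser -Identity $user -Manager $null -Description "Disabled $(Get-Date -Format 'yyyy/MM/dd')"
        # One write for all four Exchange attributes (same values as the runbook above)
        Set-ADObject -Identity $user -Replace @{
            msExchHideFromAddressLists = $true
            msExchRecipientDisplayType = -2147483642
            msExchRecipientTypeDetails = 34359738368
            msExchRemoteRecipientType  = 100
        }
        # 20 printable ASCII chars (33..126) from a cryptographic RNG; bytes >= 188 are
        # rejected so the modulo does not bias the distribution (188 = 2 * 94 symbols)
        $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
        $byte = [byte[]]::new(1); $chars = [System.Collections.Generic.List[char]]::new()
        while ($chars.Count -lt 20) {
            $rng.GetBytes($byte)
            if ($byte[0] -lt 188) { $chars.Add([char](33 + ($byte[0] % 94))) }
        }
        $secure = ConvertTo-SecureString -String (-join $chars) -AsPlainText -Force
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure   # never echoed or logged
        Disable-ADAccount -Identity $user
        Move-ADObject -Identity $user -TargetPath $DisabledOU
    }
    # Post-check: re-read the object and report whether every step took effect
    $after = Get-ADUser -Identity $SamAccountName -Properties MemberOf, Manager, Description
    [pscustomobject]@{
        User         = $SamAccountName
        Disabled     = -not $after.Enabled
        NoGroups     = $after.MemberOf.Count -eq 0
        NoManager    = $null -eq $after.Manager
        InDisabledOU = $after.DistinguishedName -like "*,$DisabledOU"
        Description  = $after.Description
    }
}

# Dry run first (ShouldProcess returns $false, so nothing is written to AD), then the real run
Disable-TerminatedUser -SamAccountName 'FLast' -WhatIf
Disable-TerminatedUser -SamAccountName 'FLast'
```

A row with any $false in the returned object means that step needs to be investigated before the ticket is closed.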