Tags: powershell, active-directory, quest

Returning and saving all Unix Attributes for users in a specific OU


As part of our company policy, all employees who have left the company keep their Active Directory accounts, which are disabled and moved to a specific OU. There are several parts to this process which need to be automated, but a significant part is unchecking the "Unix Enabled" property from the ADUC MMC and clearing all Unix attributes. These actions are not always performed, so I am tasked with cleaning it up. I am fairly new to PowerShell, but have a reasonable enough understanding of it to work out a solution. I believe the script below should do it (formatted for better visibility):

# Line continuation backticks added so the wrapped command parses as one pipeline
Get-ADUser -SearchBase "OU=Disabled Accounts,OU=AnotherOU,DC=mycompany,DC=com" `
    -Filter {(Enabled -eq $false)} -Properties SamAccountName | ForEach-Object {
        # Clear the Unix attributes, then turn off Unix-enabled for the account
        Clear-QasUnixUser $_.SamAccountName
        Disable-QasUnixUser $_.SamAccountName
    }

It may not be the most elegantly written script, but it seems to work as intended. Of course, it will be run in a test environment prior to production.

My dilemma:

I need to return all of the attributes that will be cleared by these commands before I run them (for the purposes of backing out) and I don't believe Get-QasUnixUser alone does this. Can anyone give me an idea of how to approach returning all of this information, and perhaps some professional insight as to how to sort it based on user? I know that links are not considered appropriate answers, but I also understand the scope of the question I am asking, so any assistance would be greatly appreciated.


Solution

  • Looking at the docs for QAS, it looks like they use the out of the box schema for their purposes. Newer versions appear to use the altSecurityIdentities attribute while older versions appear to consume the various SFU attributes that come with Windows. You might try using ldifde to take a snapshot of a user, enable them for QAS, take another LDIF snapshot, and diff the files as one approach to seeing what all QAS changes.

    You can use the Properties parameter of Get-ADUser to provide a list of attributes you want back. It will be natively sorted by user, but the Sort-Object cmdlet gives you the ability to tweak that order.
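One way to put the answer's Properties/Sort-Object suggestion into practice before running the clearing script, as an added example that is not part of the question or the answer. It assumes the RSAT ActiveDirectory module, the standard RFC 2307/SFU schema attributes shipped with Windows (uidNumber, gidNumber, unixHomeDirectory, loginShell, gecos, uid, msSFU30NisDomain) plus altSecurityIdentities, and a writable backup path; the attribute list is an assumption to be confirmed against your own ldifde before/after diff, since QAS versions differ in what they populate.

```powershell
# Added example: snapshot the Unix attributes of every disabled user in the OU
# to a timestamped CSV, one row per user, so the values can be restored later.
Import-Module ActiveDirectory

$SearchBase = "OU=Disabled Accounts,OU=AnotherOU,DC=mycompany,DC=com"
$BackupCsv  = "C:\Backups\UnixAttributes-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"

# Assumed attribute set (standard SFU/RFC 2307 names + altSecurityIdentities).
# Extend it if your ldifde diff shows QAS touching anything else.
$UnixAttrs = @(
    'uidNumber', 'gidNumber', 'unixHomeDirectory', 'loginShell',
    'gecos', 'uid', 'msSFU30NisDomain', 'altSecurityIdentities'
)

function Get-UnixAttributeBackup {
    param([string]$OU, [string[]]$Attributes)

    $users = Get-ADUser -SearchBase $OU -Filter { Enabled -eq $false } `
        -Properties $Attributes

    foreach ($u in $users) {
        $row = [ordered]@{
            SamAccountName    = $u.SamAccountName
            DistinguishedName = $u.DistinguishedName
        }
        foreach ($a in $Attributes) {
            # Multi-valued attributes (uid, altSecurityIdentities) are joined
            # with ';' so they survive the CSV round trip; unset ones become "".
            $row[$a] = @($u.$a | ForEach-Object { "$_" }) -join ';'
        }
        [pscustomobject]$row
    }
}

$rows = Get-UnixAttributeBackup -OU $SearchBase -Attributes $UnixAttrs |
    Sort-Object SamAccountName

$rows | Export-Csv -Path $BackupCsv -NoTypeInformation -Encoding UTF8

# Report which accounts still carry any Unix data, i.e. the ones the
# Clear-QasUnixUser / Disable-QasUnixUser run will actually change.
$stillSet = $rows | Where-Object {
    $r = $_; ($UnixAttrs | Where-Object { $r.$_ -ne '' }).Count -gt 0
}
Write-Host ("Saved {0} users to {1}; {2} still have Unix attributes set" -f `
    @($rows).Count, $BackupCsv, @($stillSet).Count)
```

Keep the CSV with the change record; because every value is stored under its LDAP attribute name, a row can be fed back to Set-ADUser -Replace if an account has to be re-enabled.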