Just wanted to follow up on this and provide the finalized scripts I'm using for our deprovision command. Since we have both ActiveSync devices and a heavily terminal-server / Citrix environment, these might help other people. (I love that you guys have a support forum that is searchable, it helps give me new ideas of ways to use Adaxes.)
If the User has an Exchange mailbox then:
Modify mailbox settings for the User: set Hide from Exchange address lists to 'True'
Run powershell script 'wipe activesync devices' for the User:
```powershell
$exchangeServer = "companydag1.companyname.local" # TODO: fix this for your domain!
# TODO/INFO: Depending on your load balancer (for a DAG environment), using your public CNAME
# (mail.company.com) may not work here. We use a Kemp LB and it automatically redirects http to
# https, which then fails because the Exchange default SSL certificate used for the /powershell
# directory doesn't match the hostname you are referencing (mail.company.com). The DAG virtual
# name/IP doesn't go through a load balancer, so using this is a safe bet in most environments.
# If you don't have a DAG, the internal hostname of your Exchange server is probably best.
# Exchange 2013 here...
$session = New-PSSession -ConnectionUri "http://$exchangeServer/powershell" -ConfigurationName Microsoft.Exchange
Import-PSSession -Session $session -AllowClobber -DisableNameChecking
# %username% is an Adaxes value reference; it is resolved to the target user's name before the script runs
$Target = "%username%"
# Issue a remote wipe to every ActiveSync/mobile device partnered with the mailbox
Get-MobileDeviceStatistics -Mailbox $Target | ForEach-Object { Clear-MobileDevice -Identity $_.Identity -Confirm:$false }
Remove-PSSession -Session $session
```
Always
Modify the User: Disable the account
Modify the User: set Description to 'deprovisioned on %datetime% by %initiator%. %description%'
Always
Run powershell script 'delete TSProfile' for the User:
```powershell
# Get Remote Desktop Services profile path (TSProfile)
$rdsProfilePath = $Context.TargetObject.TerminalServicesProfilePath
# Nothing to do if the attribute is unset or blank (a blank string would make Test-Path throw)
if ([string]::IsNullOrEmpty($rdsProfilePath))
{
    return
}
# Test the Remote Desktop Services profile path
if (Test-Path -Path $rdsProfilePath)
{
    # Delete Remote Desktop Services profile
    Remove-Item -Path $rdsProfilePath -Force -Recurse
}
else
{
    $Context.LogMessage("Couldn't find TS profile path: $rdsProfilePath", "Warning")
}
# Test for V2 Profile - Server 2008+ will have "username.V2" profiles along with "username"
if (Test-Path -Path "$rdsProfilePath.V2")
{
    Remove-Item -Path "$rdsProfilePath.V2" -Force -Recurse
}
else
{
    $Context.LogMessage("Couldn't find 2008R2 TS profile path: $rdsProfilePath.V2", "Warning")
}
```
If the 'Home Directory' property is not empty then
Run powershell script 'clean & move H: drive' for the User:
```powershell
$rootDirectoryPath = "\\ourfile1\users\!disabled" # TODO: modify for your environment, if you save Home folders
$uhome = $Context.TargetObject.HomeDirectory
# Clean a few things before move...
# Usage: $Context.LogMessage("Message", "Error/Warning/Information")
if (Test-Path "$uhome\desktop.ini")
{
    # This keeps your "disabled" folder from being full of things called "My Documents" in an Explorer view.
    $Context.LogMessage("Cleaning out desktop.ini so the folder name isn't `"My Documents`"...", "Information")
    Remove-Item "$uhome\desktop.ini" -Force
}
# TODO: we keep Cookies in Home drive so they aren't copied back and forth during logon/logoff
# in tsprofile. You may not need this section.
if (Test-Path "$uhome\Cookies")
{
    $Context.LogMessage("Removing Cookies folder (this can take a while)...", "Information")
    Remove-Item "$uhome\Cookies" -Recurse -Force
}
# TODO: We also redirect the OutlookTemp folder outside of the normal profile so users don't get a random
# "access denied" when they try to save a file they were previewing in Outlook. You may not need this either.
if (Test-Path "$uhome\OutlookTemp")
{
    $Context.LogMessage("Removing OutlookTemp folder...", "Information")
    Remove-Item "$uhome\OutlookTemp" -Recurse -Force
}
# TODO: this is a line-of-business app we redirect as well, but it's temp data and can be wiped.
if (Test-Path "$uhome\Allscripts")
{
    $Context.LogMessage("Found probable Allscripts Cache, removing it...", "Information")
    Remove-Item "$uhome\Allscripts" -Recurse -Force
}
# Build path to a folder with the current date, check whether it exists
$date = (Get-Date).ToString("yyyy-MM-dd")
$path = "$rootDirectoryPath\$date"
if (!(Test-Path -Path $path))
{
    # The folder doesn't exist, create it (Out-Null keeps the new DirectoryInfo object out of the script output)
    New-Item -ItemType Directory -Path $path | Out-Null
}
# Build new home directory path for the user under the dated folder
# (%sAMAccountName% is an Adaxes value reference, resolved before the script runs)
$path = "$path\%sAMAccountName%"
if (Test-Path -Path $path)
{
    $Context.LogMessage("Found a folder matching `"$path`" already? Going to clobber it...", "Information")
}
# Finally, move the home directory
$Context.TargetObject.MoveHomeDirectory($path, $NULL)
```
Always
Run powershell script 'move to today's Disabled OU' for the User:
```powershell
$disabledUsersOuDN = "OU=Disabled Accounts,DC=ourcompany,DC=local" # TODO: change for your domain!
# Build path to the OU for users disabled today
$date = (Get-Date).ToString("yyyy-MM-dd")
$ouDN = "OU=$date," + $disabledUsersOuDN
try
{
    # Bind to the OU for users disabled today
    $ou = $Context.BindToObjectByDN($ouDN)
}
catch
{
    # The OU doesn't exist, create it under the parent 'Disabled Accounts' OU
    $disabledUsersOU = $Context.BindToObjectByDN($disabledUsersOuDN)
    $ou = $disabledUsersOU.Create("organizationalUnit", "OU=$date")
    $ou.Put("description", "Users Deprovisioned on $date")
    $ou.SetInfo()
}
# Move the target user
$ou.MoveHere($Context.TargetObject.AdsPath, $NULL)
```
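One guard worth putting in front of the `Remove-Item -Recurse -Force` calls in both the 'delete TSProfile' and 'clean & move H: drive' scripts above: each of them deletes whatever path a directory attribute points at, so a blank, relative, or share-root value in that attribute would wipe the wrong thing. The helper below is an added example, not code from the original post or from Adaxes; `Test-PathUnderRoot` and `$allowedRoots` are assumed names and the root shares are placeholders.

```powershell
# Added example (not from the original post): only allow a recursive delete when the path is a UNC
# path strictly below one of the roots where profiles/home folders are expected to live.
# $allowedRoots is an assumed name; replace with the shares your environment actually uses.
$allowedRoots = @("\\ourfile1\tsprofiles", "\\ourfile1\users") # TODO: your profile/home shares

function Test-PathUnderRoot {
    param(
        [string]$Path,
        [string[]]$Roots
    )
    # Blank or non-UNC (relative, drive-letter) paths are never acceptable for a recursive delete
    if ([string]::IsNullOrWhiteSpace($Path) -or -not $Path.StartsWith("\\")) { return $false }
    # Normalise: collapse '..' segments and drop trailing separators before comparing
    $full = [System.IO.Path]::GetFullPath($Path).TrimEnd("\")
    foreach ($root in $Roots) {
        $r = [System.IO.Path]::GetFullPath($root).TrimEnd("\")
        # Require at least one segment below the root, so the share root itself is never the target
        if ($full.Length -gt ($r.Length + 1) -and
            $full.StartsWith("$r\", [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# Usage in place of the bare Remove-Item call in the TS profile script
$rdsProfilePath = $Context.TargetObject.TerminalServicesProfilePath
if (Test-PathUnderRoot -Path $rdsProfilePath -Roots $allowedRoots) {
    Remove-Item -Path $rdsProfilePath -Force -Recurse
}
else {
    # Log and stop rather than delete: the value came from a writable directory attribute
    $Context.LogMessage("Refusing to delete '$rdsProfilePath': not below an allowed root", "Error")
}
```

The same check applies to `$uhome` in the H: drive script before its `Remove-Item` calls.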