Automating export of Exchange mailboxes and deletion of Active Directory User Accounts


As part of an ongoing push toward process refinement, I wanted to automate a manual process. The process starts at the end of employee termination, after an AD account has been disabled. With that in mind, I outlined the objectives for the automated scheduled task.

  1. Export Exchange mailboxes from an OU to PST.
  2. Export a list of users from an OU whose last logon date is more than 30 days old.
  3. Delete the users from an OU whose last logon date is more than 30 days old.

Prerequisites:

  • A Windows 7 system added to your domain (i.e. garzafx.lcl)
  • Install Microsoft Office 2010 or Office 2013.
  • Exclude the Windows 7 system from automatic Windows updates. The reason for the exclusion: periodically an Office update breaks the client-side export from Exchange.
  • Install Exchange Management Tools matching the version number on the Exchange server.
  • Download and install “Remote Server Administration Tools” on Win 7 [KB958830: http://www.microsoft.com/download/en/details.aspx?id=7887]
  1. Create a folder named C:\psts.
  2. Create a PowerShell file named export-mail.ps1 inside C:\psts.
  3. Copy the script below and paste it into export-mail.ps1:

# Add the Exchange snap-in so the Exchange cmdlets are available in this script

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin

# Get mailboxes for disabled users, add rights for service account

Get-Mailbox -OrganizationalUnit "Disabled Users" | Add-MailboxPermission -User "garza\powershell" -AccessRights FullAccess -InheritanceType All

# Export mailboxes with no confirmation to directory, setting a limit for corrupt items to 10,000

Get-Mailbox -OrganizationalUnit "Disabled Users" | Export-Mailbox -PSTFolderPath "C:\PSTs\" -Confirm:$false -BadItemLimit 10000

# Enable Active Directory PowerShell, then get AD users over 30 days old from the Disabled Users OU, export to a file with a date stamp, then delete

Import-Module ActiveDirectory

# -Properties LastLogonDate is required: Get-ADUser does not return it by default,
# and a missing ($null) value compares as less than any date, which would match every user in the OU.

Get-ADUser -SearchBase "OU=Disabled Users,DC=lkm,DC=sungardps,DC=lcl" -Filter * -Properties LastLogonDate | where { $_.LastLogonDate -lt (Get-Date).AddDays(-30) } | Export-Csv "c:\psts\delete_ad_users_lkm_$((Get-Date).ToString('MM-dd-yyyy_hh-mm')).csv"

# -Confirm:$false is needed because Remove-ADUser prompts by default and the scheduled task runs unattended

Get-ADUser -SearchBase "OU=Disabled Users,DC=lkm,DC=sungardps,DC=lcl" -Filter * -Properties LastLogonDate | where { $_.LastLogonDate -lt (Get-Date).AddDays(-30) } | Remove-ADUser -Confirm:$false

4. Create a service account, powershell@garzafx.lcl, with the appropriate rights (i.e. Domain Admins and Exchange Organizational Admins).

5. Create or relabel an OU for DISABLED USERS in the root of Active Directory. This can be whatever you want, just modify the script as necessary.

6. Create a scheduled task labeled: export-mail.

7. Run under service account (i.e. powershell@garzafx.lcl).

8. Select the option “Run whether user is logged on or not.”

9. Choose, “Run with highest privileges enabled.”

10. Select trigger options (i.e. every day, 7am) and verify status, enabled.

11. Under the Actions tab, select “Start a Program.”

12. For Program/script enter: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

13. Under “Add arguments”, enter: -Command "& 'C:\psts\export-mail.ps1'"

14. Click OK and enter credentials when prompted.

The key objectives for the task were to provide a daily routine that exports mailboxes, writes a copy of the expiring accounts to CSV, and then deletes accounts older than 30 days. The process has served as a primer for other tasks. The main change here was adding the Exchange permissions and the time stamp on the daily CSV file.
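The deletion step above hinges on LastLogonDate, which Get-ADUser returns only when requested with -Properties, and a missing value compares as older than any date. The following is an added example, not part of the original script: the function name Select-StaleDisabledUser and the sample accounts are constructed for illustration, and the syntax is kept compatible with PowerShell 2.0 on Windows 7.

```powershell
# Hypothetical helper (added example): pick only accounts that are safe to delete.
function Select-StaleDisabledUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)] $User,
        [int] $Days = 30,
        [datetime] $Now = (Get-Date)
    )
    begin { $cutoff = $Now.AddDays(-$Days) }
    process {
        # Never select an account that is still enabled, even if it sits in the OU.
        if ($User.Enabled) { return }
        # $null -lt <date> evaluates to $true, so an absent LastLogonDate
        # (never logged on, or property not requested) must be skipped explicitly.
        if ($null -eq $User.LastLogonDate) {
            Write-Warning "Skipping $($User.SamAccountName): no LastLogonDate"
            return
        }
        if ($User.LastLogonDate -lt $cutoff) { $User }
    }
}

# Constructed sample objects standing in for Get-ADUser output.
$now = Get-Date '2024-06-30'
$sample = @(
    (New-Object PSObject -Property @{ SamAccountName = 'old.disabled';    Enabled = $false; LastLogonDate = $now.AddDays(-45) }),
    (New-Object PSObject -Property @{ SamAccountName = 'recent.disabled'; Enabled = $false; LastLogonDate = $now.AddDays(-5) }),
    (New-Object PSObject -Property @{ SamAccountName = 'never.loggedon';  Enabled = $false; LastLogonDate = $null }),
    (New-Object PSObject -Property @{ SamAccountName = 'old.enabled';     Enabled = $true;  LastLogonDate = $now.AddDays(-90) })
)

# Capture the selection once so the CSV record and the deletion use the same list.
$stale = @($sample | Select-StaleDisabledUser -Days 30 -Now $now)
$stale | Select-Object SamAccountName, LastLogonDate

# Against the directory, review with -WhatIf before removing it:
# $ou    = 'OU=Disabled Users,DC=lkm,DC=sungardps,DC=lcl'
# $stale = @(Get-ADUser -SearchBase $ou -Filter * -Properties LastLogonDate |
#            Select-StaleDisabledUser -Days 30)
# $stale | Export-Csv "c:\psts\delete_ad_users_lkm_$((Get-Date).ToString('MM-dd-yyyy_hh-mm')).csv"
# $stale | Remove-ADUser -WhatIf
```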
