私は PowerShell を学んでおり、サービス デスク アプリケーションから送信された Webhook を介して AD アカウントの無効化を自動化したいと考えていますがattribute1、同じEmployeeID.
エラーは発生しないが、アカウントがOUを無効化/移動しない、または一致しないエラーが発生するため、配列の結果をパイプに渡すのに苦労しています。
param
(
[Parameter(Mandatory=$false)]
[object] $WebhookData
)
Import-Module ActiveDirectory
#define useful constants
$date = Get-Date -UFormat "%d.%m.%y"
$monthyear = get-date -UFormat "%Y-%m"
$exactdate = Get-Date -UFormat "%d.%m.%y @ %H.%M.%S"
$year = get-date -UFormat "%Y"
#$scriptdir = Split-Path -Parent -Path $MyInvocation.MyCommand.Definition
$errorlog = "D:\errors $exactdate .txt"
$shortdomains = "domain1","domain2","domain3"
$domain1disabledou = "OU=$monthyear,OU=$year,OU=Disabled,DC=domain1,DC=com"
$domain2disabledou = "OU,$monthyear,OU=$year,OU=Disabled,DC=domain2,DC=com"
$domain3disabledou = "OU=$monthyear,OU=$year,OU=Disabled,DC=domain3,DC=com"
$domain1server = "dc1.domain1.com"
$domain2server = "dc2.domain2.com"
$domain3server = "dc3.domain3.com"
#pull user from POST request body
$user = ($webhookdata.RequestBody | ConvertFrom-Json).Workflow.RequestedBy
$dn = $user.Ext_AcfUserDistinguishedNameTf #this is the distinguishedname of the account sent via webhook
$dn1 = $user.attribute1 #this is the employeeid supplied by webhook
#getting the accounts
$array = @()
$dcs = "dc1.domain1.com","dc2.domain2.com","dc3.domain3.com"
foreach ($dc in $dcs){
$array += get-aduser -filter {Employeeid -eq "$dn1" -or Extensionattribute1 -eq "$dn1" } -
Properties Distinguishedname -server $dc }
$array = $array | select distinguishedname
switch -Regex ($array.distinguishedname)
{
'DC=dc1,DC=domain1,DC=com$'
{
#setup for domain1 users
$targetou = $domain1disabledou
$server = $domain1server
$cred = Get-AutomationPSCredential -Name "domain1cred"
break
}
'DC=dc2,DC=domain2,DC=com$'
{
#setup for domain2 users
$targetou = $domain2disabledou
$server = $domain2server
$cred = Get-AutomationPSCredential -Name "domain2cred"
break
}
'DC=dc3,DC=domain3,DC=com'
{
#setup for domain3 users
$targetou = $domain3disabledou
$server = $domain3server
$cred = Get-AutomationPSCredential -Name "domain3cred"
break
}
default
{
write-output "No match"
exit
}
}
$array = @()
$dcs = "dc1.domain1.com","dc2.domain2.com","dc3.domain3.com"
foreach ($dc in $dcs){
$array += get-aduser -filter {Employeeid -eq "$dn1" -or Extensionattribute1 -eq "$dn1" } -Properties * -server $dc }
$aduser = get-aduser -identity $array.samaccountname -server $server -credential $cred -properties *
$ou = $aduser.CanonicalName -split '/'
$ou = $ou[0..($ou.Count – 2)] -join '/'
foreach ($user in $aduser) set-aduser -identity $user.samaccountname -server $server -credential $cred -Enabled $false -Replace @{info="Former OU - $ou"}
if($ou -notlike "*Disabled*")
{
$aduser | Move-ADObject -TargetPath $targetou -Server $server -Credential $cred
}
else
{
#payload
$payload = @{
"text" = "user already in disabled OU"
"username" = "$dn"
"employeeID" = "$dn1"}
}
{
Invoke-WebRequest -UseBasicParsing `
-Body (ConvertTo-Json -Compress -InputObject $payload) `
-Method Post `
-Uri "https://return webhook url
}
aduserを使用して無効にする方が簡単だと思うので、2 番目の配列を追加して ID を変更する必要がありましsamaccountnameた。