PowerShell - Off-boarding Script
-
I have been working on automating some of the off-boarding process. I have come up with this script that works, with the exception of carrying over the password variable from the beginning and using it in the Office 365 section. The password that I enter is 16 characters and should conform to the Office 365 password policy. Is it possible to carry that variable ($SecurePW) into the Office 365 side?
Import-Module ActiveDirectory

$sAMAccountName = Read-Host -Prompt "Enter sAMAccountName"
$SecurePW = Read-Host -Prompt "Enter a RESET Password" -AsSecureString

# Set AD attributes to hide user's O365 mailbox from address lists and change password
Set-ADUser $sAMAccountName -Replace @{msExchHideFromAddressLists = $true}
Set-ADUser $sAMAccountName -Replace @{MailNickName = "$sAMAccountName"}
Set-ADAccountPassword $sAMAccountName -Reset -NewPassword $SecurePW

# Connect to O365 and convert user's mailbox to shared
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking
Set-Mailbox [email protected] -Type Shared
Connect-MsolService -Credential $UserCredential
Set-MsolUserPassword -UserPrincipalName [email protected] -NewPassword $SecurePW -ForceChangePassword $False
Remove-PSSession $Session

# Remove AD user from local groups
Get-ADUser -Identity $sAMAccountName -Properties MemberOf | ForEach-Object {
    $_.MemberOf | Remove-ADGroupMember -Members $_.DistinguishedName -Confirm:$false
}
Disable-ADAccount -Identity $sAMAccountName
The error I get is-
Set-MsolUserPassword : The password is invalid. Choose another password that contains 8 to 16 characters, a combination of letters, and at least one number or symbol.
At \\FP02\it\Scripts\Offboarding\OffboardingV1.ps1:13 char:1
+ Set-MsolUserPassword –UserPrincipalName [email protected] ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Set-MsolUserPassword], MicrosoftOnlineException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.InvalidPasswordException,Microsoft.Online.Administration.Automation.SetUserPassword
-
It wants a string and you're giving it a SecureString
-
@flaxking said in PowerShell - Off-boarding Script:
It wants a string and you're giving it a SecureString
OK. How can you tell that?
-
@wrx7m said in PowerShell - Off-boarding Script:
@flaxking said in PowerShell - Off-boarding Script:
It wants a string and you're giving it a SecureString
OK. How can you tell that?
On your read-host you have -AsSecureString to convert it.
Set-ADAccountPassword documentation shows it takes a SecureString for the password
Set-MsolUserPassword documentation shows it takes just a string for the password
If you run GetType() on your variable it should tell you it is a secure string
-
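A way to confirm the mismatch flaxking describes without digging through documentation, added here as an example that is not part of the thread: it reads the password parameter's declared type from each cmdlet's own metadata and compares it with the type of the variable. It assumes the ActiveDirectory and MSOnline modules are installed on the machine; the cmdlet and parameter names are the ones used in the script above, and Get-PasswordParameterType is a helper name chosen for this example.

```powershell
# Added example: report what type each cmdlet expects for its password
# parameter and what type the variable actually holds. Assumes the
# ActiveDirectory and MSOnline modules are installed on this machine.

function Get-PasswordParameterType {
    param(
        [Parameter(Mandatory = $true)][string] $Command,
        [Parameter(Mandatory = $true)][string] $Parameter
    )
    # Get-Command exposes the parameter metadata without running the cmdlet.
    $cmd = Get-Command -Name $Command -ErrorAction Stop
    if (-not $cmd.Parameters.ContainsKey($Parameter)) {
        throw "$Command has no parameter named -$Parameter"
    }
    return $cmd.Parameters[$Parameter].ParameterType.FullName
}

# The two password parameters the off-boarding script feeds $SecurePW into.
$checks = @(
    @{ Command = 'Set-ADAccountPassword'; Parameter = 'NewPassword' },
    @{ Command = 'Set-MsolUserPassword';  Parameter = 'NewPassword' }
)

# Constructed input for the demonstration; in the script this is the
# result of Read-Host -AsSecureString.
$SecurePW = ConvertTo-SecureString -String 'Example-P@ssw0rd!' -AsPlainText -Force
$actual = $SecurePW.GetType().FullName
Write-Host ("Variable holds : {0}" -f $actual)

foreach ($c in $checks) {
    try {
        $expected = Get-PasswordParameterType -Command $c.Command -Parameter $c.Parameter
        $verdict = if ($expected -eq $actual) { 'matches' } else { 'MISMATCH, convert before calling' }
        Write-Host ("{0} -{1} expects {2} : {3}" -f $c.Command, $c.Parameter, $expected, $verdict)
    }
    catch {
        # Module not loaded or cmdlet not present on this machine.
        Write-Warning $_.Exception.Message
    }
}
```

The same lookup works for any cmdlet; when a parameter is declared as System.String, handing it a System.Security.SecureString is what produces the misleading "password is invalid" error rather than a type error, because the SecureString is stringified to its type name before the policy check runs.
-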
@flaxking said in PowerShell - Off-boarding Script:
On your read-host you have -AsSecureString to convert it.
Set-ADAccountPassword documentation shows it takes a SecureString for the password
Set-MsolUserPassword documentation shows it takes just a string for the password
If you run GetType() on your variable it should tell you it is a secure string
Oh, I see. The error didn't say that, you had to do some digging.
-
I wonder if I can convert it to a string. If not, I might have to start with the office side and convert it to a secure string for AD. hmm
-
You can!
I forget where I found this tidbit, but it is helpful. I would suggest not storing the plain text of the password in a variable for any longer than you need it.
function ConvertFrom-SecureToPlain {
    param(
        [Parameter(Mandatory=$true)][System.Security.SecureString] $SecurePassword
    )
    # Create a "password pointer"
    $PasswordPointer = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePassword)
    # Get the plain text version of the password
    $PlainTextPassword = [Runtime.InteropServices.Marshal]::PtrToStringAuto($PasswordPointer)
    # Free the pointer
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($PasswordPointer)
    # Return the plain text password
    return $PlainTextPassword
}

Write-Host "Enter your new password:"
$SecurePW = Read-Host -AsSecureString
$plainText = ConvertFrom-SecureToPlain -SecurePassword $SecurePW
Write-Host "Plain Text Says: $plainText"
-
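A way to act on dafyre's advice about not keeping the plain text around, added here as an example that is not part of the thread: the conversion happens inside a wrapper that hands the plain text to one script block and zeroes the unmanaged copy afterwards, and the password is checked against the rules quoted in the Set-MsolUserPassword error before any cloud call is attempted. The function names, the policy regex (derived only from the wording of the error, not from Microsoft's published policy) and the sample password are assumptions made for this example.

```powershell
# Added example, not from the thread. Keeps the plain-text password alive only
# for the duration of one call, and checks it against the policy quoted in the
# Set-MsolUserPassword error before the call is attempted. Function names and
# the policy rules are assumptions made here.

function Test-MsolPasswordPolicy {
    param([Parameter(Mandatory = $true)][string] $Password)
    # Rules as stated by the error text: 8 to 16 characters, letters, and at
    # least one number or symbol. Any non-letter character counts as the latter.
    if ($Password.Length -lt 8 -or $Password.Length -gt 16) { return $false }
    if ($Password -cnotmatch '[A-Za-z]') { return $false }
    if ($Password -notmatch '[^A-Za-z]') { return $false }
    return $true
}

function Invoke-WithPlainTextPassword {
    param(
        [Parameter(Mandatory = $true)][System.Security.SecureString] $SecurePassword,
        [Parameter(Mandatory = $true)][scriptblock] $Action
    )
    $ptr = [IntPtr]::Zero
    $plain = $null
    try {
        $ptr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePassword)
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptr)
        # The caller's script block receives the plain text as its only argument.
        & $Action $plain
    }
    finally {
        # Zero and free the unmanaged copy even if the action throws, and drop
        # the function's reference to the managed string.
        if ($ptr -ne [IntPtr]::Zero) { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr) }
        $plain = $null
    }
}

# Constructed input standing in for Read-Host -AsSecureString in the script.
$SecurePW = ConvertTo-SecureString -String 'Jof91348!Example' -AsPlainText -Force

Invoke-WithPlainTextPassword -SecurePassword $SecurePW -Action {
    param($PlainPW)
    if (-not (Test-MsolPasswordPolicy -Password $PlainPW)) {
        throw 'Password does not meet the Office 365 policy; aborting before the cloud call.'
    }
    # In the off-boarding script this is where the cloud call belongs, e.g.
    # Set-MsolUserPassword -UserPrincipalName $upn -NewPassword $PlainPW -ForceChangePassword $false
    Write-Host 'Password passed the local policy check.'
}
```

Two caveats. A .NET string is immutable, so once PtrToStringBSTR has produced it the plain text can stay in managed memory until the garbage collector reclaims it; the wrapper shortens that window and keeps the value out of a script-level variable, but it cannot guarantee erasure. And the local check only mirrors the wording of the error message; the service still enforces its own policy, so treat a failed Set-MsolUserPassword as the authoritative answer. Either way, leave out any Write-Host of the plain text once the conversion is confirmed to work, since that ends up in transcripts and console history.
-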
@dafyre I think I found where you got it - https://www.powershelladmin.com/wiki/Powershell_prompt_for_password_convert_securestring_to_plain_text
Anyway, I am not sure where, in my script, I should place that function.
-
@wrx7m said in PowerShell - Off-boarding Script:
@dafyre I think I found where you got it - https://www.powershelladmin.com/wiki/Powershell_prompt_for_password_convert_securestring_to_plain_text
Anyway, I am not sure where, in my script, I should place that function.
You could dot source the function. You can define the function before you use it.
-
@wrx7m said in PowerShell - Off-boarding Script:
@dafyre I think I found where you got it - https://www.powershelladmin.com/wiki/Powershell_prompt_for_password_convert_securestring_to_plain_text
Anyway, I am not sure where, in my script, I should place that function.
You'd put the actual function at the top of your script, and then just
$myPassword=convertFrom-SecureToPlain -securepassword $MySecurePassword
Wherever you need the password in plain text form.
-
@dafyre said in PowerShell - Off-boarding Script:
You'd put the actual function at the top of your script, and then just
$myPassword=convertFrom-SecureToPlain -securepassword $MySecurePassword
Wherever you need the password in plain text form.
Thanks. It mostly works. The only problem is that it isn't actually using the password I specify at the top. It is somehow generating its own and then writing it at the end. I put in
write-host "Plain Text Says: $plainText"
and it shows the password that I typed in for the secure variable at the beginning, followed by the one that it generated.
Plain Text Says: $#@%4#@177 Jof91348
-
@wrx7m said in PowerShell - Off-boarding Script:
Thanks. It mostly works. The only problem is that it isn't actually using the password I specify at the top. It is somehow generating its own and then writing it at the end. I put in
write-host "Plain Text Says: $plainText"
and it shows the password that I typed in for the secure variable at the beginning, followed by the one that it generated.
Plain Text Says: $#@%4#@177 Jof91348
Works fine for me here.... Check and make sure you don't have an extra write-host or anything somewhere.