
Cleaning up the leftovers in Microsoft Exchange Server 2016 using PowerShell


Working for six months with Microsoft Exchange Server 2016 in a company where more than 500 employees use corporate email, I was faced with the problem of fully deleting information about users disabled in Active Directory.

Tasks that we want to automate after disabling a user account in AD:


Feeling an utter dislike for manual work, we decided to automate all these tasks as far as possible using PowerShell.

Preparation:


Load the Exchange Management PowerShell snap-in:

    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn

We get a list of all users disabled in Active Directory and exclude some service records:

    $DisableUsers = Get-User -Filter {(UserAccountControl -eq 'AccountDisabled, NormalAccount') -and (RecipientType -eq 'UserMailbox')} |
        Where-Object {($_.SamAccountName -ne 'krbtgt') -and ($_.SamAccountName -ne 'SM_2013a5b0c2bd4ca2a') -and ($_.SamAccountName -ne 'testvc')}

We declare variables:

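    # Name under which all export requests are grouped
    $BatchName = 'MassRequest'

    # Current month and year, used as the name of the export folder
    $CMounth = (Get-Date).month
    $CYear = (Get-Date).year
    $CurrentDate = "$CYear.$CMounth"

    # Network share for the exports (placeholder as given on the page; it must end with "\")
    $MainDir = "\\% %"
    $ExportPath = $MainDir + $CurrentDate + "\"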

Processing:


To make it easier to find a dismissed user's .pst archive, it was decided to create folders named Year.Month. So all users dismissed in April 2017 end up in the folder 2017.4, those dismissed in May in the folder 2017.5, and so on.

    # Create the Year.Month folder on the share if it does not exist yet
    if ((Test-Path $ExportPath -PathType Container) -eq $false) {
        New-Item -Path $MainDir -Name $CurrentDate -ItemType "directory"
    }

In a loop over the disabled users, we export their mail from the primary and archive mailboxes to .pst files and save them in the Year.Month folder.

Using the -BatchName parameter, we combine the requests under one name so that we can track the status of the whole export at once rather than each request separately.

    foreach ($User in $DisableUsers) {
        $PrimaryPath = $ExportPath + $User.SamAccountName + ".pst"
        $ArhivePath = $ExportPath + $User.SamAccountName + "_Archive.pst"
        New-MailboxExportRequest -Mailbox $User.SamAccountName -BatchName $BatchName -FilePath $PrimaryPath
        New-MailboxExportRequest -Mailbox $User.SamAccountName -BatchName $BatchName -FilePath $ArhivePath -IsArchive
    }

We wait for the export to finish. The wait is necessary because next we put the mailboxes into the Disable state and want to be sure that the mail export is over.

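    # Poll once a minute until no request in the batch is queued or in progress
    $i = 1
    while ((Get-MailboxExportRequest -BatchName $BatchName | Where-Object {($_.Status -eq "Queued") -or ($_.Status -eq "InProgress")})) {
        Start-Sleep 60
        Write-Host "Waiting for the export to finish: $i min. .."
        $i = $i + 1
    }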
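
The wait loop above stops as soon as no request is Queued or InProgress, so a Failed or Suspended export would also let the script move on to disabling the mailbox. The following check is an added example, not the author's code: Test-ExportFinished is a hypothetical helper, the sample objects are constructed, and $DisableUsers and $BatchName are the variables defined earlier on this page.

```powershell
# Added example, not the article's code. Test-ExportFinished is a hypothetical helper.
function Test-ExportFinished {
    param([object[]]$Requests)   # export requests belonging to ONE user
    # No request at all means nothing was exported for this user.
    if (-not $Requests) { return $false }
    foreach ($r in $Requests) {
        # Failed, Suspended, CompletedWithWarning etc. end the wait loop
        # just like Completed does, so insist on Completed explicitly.
        if ("$($r.Status)" -ne 'Completed') { return $false }
        # The .pst must really exist on the share and must not be empty.
        $path = "$($r.FilePath)"
        if (-not $path -or -not (Test-Path -LiteralPath $path -PathType Leaf)) { return $false }
        if ((Get-Item -LiteralPath $path).Length -eq 0) { return $false }
    }
    return $true
}

# --- Constructed sample data so the check can be tried without Exchange ---
$pst = Join-Path ([IO.Path]::GetTempPath()) 'jdoe.pst'
Set-Content -LiteralPath $pst -Value 'constructed placeholder, not a real PST'
$ok     = @([pscustomobject]@{ Status = 'Completed'; FilePath = $pst })
$failed = @([pscustomobject]@{ Status = 'Completed'; FilePath = $pst },
            [pscustomobject]@{ Status = 'Failed';    FilePath = "$pst.missing" })
Test-ExportFinished -Requests $ok        # case: export completed, file present
Test-ExportFinished -Requests $failed    # case: the second export failed
Test-ExportFinished -Requests @()        # case: no request was ever created
Remove-Item -LiteralPath $pst

# --- In the script: run after the wait loop, before Completed requests are removed ---
if (Get-Command Get-MailboxExportRequest -ErrorAction SilentlyContinue) {
    $Verified = @()
    foreach ($User in $DisableUsers) {
        $req = @(Get-MailboxExportRequest -Mailbox $User.SamAccountName -BatchName $BatchName)
        if (Test-ExportFinished -Requests $req) { $Verified += $User }
        else { Write-Warning "Export not verified, mailbox stays enabled: $($User.SamAccountName)" }
    }
    $DisableUsers = $Verified   # later steps only touch users with a verified export
}
```

The account running the script needs read access to the export share for the file checks to succeed.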

After the export is completed, we delete all requests that received the status Completed.

    # Remove the export requests that finished with the status Completed
    Get-MailboxExportRequest -Status Completed | Remove-MailboxExportRequest -Confirm:$false

The first part is done; now we begin to clean up the mailing lists. First we get an array of all the lists:

    # Get all distribution groups
    $DistribList = Get-DistributionGroup

In a loop we go over all the mailing lists and remove the disabled users from them:

    # Remove every disabled user from every distribution group
    foreach ($List in $DistribList) {
        foreach ($User in $DisableUsers) {
            Remove-DistributionGroupMember -Identity $List -Member $User -Confirm:$false -ErrorAction Ignore
        }
    }

The penultimate stage: disabling the mailboxes. The e-mail disappears from the user's account in AD, and the mailbox itself is deleted. From this point it can be restored only for some time using standard Exchange tools.

    # Disable the archive mailbox first, then the primary mailbox
    foreach ($User in $DisableUsers) {
        Disable-Mailbox -Identity $User.SamAccountName -Archive -Confirm:$false
        Disable-Mailbox -Identity $User.SamAccountName -Confirm:$false
    }

We update GAL and OAB so that users can see the changes as quickly as possible.

    # Update the Global Address List, the offline address book and the address lists
    Get-GlobalAddressList | Update-GlobalAddressList
    Get-OfflineAddressBook | Update-OfflineAddressBook
    Get-AddressList | Update-AddressList

A small comment:


In our company, we attached this processing to a custom button in 1C. The personnel department sets the status “Fired” in the employee's profile and the script starts working.

Thus, it is almost impossible to see disabled users in the address book, and a dismissed employee immediately loses access to mail. (If you only disable the account in Active Directory, the employee can still get into the mail, which is unacceptable under our corporate policy.)

I hope someone finds the script useful. Thanks!

Source: https://habr.com/ru/post/328992/

