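# Update-StaffAD.ps1
# Reads Staff_Extract.csv and updates AD email addresses and account status.
# Matches users strictly by sAMAccountName (PAYROLL_REC_NO column) through an
# escaped LDAP filter. The previous -Identity lookup also accepted DN, GUID and
# SID forms, so a stray value in that column could resolve to a different
# object than intended; with a disable action downstream that is not acceptable.
# If duplicate entries exist, ACTV takes priority over INAC/LEFT.
# Accounts are only ever disabled here, never re-enabled.
# Applies changes automatically and appends results to a log file.

# --- Configuration ---
$CsvPath = "C:\Scripts\Staff_Extract.csv"
$LogFile = "C:\Scripts\Logs\StaffAD_Changes.log"

# --- Setup ---
if (-not (Test-Path $CsvPath)) {
    Write-Error "CSV not found: $CsvPath"
    exit 1
}

# Fail fast if the AD module is unavailable. Without this, every lookup fails
# inside the per-user try/catch and the whole run is silently miscounted.
Import-Module ActiveDirectory -ErrorAction Stop

$LogDir = Split-Path $LogFile
if (-not (Test-Path $LogDir)) {
    New-Item -ItemType Directory -Path $LogDir | Out-Null
}

$Staff           = Import-Csv -Path $CsvPath
$DisableStatuses = @("INAC", "LEFT")
$RunHeader       = "=" * 60
$Timestamp       = Get-Date -Format "yyyy-MM-dd HH:mm:ss"

# Writes a line to the console (coloured) and appends it to the log file.
function Write-Log {
    param([string]$Message, [string]$Color = "White")
    Write-Host $Message -ForegroundColor $Color
    Add-Content -Path $LogFile -Value $Message
}

# Null-safe trim. Blank cells and missing columns arrive from Import-Csv as
# $null, and calling .Trim() on $null aborts the entire run before anything
# is logged.
function Get-TrimmedField {
    param($Value)
    if ($null -eq $Value) { return "" }
    return ([string]$Value).Trim()
}

# Escapes a value for use inside an LDAP filter assertion (RFC 4515), so CSV
# content cannot change the structure of the filter. Backslash must be
# handled first so the escapes it introduces are not re-escaped.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $escaped = $Value   -replace '\\', '\5c'
    $escaped = $escaped -replace '\*', '\2a'
    $escaped = $escaped -replace '\(', '\28'
    $escaped = $escaped -replace '\)', '\29'
    $escaped = $escaped -replace "`0", '\00'
    return $escaped
}

# --- Deduplicate: ACTV wins over INAC/LEFT ---
$Deduped  = @{}
$blankIds = 0
foreach ($entry in $Staff) {
    $key = Get-TrimmedField $entry.PAYROLL_REC_NO
    if ($key -eq "") {
        # Nothing to act on; counted and reported in the summary.
        $blankIds++
        continue
    }
    $isActive = ((Get-TrimmedField $entry.STAFF_STATUS) -eq "ACTV")
    if (-not $Deduped.ContainsKey($key) -or $isActive) {
        # First sighting is kept unless a later ACTV row overrides it.
        $Deduped[$key] = $entry
    }
}

# --- Run Header ---
Write-Log ""
Write-Log $RunHeader
Write-Log " RUN: $Timestamp"
Write-Log $RunHeader

$emailUpdates = 0
$disables     = 0
$noChanges    = 0
$notFound     = 0
$skipped      = 0   # lookup failures and ambiguous matches

foreach ($entry in $Deduped.Values) {
    $samAccount = Get-TrimmedField $entry.PAYROLL_REC_NO
    $status     = Get-TrimmedField $entry.STAFF_STATUS
    $email      = Get-TrimmedField $entry.E_MAIL

    # Look up strictly by sAMAccountName. -LDAPFilter returns nothing (no
    # exception) when there is no match, so an exception here is a genuine
    # lookup failure (connectivity, permissions) and must not be folded
    # into the "not found" count as the previous version did.
    try {
        $ldapFilter = "(sAMAccountName=$(ConvertTo-LdapFilterValue $samAccount))"
        $found = @(Get-ADUser -LDAPFilter $ldapFilter `
                     -Properties EmailAddress, Enabled, DisplayName `
                     -ErrorAction Stop)
    } catch {
        Write-Log ""
        Write-Log " User    : $samAccount"
        Write-Log " Lookup  : FAILED - $_" "Red"
        $skipped++
        continue
    }

    if ($found.Count -eq 0) {
        # Logged so the IDs can be reconciled against the source extract.
        $notFound++
        Write-Log " Not found in AD : $samAccount (status: $status)" "Yellow"
        continue
    }
    if ($found.Count -gt 1) {
        # sAMAccountName should be unique within a domain; refuse to guess
        # which object to modify.
        Write-Log ""
        Write-Log " User    : $samAccount"
        Write-Log " Lookup  : AMBIGUOUS - $($found.Count) objects matched, skipped" "Red"
        $skipped++
        continue
    }
    $adUser = $found[0]

    $willDisable = ($status -in $DisableStatuses) -and $adUser.Enabled
    # A blank E_MAIL cell would otherwise clear the existing mail attribute;
    # treat it as "no data" rather than "remove".
    $willUpdateEmail = ($email -ne "") -and ($adUser.EmailAddress -ne $email)

    if (-not $willDisable -and -not $willUpdateEmail) {
        $noChanges++
        continue
    }

    Write-Log ""
    Write-Log " User : $($adUser.DisplayName) ($samAccount)"
    Write-Log " Status : $status"

    # Update email. The resolved object is passed as the identity so the
    # write goes to exactly the object that was matched above.
    if ($willUpdateEmail) {
        try {
            Set-ADUser -Identity $adUser -EmailAddress $email
            Write-Log " Email : $($adUser.EmailAddress) --> $email [UPDATED]" "Green"
            $emailUpdates++
        } catch {
            Write-Log " Email : FAILED to update - $_" "Red"
        }
    }

    # Disable account
    if ($willDisable) {
        try {
            Disable-ADAccount -Identity $adUser
            Write-Log " Account : DISABLED (status: $status) [UPDATED]" "Green"
            $disables++
        } catch {
            Write-Log " Account : FAILED to disable - $_" "Red"
        }
    }
}

# --- Summary ---
Write-Log ""
Write-Log " --- Summary ---"
if ($emailUpdates -eq 0 -and $disables -eq 0) {
    Write-Log " No changes were made on this run." "Cyan"
}
Write-Log " Email updates : $emailUpdates"
Write-Log " Accounts disabled : $disables"
Write-Log " No changes needed : $noChanges"
Write-Log " Not found in AD : $notFound"
Write-Log " Skipped (lookup error/ambiguous) : $skipped"
Write-Log " Rows with blank PAYROLL_REC_NO : $blankIds"
Write-Log $RunHeader
Write-Log ""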