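# Update-StaffAD.ps1
# Reads Staff_Extract.csv and updates AD email addresses and account status.
# Previews all changes before applying them.
#
# Security notes:
#   * The CSV is the trust boundary. Whoever can write to it can cause accounts
#     to be disabled and mail attributes to be rewritten with the rights this
#     script runs under, so the file's ACL should be at least as tight as those
#     rights.
#   * Values taken from the CSV are escaped before they are placed in a
#     directory query, and a row is only acted on when it resolves to exactly
#     one AD user.
#   * The apply phase addresses each account by the ObjectGUID captured during
#     the preview, so a rename between preview and apply cannot redirect a
#     change to a different account.

#Requires -Modules ActiveDirectory

# --- Configuration ---
$CsvPath = "C:\Scripts\Staff_Extract.csv"   # Update if needed

# --- Import ---
if (-not (Test-Path $CsvPath)) {
    Write-Error "CSV not found: $CsvPath"
    exit 1
}

# @() keeps a one-row CSV as an array so the header check below can index it.
$Staff = @(Import-Csv -Path $CsvPath)
$DisableStatuses = @("INAC", "LEFT")

# Fail early when an expected column is absent; otherwise every row would be
# read as blank and skipped one by one.
$requiredColumns = @("PAYROLL_REC_NO", "STAFF_STATUS", "E_MAIL")
if ($Staff.Count -gt 0) {
    $presentColumns = $Staff[0].PSObject.Properties.Name
    $missingColumns = @($requiredColumns | Where-Object { $_ -notin $presentColumns })
    if ($missingColumns.Count -gt 0) {
        Write-Error "CSV is missing required column(s): $($missingColumns -join ', ')"
        exit 1
    }
}

# --- Preview Phase ---
$Changes = [System.Collections.Generic.List[PSCustomObject]]::new()

Write-Host "`n=============================" -ForegroundColor Cyan
Write-Host " PREVIEW OF PLANNED CHANGES" -ForegroundColor Cyan
Write-Host "=============================" -ForegroundColor Cyan

foreach ($entry in $Staff) {
    # The [string] cast turns a null field into '' so Trim() cannot fail.
    $payrollNo = ([string]$entry.PAYROLL_REC_NO).Trim()
    $status    = ([string]$entry.STAFF_STATUS).Trim()
    $email     = ([string]$entry.E_MAIL).Trim()

    if ($payrollNo -eq '') {
        Write-Warning "Row skipped: PAYROLL_REC_NO is blank."
        continue
    }

    # Escape the LDAP filter metacharacters (RFC 4515) so a crafted or corrupted
    # payroll number is matched literally and cannot widen the search.
    # The backslash is replaced first so later escapes are not double-escaped.
    $escapedPayrollNo = $payrollNo `
        -replace '\\', '\5c' `
        -replace '\*', '\2a' `
        -replace '\(', '\28' `
        -replace '\)', '\29' `
        -replace '\x00', '\00'

    # Find user in AD by EmployeeID
    try {
        $matched = @(Get-ADUser -LDAPFilter "(employeeID=$escapedPayrollNo)" `
            -Properties EmployeeID, EmailAddress, Enabled, SamAccountName, DisplayName `
            -ErrorAction Stop)
    } catch {
        # Surface lookup failures (directory unreachable, access denied, ...)
        # instead of reporting them as "no matching user".
        Write-Warning "AD lookup failed for payroll no '$payrollNo': $_"
        continue
    }

    if ($matched.Count -eq 0) { continue }

    if ($matched.Count -gt 1) {
        # An ambiguous EmployeeID must never lead to a disable or an email change.
        Write-Warning "Row skipped: payroll no '$payrollNo' matches $($matched.Count) AD users."
        continue
    }

    $adUser = $matched[0]

    # A blank CSV email is treated as missing data, not as a request to change
    # or clear the attribute.
    $hasCsvEmail = ($email -ne '')

    $planned = [PSCustomObject]@{
        ObjectGuid      = $adUser.ObjectGUID
        DisplayName     = $adUser.DisplayName
        SamAccountName  = $adUser.SamAccountName
        PayrollNo       = $payrollNo
        Status          = $status
        CurrentEmail    = $adUser.EmailAddress
        NewEmail        = $email
        CurrentEnabled  = $adUser.Enabled
        WillDisable     = ($status -in $DisableStatuses) -and $adUser.Enabled
        WillUpdateEmail = $hasCsvEmail -and ($adUser.EmailAddress -ne $email)
    }

    $Changes.Add($planned)

    # Display the planned change
    Write-Host "`n User : $($planned.DisplayName) ($($planned.SamAccountName))" -ForegroundColor White
    Write-Host " Payroll No : $payrollNo"
    Write-Host " Status : $status"

    if ($planned.WillUpdateEmail) {
        Write-Host " Email : $($planned.CurrentEmail) --> $($planned.NewEmail)" -ForegroundColor Yellow
    } elseif (-not $hasCsvEmail) {
        Write-Host " Email : No change (CSV email is blank)" -ForegroundColor DarkGray
    } else {
        Write-Host " Email : No change ($email)"
    }

    if ($planned.WillDisable) {
        Write-Host " Account : WILL BE DISABLED (status is $status)" -ForegroundColor Red
    } elseif (-not $adUser.Enabled) {
        Write-Host " Account : Already disabled - no change" -ForegroundColor DarkGray
    } else {
        Write-Host " Account : No change (active)"
    }
}

# --- Summary ---
# @() guarantees a Count even when exactly one object matches; on Windows
# PowerShell 5.1 a lone PSCustomObject does not expose .Count.
$emailUpdates = @($Changes | Where-Object { $_.WillUpdateEmail }).Count
$disables     = @($Changes | Where-Object { $_.WillDisable }).Count
$noChanges    = @($Changes | Where-Object { -not $_.WillUpdateEmail -and -not $_.WillDisable }).Count

Write-Host "`n=============================" -ForegroundColor Cyan
Write-Host " SUMMARY" -ForegroundColor Cyan
Write-Host "=============================" -ForegroundColor Cyan
Write-Host " Users matched in AD : $($Changes.Count)"
Write-Host " Email updates : $emailUpdates" -ForegroundColor Yellow
Write-Host " Accounts to disable : $disables" -ForegroundColor Red
Write-Host " No changes needed : $noChanges"
Write-Host ""

if ($Changes.Count -eq 0) {
    Write-Host "No matching AD users found. Exiting." -ForegroundColor Yellow
    exit 0
}

# --- Confirmation ---
$confirm = Read-Host "Do you want to apply these changes? (yes/no)"
if ($confirm -ne "yes") {
    Write-Host "`nAborted. No changes were made." -ForegroundColor Yellow
    exit 0
}

# --- Apply Changes ---
Write-Host "`n=============================" -ForegroundColor Cyan
Write-Host " APPLYING CHANGES" -ForegroundColor Cyan
Write-Host "=============================" -ForegroundColor Cyan

foreach ($change in $Changes) {
    try {
        # -ErrorAction Stop makes every failure reach the catch block, so an
        # [OK] line is only printed after the directory accepted the change.
        if ($change.WillUpdateEmail) {
            Set-ADUser -Identity $change.ObjectGuid -EmailAddress $change.NewEmail -ErrorAction Stop
            Write-Host " [OK] Updated email for $($change.DisplayName): $($change.NewEmail)" -ForegroundColor Green
        }

        if ($change.WillDisable) {
            Disable-ADAccount -Identity $change.ObjectGuid -ErrorAction Stop
            Write-Host " [OK] Disabled account for $($change.DisplayName) ($($change.Status))" -ForegroundColor Green
        }
    } catch {
        Write-Host " [ERROR] Failed to update $($change.DisplayName): $_" -ForegroundColor Red
    }
}

Write-Host "`nDone." -ForegroundColor Cyan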