# Update-StaffAD.ps1
# Reads Staff_Extract.csv and updates AD email addresses and account status.
# Account status changes are one-way: accounts marked INAC or LEFT are disabled; nothing is re-enabled.
# Matches users by sAMAccountName (PAYROLL_REC_NO column).
# If duplicate entries exist, ACTV takes priority over INAC/LEFT.
# Applies changes automatically (no confirmation prompt or dry-run mode) and appends results to a log file.
# --- Configuration ---
# Both paths are fixed; the script takes no parameters.
#
# Security note: every row of the CSV is applied to AD without confirmation,
# so write access to this file (or to the script) amounts to the ability to
# disable accounts and rewrite mail addresses with the rights of whoever runs
# the job. Keep the folder ACL limited to the extract producer and the account
# the script runs as. Protect the log folder the same way: it is the script's
# only persistent record of what it changed.
$CsvPath = 'C:\Scripts\Staff_Extract.csv'
$LogFile = 'C:\Scripts\Logs\StaffAD_Changes.log'
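# --- Setup ---
# Abort before anything touches AD unless the extract is a readable file that
# carries every column the rest of the script dereferences.
if (-not (Test-Path -LiteralPath $CsvPath -PathType Leaf)) {
    Write-Error "CSV not found: $CsvPath"
    exit 1
}

# Make sure the log folder exists before the first log line is written.
$LogDir = Split-Path -Path $LogFile -Parent
if (-not (Test-Path -LiteralPath $LogDir)) {
    New-Item -ItemType Directory -Path $LogDir | Out-Null
}

try {
    # @() keeps $Staff an array even for a zero- or one-row file.
    $Staff = @(Import-Csv -LiteralPath $CsvPath -ErrorAction Stop)
} catch {
    Write-Error "CSV could not be read: $CsvPath - $_"
    exit 1
}

# A column missing from the header makes every later .Trim() call run on
# $null. That error does not stop the script, so the loop variables would keep
# whatever value they held before. Refuse to run on such a file.
$RequiredColumns = @('PAYROLL_REC_NO', 'STAFF_STATUS', 'E_MAIL')
if ($Staff.Count -gt 0) {
    $presentColumns = $Staff[0].PSObject.Properties.Name
    $missingColumns = @($RequiredColumns | Where-Object { $_ -notin $presentColumns })
    if ($missingColumns.Count -gt 0) {
        Write-Error "CSV is missing required column(s): $($missingColumns -join ', ')"
        exit 1
    }
}

# STAFF_STATUS values that cause an enabled account to be disabled.
$DisableStatuses = @('INAC', 'LEFT')

# Banner line and timestamp used for the per-run log header.
$RunHeader = '=' * 60
$Timestamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'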
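function Write-Log {
    <#
    .SYNOPSIS
        Echoes one message to the console and appends it to $LogFile.
    .PARAMETER Message
        Text to record. Callers build it from CSV fields and from error text,
        so embedded CR/LF are collapsed to a space: one call always yields one
        physical log line, and a crafted or multi-line value cannot add lines
        that look like separate log entries.
    .PARAMETER Color
        Console foreground colour for Write-Host; not written to the file.
    #>
    param([string]$Message, [string]$Color = "White")

    $line = $Message -replace '[\r\n]+', ' '
    Write-Host $line -ForegroundColor $Color
    Add-Content -Path $LogFile -Value $line
}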
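# --- Deduplicate: ACTV wins over INAC/LEFT ---
# Builds $Deduped: one CSV row per PAYROLL_REC_NO. The first row seen for a key
# is kept unless a later row for the same key has status ACTV, which replaces
# it. Among several non-ACTV rows the first wins; among several ACTV rows the
# last wins.
$Deduped = @{}
foreach ($entry in $Staff) {
    # "$(...)" turns a missing ($null) field into '' so .Trim() cannot fail.
    # A failed .Trim() would leave $key holding the previous row's value and
    # file this row under another person's account name.
    $key = "$($entry.PAYROLL_REC_NO)".Trim()
    if ($key -eq '') {
        Write-Warning 'Skipping CSV row with an empty PAYROLL_REC_NO.'
        continue
    }

    $rowStatus = "$($entry.STAFF_STATUS)".Trim()
    if (-not $Deduped.ContainsKey($key) -or $rowStatus -eq 'ACTV') {
        $Deduped[$key] = $entry
    }
}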
# --- Run Header ---
# Blank line, banner, timestamp, banner: marks the start of this run in the
# append-only log.
foreach ($bannerLine in @("", $RunHeader, " RUN: $Timestamp", $RunHeader)) {
    Write-Log $bannerLine
}

# Per-run tallies reported in the summary.
$emailUpdates = $disables = $noChanges = $notFound = 0

# "<sAMAccountName>, <name guessed from e-mail>" for each account not found in AD.
$notFoundList = @()
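# Apply each de-duplicated CSV row to its AD account: update the mail address
# when it differs, and disable the account when the status is INAC/LEFT.
# NOTE(review): there is no dry-run switch and no cap on how many accounts one
# run may disable; an extract that wrongly marks many staff INAC/LEFT is
# applied in full.
foreach ($entry in $Deduped.Values) {
    # "$(...)" maps a missing ($null) field to '' so .Trim() cannot fail. A
    # failed .Trim() leaves the variable holding the PREVIOUS row's value,
    # which would apply someone else's address or status to this account.
    $samAccount = "$($entry.PAYROLL_REC_NO)".Trim()
    $status     = "$($entry.STAFF_STATUS)".Trim()
    $email      = "$($entry.E_MAIL)".Trim()

    if ($samAccount -eq '') {
        Write-Log " Skipped : row with empty PAYROLL_REC_NO" "Yellow"
        continue
    }

    # Find user in AD by sAMAccountName
    try {
        $adUser = Get-ADUser -Identity $samAccount `
            -Properties EmailAddress, Enabled, DisplayName `
            -ErrorAction Stop
    } catch {
        # Only a genuine "no such identity" counts as not found. Any other
        # failure (DC unreachable, access denied, bad identity value) is
        # logged as a lookup failure so it is not mistaken for a missing
        # account.
        $errorType = $_.Exception.GetType().FullName
        if ($errorType -ne 'Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException') {
            Write-Log " Lookup : FAILED for $samAccount - $_" "Red"
            continue
        }

        $notFound++
        # Best-effort display name from a "first.last@domain" style address.
        $parsedName = if ($email -match "^([^.]+)\.([^@]+)@") {
            "$($Matches[1]) $($Matches[2])"
        } else { "Unknown" }
        $notFoundList += "$samAccount, $parsedName"
        continue
    }

    $willDisable = ($status -in $DisableStatuses) -and $adUser.Enabled
    # An empty E_MAIL cell means "no data", not "clear the attribute".
    $willUpdateEmail = ($email -ne '') -and ($adUser.EmailAddress -ne $email)

    if (-not $willDisable -and -not $willUpdateEmail) {
        $noChanges++
        continue
    }

    Write-Log ""
    Write-Log " User : $($adUser.DisplayName) ($samAccount)"
    Write-Log " Status : $status"

    # Update email
    if ($willUpdateEmail) {
        try {
            # -Identity $adUser writes to the exact object that was read and
            # logged above. -ErrorAction Stop sends every failure to the catch
            # block, so [UPDATED] is only logged for a change that succeeded.
            Set-ADUser -Identity $adUser -EmailAddress $email -ErrorAction Stop
            Write-Log " Email : $($adUser.EmailAddress) --> $email [UPDATED]" "Green"
            $emailUpdates++
        } catch {
            Write-Log " Email : FAILED to update - $_" "Red"
        }
    }

    # Disable account
    if ($willDisable) {
        try {
            Disable-ADAccount -Identity $adUser -ErrorAction Stop
            Write-Log " Account : DISABLED (status: $status) [UPDATED]" "Green"
            $disables++
        } catch {
            Write-Log " Account : FAILED to disable - $_" "Red"
        }
    }
}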
# --- Summary ---
# Closes the run's log section with the tallies and the list of CSV accounts
# that had no match in AD.
Write-Log ""
Write-Log " --- Summary ---"

$nothingChanged = ($emailUpdates -eq 0) -and ($disables -eq 0)
if ($nothingChanged) {
    Write-Log " No changes were made on this run." "Cyan"
}

$tallyLines = @(
    " Email updates : $emailUpdates"
    " Accounts disabled : $disables"
    " No changes needed : $noChanges"
    " Not found in AD : $notFound"
)
foreach ($tally in $tallyLines) {
    Write-Log $tally
}

# One yellow line per account that could not be found.
if ($notFoundList.Count -gt 0) {
    foreach ($missing in $notFoundList) {
        Write-Log " - $missing" "Yellow"
    }
}

Write-Log $RunHeader
Write-Log ""