1. Support
  2. Tutorials
  3. Scope Action – How to terminate an employee with one click!

Scope Action – How to terminate an employee with one click!

This tutorial will demonstrate some procedures for disabling employee access and create several employee reports for management.

If you have never created a Scope Action before, please refer to the below video and the Scope Action Creation Basics article for more information.

**This feature requires Goverlan v8.01.06 or higher.

Disclaimer:

** These tutorials are for demonstration purposes. Please test all Scope Actions before deploying them into production.**

Tutorial

This process involves creating several scope actions and using this technique to run them sequentially with one Master Scope Action.

In this tutorial, you will create the following scope actions:

  • Terminate Employee – This scope action will log off the console user from any detected workstation, create a login history report, create a recursive group members report and move/disable/reset the password of the Active Directory account.
  • Report NTFS Permissions – This scope action will create an NTFS permissions report on a file server and filter the results by the user account that is being terminated.
  • Export Mailbox to PST – This scope action will run a PowerShell script against an Exchange server and export the mailbox to a PST.
  • Master Termination Scope Action – This scope action will run the other three scope actions in order.

You will also need this PowerShell script for the Export PST scope action.

Step 1 – Create each scope action

Scope Action #1 – Terminate Employee Scope Action

Scope Module: User Target Type
Add the user who’s access will be terminated.

Action Module 1 – Log off current sessions:

Select the following Action Module item from the Add\Remove button
Execute User Action –> Logged-in computers –> Log off Console User

Arguments:

Action Module 2 – Login History Report

Select the following Action Module from the Add\Remove button
Report User Property –> Computer Login History –> All Login Event Information

Action Module 3 – Recursive Group Membership Report

Select the following Action Module from the Add\Remove button
Report User Property –> Groups –> AD Account Name
Report User Property –> Groups –> Members (Effective).AD Account Name
Report User Property –> Groups –> Members (Effective).Effective Via

Action Module 4 – Move, Disable and Reset Password

Select the following Action Module from the Add\Remove button
Set User Property –> User Account Information –> Account Disabled TRUE
Set User Property –> User Account Information –> Password *Set password*
Execute User Action –> Move Object *New OU location*

Scope Action #2 – Report NTFS Permissions

Scope Module: Computer Target Type
Add the file server that is hosting the files to be queried.

Action Module 1 – NTFS permissions report

Set the path that needs to be queried using the Manage Accessible Directories screen.
Report Computer Property –> File System Permissions –> Manage Accessible Directories

Use the icon to add a new path that will be queried.

Enter the local path that will queried for permissions. This field supports wildcards and Windows Environment Variables.
In this example, we will query the C:\Corporate Shares directory on the corporate file server.
We set the recursive depth to 2 by settings the “Include sub directories field to 2. Give this object a display name.

Once the Accessible Directory is set, Set the following report item:
Report Computer Property –> File System Permissions –> YOUR ACCESSIBLE PATH DIR –> Parent Directory, Object Name, Principle, Access (Basic) and Is Inherited.

Set a condition to filter all permissions related to the user who is being terminated
In the section called “Only if the following is true” set the following option with the Add \ Remove button
Set Computer Condition –> File System Permissions –> YOUR ACCESSIBLE PATH DIR –> Principle
Condition is “=” and desired value is the DOMAIN\Username of the terminated employee.

Scope Action #3 – Export Mailbox to PST

This Scope Action will need to the following script to function.
Export-MailboxPSTv1.zip

This script will require Exchange Server 2010 SP3 or later. The script also assumes you have the permissions to export the mailbox. If not you may need to alter the script to use an encrypted password file as described in this article. http://stackoverflow.com/questions/6239647/using-powershell-credentials-without-being-prompted-for-a-password

Once you have the script working correctly, add it to Goverlan Batch and Script. For more information see the Script Package Manager in the user guide.

Be sure to enter the “Report Output” setting to catch any output from the script.

Scope Module – Enter the Exchange server that is hosting the mailbox as the target.

Action Module – Export to PST Powershell:
Select the following action item from the Add \ Remove button
Execute Computer Action –> Processes –> Run a batch or script package

Argument Screen
Select the script package that will run the Export to PST PowerShell script.

Step 2 – Master Termination Scope Action

This scope action will run the above three scope actions sequentially. For more information on configuring this scope action, use this technique.

After this scope action is created, run it to start the termination process.

Was this article helpful?

Related Articles