
IT Process Automation – Employee Access Termination Workflow

In this Process Automation tutorial, we showcase how to handle some of the IT processes and Active Directory management tasks traditionally associated with employee termination, from disabling accounts to archiving emails and login history.

This tutorial requires building several IT workflows and running them sequentially in one Master Scope Action:

  • Terminate Employee – This workflow will log off the console user from any detected workstation, create a login history report, create a recursive group member report and move/disable/reset the password of the Active Directory account.
  • Report NTFS Permissions – This workflow will create an NTFS permissions report on a file server and filter the results by the user account that is being terminated.
  • Export Mailbox to PST – This workflow will run a PowerShell script against an Exchange server and export the mailbox to a PST.
  • Master Termination Scope Action – This workflow will run the other three workflows in their specific order.

Process Automation – Prerequisite


To be able to implement this tutorial, you will need access to the full version of Goverlan Reach and its Process Automation framework. If you don’t currently own a valid license, you can download a free version of our remote access software on our website. The 15-day trial is free and no credit card is required.  

If you have never automated a workflow with our Process Automation framework, you may watch the video below or read our Scope Action Creation Basics article for more information.

This feature requires Goverlan v8.01.06 or higher.

These tutorials are for demonstration purposes. Please test all Scope Actions before deploying them into production.

Process Automation Step 1 – Terminating Access

Scope Module: User Target Type
Add the user whose access will be terminated.

Action Module 1 – Log off current sessions:

Select the following Action Module item from the Add\Remove button
Execute User Action –> Logged-in computers –> Log off Console User


Action Module 2 – Login History Report

Select the following Action Module from the Add\Remove button
Report User Property –> Computer Login History –> All Login Event Information

Action Module 3 – Recursive Group Membership Report

Select the following Action Module from the Add\Remove button
Report User Property –> Groups –> AD Account Name
Report User Property –> Groups –> Members (Effective).AD Account Name
Report User Property –> Groups –> Members (Effective).Effective Via

Action Module 4 – Move, Disable and Reset Password

Select the following Action Module from the Add\Remove button
Set User Property –> User Account Information –> Account Disabled TRUE
Set User Property –> User Account Information –> Password *Set password*
Execute User Action –> Move Object *New OU location*
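
For comparison, the directory-side part of this step (group report, disable, password reset, move) expressed with the ActiveDirectory PowerShell module. This is an added example, not Goverlan's implementation; the OU path, report folder and the random-password choice are assumptions, and it does not cover the console logoff or login history report.

```powershell
# Added example, not part of the Goverlan tutorial. Requires the RSAT ActiveDirectory module.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [string]$DisabledOu = 'OU=Disabled Users,DC=example,DC=com',  # placeholder OU
    [string]$ReportDir  = '.'                                     # placeholder folder
)
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

$user = Get-ADUser -Identity $SamAccountName

# Escape the DN for use inside an LDAP filter (backslash first, then * ( )).
$dn = $user.DistinguishedName -replace '\\', '\5c' -replace '\*', '\2a' `
                              -replace '\(', '\28' -replace '\)', '\29'

# 1. Record effective (nested) group membership BEFORE touching the account.
#    1.2.840.113556.1.4.1941 is the LDAP_MATCHING_RULE_IN_CHAIN rule.
Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
    Select-Object Name, GroupScope, DistinguishedName |
    Export-Csv -Path (Join-Path $ReportDir "$SamAccountName-groups.csv") -NoTypeInformation

# 2. Disable the account so no new logons succeed.
Disable-ADAccount -Identity $user

# 3. Reset the password to a random value that is never displayed or stored.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secret = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $user -Reset -NewPassword $secret

# 4. Move the object last, so the earlier steps still resolve the original DN.
Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOu

"Disabled, reset and moved $SamAccountName to $DisabledOu"
```

Disabling the account blocks new logons but does not end sessions that are already open, which is why the workflow logs off the console user first.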

Process Automation Step 2 – Report NTFS Permissions

Scope Module: Computer Target Type
Add the file server that is hosting the files to be queried.

Action Module 1 – NTFS permissions report

Set the path that needs to be queried using the Manage Accessible Directories screen.
Report Computer Property –> File System Permissions –> Manage Accessible Directories

Use the icon to add a new path that will be queried.

Enter the local path that will be queried for permissions. This field supports wildcards and Windows Environment Variables.
In this example, we will query the C:\Corporate Shares directory on the corporate file server.
We set the recursive depth to 2 by setting the “Include subdirectories” field to 2. Give this object a display name.

Once the Accessible Directory is set, set the following report item:
Report Computer Property –> File System Permissions –> YOUR ACCESSIBLE PATH DIR –> Parent Directory, Object Name, Principle, Access (Basic) and Is Inherited.

Set a condition to filter all permissions related to the user who is being terminated.
In the section called “Only if the following is true”, set the following option with the Add \ Remove button:
Set Computer Condition –> File System Permissions –> YOUR ACCESSIBLE PATH DIR –> Principle
Condition is “=” and desired value is the DOMAIN\Username of the terminated employee.
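
The same report and filter written as a stand-alone PowerShell script, to show what the Scope Action collects. This is an added example, not Goverlan's code; `CONTOSO\jdoe` is a placeholder, and how Goverlan counts subdirectory levels may differ from `Get-ChildItem -Depth`.

```powershell
# Added example, not part of the Goverlan tutorial. Requires PowerShell 5.0+ (-Depth).
param(
    [string]$Root      = 'C:\Corporate Shares',  # path used in the tutorial
    [int]$Depth        = 2,                      # recursion depth used in the tutorial
    [string]$Principal = 'CONTOSO\jdoe'          # placeholder DOMAIN\Username
)

# The root itself plus every file and folder beneath it, down to $Depth levels.
$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Depth $Depth -Force -ErrorAction SilentlyContinue)

$report = foreach ($item in $items) {
    try {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
    } catch {
        # An unreadable ACL is a gap in the report: surface it instead of skipping silently.
        Write-Warning "Cannot read ACL on $($item.FullName): $($_.Exception.Message)"
        continue
    }
    foreach ($ace in $acl.Access) {
        # Same test as the Scope Action condition: Principal "=" DOMAIN\Username.
        if ($ace.IdentityReference.Value -ieq $Principal) {
            [pscustomobject]@{
                ParentDirectory = Split-Path -Parent $item.FullName
                ObjectName      = $item.Name
                Principal       = $ace.IdentityReference.Value
                Access          = "$($ace.AccessControlType) $($ace.FileSystemRights)"
                IsInherited     = $ace.IsInherited
            }
        }
    }
}

$report | Sort-Object ParentDirectory, ObjectName | Format-Table -AutoSize
```

An exact match on the account name finds only entries that name the user directly; access granted through groups has to be cross-checked against the recursive group membership report from Step 1.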

Process Automation Step 3 – Export Mailbox to PST with PowerShell

This Scope Action will need the following script to function.

This script will require Exchange Server 2010 SP3 or later. The script also assumes you have the permissions to export the mailbox. If not, you may need to alter the script to use an encrypted password file as described in this article: http://stackoverflow.com/questions/6239647/using-powershell-credentials-without-being-prompted-for-a-password
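
A minimal export script of the kind this step needs, as an added example (not Goverlan's script). It assumes a session with the Exchange cmdlets loaded and an account holding the Mailbox Import Export role; the UNC share name is a placeholder.

```powershell
# Added example, not the script from the Goverlan tutorial.
# Assumptions: the Exchange cmdlets are loaded (Exchange Management Shell), the
# account holds the "Mailbox Import Export" role, and the placeholder share below
# is writable by the "Exchange Trusted Subsystem" group and closed to ordinary
# users, since the PST holds the entire mailbox.
param(
    [Parameter(Mandatory = $true)][string]$Mailbox,       # alias or SMTP address
    [string]$ArchiveShare = '\\FILESERVER\TerminatedPST'  # placeholder UNC path
)
$ErrorActionPreference = 'Stop'

if (-not (Get-Command New-MailboxExportRequest -ErrorAction SilentlyContinue)) {
    throw 'New-MailboxExportRequest is unavailable: load the Exchange cmdlets and check the Mailbox Import Export role.'
}

$mbx     = Get-Mailbox -Identity $Mailbox
$pstPath = Join-Path $ArchiveShare ('{0}_{1:yyyyMMdd}.pst' -f $mbx.Alias, (Get-Date))
if (Test-Path $pstPath) { throw "Refusing to overwrite existing export: $pstPath" }

# -FilePath must be a UNC path; the export runs on the Exchange server, not locally.
$request = New-MailboxExportRequest -Mailbox $mbx.DistinguishedName `
                                    -FilePath $pstPath `
                                    -Name "Termination_$($mbx.Alias)"

# Poll until the request finishes. Each line goes to standard output so that the
# "Report Output" setting of the script package records the progress.
do {
    Start-Sleep -Seconds 30
    $stats = $request | Get-MailboxExportRequestStatistics
    '{0:u}  {1}  {2}%' -f (Get-Date), $stats.Status, $stats.PercentComplete
} while (@('Queued', 'InProgress') -contains "$($stats.Status)")

if ("$($stats.Status)" -ne 'Completed') {
    throw "Export ended with status $($stats.Status); the PST at $pstPath may be incomplete."
}
"Exported $($mbx.PrimarySmtpAddress) to $pstPath"
```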

Once you have the script working correctly, add it to Goverlan Batch and Script. For more information see the Script Package Manager in the user guide.

Be sure to enter the “Report Output” setting to catch any output from the script.

Scope Module – Enter the Exchange server that is hosting the mailbox as the target.

Action Module – Export to PST PowerShell:
Select the following action item from the Add \ Remove button
Execute Computer Action –> Processes –> Run a batch or script package

Argument Screen
Select the script package that will run the Export to PST PowerShell script.

Process Automation Step 4 – Master Termination Workflow

This scope action will run the above three scope actions sequentially. For more information on configuring this scope action, use this technique.

After this scope action is created, run it to start the termination process.

Updated on April 24, 2020
