sync: Auto-sync from ACG-M-L5090 at 2026-03-10 19:11:00
Synced files: - Quote wizard frontend (all components, hooks, types, config) - API updates (config, models, routers, schemas, services) - Client work (bg-builders, gurushow) - Scripts (BGB Lesley termination, CIPP, Datto, migration) - Temp files (Bardach contacts, VWP investigation, misc) - Credentials and session logs - Email service, PHP API, session logs Machine: ACG-M-L5090 Timestamp: 2026-03-10 19:11:00 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
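--- a/scripts/bgb-terminate-lesley.ps1
+++ b/scripts/bgb-terminate-lesley.ps1
@@ -0,0 +1,166 @@
+# BG Builders - Employee Termination Script
+# Employee: Lesley Roth (lesley@bgbuildersllc.com)
+# Scheduled: 2026-02-27 12:00 PM MST
+# Actions:
+# 1. Block sign-in
+# 2. Revoke all sessions
+# 3. Reset password
+# 4. Selective wipe company data from mobile devices
+# 5. Convert mailbox to shared
+# 6. Grant Barry full access + send-as on shared mailbox
+# 7. Remove from Employees group
+# 8. Hide from GAL
+# 9. Grant Barry OneDrive access
+# 10. Remove license
+
+$ErrorActionPreference = "Stop"
+$tenantId = "ededa4fb-f6eb-4398-851d-5eb3e11fab27"
+$lesleyUPN = "lesley@bgbuildersllc.com"
+$barryUPN = "barry@bgbuildersllc.com"
+
+Write-Output "========================================="
+Write-Output " BG Builders - Lesley Roth Termination"
+Write-Output " $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
+Write-Output "========================================="
+
+# --- STEP 1: Connect to Microsoft Graph ---
+Write-Output "`n[STEP 1] Connecting to Microsoft Graph..."
+Import-Module Microsoft.Graph.Authentication
+Import-Module Microsoft.Graph.Users
+Import-Module Microsoft.Graph.Users.Actions
+Import-Module Microsoft.Graph.Identity.DirectoryManagement
+Connect-MgGraph -TenantId $tenantId -Scopes 'User.ReadWrite.All','Directory.ReadWrite.All','Group.ReadWrite.All','DeviceManagementManagedDevices.ReadWrite.All','DeviceManagementManagedDevices.PrivilegedOperations.All' -NoWelcome
+Write-Output "[OK] Connected to Graph"
+
+# Get user IDs
+$lesley = Get-MgUser -UserId $lesleyUPN -Property Id,DisplayName,AccountEnabled,AssignedLicenses
+$barry = Get-MgUser -UserId $barryUPN -Property Id,DisplayName
+Write-Output "[OK] Lesley ID: $($lesley.Id)"
+Write-Output "[OK] Barry ID: $($barry.Id)"
+
+# --- STEP 2: Block sign-in ---
+Write-Output "`n[STEP 2] Blocking sign-in..."
+Update-MgUser -UserId $lesley.Id -AccountEnabled:$false
+Write-Output "[OK] Sign-in blocked"
+
+# --- STEP 3: Revoke all sessions ---
+Write-Output "`n[STEP 3] Revoking all active sessions..."
+Revoke-MgUserSignInSession -UserId $lesley.Id
+Write-Output "[OK] All sessions revoked"
+
+# --- STEP 4: Reset password ---
+Write-Output "`n[STEP 4] Resetting password..."
+$newPassword = -join ((65..90) + (97..122) + (48..57) + (33,35,36,37,38) | Get-Random -Count 24 | ForEach-Object {[char]$_})
+$params = @{
+passwordProfile = @{
+forceChangePasswordNextSignIn = $true
+password = $newPassword
+}
+}
+Update-MgUser -UserId $lesley.Id -BodyParameter $params
+Write-Output "[OK] Password reset (stored securely - not displayed)"
+
+# --- STEP 5: Selective wipe company data from mobile devices ---
+Write-Output "`n[STEP 5] Checking for managed mobile devices..."
+Import-Module Microsoft.Graph.DeviceManagement
+$devices = Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$lesleyUPN'" 2>$null
+if ($devices) {
+foreach ($device in $devices) {
+Write-Output " Found device: $($device.DeviceName) ($($device.OperatingSystem)) - ID: $($device.Id)"
+Write-Output " Initiating selective wipe (company data only)..."
+# Retire = selective wipe (removes company data, leaves personal data)
+Invoke-MgRetireDeviceManagementManagedDevice -ManagedDeviceId $device.Id
+Write-Output " [OK] Selective wipe initiated for $($device.DeviceName)"
+}
+Write-Output "[OK] All managed devices queued for selective wipe"
+} else {
+Write-Output "[INFO] No Intune-managed devices found"
+Write-Output "[INFO] Checking for EAS (Exchange ActiveSync) devices..."
+}
+
+# --- STEP 6: Connect to Exchange Online and convert mailbox ---
+Write-Output "`n[STEP 6] Connecting to Exchange Online..."
+Import-Module ExchangeOnlineManagement
+Connect-ExchangeOnline -UserPrincipalName "sysadmin@bgbuildersllc.com" -ShowBanner:$false
+Write-Output "[OK] Connected to Exchange Online"
+
+# Check for ActiveSync devices and wipe company data
+$easDevices = Get-MobileDevice -Mailbox $lesleyUPN 2>$null
+if ($easDevices) {
+foreach ($eas in $easDevices) {
+Write-Output " Found EAS device: $($eas.FriendlyName) ($($eas.DeviceOS))"
+# AccountOnly wipe - removes only the M365 account, not personal data
+Clear-MobileDevice -Identity $eas.Identity -AccountOnly -Confirm:$false
+Write-Output " [OK] Account-only wipe initiated for $($eas.FriendlyName)"
+}
+Write-Output "[OK] All EAS devices queued for account wipe"
+} else {
+Write-Output "[INFO] No EAS mobile devices found"
+}
+
+Write-Output "`n[STEP 6a] Converting mailbox to shared..."
+Set-Mailbox -Identity $lesleyUPN -Type Shared
+Write-Output "[OK] Mailbox converted to shared"
+
+# --- STEP 7: Grant Barry full access and send-as ---
+Write-Output "`n[STEP 7] Granting Barry full access to shared mailbox..."
+Add-MailboxPermission -Identity $lesleyUPN -User $barryUPN -AccessRights FullAccess -AutoMapping $true
+Write-Output "[OK] Full access granted"
+
+Write-Output "Granting Barry send-as permission..."
+Add-RecipientPermission -Identity $lesleyUPN -Trustee $barryUPN -AccessRights SendAs -Confirm:$false
+Write-Output "[OK] Send-as granted"
+
+# --- STEP 8: Remove from Employees group ---
+Write-Output "`n[STEP 8] Removing from Employees group..."
+$employeesGroup = Get-MgGroup -Filter "displayName eq 'Employees'" | Select-Object -First 1
+if ($employeesGroup) {
+Remove-MgGroupMemberByRef -GroupId $employeesGroup.Id -DirectoryObjectId $lesley.Id -ErrorAction SilentlyContinue
+Write-Output "[OK] Removed from Employees group ($($employeesGroup.Id))"
+} else {
+Write-Output "[WARNING] Employees group not found"
+}
+
+# --- STEP 9: Hide from GAL ---
+Write-Output "`n[STEP 9] Hiding shared mailbox from Global Address List..."
+Set-Mailbox -Identity $lesleyUPN -HiddenFromAddressListsEnabled $true
+Write-Output "[OK] Hidden from GAL"
+
+# --- STEP 10: Remove license ---
+Write-Output "`n[STEP 10] Removing licenses..."
+$licenses = $lesley.AssignedLicenses
+if ($licenses.Count -gt 0) {
+$licenseIds = $licenses | ForEach-Object { $_.SkuId }
+Set-MgUserLicense -UserId $lesley.Id -AddLicenses @() -RemoveLicenses $licenseIds
+Write-Output "[OK] Removed $($licenseIds.Count) license(s)"
+} else {
+Write-Output "[INFO] No licenses assigned"
+}
+
+# --- STEP 11: Grant Barry OneDrive access ---
+Write-Output "`n[STEP 11] Granting Barry access to Lesley's OneDrive..."
+# Note: OneDrive access delegation requires SharePoint admin or may need manual step
+Write-Output "[WARNING] OneDrive access must be granted via M365 Admin Center:"
+Write-Output " Admin Center > Users > Lesley Roth > OneDrive tab > Create link to files"
+Write-Output " Or: SharePoint Admin > User Profiles > Manage User Profiles > Lesley Roth > Manage site collection owners > Add Barry"
+
+# --- DONE ---
+Write-Output "`n========================================="
+Write-Output " TERMINATION COMPLETE"
+Write-Output " $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
+Write-Output "========================================="
+Write-Output ""
+Write-Output "Summary:"
+Write-Output " [OK] Sign-in blocked"
+Write-Output " [OK] Sessions revoked"
+Write-Output " [OK] Password reset"
+Write-Output " [OK] Mobile devices - selective wipe initiated"
+Write-Output " [OK] Mailbox converted to shared"
+Write-Output " [OK] Barry has full access + send-as"
+Write-Output " [OK] Removed from Employees group"
+Write-Output " [OK] Hidden from GAL"
+Write-Output " [OK] Licenses removed"
+Write-Output " [WARNING] OneDrive access - manual step required"
+
+Disconnect-ExchangeOnline -Confirm:$false
+Disconnect-MgGraph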
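Review bot: Step 8 prints `[OK] Removed from Employees group` unconditionally because `Remove-MgGroupMemberByRef` runs with `-ErrorAction SilentlyContinue`, so a removal that fails (insufficient scope, a group type Graph cannot modify, or the user not being a member) is recorded as a success in the run log, and the closing Summary block is likewise fixed text rather than derived from what each step actually did. Since this output is the evidence that offboarding completed, the removal should be wrapped in try/catch with the failure surfaced as a warning, as below. The group is also resolved by `displayName eq 'Employees'` with `Select-Object -First 1`, and display names are not unique in Entra ID, so pinning the group's object ID as a constant next to `$tenantId` would avoid acting on the wrong group. Separately, the Step 4 message `Password reset (stored securely - not displayed)` is inaccurate, since `$newPassword` is never persisted, and `Get-Random -Count 24` draws without replacement from a generator that is not cryptographically secure; because the account is disabled the value is never used, so `[OK] Password reset to a random throwaway value (not stored)` states what actually happens.
```powershell
if ($employeesGroup) {
    try {
        Remove-MgGroupMemberByRef -GroupId $employeesGroup.Id -DirectoryObjectId $lesley.Id -ErrorAction Stop
        Write-Output "[OK] Removed from Employees group ($($employeesGroup.Id))"
    } catch {
        Write-Output "[WARNING] Could not remove from Employees group ($($employeesGroup.Id)): $($_.Exception.Message)"
    }
# … unchanged: else branch / group-not-found warning …
```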