Dark Artistry


Remove AD Accounts and User Share

January 12, 2021 | Category: PowerShell

A quick and dirty PowerShell Active Directory (AD) account cleanup script that can be run as a scheduled task in any domain. It collects accounts that are disabled and whose whenChanged timestamp is more than 90 days old, strips their group memberships, removes the matching _adm admin account, deletes the home-directory folder and its share, and mails a report. As posted, every destructive command is commented out, so the script only prints what it would do until you uncomment those lines. Hope it's useful to someone looking for an example.

# Suppresses every non-terminating error, including failed deletions. Pair it with
# -ErrorVariable (see the header below) or an unattended run will never report that a step failed.
$ErrorActionPreference = 'SilentlyContinue'
<#
Account Cleanup Utility, 0.2
C. Nichols, 2021

Removes AD accounts older than 90 days including test and admin.
Removes the user's group memberships.
Removes the user's share folder.

The dangerous parts are currently commented out for safety.

ToDo
    Might need -Force on some commands.

Error Logging (Some-Command -ErrorVariable +CMDErrors):
    Attach an error variable to each command (the leading + appends instead of overwriting),
    then write that variable to an error log, like so:

    PS C:\Users> $ErrorActionPreference = 'SilentlyContinue'
    PS C:\Users> Get-ChildItem -Path "E:\tesmp" -Recurse -ErrorVariable +CMDErrors
    PS C:\Users> ForEach ($err in $CMDErrors) { Write-Host $err }
    Cannot find path 'E:\tesmp' because it does not exist.
    PS C:\Users> $CMDErrors | Out-File -Append E:\junk\error.log
#>

<# ============================================================ #>

# Placeholder DNs: replace with the real OUs. Note that $TSTOU points at a different domain.
$ADMOU = "OU=Admins,DC=domain"
$PRDOU = "OU=Users,DC=domain"
$TSTOU = "OU=Users,DC=testdomain"

function Remove-Member {
    PARAM (
        [string]$Member,
        [Array]$Groups
    )

    # memberOf never lists the primary group (normally Domain Users), so nothing here
    # tries to remove it; Remove-ADGroupMember cannot remove a primary group anyway.
    ForEach ($MbrOf in $Groups) {
        #Remove-ADGroupMember -Identity $MbrOf -Members $Member -Confirm:$false
        Write-Host "Removing $($Member) from Group $($MbrOf)"
    }
}

<# =========================== MAIN =========================== #>

$RmvList = New-Object -TypeName "System.Collections.ArrayList"
$UsrShare = New-Object -TypeName "System.Collections.ArrayList"
$UsrGroups = New-Object -TypeName "System.Collections.ArrayList"
$ReportLines = @()

$DDay = [DateTime]::Today.AddDays(-90) # go back 90 days: any account older than 90 gets collected.

<# ============================================================ #>

# extensionAttribute5 is an example filter that guarantees we only return employees.
# Caveat: whenChanged is bumped by any attribute write, so this selects accounts that are
# disabled AND have been untouched for 90 days, not accounts that were disabled 90 days ago.
$DisabledUsers = Get-ADUser -Filter {Enabled -EQ $false -AND extensionAttribute5 -EQ "e" -AND whenChanged -LE $DDay} -Properties samAccountName, extensionAttribute5, description, whenChanged, homeDirectory, memberof |
    Select-Object samAccountName, extensionAttribute5, description, whenChanged, homeDirectory, memberof

ForEach ($Usr in $DisabledUsers) {

    [void]$RmvList.Add($Usr.samAccountName)
    # Not every account has a home directory; a $null entry would break the share loop below.
    if ($Usr.homeDirectory) { [void]$UsrShare.Add($Usr.homeDirectory) }

    # Remove user from groups.
    Remove-Member -Member $Usr.samAccountName -Groups $Usr.memberof
    $Admin = "$($Usr.samAccountName)_adm" # Let's pretend _adm is appended to the SAM account name for admins.
    $ADMINX = Get-ADUser -Filter {samAccountName -EQ $Admin} -SearchBase $ADMOU -Properties samAccountName, memberof |
        Select-Object samAccountName, memberof

    if ($null -ne $ADMINX) {
        [void]$RmvList.Add($Admin)
        Remove-Member -Member $ADMINX.samAccountName -Groups $ADMINX.memberof
    }
}

# Remove all old disabled accounts.
Write-Host "Total account(s) found: $($RmvList.Count)"

ForEach ($RUsr in $RmvList) {

    # Assumes the CN equals the sAMAccountName. If your naming differs, carry the
    # DistinguishedName returned by Get-ADUser instead of rebuilding it here.
    $DNProd  = "CN=$($RUsr),$($PRDOU)"
    $DNTest  = "CN=$($RUsr),$($TSTOU)"

    # Match the _adm suffix specifically: a regular account that merely contains an
    # underscore (a service account, say) must not be treated as an admin.
    if ($RUsr.EndsWith("_adm")){
        $DNAdmin = "CN=$($RUsr),$($ADMOU)"
        Write-Host "Removing admin. $($DNAdmin)"
        #Remove-ADUser -Identity $DNAdmin -Confirm:$false
    } else {
        Write-Host "Removing prod account: $($DNProd)"
        Write-Host "Removing test account: $($DNTest)"
        # Remove-ADUser prompts by default, so -Confirm:$false is required for an unattended task.
        # $DNTest lives in another domain, so that call also needs -Server (a DC or the domain's FQDN).
        #Remove-ADUser -Identity $DNProd -Confirm:$false
        #Remove-ADUser -Identity $DNTest -Confirm:$false -Server "testdomain"
    }
    $ReportLines += $RUsr
}

# Delete user's H drive share.
ForEach ($Pth in $UsrShare) {

    $Share = $Pth.Split('\')[-1] # Get the share name only (last path component: \\fs01\home$\jdoe -> jdoe).

    Write-Host "Removing folder $($Pth)"
    #Remove-Item -LiteralPath $Pth -Force -Recurse

    # Remove-SmbShare acts on the local machine; when the share lives on a file server,
    # add -CimSession <fileserver> or run the script there.
    Write-Host "Removing share $($Share)"
    #Remove-SmbShare -Name $Share -Force
}

$RemovedAccounts = $ReportLines | Out-String
$Body = "Removed.`n$($RemovedAccounts)"
$Subj = "AD Account Cleanup Notification"
$From = "someone@somewhere"

$Addresses = @("you@somewhere")

ForEach ($To in $Addresses) {
    Write-Host "Sending mail to $($To)"
    # Send-MailMessage is marked obsolete (it cannot guarantee a secure SMTP connection) but still
    # works; PowerShell 7 prints a warning when it is called.
    #Send-MailMessage -From $From -To $To -Subject $Subj -Body $Body -SmtpServer "YOUR_SMTP_SERVER"
}
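The posted script toggles between dry run and live run by commenting and uncommenting the destructive lines, and its header describes -ErrorVariable logging that the body never uses. The block below is an added example, not code from the original post: it puts the same steps (group removal, account deletion, home folder deletion, the _adm companion account) into an advanced function gated by ShouldProcess, so -WhatIf is the dry run and a live run needs -Confirm:$false, and every failure is captured with -ErrorVariable and appended to a log. It assumes the ActiveDirectory module is installed; the OU DNs, the log path and the _adm naming convention are placeholders taken from the post. Unlike the post, it keeps each object's DistinguishedName rather than rebuilding "CN=<sam>,OU=..." by hand.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original post). Placeholders: the OU DNs, the log path,
# and the "<sam>_adm" convention for admin accounts.

function Remove-StaleDisabledUser {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param (
        [int]$Days = 90,
        [string]$SearchBase      = 'OU=Users,DC=domain',        # placeholder
        [string]$AdminSearchBase = 'OU=Admins,DC=domain',       # placeholder
        [string]$LogPath         = 'E:\junk\cleanup-errors.log' # placeholder, as in the post's header
    )

    $cutoff = [DateTime]::Today.AddDays(-$Days)
    $errs   = @()   # every command below appends its failures here via -ErrorVariable +errs

    # Same caveat as the post: whenChanged means "untouched for $Days days", not "disabled $Days days ago".
    $stale = Get-ADUser -Filter { Enabled -eq $false -and whenChanged -le $cutoff } `
        -SearchBase $SearchBase -Properties whenChanged, homeDirectory, memberOf `
        -ErrorAction SilentlyContinue -ErrorVariable +errs

    foreach ($u in $stale) {
        $targets  = @($u)
        $adminSam = "$($u.SamAccountName)_adm"
        $adm = Get-ADUser -Filter { sAMAccountName -eq $adminSam } `
            -SearchBase $AdminSearchBase -Properties memberOf `
            -ErrorAction SilentlyContinue -ErrorVariable +errs
        if ($adm) { $targets += $adm }

        foreach ($t in $targets) {
            # memberOf excludes the primary group, so this never tries to strip Domain Users.
            foreach ($g in $t.memberOf) {
                if ($PSCmdlet.ShouldProcess($t.DistinguishedName, "Remove from group $g")) {
                    Remove-ADGroupMember -Identity $g -Members $t -Confirm:$false `
                        -ErrorAction SilentlyContinue -ErrorVariable +errs
                }
            }
            if ($PSCmdlet.ShouldProcess($t.DistinguishedName, 'Delete AD account')) {
                Remove-ADUser -Identity $t -Confirm:$false `
                    -ErrorAction SilentlyContinue -ErrorVariable +errs
            }
        }

        # homeDirectory may be empty; only touch the folder when there is one.
        if ($u.homeDirectory -and $PSCmdlet.ShouldProcess($u.homeDirectory, 'Delete home folder')) {
            Remove-Item -LiteralPath $u.homeDirectory -Recurse -Force `
                -ErrorAction SilentlyContinue -ErrorVariable +errs
        }
    }

    if ($errs.Count -gt 0) {
        # Timestamp each error so the log is useful after an unattended run.
        $errs | ForEach-Object { "{0:s} {1}" -f (Get-Date), $_ } | Out-File -Append -FilePath $LogPath
    }

    [pscustomobject]@{
        Candidates = @($stale).Count
        Errors     = $errs.Count
        LogPath    = $LogPath
    }
}

# Dry run: prints "What if: Performing the operation ..." for every step and changes nothing.
# Remove-StaleDisabledUser -WhatIf
# Live run from a scheduled task, no prompts:
# Remove-StaleDisabledUser -Confirm:$false
```

Because ConfirmImpact is High, running the function with no switches prompts before each step, which is the safe default when someone runs it by hand; the scheduled task passes -Confirm:$false explicitly. The returned object gives the task something to mail or log (candidate count, error count, log path) without relying on Write-Host output that nothing captures.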
Posted in PowerShell, Programming, Windows. Tagged: active directory, ad account management, powershell
Mohawke

Copyright © 2026 Dark Artistry. All Rights Reserved.