In an effort to make user terminations and layoff as simple as possible, I wrote an Exchange Powershell script to do all the important tasks. My script does the following:

  • Moves the account to the “Inactive Users” OU (We never delete user accounts once created…)
  • Sets the description attribute of the AD account to “NoSearch” (Our email-enabled network scanners are configured to ignore accounts with NoSearch in the description field)
  • Lists and deletes user-created inbox rules that forward email to outside accounts (to prevent data leaks and possible espionage)
  • Hides account from Exchange address lists
  • Moves the mailbox to the disabled accounts database
  • Removes the user account from group membership, and creates a log of the groups the user was a member of (useful if the user is laid off and will be returning at a later date)

This script does not prompt for a forwarding address, but could be easily configured to do so.  Instead, it reminds you to configure one at the end of the script.


The script takes a single argument, the alias of the account being disabled.

import-module ActiveDirectory
$user = read-host "Enter user account to disable"
get-mailbox $user | get-mailboxstatistics | select displayname, database, totalitemsize
$confirmation = Read-Host "Are you Sure You Want To Proceed? (Y/N)"
if ($confirmation -eq 'y') {
Write-Host Moving user account to Inactive Users OU...
Get-ADUser $user| Move-ADObject -TargetPath 'OU=Inactive,OU=Contoso Accounts,DC=contoso,Dc=com'
Write-Host Disabling user account...
disable-adaccount -identity $user
Write-Host Setting NoSearch for LDAP queries...
set-aduser -identity $user -enabled $False -Description NoSearch
Write-Host Disabling user-created inbox rules to forward/redirect email to other accounts
Get-InboxRule -Mailbox $user | where {$_.forwardto -ne $null -or $_.forwardasattachmentto -ne $null -or $_.redirectto -ne $null } | Remove-InboxRule
Write-Host Hiding from address lists...
set-mailbox -identity $user -hiddenfromaddresslists $true
Write-Host Moving account to disabled_accts database...
new-moverequest -identity $user -targetdatabase disabled_accts
Write-Host Removing user account from the following security and distribution groups:
$user1 = Get-ADUser $user -properties memberof
$userGroups = $user1.memberof
$userGroups | fl name
$userGroups | fl name | Out-File C:\scripts\DisabledAcctGroupMembership\$user1.txt
$userGroups | %{get-adgroup $_ | Remove-ADGroupMember -confirm:$false -member $user1}
Write-Host The account for $ has been successfully disabled.
Write-Host Remember to configure a forwarding address!!!
if ($confirmation -ne 'y') {
Write-Host Aborting operation. No changes have been made.
$userGroups = $null
$user = $null
$user1 = $null