backup and delete google workspace users
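# GAM Advanced and GYB must be installed in your environment, set up as company admin, and added to the PATH.
# GAM Advanced: https://github.com/taers232c/GAMADV-XTD3
# GYB: https://github.com/GAM-team/got-your-back

# Query the users in the suspended OU and set up the initial variables.
# Note: the OU queried here only holds disabled users. If your disabled users are spread
# across several OUs you might want to also check for 'isSuspended'.
# users.csv (and the HTML report written below) contain directory data and stay in the
# working directory after the run; keep that directory access-restricted.
gam print users query "orgUnitPath='/path/to/ou'" lastlogintime > users.csv
if ($LASTEXITCODE -ne 0) {
    # A failed export leaves an empty or partial users.csv; do not classify accounts from it.
    # Assumes gam returns a non-zero exit code on failure - confirm for your version.
    Write-Host "gam print users failed (exit code $LASTEXITCODE); nothing was classified."
    Exit 1
}

$users = Import-csv -path "users.csv"
$90DaysAgo = (Get-Date).AddDays(-90)
$backupemail = "backupuser@company.com"
$continue = $false
$messagebody = "test email please ignore"

# Parse and classify each user's last login date: more than 90 days ago means ToDelete = $true.
foreach ($user in $users) {
    $lastLogin = [DateTime]::MinValue
    if ([DateTime]::TryParse($user.lastLoginTime, [ref]$lastLogin)) {
        $isStale = $lastLogin -lt $90DaysAgo
    }
    else {
        # [DateTime]::Parse would throw here and the script would carry on with the date
        # of the previous user, so an unreadable value could flag the wrong account.
        # Fail closed instead: never mark an account for deletion on a date we cannot read.
        Write-Host "Cannot parse lastLoginTime '$($user.lastLoginTime)' for $($user.primaryEmail); not flagged, review manually."
        $isStale = $false
    }
    $user | Add-Member -MemberType NoteProperty -Name "ToDelete" -Value $isStale
}

# Email formatting: from here on $users only holds the accounts flagged for deletion.
# @() keeps $users an array even when zero or one account matches.
$users = @($users | Where-Object { $_.ToDelete -eq $true } | Select-Object primaryEmail, lastLoginTime, organizations.0.department, organizations.0.title, ToDelete)
$htmlTable = $users | ConvertTo-Html -Property primaryEmail, lastLoginTime, organizations.0.department, organizations.0.title, ToDelete
$messageBody += "<br><br>" # Adding line breaks for separation
$messageBody += $htmlTable
$messagebody | Out-File -FilePath "emailtosend.html" -Encoding UTF8
$htmlContent = "emailtosend.html"

# Send email command.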
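gam sendemail to "myemailorsupervisor@company.com" subject "test gam email" htmlfile $htmlContent charset utf-8

# Out-Host renders the table immediately. Without it the formatted output can be shown
# after the Read-Host prompt, and the operator would confirm a list they have not seen.
$users | Select-Object primaryEmail, ToDelete | Format-Table | Out-Host

# Manual check before continuing.
while ($continue -eq $false) {
    $con = Read-host -prompt "If the table above looks correct Enter 'yes' To continue or 'no' to exit"
    if ($con -eq "yes") {
        $continue = $true
    }
    elseif ($con -eq "no") {
        Write-Host "Script Canceled Manually"
        Exit 1
    }
}

# Accounts for which any preservation step failed, keyed by primaryEmail. Deletion is
# irreversible from this script's point of view, so these accounts are never deleted.
# Assumes gam and gyb return a non-zero exit code on failure - confirm for your versions.
$failed = @{}

# Back up Google Drive by transferring ownership to the backup account.
foreach ($user in $users) {
    if ($user.ToDelete -eq $true) {
        # "shared,private" is quoted: unquoted, PowerShell treats the comma as the array
        # operator and may hand the two values to gam as separate arguments.
        gam create datatransfer $user.primaryEmail gdrive $backupemail privacy_level "shared,private"
        if ($LASTEXITCODE -ne 0) {
            $failed[$user.primaryEmail] = "drive transfer request"
        }
    }
}

# Download emails. WARNING: this downloads the mailboxes to your computer and this script
# does not delete them afterwards. The folders hold full mail content: keep them on
# protected storage and remove them once the restore has been verified.
foreach ($user in $users) {
    if ($user.ToDelete -eq $true -and -not $failed.ContainsKey($user.primaryEmail)) {
        # You can change the search criteria to whatever you want; remove --search to back up everything.
        gyb --email $user.primaryEmail --service-account --action backup --local-folder "$($user.primaryEmail)" --search "to:me OR cc:me OR bcc:me OR label:sent"
        if ($LASTEXITCODE -ne 0) {
            $failed[$user.primaryEmail] = "mail backup"
        }
    }
}

# Upload emails. This part takes ages as it only does 15 emails concurrently or just a single big email.
foreach ($user in $users) {
    if ($user.ToDelete -eq $true -and -not $failed.ContainsKey($user.primaryEmail)) {
        gyb --email $backupemail --service-account --action restore --local-folder "$($user.primaryEmail)" --strip-labels --label-restored $user.primaryEmail
        if ($LASTEXITCODE -ne 0) {
            $failed[$user.primaryEmail] = "mail restore"
        }
    }
}

# Delete the user in Google, but only when every preservation step above succeeded.
# NOTE(review): "gam create datatransfer" presumably only queues the Drive transfer.
# Confirm the transfers have completed (Admin console or GAM's data transfer listing)
# before letting this loop run on accounts with data you need to keep.
foreach ($user in $users) {
    if ($user.ToDelete -eq $true) {
        if ($failed.ContainsKey($user.primaryEmail)) {
            Write-Host "NOT deleting $($user.primaryEmail): $($failed[$user.primaryEmail]) failed."
            continue
        }
        gam delete user $user.primaryEmail
        if ($LASTEXITCODE -ne 0) {
            $failed[$user.primaryEmail] = "google delete"
            Write-Host "gam delete user failed for $($user.primaryEmail)."
        }
    }
}

if ($failed.Count -gt 0) {
    # Any AD clean-up that follows must leave these accounts alone as well.
    Write-Host "Accounts left in place because a step failed:"
    $failed.GetEnumerator() | ForEach-Object { Write-Host "  $($_.Key) ($($_.Value))" }
}

$continue = $false
while ($continue -eq $false) {
    $con = Read-host -prompt "Delete AD users too?"
    if ($con -eq "yes") {
        $continue = $true
    }
    elseif ($con -eq "no") {
        Write-Host "Script Canceled Manually"
        Exit 1
    }
}

# Uncomment this if you want to call the AD user delete script from within this one.
#Write-Host "Enter Domain Admin Credentials"
#Start-Process powershell "bulkADuserdelete.ps1" -Credential (Get-Credential)
# You can save your creds in an encrypted file too if you prefer that; never store them
# in plain text or in the script, and restrict the file to the operator's account.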
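# I should make the following block a function, but in my environment it is a different script. Uncomment or paste into another ps1 to use.
<#
# users.csv holds every account the GAM query returned, not only the ones that were
# flagged for deletion, so the 90-day rule is applied again here. Without it this loop
# would remove the AD account of every user in the file.
# NOTE(review): this still cannot tell whether the Google account was actually deleted;
# check the list against the Google run before removing -WhatIf.
$users = Import-csv -path "users.csv"
$cutoff = (Get-Date).AddDays(-90)
foreach ($user in $users) {
    $lastLogin = [DateTime]::MinValue
    if (-not [DateTime]::TryParse($user.lastLoginTime, [ref]$lastLogin)) {
        Write-Host "Skipping $($user.primaryEmail): cannot parse lastLoginTime."
        continue
    }
    if ($lastLogin -ge $cutoff) {
        continue
    }
    # The pattern is anchored and the dot escaped so only the real domain suffix is
    # stripped; addresses from any other domain are skipped instead of being looked up.
    if ($user.primaryEmail -notmatch '@company\.com$') {
        Write-Host "Skipping $($user.primaryEmail): not in the expected domain."
        continue
    }
    # This implies that the user name format is the same in Gmail and in AD (e.g. First.Last or FLast).
    # If they are different you may need another filter.
    $SamAccountName = $user.primaryEmail -replace '@company\.com$', ''
    write-Host "Deleting $SamAccountName"
    $AdUser = Get-ADUser -Filter {SamAccountName -eq $SamAccountName}
    if ($null -ne $AdUser) {
        # -Confirm:$false suppresses the per-user prompt; -WhatIf keeps this a dry run.
        Remove-ADuser -Identity $AdUser -Confirm:$false -WhatIf # remove -WhatIf when ready.
        Write-Host "deleting $($AdUser.SamAccountName)"
    }
}
#>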