Merge pull request #1508 from edwardchalstrey1/automate-acct-deletion

Add script to automate account deletion

deployment/administration/SHM_Delete_Unassigned_Users.ps1

@@ -0,0 +1,33 @@
+param(
+    [Parameter(Mandatory = $true, HelpMessage = "Enter SHM ID (e.g. use 'testa' for Turing Development Safe Haven A)")]
+    [string]$shmId,
+    [Parameter(Mandatory = $false, HelpMessage = "No-op mode which will not remove anything")]
+    [Switch]$dryRun
+)
+
+Import-Module Az.Accounts -ErrorAction Stop
+Import-Module $PSScriptRoot/../common/AzureCompute -Force -ErrorAction Stop
+Import-Module $PSScriptRoot/../common/Configuration -Force -ErrorAction Stop
+Import-Module $PSScriptRoot/../common/Logging -Force -ErrorAction Stop
+
+# Get config
+# -------------------------------
+$config = Get-ShmConfig -shmId $shmId
+$originalContext = Get-AzContext
+
+# Delete users not currently in a security group
+# ----------------------------------------------
+$null = Set-AzContext -SubscriptionId $config.subscriptionName -ErrorAction Stop
+$script = "remote/Delete_Unassigned_Users.ps1"
+
+# Passing a param to a remote script requires it to be a string
+if ($dryRun.IsPresent) {
+    Add-LogMessage -Level Info "Listing users not assigned to any security group from $($config.dc.vmName)..."
+    $params = @{dryRun = "yes" }
+} else {
+    Add-LogMessage -Level Info "Deleting users not assigned to any security group from $($config.dc.vmName)..."
+    $params = @{dryRun = "no" }
+}
+$result = Invoke-RemoteScript -Shell "PowerShell" -ScriptPath $script -VMName $config.dc.vmName -ResourceGroupName $config.dc.rg -Parameter $params
+
+$null = Set-AzContext -Context $originalContext -ErrorAction Stop

deployment/administration/remote/Delete_Unassigned_Users.ps1

@@ -0,0 +1,33 @@
+param(
+    [Parameter(Mandatory = $true, HelpMessage = "yes/no determines whether users should actually be deleted")]
+    [string]$dryRun
+)
+
+# Extract list of users
+$userOuPath = (Get-ADObject -Filter * | Where-Object { $_.Name -eq "Safe Haven Research Users" }).DistinguishedName
+$users = Get-ADUser -Filter * -SearchBase "$userOuPath" -Properties *
+foreach ($user in $users) {
+    $groupName = ($user | Select-Object -ExpandProperty MemberOf | ForEach-Object { (($_ -Split ",")[0] -Split "=")[1] }) -join "|"
+    if (!($groupName)) {
+        $name = $user.SamAccountName
+        if ($dryRun -eq "yes") {
+            Write-Output "User $name would be deleted by this action"
+        } else {
+            Write-Output "Deleting $name"
+            Remove-ADUser -Identity $name -Confirm:$false
+        }
+    }
+}
+
+# Force sync with AzureAD. It will still take around 5 minutes for changes to propagate
+if ($dryRun -eq "no") {
+    Write-Output "Synchronising locally Active Directory with Azure"
+    try {
+        Import-Module -Name "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync" -ErrorAction Stop
+        Start-ADSyncSyncCycle -PolicyType Delta
+    } catch [System.IO.FileNotFoundException] {
+        Write-Output "Skipping as Azure AD Sync is not installed"
+    } catch {
+        Write-Output "Unable to run Azure Active Directory synchronisation!"
+    }
+}

docs/source/roles/system_manager/manage_users.md

@@ -137,6 +137,14 @@ The `DC1` is the source of truth for user details. If these details need to be c
     - Click on `Users` under `Manage` and search for the user
     - Confirm the user is no longer present
 
+### {{x}} Automatically deleting all unassigned users
+
+In some situations, such as at the end of a project after an SRE has been torn down, you may want to remove all users from the SHM who are not assigned to the security group of any remaining attached SREs.
+
+- Ensure you have the same version of the Data Safe Haven repository as was used by your deployment team
+- Open a `Powershell` terminal and navigate to the `deployment/administration` directory within the Data Safe Haven repository
+- Run `./SHM_Delete_Unassigned_Users.ps1 -shmId <SHM ID>` (use the `-dryRun` flag to see who would get deleted with out performing the deletion)
+
 ## {{calling}} Assign MFA licences
 
 ### {{hand}} Manually add licence to each user