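# Active Directory Onboarding Automation - Sanitized Portfolio Sample
# This sample uses placeholder domain and path values. Review and test in a lab
# before adapting it to any production environment.
#
# Security notes for anyone adapting this script:
#   * Temporary passwords are written in clear text to the output CSV. The output
#     folder is ACL-restricted to the running account before anything is written,
#     but the file must still be treated as a secret: hand it over through a
#     secure channel and delete it afterwards.
#   * New accounts are created with ChangePasswordAtLogon, so the recorded
#     temporary value is single-use.
#   * Group membership is copied from a template user. Groups marked adminCount=1
#     (protected/privileged groups) are skipped with a warning so that a
#     privileged template cannot silently mint another privileged account.

Import-Module ActiveDirectory -ErrorAction Stop

function New-RandomPassword {
    <#
    .SYNOPSIS
        Generates a temporary password from a cryptographically secure RNG.
    .DESCRIPTION
        Get-Random is not a CSPRNG and must not be used for credentials. This
        draws bytes from System.Security.Cryptography.RandomNumberGenerator and
        uses rejection sampling so each character is selected uniformly from the
        alphabet. The result is regenerated until it contains a lowercase letter,
        an uppercase letter, a digit and a symbol, which satisfies the default
        AD "three of four character classes" complexity rule.
    .PARAMETER Length
        Number of characters to generate (8-128). Defaults to 14.
    .OUTPUTS
        System.String
    #>
    param (
        [ValidateRange(8, 128)]
        [int]$Length = 14
    )

    # Single-quoted on purpose: nothing in the alphabet should be interpolated.
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()'
    # Largest multiple of the alphabet size that fits in one byte; bytes at or
    # above it are discarded so that "byte mod size" carries no modulo bias.
    $rejectAbove = 256 - (256 % $alphabet.Length)

    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $oneByte = New-Object byte[] 1
        do {
            $chars = New-Object char[] $Length
            for ($i = 0; $i -lt $Length; $i++) {
                do { $rng.GetBytes($oneByte) } while ($oneByte[0] -ge $rejectAbove)
                $chars[$i] = $alphabet[$oneByte[0] % $alphabet.Length]
            }
            $candidate = -join $chars
        } while (-not ($candidate -cmatch '[a-z]' -and $candidate -cmatch '[A-Z]' -and
                       $candidate -match '[0-9]' -and $candidate -match '[^A-Za-z0-9]'))
        return $candidate
    }
    finally {
        $rng.Dispose()
    }
}

function Get-OUByOffice {
    <#
    .SYNOPSIS
        Resolves an office name to the distinguished name of the OU with that name.
    .PARAMETER Office
        Office name, matched exactly against the OU's Name attribute.
    .OUTPUTS
        System.String (the DistinguishedName), or $null when no OU matches.
    #>
    param (
        [Parameter(Mandatory)]
        [string]$Office
    )

    # The filter is single-quoted so PowerShell does not interpolate $Office.
    # The AD cmdlet resolves the variable itself and treats the value as an
    # opaque operand, so quotes or wildcard characters in the office name
    # cannot change the shape of the query (no hand-rolled escaping needed).
    $ou = Get-ADOrganizationalUnit -Filter 'Name -eq $Office' | Select-Object -First 1
    if ($null -eq $ou) {
        return $null
    }
    return $ou.DistinguishedName
}

function New-OnboardingUser {
    <#
    .SYNOPSIS
        Creates one AD user modelled on a template account and appends the
        temporary credential to a CSV file.
    .DESCRIPTION
        The username is "<first>.<last>" in lower case, built from the first and
        last whitespace-separated parts of FullName. Department and group
        membership are copied from -CopyFromUser, or from the first enabled user
        whose Title equals -JobTitle. The account is created enabled, in the OU
        named after -Office, and must change its password at first logon.
        Every precondition failure is reported with Write-Warning and the
        function returns without creating anything.
    .PARAMETER FullName
        Display name; must contain at least a first and a last name.
    .PARAMETER JobTitle
        Title/Description for the new user and, when -CopyFromUser is blank,
        the Title used to locate a template user.
    .PARAMETER CopyFromUser
        Identity of an existing user whose Department and groups are copied.
    .PARAMETER ManagerFullName
        Name of the manager; set on the account when it resolves to a user.
    .PARAMETER Office
        Office attribute value; also selects the destination OU (Get-OUByOffice).
    .PARAMETER OutputCsv
        Path of the CSV that receives a Username/TemporaryPassword/Enabled row.
    #>
    param (
        [Parameter(Mandatory)]
        [string]$FullName,
        [string]$JobTitle,
        [string]$CopyFromUser,
        [string]$ManagerFullName,
        [Parameter(Mandatory)]
        [string]$Office,
        [Parameter(Mandatory)]
        [string]$OutputCsv
    )

    $nameParts = $FullName.Trim().Split(' ', [System.StringSplitOptions]::RemoveEmptyEntries)
    if ($nameParts.Length -lt 2) {
        Write-Warning "Skipping '$FullName'. Enter at least a first and last name."
        return
    }

    $firstName = $nameParts[0]
    $lastName = $nameParts[-1]
    $username = "$firstName.$lastName".ToLower()
    $userPrincipalName = "$username@example.local"

    # sAMAccountName is limited to 20 characters; checking here avoids running
    # all the lookups below only to have New-ADUser reject the name.
    if ($username.Length -gt 20) {
        Write-Warning "Skipping '$FullName'. Username '$username' exceeds the 20-character sAMAccountName limit."
        return
    }

    # Refuse a collision up front instead of letting New-ADUser fail half-way
    # and then adding groups / writing a CSV row for a user that was not created.
    $existing = Get-ADUser -Filter 'SamAccountName -eq $username' -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Warning "Skipping '$FullName'. An account named '$username' already exists."
        return
    }

    $managerDn = $null
    if (-not [string]::IsNullOrWhiteSpace($ManagerFullName)) {
        # Single-quoted filter: the AD cmdlet resolves $ManagerFullName itself
        # (see Get-OUByOffice), so no quote escaping is required.
        $manager = Get-ADUser -Filter 'Name -eq $ManagerFullName' -Properties DistinguishedName |
            Select-Object -First 1
        if ($manager) {
            $managerDn = $manager.DistinguishedName
        }
        else {
            Write-Warning "Manager '$ManagerFullName' not found; creating '$username' without a manager."
        }
    }

    $templateUser = $null
    try {
        if (-not [string]::IsNullOrWhiteSpace($CopyFromUser)) {
            $templateUser = Get-ADUser -Identity $CopyFromUser -Properties MemberOf, Department -ErrorAction Stop
        }
        elseif (-not [string]::IsNullOrWhiteSpace($JobTitle)) {
            $templateUser = Get-ADUser -Filter { Title -eq $JobTitle -and Enabled -eq $true } -Properties MemberOf, Department |
                Select-Object -First 1
        }
    }
    catch {
        Write-Warning "Template lookup for '$CopyFromUser' failed: $($_.Exception.Message)"
        return
    }
    if ($null -eq $templateUser) {
        Write-Warning "No enabled template user found for '$JobTitle' or '$CopyFromUser'."
        return
    }

    $targetOu = Get-OUByOffice -Office $Office
    if ($null -eq $targetOu) {
        Write-Warning "No OU found for office location '$Office'."
        return
    }

    $temporaryPassword = New-RandomPassword
    $securePassword = ConvertTo-SecureString $temporaryPassword -AsPlainText -Force

    # Splatting lets optional attributes be omitted when blank instead of being
    # written as empty strings.
    $newUser = @{
        Name                  = $FullName
        GivenName             = $firstName
        Surname               = $lastName
        SamAccountName        = $username
        UserPrincipalName     = $userPrincipalName
        DisplayName           = $FullName
        Office                = $Office
        Path                  = $targetOu
        AccountPassword       = $securePassword
        Enabled               = $true
        # The CSV value is a one-time bootstrap credential, never a standing one.
        ChangePasswordAtLogon = $true
        ErrorAction           = 'Stop'
    }
    if (-not [string]::IsNullOrWhiteSpace($JobTitle)) {
        $newUser.Title = $JobTitle
        $newUser.Description = $JobTitle
    }
    if (-not [string]::IsNullOrWhiteSpace($templateUser.Department)) {
        $newUser.Department = $templateUser.Department
    }
    if ($managerDn) {
        $newUser.Manager = $managerDn
    }

    try {
        New-ADUser @newUser
    }
    catch {
        Write-Warning "Failed to create '$username': $($_.Exception.Message)"
        return
    }

    foreach ($groupDn in @($templateUser.MemberOf)) {
        # Domain Users is the primary group (membership is implicit, Add-ADGroupMember
        # would fail). LIC-* groups are excluded as in the original; presumably
        # licensing groups assigned elsewhere - confirm with the owning team.
        if ($groupDn -match 'CN=Domain Users,' -or $groupDn -match 'LIC-') {
            continue
        }
        try {
            $group = Get-ADGroup -Identity $groupDn -Properties adminCount -ErrorAction Stop
            # Protected groups (Domain Admins, Account Operators, ...) carry
            # adminCount=1. Copying them would make an onboarding account
            # privileged as a side effect of the template choice, so they
            # require a deliberate, separate decision.
            if ($group.adminCount -eq 1) {
                Write-Warning "Not adding '$username' to protected group '$($group.Name)' copied from the template. Grant it explicitly if it is really required."
                continue
            }
            Add-ADGroupMember -Identity $groupDn -Members $username -ErrorAction Stop
        }
        catch {
            Write-Warning "Could not add '$username' to '$groupDn': $($_.Exception.Message)"
        }
    }

    [PSCustomObject]@{
        Username          = $username
        TemporaryPassword = $temporaryPassword
        Enabled           = $true
    } | Export-Csv -Path $OutputCsv -Append -NoTypeInformation

    Write-Output "Created AD user '$username'."
}

function Protect-CredentialDirectory {
    <#
    .SYNOPSIS
        Restricts the NTFS ACL of the output folder to the running account.
    .DESCRIPTION
        The folder receives CSV files containing clear-text temporary passwords.
        Inheritance from the parent is broken and every existing entry removed,
        then a single FullControl entry for the current user is added (inherited
        by files created inside). Applied before any CSV is written so the files
        never exist with a permissive ACL. Failure is reported as a warning
        rather than aborting, so the operator can decide how to proceed.
    .PARAMETER Path
        Directory to protect; must already exist.
    #>
    param (
        [Parameter(Mandatory)]
        [string]$Path
    )

    try {
        $acl = Get-Acl -Path $Path
        # Stop inheriting from the parent (a folder under C:\ typically lets
        # BUILTIN\Users read it) and drop any explicit entries that remain.
        $acl.SetAccessRuleProtection($true, $false)
        foreach ($rule in @($acl.Access)) {
            [void]$acl.RemoveAccessRule($rule)
        }
        $owner = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
        $fullControl = New-Object System.Security.AccessControl.FileSystemAccessRule($owner, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($fullControl)
        Set-Acl -Path $Path -AclObject $acl
    }
    catch {
        Write-Warning "Could not restrict permissions on '$Path': $($_.Exception.Message). Credential CSVs there will be readable by anyone who can read that folder."
    }
}

# ---------------------------------------------------------------------------
# Script entry point: prompt for the batch, create users, then re-read the
# CSV and confirm each account's Enabled state directly from AD.
# ---------------------------------------------------------------------------
$outputDirectory = 'C:\LabOutput'
# Export-Csv does not create missing directories; lock the folder down before
# the first credential is written into it.
New-Item -ItemType Directory -Path $outputDirectory -Force | Out-Null
Protect-CredentialDirectory -Path $outputDirectory

$counter = 1
$csvFile = Join-Path $outputDirectory 'User_Credentials.csv'
while (Test-Path $csvFile) {
    $counter++
    $csvFile = Join-Path $outputDirectory "User_Credentials_$counter.csv"
}

$fullNames = Read-Host -Prompt "Enter full names separated by commas, or type 'exit' to quit"
if ($fullNames -ne 'exit') {
    $jobTitle = Read-Host -Prompt "Enter job title, or leave blank if copying from a user"
    $copyFromUser = Read-Host -Prompt "Enter username to copy from, or leave blank to use job title"
    $managerFullName = Read-Host -Prompt "Enter manager full name, or leave blank"
    $office = Read-Host -Prompt "Enter office location"

    # A trailing or doubled comma would otherwise hit the Mandatory check on
    # -FullName with an empty string and abort the whole batch.
    $names = $fullNames.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($name in $names) {
        New-OnboardingUser `
            -FullName $name `
            -JobTitle $jobTitle `
            -CopyFromUser $copyFromUser `
            -ManagerFullName $managerFullName `
            -Office $office `
            -OutputCsv $csvFile
    }
}

# The CSV only exists if at least one user was created; Import-Csv on a
# missing path would otherwise end the run with an error.
if (Test-Path $csvFile) {
    $createdUsers = @(Import-Csv -Path $csvFile)
    foreach ($user in $createdUsers) {
        $adUser = Get-ADUser -Identity $user.Username
        $user.Enabled = $adUser.Enabled
    }
    $createdUsers | Export-Csv -Path $csvFile -NoTypeInformation
    Write-Output "User status validation complete. Output written to $csvFile."
}
else {
    Write-Output "No users were created; nothing to validate."
}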