Solved

PowerShell Direct Reports with same Manager, grant full access to each other

Posted on 2011-10-26
Last Modified: 2012-05-12
EE User "stefor" provided this script, which grants Managers full mailbox access to their Direct Reports, and then also removes the auto-mapping of the mailboxes from opening in Outlook (we use an add-on in Outlook that allows a manager to open a mailbox instead of using Account settings) when the Managers open Outlook.

PowerShell:
$users = Get-User -ResultSize Unlimited
foreach ($user in $users)
{
    # Every user is treated as a potential manager; DirectReports holds the users whose Manager attribute points at this account
    $manUserDN = $user.DistinguishedName
    $directReports = @($user.DirectReports)
    if ($directReports -ne $Null)
    {
        foreach ($directReport in $directReports)
        {
            $drUserDN = $directReport.DistinguishedName
            # Grant the manager Full Access on the direct report's mailbox
            Add-MailboxPermission $drUserDN -User $manUserDN -AccessRights:FullAccess
            # Remove the manager's DN from msExchDelegateListLink on the DC the mailbox was read from,
            # so Outlook does not auto-map the report's mailbox into the manager's profile
            $Mailbox = Get-Mailbox $drUserDN
            $DomainController = $Mailbox.OriginatingServer
            $LDAPUser = [ADSI]"LDAP://$($DomainController)/$($Mailbox.DistinguishedName)"
            $LDAPUser.msExchDelegateListLink.Remove(((Get-Mailbox $manUserDN).DistinguishedName))
            $LDAPUser.SetInfo()
        }
    }
}



Can this script be modified so that, for each Direct Report who has the same Manager, the Direct Reports can also be granted access to each other's mailbox with full access, but not granted full access to their Managers? And also turn off auto-mapping (msExchDelegateListLink.Remove) to other Direct Reports for each Direct Report?
If Direct Reports have different managers, they shouldn't be able to open each other's Mailbox...

So basically if John is a Manager, and his direct reports are Jim and Pam, then John will have full access to Jim and Pam's, while Jim and Pam will also have access to each other's, but not to John's.
Question by:garryshape

Accepted Solution

by:
Jamie McKillop earned 2000 total points
ID: 37038491
Hello,

This should do what you want.

JJ
$users = Get-User -ResultSize Unlimited
foreach ($user in $users)
{
    # Every user is treated as a potential manager; DirectReports holds the users whose Manager attribute points at this account
    $manUserDN = $user.DistinguishedName
    $directReports = @($user.DirectReports)
    if ($directReports -ne $Null)
    {
        foreach ($directReport in $directReports)
        {
            $drUserDN = $directReport.DistinguishedName
            # Manager -> direct report: grant Full Access, then strip the auto-mapping link
            Add-MailboxPermission $drUserDN -User $manUserDN -AccessRights:FullAccess
            $Mailbox = Get-Mailbox $drUserDN
            $DomainController = $Mailbox.OriginatingServer
            $LDAPUser = [ADSI]"LDAP://$($DomainController)/$($Mailbox.DistinguishedName)"
            $LDAPUser.msExchDelegateListLink.Remove(((Get-Mailbox $manUserDN).DistinguishedName))
            $LDAPUser.SetInfo()

            # Direct report -> each other direct report of the same manager: same grant and same
            # auto-mapping removal. The manager is never in $directReports, so reports never get
            # access to the manager's mailbox.
            foreach ($directReport2 in $directReports)
            {
                $drUserDN2 = $directReport2.DistinguishedName
                if ($drUserDN2 -ne $drUserDN)
                {
                    Add-MailboxPermission $drUserDN -User $drUserDN2 -AccessRights:FullAccess
                    $Mailbox = Get-Mailbox $drUserDN
                    $DomainController = $Mailbox.OriginatingServer
                    $LDAPUser = [ADSI]"LDAP://$($DomainController)/$($Mailbox.DistinguishedName)"
                    $LDAPUser.msExchDelegateListLink.Remove(((Get-Mailbox $drUserDN2).DistinguishedName))
                    $LDAPUser.SetInfo()
                }
            }
        }
    }
}

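A defender's companion to the accepted script, added here and not part of the thread: given one manager, it lists every explicit FullAccess grant on the team's mailboxes that the "manager and same-manager peers only" rule does not explain, and flags any direct report who can open the manager's own mailbox. It assumes the Exchange 2010 Management Shell; the function name and the policy logic are this example's, not Exchange's.

```powershell
# Added audit example, not from the thread: for one manager, list every explicit
# FullAccess grant on the team's mailboxes that the "manager and same-manager
# peers only" rule does not explain, plus any direct report who can open the
# manager's own mailbox. Cmdlets are Exchange 2010 Management Shell; the function
# name and the policy logic are this example's, not Exchange's.
function Get-UnexpectedFullAccess {
    param([Parameter(Mandatory=$true)][string]$ManagerIdentity)

    $manager = Get-User $ManagerIdentity
    $reports = @($manager.DirectReports | ForEach-Object { Get-User $_.DistinguishedName })

    # Principals that may hold FullAccess on a report's mailbox, keyed by DN
    $allowedOnReport = @{}
    $allowedOnReport[$manager.DistinguishedName] = 'manager'
    $reportDNs = @{}
    foreach ($r in $reports) {
        $allowedOnReport[$r.DistinguishedName] = 'peer'
        $reportDNs[$r.DistinguishedName] = $true
    }

    # Explicit (non-inherited, non-deny) FullAccess entries, excluding the owner's own SELF entry
    $explicitFullAccess = {
        param($mailboxDN)
        Get-MailboxPermission $mailboxDN -ErrorAction SilentlyContinue | Where-Object {
            -not $_.IsInherited -and -not $_.Deny -and
            $_.AccessRights -contains 'FullAccess' -and
            $_.User.ToString() -ne 'NT AUTHORITY\SELF'
        }
    }

    foreach ($report in $reports) {
        foreach ($ace in @(& $explicitFullAccess $report.DistinguishedName)) {
            # Resolve DOMAIN\sam back to a user object so it can be compared by DN
            $grantee = Get-User $ace.User.ToString() -ErrorAction SilentlyContinue
            if ($grantee -and $allowedOnReport.ContainsKey($grantee.DistinguishedName)) { continue }
            $finding = 'FullAccess held by someone outside the team'
            if (-not $grantee) { $finding = 'grantee could not be resolved to a user' }
            New-Object PSObject -Property @{ Mailbox = $report.Name; Grantee = $ace.User.ToString(); Finding = $finding }
        }
    }

    # The reverse direction the question rules out: a report opening the manager's mailbox
    foreach ($ace in @(& $explicitFullAccess $manager.DistinguishedName)) {
        $grantee = Get-User $ace.User.ToString() -ErrorAction SilentlyContinue
        if ($grantee -and $reportDNs.ContainsKey($grantee.DistinguishedName)) {
            New-Object PSObject -Property @{ Mailbox = $manager.Name; Grantee = $ace.User.ToString(); Finding = 'direct report has FullAccess on manager mailbox' }
        }
    }
}

# Example run (the identity is a placeholder): Get-UnexpectedFullAccess -ManagerIdentity 'manager-sam-account' | Format-Table -AutoSize
```

Run it against the same manager account the grant script was run against; an empty result means every explicit FullAccess entry on the team's mailboxes is accounted for by the manager/peer rule.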
Author Comment

by:garryshape
ID: 37047877
Thanks for the feedback. I haven't tried it yet.

I wanted to try it with a single user, so I changed the first line to:
$users = get-user username (where I used my username)

and then proceed to run the script.

However, checking my mailbox permissions after running the script, my manager doesn't appear to be listed in there with Full Access.

Is the change I made incompatible with the rest of your script?
Author Comment

by:garryshape
ID: 37047997
# $users = get-user -resultsize unlimited
$users = get-user jquile
foreach ($user in $users)
{
        $manUserDN = $user.DistinguishedName

Is $manUserDN supposed to be the distinguished name of the user's "Manager"? It appears to be just the user's distinguished name.
Author Comment

by:garryshape
ID: 37048208
Ok I think there's something I'm doing wrong, or PowerShell cannot do.

I can echo a manager's direct reports if I do the following:
$manager = get-user [ManagerAccountName]
echo $manager.directReports

All the employee names who are Direct Reports show up.


But I cannot echo the Direct Reports if I set the variable and echo using the following steps:
$employee = get-user [TestEmployeeName]
$manager = $employee.Manager
$managerDN = $Manager.DistinguishedName
# AT THIS POINT, I CAN "echo $managerDN" and see my manager's name. But in the next steps, I cannot echo my Manager's directReports
echo $managerDN.directReports


It just returns a line and nothing shows up.
Author Comment

by:garryshape
ID: 37048364
Ok I think I'm thinking in reverse here.

Let me try running the code with get-user and my manager's account.
Author Comment

by:garryshape
ID: 37048376
Well no wonder I didn't get it.
I was testing the script with my account (non-manager), expecting that it would find my manager and then process the permissions accordingly.
Just realized how dumb I was, and re-tested the script this time against my Manager's account, and it processed just fine.
Thanks for your help