Solved

Joint results from Powershell script

Posted on 2014-03-10
Last Modified: 2014-03-18
Hello,

I want to export and import Send-As and Full Access rights from user mailboxes. Because we are moving to a new forest and there is no trust involved, I am trying to export this with a PowerShell script.

The script I have is as follows:

$OutFile = "C:\Export\PermissionExport.txt"
"DisplayName" + "," + "Firstname" + "," + "Lastname" + "," + "Alias" + "," + "Full Access" + "," + "Send As" | Out-File $OutFile -Force
 
$Mailboxes = Get-Mailbox -ResultSize:Unlimited | Where {$_.HiddenFromAddressListsEnabled -eq $false} | Select Identity, Alias, DisplayName, DistinguishedName
ForEach ($Mailbox in $Mailboxes) {
	$SendAs = Get-ADPermission $Mailbox.DistinguishedName | ? {$_.ExtendedRights -like "Send-As" -and $_.User -notlike "NT AUTHORITY\SELF" -and !$_.IsInherited} | % {$_.User}
	$FullAccess = Get-MailboxPermission $Mailbox.Identity | ? {$_.AccessRights -eq "FullAccess" -and !$_.IsInherited} | % {$_.User}
 	$Firstname = Get-User $Mailbox.DistinguishedName | Select-Object FirstName
	$Lastname = Get-User $Mailbox.Identity | Select-Object LastName
	$Mailbox.DisplayName + "," + $Firstname  + "," + $Lastname  + "," + $Mailbox.Alias + "," + $FullAccess + "," + $SendAs | Out-File $OutFile -Append
}

Because in the new environment the SAMAccount and UPN are going to change, I need the Firstname and Lastname from each user. With Excel I can combine several fields to match for the import.

I already succeeded in getting the first and last name of the user stated in the DisplayName field; now I need the first and last name of the users with Send-As and Full Access permissions. This is the part where I am failing, and somehow I cannot combine them.

I think I have to create a new variable, and use it somehow like this:

$FullAccessFN = Get-User $FullAccess | Select-Object FirstName
$FullAccessLN = Get-User $FullAccess | Select-Object LastName

But when I use the code I wrote above it just returns empty fields (of course I am editing the Out-File lines with the extra output).

If my powershell script is the wrong approach to accomplish this, please point me in the right direction.

Thanks in advance,
Best,
Question by:offextlmo

Expert Comment

by:chriskelk
ID: 39917909
As $FullAccess will return multiple results, you'll need to do each one separately.  If you look at the $FullAccess results, the username is in a property called RawIdentity.  So the following should help:

foreach ($fullaccessuser in $fullaccess)
{
$FullAccessFN=(get-user $fullaccessuser.rawidentity).FirstName
$FullAccessLN=(get-user $fullaccessuser.rawidentity).LastName
$Mailbox.DisplayName + "," + $Firstname  + "," + $Lastname  + "," + $Mailbox.Alias + "," + $FullAccessFN + "," + $FullAccessLN| Out-File $OutFile -Append
}

Then repeat for $SendAs, to get the Send-As list

Author Comment

by:offextlmo
ID: 39921370
I tried combining them but it does not seem to work. This is how my code is now:

$OutFile = "C:\Export\PermissionExport.txt"
"DisplayName" + "," + "Firstname" + "," + "Lastname" + "," + "Alias" + "," + "Full Access" + "," + " FullAccessFN" + "," + "FullAccessLN" + "," + "Send As" | Out-File $OutFile -Force
 
$Mailboxes = Get-Mailbox -ResultSize:Unlimited | Where {$_.HiddenFromAddressListsEnabled -eq $false} | Select Identity, Alias, DisplayName, DistinguishedName
ForEach ($Mailbox in $Mailboxes) {
	$SendAs = Get-ADPermission $Mailbox.DistinguishedName | ? {$_.ExtendedRights -like "Send-As" -and $_.User -notlike "NT AUTHORITY\SELF" -and !$_.IsInherited} | % {$_.User}
	$FullAccess = Get-MailboxPermission $Mailbox.Identity | ? {$_.AccessRights -eq "FullAccess" -and !$_.IsInherited} | % {$_.User}
 	$Firstname = Get-User $Mailbox.DistinguishedName | Select-Object FirstName
	$Lastname = Get-User $Mailbox.Identity | Select-Object LastName	
}
foreach ($fullaccessuser in $fullaccess){
	$FullAccessFN=(get-user $fullaccessuser.rawidentity).FirstName
	$FullAccessLN=(get-user $fullaccessuser.rawidentity).LastName
	$Mailbox.DisplayName + "," + $Firstname  + "," + $Lastname  + "," + $Mailbox.Alias + "," + $FullAccess + "," + $FullAccessFN + "," + $FullAccessLN + "," + $SendAs | Out-File $OutFile -Append
} 

Any ideas?

Expert Comment

by:chriskelk
ID: 39922972
You need to put the second foreach loop inside the first, so:

$OutFile = "C:\Export\PermissionExport.txt"
"DisplayName" + "," + "Firstname" + "," + "Lastname" + "," + "Alias" + "," + "Full Access" + "," + " FullAccessFN" + "," + "FullAccessLN" + "," + "Send As" | Out-File $OutFile -Force
 
$Mailboxes = Get-Mailbox -ResultSize:Unlimited | Where {$_.HiddenFromAddressListsEnabled -eq $false} | Select Identity, Alias, DisplayName, DistinguishedName
ForEach ($Mailbox in $Mailboxes) {
	$SendAs = Get-ADPermission $Mailbox.DistinguishedName | ? {$_.ExtendedRights -like "Send-As" -and $_.User -notlike "NT AUTHORITY\SELF" -and !$_.IsInherited} | % {$_.User}
	$FullAccess = Get-MailboxPermission $Mailbox.Identity | ? {$_.AccessRights -eq "FullAccess" -and !$_.IsInherited} | % {$_.User}
 	$Firstname = Get-User $Mailbox.DistinguishedName | Select-Object FirstName
	$Lastname = Get-User $Mailbox.Identity | Select-Object LastName	
foreach ($fullaccessuser in $fullaccess){
	$FullAccessFN=(get-user $fullaccessuser.rawidentity).FirstName
	$FullAccessLN=(get-user $fullaccessuser.rawidentity).LastName
	$Mailbox.DisplayName + "," + $Firstname  + "," + $Lastname  + "," + $Mailbox.Alias + "," + $FullAccess + "," + $FullAccessFN + "," + $FullAccessLN + "," + $SendAs | Out-File $OutFile -Append
}
}

Author Comment

by:offextlmo
ID: 39928716
When I run the script it does not return any value in the $FullAccessFN and $FullAccessLN fields. When I run this part of the script:
(get-user $fullaccessuser.rawidentity).FirstName

it also gives no result. I changed the line to

Get-User $fullaccessuser.rawidentity | Select-Object FirstName

This gives me all the results I needed, but when I combine it in the script it only gives me a lot of spaces and no result.

$OutFile = "C:\Export\PermissionExport.txt"
"DisplayName" + "," + "Firstname" + "," + "Lastname" + "," + "Alias" + "," + "Full Access" + "," + " FullAccessFN" + "," + "FullAccessLN" + "," + "Send As" | Out-File $OutFile -Force
 
$Mailboxes = Get-Mailbox -ResultSize:Unlimited | Where {$_.HiddenFromAddressListsEnabled -eq $false} | Select Identity, Alias, DisplayName, DistinguishedName
ForEach ($Mailbox in $Mailboxes) {
	$SendAs = Get-ADPermission $Mailbox.DistinguishedName | ? {$_.ExtendedRights -like "Send-As" -and $_.User -notlike "NT AUTHORITY\SELF" -and !$_.IsInherited} | % {$_.User}
	$FullAccess = Get-MailboxPermission $Mailbox.Identity | ? {$_.AccessRights -eq "FullAccess" -and !$_.IsInherited} | % {$_.User}
 	$Firstname = Get-User $Mailbox.DistinguishedName | Select-Object FirstName
	$Lastname = Get-User $Mailbox.Identity | Select-Object LastName	
foreach ($fullaccessuser in $fullaccess){
	$FullAccessFN = Get-User $fullaccessuser.rawidentity | Select-Object FirstName
	$FullAccessLN = get-user $fullaccessuser.rawidentity | Select-Object LastName
	$Mailbox.DisplayName + "," + $Firstname  + "," + $Lastname  + "," + $Mailbox.Alias + "," + $FullAccess + "," + $fullaccessuser.FullAccessFN + "," + $fullaccessuser.FullAccessLN + "," + $SendAs | Out-File $OutFile -Append
}
} 

Any idea why it is not returning values in the combined script?

Accepted Solution

by:chriskelk
ID: 39928802
Try this

$OutFile = "C:\Export\PermissionExport.txt"
"DisplayName" + "," + "Firstname" + "," + "Lastname" + "," + "Alias" + "," + "Permission" + "," + " FullAccessFN" + "," + "FullAccessLN" + "," + "Send As" | Out-File $OutFile -Force
 
$Mailboxes = Get-Mailbox -ResultSize:Unlimited | Where {$_.HiddenFromAddressListsEnabled -eq $false} | Select Identity, Alias, DisplayName, DistinguishedName
ForEach ($Mailbox in $Mailboxes) {
	write-host 'Processing mailbox:' $mailbox.DisplayName
	$FullAccess = Get-MailboxPermission $Mailbox.Identity | ? {$_.AccessRights -eq "FullAccess" -and !$_.IsInherited -and $_.User -notlike "NT AUTHORITY\SELF"-and $_.User -notlike "*S-1*"} | % {$_.User}
 	$Firstname = (Get-User $Mailbox.identity).FirstName
	$Lastname = (Get-User $Mailbox.identity).LastName	
	foreach ($fullaccessuser in $fullaccess){
		write-host 'Processing Full Access permission ' $FullAccessUser.RawIdentity
		$FullAccessFN=(get-user $fullaccessuser.rawidentity).FirstName
		$FullAccessLN=(get-user $fullaccessuser.rawidentity).LastName
		$Mailbox.DisplayName + "," + $Firstname  + "," + $Lastname  + "," + $Mailbox.Alias + "," + 'FullAccess'+ "," + $FullAccessFN + "," + $FullAccessLN + ","  | Out-File $OutFile -Append
		} 
	$SendAs = Get-ADPermission $Mailbox.DistinguishedName | ? {$_.ExtendedRights -like "Send-As" -and $_.User -notlike "NT AUTHORITY\SELF" -and $_.User -notlike "NT AUTHORITY\SYSTEM" -and $_.User -notlike "BUILTIN\ADMINISTRATORS" -and $_.User -notlike "*S-1*" -and !$_.IsInherited} | % {$_.User}
	foreach ($sendasuser in $sendas){
		write-host 'Processing SendAs permission ' $SendAsUser
		$SendAsFN=(get-user $SendAsuser.rawidentity).FirstName
		$SendAsLN=(get-user $SendAsuser.rawidentity).LastName
		$Mailbox.DisplayName + "," + $Firstname  + "," + $Lastname  + "," + $Mailbox.Alias + "," + 'SendAs'+ "," + $SendAsFN + "," + $SendAsLN + ","  | Out-File $OutFile -Append
	}
}

I've put a little bit of progress reporting in, and filtered a few exclusions out.

Author Comment

by:offextlmo
ID: 39928838
I have tried your script, it is still not giving me any values.

What it does do is create a new line for every Send-As and Full Access permission. Meaning that when Mailbox A is shared and 3 users have access to it, it shows 3 lines with empty values in the Export.txt file.

Any idea?

Expert Comment

by:chriskelk
ID: 39928915
It's working perfectly in our environment.  Is every line of the output entirely blank?  i.e.  ,,,,,,,

or are you getting

mailbox A, mailbox, A, mailboxA,FullAccess,,,

Does the output I put in show that it's processing a particular user, and permissions for that user?

Next thing I'd suggest is running some of the commands directly in a console, starting with

$Mailbox = Get-Mailbox username -ResultSize:Unlimited | Select Identity, Alias, DisplayName, DistinguishedName

to limit the results to a single user (one who you know has delegates for both FullAccess and SendAs) in order to see what's happening

then

$Mailbox

to see that the results are as expected

then run through the other commands, to see what the results are, i.e.

$FullAccess = Get-MailboxPermission $Mailbox.Identity | ? {$_.AccessRights -eq "FullAccess" -and !$_.IsInherited -and $_.User -notlike "NT AUTHORITY\SELF"-and $_.User -notlike "*S-1*"} | % {$_.User}

$FullAccess

(to see the results)

 $Firstname = (Get-User $Mailbox.identity).FirstName

$Firstname


etc.

Author Comment

by:offextlmo
ID: 39929048
I am getting the following: mailbox A, mailbox, A, mailboxA,FullAccess,,,

I did as you requested by doing it step by step.

And everything is working (as expected because we receive mailbox A, mailbox, A, mailboxA,FullAccess,,, in export file)

$Firstname = (Get-User $Mailbox.identity).FirstName

$Firstname

The part above is not returning any results, and when I run the following command:
$FullAccessFN = Get-User $fullaccessuser.rawidentity | Select-Object FirstName
$FullAccessFN

It will give me a list with all users' Firstname.

With my little knowledge, it seems that '$fullaccessuser.rawidentity' is not selecting the correct user that is coming from this result:
'$FullAccess = Get-MailboxPermission $Mailbox.Identity | ? {$_.AccessRights -eq "FullAccess" -and !$_.IsInherited -and $_.User -notlike "NT AUTHORITY\SELF"-and $_.User -notlike "*S-1*"} | % {$_.User}'

When I execute the $fullAccess cmdlet it outputs this:
SecurityIdentifier
------------------
S-1-5-21-1746158562-412432939-3720733172-500
S-1-5-21-1746158562-412432939-3720733172-1194
S-1-5-21-1746158562-412432939-3720733172-3652

Can it be that '$FullAccessFN=(get-user $fullaccessuser.identity).FirstName' is expecting some output like 'internaldomain\usera' instead of a SID?

Author Comment

by:offextlmo
ID: 39929054
I am on Windows 2008 SP2 with Exchange 2007 SP3. Maybe PowerShell 1.0 is not smart enough to complete this?

Assisted Solution

by:chriskelk
ID: 39929163
It would be worth updating Powershell - up to v3 can be installed on Server 2008.  The Exchange version won't affect which Powershell version you can install.

Author Closing Comment

by:offextlmo
ID: 39936984
It was indeed my powershell version. After updating to version 3 your last powershell script did the job.

Thanks for your help!
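
An added example, not part of the thread or of the accepted script: the same one-row-per-permission export, emitted as objects through ConvertTo-Csv so a DisplayName containing a comma stays in one column, with trustees that come back as bare SIDs flagged instead of written as blank name fields. The sample rows, the `Resolve-Trustee` helper and the `ResolvedAs` column are assumptions made for illustration; it runs on Windows PowerShell 3.0 or later without any Exchange cmdlets.

```powershell
# Constructed sample rows standing in for the thread's $FullAccess / $SendAs
# results; mailbox names and the domain SID are made up, S-1-5-18 is well known.
$sample = @(
    [pscustomobject]@{ DisplayName = 'Sales, Shared'; Alias = 'sales';    Permission = 'FullAccess'; Trustee = 'S-1-5-18' }
    [pscustomobject]@{ DisplayName = 'Sales, Shared'; Alias = 'sales';    Permission = 'SendAs';     Trustee = 'S-1-5-21-1111111111-2222222222-3333333333-1194' }
    [pscustomobject]@{ DisplayName = 'Helpdesk';      Alias = 'helpdesk'; Permission = 'FullAccess'; Trustee = 'EXAMPLE\usera' }
)

function Resolve-Trustee {
    # Hypothetical helper: pass names through, translate SID strings to
    # DOMAIN\account, and return $null when the SID maps to no account.
    param([string]$Trustee)
    if ($Trustee -notmatch '^S-1-\d+(-\d+)+$') { return $Trustee }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Trustee)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $null   # unmapped, deleted, or from a domain that cannot be reached
    }
}

$rows = foreach ($entry in $sample) {
    $name     = Resolve-Trustee $entry.Trustee
    $resolved = if ($name) { $name } else { 'UNRESOLVED' }
    [pscustomobject]@{
        DisplayName = $entry.DisplayName
        Alias       = $entry.Alias
        Permission  = $entry.Permission
        Trustee     = $entry.Trustee
        ResolvedAs  = $resolved
    }
}

# ConvertTo-Csv quotes every field, so 'Sales, Shared' stays one column.
# Swap in Export-Csv -NoTypeInformation -Path <file> to write the file.
$rows | ConvertTo-Csv -NoTypeInformation

# Entries to review by hand before the import into the new forest.
$rows | Where-Object { $_.ResolvedAs -eq 'UNRESOLVED' } | Format-Table -AutoSize
```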