Solved

Joint results from Powershell script

Posted on 2014-03-10
Last Modified: 2014-03-18
Hello,

I want to export and import Send-As and Full Access rights from user mailboxes. Because we are moving to a new forest and there is no trust involved, I am trying to export this with a PowerShell script.

The script I have is as follows:

$OutFile = "C:\Export\PermissionExport.txt"
"DisplayName" + "," + "Firstname" + "," + "Lastname" + "," + "Alias" + "," + "Full Access" + "," + "Send As" | Out-File $OutFile -Force
 
$Mailboxes = Get-Mailbox -ResultSize:Unlimited | Where {$_.HiddenFromAddressListsEnabled -eq $false} | Select Identity, Alias, DisplayName, DistinguishedName
ForEach ($Mailbox in $Mailboxes) {
	$SendAs = Get-ADPermission $Mailbox.DistinguishedName | ? {$_.ExtendedRights -like "Send-As" -and $_.User -notlike "NT AUTHORITY\SELF" -and !$_.IsInherited} | % {$_.User}
	$FullAccess = Get-MailboxPermission $Mailbox.Identity | ? {$_.AccessRights -eq "FullAccess" -and !$_.IsInherited} | % {$_.User}
 	$Firstname = Get-User $Mailbox.DistinguishedName | Select-Object FirstName
	$Lastname = Get-User $Mailbox.Identity | Select-Object LastName
	$Mailbox.DisplayName + "," + $Firstname  + "," + $Lastname  + "," + $Mailbox.Alias + "," + $FullAccess + "," + $SendAs | Out-File $OutFile -Append
}

Because in the new environment the SAMAccount and UPN are going to change, I need the Firstname and Lastname from each user. With Excel I can combine several fields to match for the import.

I already succeeded in getting the first and last name of the user stated in the DisplayName field; now I need to have the first and last name of the users with Send-As and Full Access permissions. This is the part where I am failing, and somehow I cannot combine them.

I think I have to create a new variable, and use it somehow like this:

$FullAccessFN = Get-User $FullAccess | Select-Object FirstName
$FullAccessLN = Get-User $FullAccess | Select-Object LastName

But when I use the code I wrote above it is just returning empty fields (of course I am editing the Out-File rules with extra output).

If my PowerShell script is the wrong approach to accomplish this, please point me in the right direction.

Thanks in advance,
Best,
Question by:offextlmo

Expert Comment

by:chriskelk
As $FullAccess will return multiple results, you'll need to do each one separately.  If you look at the $FullAccess results, the username is in a property called RawIdentity.  So the following should help:

foreach ($fullaccessuser in $fullaccess)
{
$FullAccessFN=(get-user $fullaccessuser.rawidentity).FirstName
$FullAccessLN=(get-user $fullaccessuser.rawidentity).LastName
$Mailbox.DisplayName + "," + $Firstname  + "," + $Lastname  + "," + $Mailbox.Alias + "," + $FullAccessFN + "," + $FullAccessLN| Out-File $OutFile -Append
}

Then repeat for $SendAs, to get the Send-As list

Author Comment

by:offextlmo
I tried combining them but it does not seem to work. This is how my code is now:

$OutFile = "C:\Export\PermissionExport.txt"
"DisplayName" + "," + "Firstname" + "," + "Lastname" + "," + "Alias" + "," + "Full Access" + "," + " FullAccessFN" + "," + "FullAccessLN" + "," + "Send As" | Out-File $OutFile -Force
 
$Mailboxes = Get-Mailbox -ResultSize:Unlimited | Where {$_.HiddenFromAddressListsEnabled -eq $false} | Select Identity, Alias, DisplayName, DistinguishedName
ForEach ($Mailbox in $Mailboxes) {
	$SendAs = Get-ADPermission $Mailbox.DistinguishedName | ? {$_.ExtendedRights -like "Send-As" -and $_.User -notlike "NT AUTHORITY\SELF" -and !$_.IsInherited} | % {$_.User}
	$FullAccess = Get-MailboxPermission $Mailbox.Identity | ? {$_.AccessRights -eq "FullAccess" -and !$_.IsInherited} | % {$_.User}
 	$Firstname = Get-User $Mailbox.DistinguishedName | Select-Object FirstName
	$Lastname = Get-User $Mailbox.Identity | Select-Object LastName	
}
foreach ($fullaccessuser in $fullaccess){
	$FullAccessFN=(get-user $fullaccessuser.rawidentity).FirstName
	$FullAccessLN=(get-user $fullaccessuser.rawidentity).LastName
	$Mailbox.DisplayName + "," + $Firstname  + "," + $Lastname  + "," + $Mailbox.Alias + "," + $FullAccess + "," + $FullAccessFN + "," + $FullAccessLN + "," + $SendAs | Out-File $OutFile -Append
} 

Any ideas?

Expert Comment

by:chriskelk
You need to put the second foreach loop inside the first, so:

$OutFile = "C:\Export\PermissionExport.txt"
"DisplayName" + "," + "Firstname" + "," + "Lastname" + "," + "Alias" + "," + "Full Access" + "," + " FullAccessFN" + "," + "FullAccessLN" + "," + "Send As" | Out-File $OutFile -Force
 
$Mailboxes = Get-Mailbox -ResultSize:Unlimited | Where {$_.HiddenFromAddressListsEnabled -eq $false} | Select Identity, Alias, DisplayName, DistinguishedName
ForEach ($Mailbox in $Mailboxes) {
	$SendAs = Get-ADPermission $Mailbox.DistinguishedName | ? {$_.ExtendedRights -like "Send-As" -and $_.User -notlike "NT AUTHORITY\SELF" -and !$_.IsInherited} | % {$_.User}
	$FullAccess = Get-MailboxPermission $Mailbox.Identity | ? {$_.AccessRights -eq "FullAccess" -and !$_.IsInherited} | % {$_.User}
 	$Firstname = Get-User $Mailbox.DistinguishedName | Select-Object FirstName
	$Lastname = Get-User $Mailbox.Identity | Select-Object LastName	
	foreach ($fullaccessuser in $fullaccess){
		$FullAccessFN=(get-user $fullaccessuser.rawidentity).FirstName
		$FullAccessLN=(get-user $fullaccessuser.rawidentity).LastName
		$Mailbox.DisplayName + "," + $Firstname  + "," + $Lastname  + "," + $Mailbox.Alias + "," + $FullAccess + "," + $FullAccessFN + "," + $FullAccessLN + "," + $SendAs | Out-File $OutFile -Append
	}
}


Author Comment

by:offextlmo
When I run the script it does not return any value in the $FullAccessFN and $FullAccessLN field. When I run this part of the script:
(get-user $fullaccessuser.rawidentity).FirstName

it also gives no result. I changed the line to

Get-User $fullaccessuser.rawidentity | Select-Object FirstName

This gives me all the results I needed, but when I combine it in the script it only gives me a lot of spaces and no result.

$OutFile = "C:\Export\PermissionExport.txt"
"DisplayName" + "," + "Firstname" + "," + "Lastname" + "," + "Alias" + "," + "Full Access" + "," + " FullAccessFN" + "," + "FullAccessLN" + "," + "Send As" | Out-File $OutFile -Force
 
$Mailboxes = Get-Mailbox -ResultSize:Unlimited | Where {$_.HiddenFromAddressListsEnabled -eq $false} | Select Identity, Alias, DisplayName, DistinguishedName
ForEach ($Mailbox in $Mailboxes) {
	$SendAs = Get-ADPermission $Mailbox.DistinguishedName | ? {$_.ExtendedRights -like "Send-As" -and $_.User -notlike "NT AUTHORITY\SELF" -and !$_.IsInherited} | % {$_.User}
	$FullAccess = Get-MailboxPermission $Mailbox.Identity | ? {$_.AccessRights -eq "FullAccess" -and !$_.IsInherited} | % {$_.User}
 	$Firstname = Get-User $Mailbox.DistinguishedName | Select-Object FirstName
	$Lastname = Get-User $Mailbox.Identity | Select-Object LastName	
foreach ($fullaccessuser in $fullaccess){
	$FullAccessFN = Get-User $fullaccessuser.rawidentity | Select-Object FirstName
	$FullAccessLN = get-user $fullaccessuser.rawidentity | Select-Object LastName
	$Mailbox.DisplayName + "," + $Firstname  + "," + $Lastname  + "," + $Mailbox.Alias + "," + $FullAccess + "," + $fullaccessuser.FullAccessFN + "," + $fullaccessuser.FullAccessLN + "," + $SendAs | Out-File $OutFile -Append
}
} 

Any idea why it is not returning values in the combined script?

Accepted Solution

by:chriskelk (earned 500 total points)
Try this

$OutFile = "C:\Export\PermissionExport.txt"
# Header row; one output line is written per mailbox/delegate pair
"DisplayName" + "," + "Firstname" + "," + "Lastname" + "," + "Alias" + "," + "Permission" + "," + "FullAccessFN" + "," + "FullAccessLN" + "," + "Send As" | Out-File $OutFile -Force

# All mailboxes that are not hidden from the address lists
$Mailboxes = Get-Mailbox -ResultSize:Unlimited | Where {$_.HiddenFromAddressListsEnabled -eq $false} | Select Identity, Alias, DisplayName, DistinguishedName
ForEach ($Mailbox in $Mailboxes) {
	write-host 'Processing mailbox:' $mailbox.DisplayName
	# Explicit (non-inherited) Full Access entries, skipping SELF and raw SIDs
	$FullAccess = Get-MailboxPermission $Mailbox.Identity | ? {$_.AccessRights -eq "FullAccess" -and !$_.IsInherited -and $_.User -notlike "NT AUTHORITY\SELF" -and $_.User -notlike "*S-1*"} | % {$_.User}
	# Name of the mailbox owner
	$Firstname = (Get-User $Mailbox.identity).FirstName
	$Lastname = (Get-User $Mailbox.identity).LastName
	foreach ($fullaccessuser in $fullaccess){
		write-host 'Processing Full Access permission ' $FullAccessUser.RawIdentity
		# Look up the delegate's first and last name
		$FullAccessFN=(get-user $fullaccessuser.rawidentity).FirstName
		$FullAccessLN=(get-user $fullaccessuser.rawidentity).LastName
		$Mailbox.DisplayName + "," + $Firstname  + "," + $Lastname  + "," + $Mailbox.Alias + "," + 'FullAccess'+ "," + $FullAccessFN + "," + $FullAccessLN + ","  | Out-File $OutFile -Append
	}
	# Explicit Send-As entries, skipping SELF, SYSTEM, BUILTIN\ADMINISTRATORS and raw SIDs
	$SendAs = Get-ADPermission $Mailbox.DistinguishedName | ? {$_.ExtendedRights -like "Send-As" -and $_.User -notlike "NT AUTHORITY\SELF" -and $_.User -notlike "NT AUTHORITY\SYSTEM" -and $_.User -notlike "BUILTIN\ADMINISTRATORS" -and $_.User -notlike "*S-1*" -and !$_.IsInherited} | % {$_.User}
	foreach ($sendasuser in $sendas){
		write-host 'Processing SendAs permission ' $SendAsUser
		$SendAsFN=(get-user $SendAsuser.rawidentity).FirstName
		$SendAsLN=(get-user $SendAsuser.rawidentity).LastName
		$Mailbox.DisplayName + "," + $Firstname  + "," + $Lastname  + "," + $Mailbox.Alias + "," + 'SendAs'+ "," + $SendAsFN + "," + $SendAsLN + ","  | Out-File $OutFile -Append
	}
}

I've put a little bit of progress reporting in, and filtered a few exclusions out.

Author Comment

by:offextlmo
I have tried your script, it is still not giving me any values.

What it does do is create a new rule for every Send-As and Full Access permission. Meaning that when Mailbox A is shared, and 3 users have access to it, it shows 3 rules with empty values in the Export.txt file.

Any idea?

Expert Comment

by:chriskelk
It's working perfectly in our environment.  Is every line of the output entirely blank?  i.e.  ,,,,,,,

or are you getting

mailbox A, mailbox, A, mailboxA,FullAccess,,,

Does the output I put in show that it's processing a particular user, and permissions for that user?

Next thing I'd suggest is running some of the commands directly in a console, starting with

$Mailbox = Get-Mailbox username -ResultSize:Unlimited | Select Identity, Alias, DisplayName, DistinguishedName

to limit the results to a single user (one who you know has delegates for both FullAccess and SendAs delegates) in order to see what's happening

then

$Mailbox

to see that the results are as expected

then run through the other commands, to see what the results are, i.e.

$FullAccess = Get-MailboxPermission $Mailbox.Identity | ? {$_.AccessRights -eq "FullAccess" -and !$_.IsInherited -and $_.User -notlike "NT AUTHORITY\SELF"-and $_.User -notlike "*S-1*"} | % {$_.User}

$FullAccess

(to see the results)

 $Firstname = (Get-User $Mailbox.identity).FirstName

$Firstname


etc.

Author Comment

by:offextlmo
I am getting the following: mailbox A, mailbox, A, mailboxA,FullAccess,,,

I did as you requested by doing it step by step.

And everything is working (as expected because we receive mailbox A, mailbox, A, mailboxA,FullAccess,,, in export file)

$Firstname = (Get-User $Mailbox.identity).FirstName

$Firstname

The part above is not returning any results, and when I run the following command:
$FullAccessFN = Get-User $fullaccessuser.rawidentity | Select-Object FirstName
$FullAccessFN

It will give me a list with all users' Firstname.

With my little knowledge, it seems that '$fullaccessuser.rawidentity' is not selecting the correct user that is coming from this result:
'$FullAccess = Get-MailboxPermission $Mailbox.Identity | ? {$_.AccessRights -eq "FullAccess" -and !$_.IsInherited -and $_.User -notlike "NT AUTHORITY\SELF"-and $_.User -notlike "*S-1*"} | % {$_.User}'

When I execute the $fullAccess cmdlet, it outputs this:
SecurityIdentifier
------------------
S-1-5-21-1746158562-412432939-3720733172-500
S-1-5-21-1746158562-412432939-3720733172-1194
S-1-5-21-1746158562-412432939-3720733172-3652

Can it be that '$FullAccessFN=(get-user $fullaccessuser.identity).FirstName' is expecting some output like 'internaldomain\usera' instead of SID?

Author Comment

by:offextlmo
I am on Windows 2008 SP2 with Exchange 2007 SP3. Maybe PowerShell 1.0 is not smart enough to complete this?

Assisted Solution

by:chriskelk (earned 500 total points)
It would be worth updating Powershell - up to v3 can be installed on Server 2008.  The Exchange version won't affect which Powershell version you can install.

Author Closing Comment

by:offextlmo
It was indeed my powershell version. After updating to version 3 your last powershell script did the job.

Thanks for your help!
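
An added example, not part of any post in this thread: a check to run on the export before it is used to re-grant permissions in the new forest. It flags rows where the delegate names came back empty (the "mailbox A, mailbox, A, mailboxA,FullAccess,,," symptom above) and rows whose columns are shifted because the script joins fields with "," without quoting them. The sample rows, the function name Test-PermissionExport, its output columns and the NeedsReview.csv file name are constructed for illustration; it assumes PowerShell 3.0 or later.

```powershell
# Constructed sample rows in the accepted script's column layout (not real export data).
# Row 2: delegate names empty, the symptom reported in the thread.
# Row 4: an unquoted comma in DisplayName shifts every later column.
$sample = @'
DisplayName,Firstname,Lastname,Alias,Permission,FullAccessFN,FullAccessLN,Send As
Mailbox A,Mailbox,A,mailboxA,FullAccess,Jane,Doe,
Mailbox A,Mailbox,A,mailboxA,FullAccess,,,
Mailbox B,Mailbox,B,mailboxB,SendAs,John,Smith,
Doe, Jane,Jane,Doe,jdoe,FullAccess,John,Smith,
'@

# Hypothetical helper (name and output columns are assumptions of this example).
function Test-PermissionExport {
    param([string[]]$CsvLines)

    $validPermissions = 'FullAccess', 'SendAs'
    foreach ($row in ($CsvLines | ConvertFrom-Csv)) {
        if ($validPermissions -notcontains $row.Permission) {
            # Permission column holds something else: the row is misaligned
            $status = 'Malformed row (unquoted comma in a field?)'
        }
        elseif ([string]::IsNullOrWhiteSpace($row.FullAccessFN) -or
                [string]::IsNullOrWhiteSpace($row.FullAccessLN)) {
            # Delegate could not be resolved to a name during export
            $status = 'Unresolved delegate'
        }
        else {
            $status = 'OK'
        }
        [pscustomobject]@{
            Mailbox    = $row.Alias
            Permission = $row.Permission
            Delegate   = ('{0} {1}' -f $row.FullAccessFN, $row.FullAccessLN).Trim()
            Status     = $status
        }
    }
}

$lines  = $sample -split "`r?`n" | Where-Object { $_ }
$report = Test-PermissionExport -CsvLines $lines

# Only rows with Status 'OK' are safe to feed into the import
$report | Format-Table -AutoSize
$report | Where-Object { $_.Status -ne 'OK' } | Export-Csv .\NeedsReview.csv -NoTypeInformation
```

For the real file, pass the output of Get-Content on the export file as -CsvLines instead of the sample.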