Solved

Joint results from Powershell script

Posted on 2014-03-10
Last Modified: 2014-03-18
Hello,

I want to export and import Send-As and Full Access rights from user mailboxes. Because we are moving to a new forest and there is no trust involved, I am trying to export this with a PowerShell script.

The script I have is as follows:

$OutFile = "C:\Export\PermissionExport.txt"
"DisplayName" + "," + "Firstname" + "," + "Lastname" + "," + "Alias" + "," + "Full Access" + "," + "Send As" | Out-File $OutFile -Force
 
$Mailboxes = Get-Mailbox -ResultSize:Unlimited | Where {$_.HiddenFromAddressListsEnabled -eq $false} | Select Identity, Alias, DisplayName, DistinguishedName
ForEach ($Mailbox in $Mailboxes) {
	$SendAs = Get-ADPermission $Mailbox.DistinguishedName | ? {$_.ExtendedRights -like "Send-As" -and $_.User -notlike "NT AUTHORITY\SELF" -and !$_.IsInherited} | % {$_.User}
	$FullAccess = Get-MailboxPermission $Mailbox.Identity | ? {$_.AccessRights -eq "FullAccess" -and !$_.IsInherited} | % {$_.User}
 	$Firstname = Get-User $Mailbox.DistinguishedName | Select-Object FirstName
	$Lastname = Get-User $Mailbox.Identity | Select-Object LastName
	$Mailbox.DisplayName + "," + $Firstname  + "," + $Lastname  + "," + $Mailbox.Alias + "," + $FullAccess + "," + $SendAs | Out-File $OutFile -Append
}


Because in the new environment the SAMAccount and UPN is going to change, I need the Firstname and Lastname from each user. With Excel I can combine several fields to match for the import.

I already succeeded in getting the first and last name of the user stated in the DisplayName field; now I need to have the first and last name of the users with Send-As and Full Access permissions. This is the part where I am failing, and somehow I cannot combine them.

I think I have to create a new variable, and use it somehow like this:

$FullAccessFN = Get-User $FullAccess | Select-Object FirstName
$FullAccessLN = Get-User $FullAccess | Select-Object LastName


But when I use the code I wrote above it is just returning an empty field (of course I am editing the Out-File rules with extra output).

If my powershell script is the wrong approach to accomplish this, please point me in the right direction.

Thanks in advance,
Best,
Question by:offextlmo
11 Comments
 
LVL 3

Expert Comment

by:chriskelk
ID: 39917909
As $FullAccess will return multiple results, you'll need to do each one separately.  If you look at the $FullAccess results, the username is in a property called RawIdentity.  So the following should help:

foreach ($fullaccessuser in $fullaccess)
{
$FullAccessFN=(get-user $fullaccessuser.rawidentity).FirstName
$FullAccessLN=(get-user $fullaccessuser.rawidentity).LastName
$Mailbox.DisplayName + "," + $Firstname  + "," + $Lastname  + "," + $Mailbox.Alias + "," + $FullAccessFN + "," + $FullAccessLN| Out-File $OutFile -Append
}



Then repeat for $SendAs, to get the Send-As list
0
 

Author Comment

by:offextlmo
ID: 39921370
I tried combining them but it does not seem to work. This is how my code is now:

$OutFile = "C:\Export\PermissionExport.txt"
"DisplayName" + "," + "Firstname" + "," + "Lastname" + "," + "Alias" + "," + "Full Access" + "," + " FullAccessFN" + "," + "FullAccessLN" + "," + "Send As" | Out-File $OutFile -Force
 
$Mailboxes = Get-Mailbox -ResultSize:Unlimited | Where {$_.HiddenFromAddressListsEnabled -eq $false} | Select Identity, Alias, DisplayName, DistinguishedName
ForEach ($Mailbox in $Mailboxes) {
	$SendAs = Get-ADPermission $Mailbox.DistinguishedName | ? {$_.ExtendedRights -like "Send-As" -and $_.User -notlike "NT AUTHORITY\SELF" -and !$_.IsInherited} | % {$_.User}
	$FullAccess = Get-MailboxPermission $Mailbox.Identity | ? {$_.AccessRights -eq "FullAccess" -and !$_.IsInherited} | % {$_.User}
 	$Firstname = Get-User $Mailbox.DistinguishedName | Select-Object FirstName
	$Lastname = Get-User $Mailbox.Identity | Select-Object LastName	
}
foreach ($fullaccessuser in $fullaccess){
	$FullAccessFN=(get-user $fullaccessuser.rawidentity).FirstName
	$FullAccessLN=(get-user $fullaccessuser.rawidentity).LastName
	$Mailbox.DisplayName + "," + $Firstname  + "," + $Lastname  + "," + $Mailbox.Alias + "," + $FullAccess + "," + $FullAccessFN + "," + $FullAccessLN + "," + $SendAs | Out-File $OutFile -Append
} 


Any ideas?
0
 
LVL 3

Expert Comment

by:chriskelk
ID: 39922972
You need to put the second foreach loop inside the first, so:

$OutFile = "C:\Export\PermissionExport.txt"
"DisplayName" + "," + "Firstname" + "," + "Lastname" + "," + "Alias" + "," + "Full Access" + "," + " FullAccessFN" + "," + "FullAccessLN" + "," + "Send As" | Out-File $OutFile -Force
 
$Mailboxes = Get-Mailbox -ResultSize:Unlimited | Where {$_.HiddenFromAddressListsEnabled -eq $false} | Select Identity, Alias, DisplayName, DistinguishedName
ForEach ($Mailbox in $Mailboxes) {
	$SendAs = Get-ADPermission $Mailbox.DistinguishedName | ? {$_.ExtendedRights -like "Send-As" -and $_.User -notlike "NT AUTHORITY\SELF" -and !$_.IsInherited} | % {$_.User}
	$FullAccess = Get-MailboxPermission $Mailbox.Identity | ? {$_.AccessRights -eq "FullAccess" -and !$_.IsInherited} | % {$_.User}
 	$Firstname = Get-User $Mailbox.DistinguishedName | Select-Object FirstName
	$Lastname = Get-User $Mailbox.Identity | Select-Object LastName	
	foreach ($fullaccessuser in $fullaccess){
		$FullAccessFN=(get-user $fullaccessuser.rawidentity).FirstName
		$FullAccessLN=(get-user $fullaccessuser.rawidentity).LastName
		$Mailbox.DisplayName + "," + $Firstname  + "," + $Lastname  + "," + $Mailbox.Alias + "," + $FullAccess + "," + $FullAccessFN + "," + $FullAccessLN + "," + $SendAs | Out-File $OutFile -Append
	}
}


0

 

Author Comment

by:offextlmo
ID: 39928716
When I run the script it does not return any value in the $FullAccessFN and $FullAccessLN field. When I run this part of the script:
(get-user $fullaccessuser.rawidentity).FirstName


And it also gives no result. I changed the line to

Get-User $fullaccessuser.rawidentity | Select-Object FirstName



This gives me all the results I needed, but when I combine it in the script it only gives me a lot of spaces and no result.

$OutFile = "C:\Export\PermissionExport.txt"
"DisplayName" + "," + "Firstname" + "," + "Lastname" + "," + "Alias" + "," + "Full Access" + "," + " FullAccessFN" + "," + "FullAccessLN" + "," + "Send As" | Out-File $OutFile -Force
 
$Mailboxes = Get-Mailbox -ResultSize:Unlimited | Where {$_.HiddenFromAddressListsEnabled -eq $false} | Select Identity, Alias, DisplayName, DistinguishedName
ForEach ($Mailbox in $Mailboxes) {
	$SendAs = Get-ADPermission $Mailbox.DistinguishedName | ? {$_.ExtendedRights -like "Send-As" -and $_.User -notlike "NT AUTHORITY\SELF" -and !$_.IsInherited} | % {$_.User}
	$FullAccess = Get-MailboxPermission $Mailbox.Identity | ? {$_.AccessRights -eq "FullAccess" -and !$_.IsInherited} | % {$_.User}
 	$Firstname = Get-User $Mailbox.DistinguishedName | Select-Object FirstName
	$Lastname = Get-User $Mailbox.Identity | Select-Object LastName	
foreach ($fullaccessuser in $fullaccess){
	$FullAccessFN = Get-User $fullaccessuser.rawidentity | Select-Object FirstName
	$FullAccessLN = get-user $fullaccessuser.rawidentity | Select-Object LastName
	$Mailbox.DisplayName + "," + $Firstname  + "," + $Lastname  + "," + $Mailbox.Alias + "," + $FullAccess + "," + $fullaccessuser.FullAccessFN + "," + $fullaccessuser.FullAccessLN + "," + $SendAs | Out-File $OutFile -Append
}
} 



Any idea why it is not returning values in the combined script?
0
 
LVL 3

Accepted Solution

by:
chriskelk earned 2000 total points
ID: 39928802
Try this

$OutFile = "C:\Export\PermissionExport.txt"
"DisplayName" + "," + "Firstname" + "," + "Lastname" + "," + "Alias" + "," + "Permission" + "," + " FullAccessFN" + "," + "FullAccessLN" + "," + "Send As" | Out-File $OutFile -Force
 
$Mailboxes = Get-Mailbox -ResultSize:Unlimited | Where {$_.HiddenFromAddressListsEnabled -eq $false} | Select Identity, Alias, DisplayName, DistinguishedName
ForEach ($Mailbox in $Mailboxes) {
	write-host 'Processing mailbox:' $mailbox.DisplayName
	$FullAccess = Get-MailboxPermission $Mailbox.Identity | ? {$_.AccessRights -eq "FullAccess" -and !$_.IsInherited -and $_.User -notlike "NT AUTHORITY\SELF"-and $_.User -notlike "*S-1*"} | % {$_.User}
 	$Firstname = (Get-User $Mailbox.identity).FirstName
	$Lastname = (Get-User $Mailbox.identity).LastName	
	foreach ($fullaccessuser in $fullaccess){
		write-host 'Processing Full Access permission ' $FullAccessUser.RawIdentity
		$FullAccessFN=(get-user $fullaccessuser.rawidentity).FirstName
		$FullAccessLN=(get-user $fullaccessuser.rawidentity).LastName
		$Mailbox.DisplayName + "," + $Firstname  + "," + $Lastname  + "," + $Mailbox.Alias + "," + 'FullAccess'+ "," + $FullAccessFN + "," + $FullAccessLN + ","  | Out-File $OutFile -Append
		} 
	$SendAs = Get-ADPermission $Mailbox.DistinguishedName | ? {$_.ExtendedRights -like "Send-As" -and $_.User -notlike "NT AUTHORITY\SELF" -and $_.User -notlike "NT AUTHORITY\SYSTEM" -and $_.User -notlike "BUILTIN\ADMINISTRATORS" -and $_.User -notlike "*S-1*" -and !$_.IsInherited} | % {$_.User}
	foreach ($sendasuser in $sendas){
		write-host 'Processing SendAs permission ' $SendAsUser
		$SendAsFN=(get-user $SendAsuser.rawidentity).FirstName
		$SendAsLN=(get-user $SendAsuser.rawidentity).LastName
		$Mailbox.DisplayName + "," + $Firstname  + "," + $Lastname  + "," + $Mailbox.Alias + "," + 'SendAs'+ "," + $SendAsFN + "," + $SendAsLN + ","  | Out-File $OutFile -Append
	}
}



I've put a little bit of progress reporting in, and filtered a few exclusions out.
0
 

Author Comment

by:offextlmo
ID: 39928838
I have tried your script, it is still not giving me any values.

What it does do is create a new rule for every send-as and full access permission. Meaning that when Mailbox A is shared, and 3 users have access to it, it shows 3 rules with empty values in the Export.txt file.

Any idea?
0
 
LVL 3

Expert Comment

by:chriskelk
ID: 39928915
It's working perfectly in our environment.  Is every line of the output entirely blank?  i.e.  ,,,,,,,

or are you getting

mailbox A, mailbox, A, mailboxA,FullAccess,,,

Does the output I put in show that it's processing a particular user, and permissions for that user?

Next thing I'd suggest is running some of the commands directly in a console, starting with

$Mailbox = Get-Mailbox username -ResultSize:Unlimited | Select Identity, Alias, DisplayName, DistinguishedName

to limit the results to a single user (one who you know has delegates for both FullAccess and SendAs delegates) in order to see what's happening

then

$Mailbox

to see that the results are as expected

then run through the other commands, to see what the results are, i.e.

$FullAccess = Get-MailboxPermission $Mailbox.Identity | ? {$_.AccessRights -eq "FullAccess" -and !$_.IsInherited -and $_.User -notlike "NT AUTHORITY\SELF"-and $_.User -notlike "*S-1*"} | % {$_.User}

$FullAccess

(to see the results)

 $Firstname = (Get-User $Mailbox.identity).FirstName

$Firstname


etc.
0
 

Author Comment

by:offextlmo
ID: 39929048
I am getting the following: mailbox A, mailbox, A, mailboxA,FullAccess,,,

I did as you requested by doing it step by step.

And everything is working (as expected because we receive mailbox A, mailbox, A, mailboxA,FullAccess,,, in export file)

$Firstname = (Get-User $Mailbox.identity).FirstName

$Firstname


The part above is not returning any results, and when I run the following command:
$FullAccessFN = Get-User $fullaccessuser.rawidentity | Select-Object FirstName
$FullAccessFN


It will give me a list with all users' Firstname.

With my little knowledge, it seems that '$fullaccessuser.rawidentity' is not selecting the correct user that is coming from this result:
'$FullAccess = Get-MailboxPermission $Mailbox.Identity | ? {$_.AccessRights -eq "FullAccess" -and !$_.IsInherited -and $_.User -notlike "NT AUTHORITY\SELF"-and $_.User -notlike "*S-1*"} | % {$_.User}'



When I execute the $fullAccess cmdlet it outputs this:
SecurityIdentifier
------------------
S-1-5-21-1746158562-412432939-3720733172-500
S-1-5-21-1746158562-412432939-3720733172-1194
S-1-5-21-1746158562-412432939-3720733172-3652


Can it be that '$FullAccessFN=(get-user $fullaccessuser.identity).FirstName' is expecting some output like 'internaldomain\usera' instead of SID?
0
 

Author Comment

by:offextlmo
ID: 39929054
I am on Windows 2008 SP2 with Exchange 2007 SP3. Maybe PowerShell 1.0 is not smart enough to complete this?
0
 
LVL 3

Assisted Solution

by:chriskelk
chriskelk earned 2000 total points
ID: 39929163
It would be worth updating Powershell - up to v3 can be installed on Server 2008.  The Exchange version won't affect which Powershell version you can install.
0
 

Author Closing Comment

by:offextlmo
ID: 39936984
It was indeed my powershell version. After updating to version 3 your last powershell script did the job.

Thanks for your help!
0
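
An added example, not part of the original thread or of chriskelk's script: the `$FullAccess` output in the thread shows SIDs rather than `DOMAIN\user` names, so this code translates SID strings with .NET before any name lookup, keeps SIDs that no longer resolve as flagged rows instead of filtering them out, and writes the file with Export-Csv. `Resolve-Trustee`, the `CONTOSO` domain and the sample entries are constructed for illustration; it assumes PowerShell 3.0 or later and that the trustee object's `.ToString()` yields either a SID or a `DOMAIN\name` string.

```powershell
# Added example (not from the thread). Assumes PowerShell 3.0+ on Windows.
# Resolve-Trustee, CONTOSO and the sample entries are constructed for illustration.
function Resolve-Trustee {
    # DOMAIN\name strings pass through; SID strings are translated.
    # Returns $null when the SID no longer maps to an account.
    param([Parameter(Mandatory = $true)][string]$Trustee)
    if ($Trustee -notmatch '^S-1-\d+(-\d+)+$') { return $Trustee }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Trustee)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $null
    }
}

# Constructed sample. In Exchange, Trustee would be the .User value from
# Get-MailboxPermission / Get-ADPermission, converted with .ToString()
# (assumption: that string is either a SID or DOMAIN\name).
$entries = @(
    @{ Alias = 'mailboxA'; Right = 'FullAccess'; Trustee = 'S-1-5-18' }
    @{ Alias = 'mailboxA'; Right = 'FullAccess'; Trustee = 'CONTOSO\usera' }
    @{ Alias = 'mailboxA'; Right = 'SendAs'; Trustee = 'S-1-5-21-1111111111-2222222222-3333333333-1194' }
)

# Built-in principals the accepted script also excludes.
$skip = 'NT AUTHORITY\SELF', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'

$rows = foreach ($e in $entries) {
    $account = Resolve-Trustee $e.Trustee
    if ($skip -contains $account) { continue }
    # With Exchange loaded, (Get-User $account) would supply FirstName/LastName here.
    [pscustomobject]@{
        Alias      = $e.Alias
        Permission = $e.Right
        Trustee    = $e.Trustee
        Account    = $account
        Resolved   = [bool]$account
    }
}

# Export-Csv quotes every field, so a comma inside a name cannot shift columns.
$rows | Export-Csv -Path .\PermissionExport.csv -NoTypeInformation
```

Rows with `Resolved` set to False are trustees whose SID could not be mapped to an account; review them before recreating permissions in the new forest.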
