  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 598

Joint results from Powershell script

Hello,

I want to export and import Send-As and Full Access rights from user mailboxes. Because we are moving to a new forest and there is no trust involved, I am trying to export this with a PowerShell script.

The script I have is as follows:

$OutFile = "C:\Export\PermissionExport.txt"
"DisplayName" + "," + "Firstname" + "," + "Lastname" + "," + "Alias" + "," + "Full Access" + "," + "Send As" | Out-File $OutFile -Force
 
$Mailboxes = Get-Mailbox -ResultSize:Unlimited | Where {$_.HiddenFromAddressListsEnabled -eq $false} | Select Identity, Alias, DisplayName, DistinguishedName
ForEach ($Mailbox in $Mailboxes) {
	$SendAs = Get-ADPermission $Mailbox.DistinguishedName | ? {$_.ExtendedRights -like "Send-As" -and $_.User -notlike "NT AUTHORITY\SELF" -and !$_.IsInherited} | % {$_.User}
	$FullAccess = Get-MailboxPermission $Mailbox.Identity | ? {$_.AccessRights -eq "FullAccess" -and !$_.IsInherited} | % {$_.User}
 	$Firstname = Get-User $Mailbox.DistinguishedName | Select-Object FirstName
	$Lastname = Get-User $Mailbox.Identity | Select-Object LastName
	$Mailbox.DisplayName + "," + $Firstname  + "," + $Lastname  + "," + $Mailbox.Alias + "," + $FullAccess + "," + $SendAs | Out-File $OutFile -Append
}


Because in the new environment the SAMAccount and UPN are going to change, I need the first name and last name of each user. With Excel I can combine several fields to match for the import.

I already succeeded in getting the first and last name of the user stated in the DisplayName field; now I need the first and last name of the users with Send-As and Full Access permissions. This is the part I am failing at, and somehow I cannot combine them.

I think I have to create a new variable, and use it somehow like this:

$FullAccessFN = Get-User $FullAccess | Select-Object FirstName
$FullAccessLN = Get-User $FullAccess | Select-Object LastName


But when I use the code I wrote above it just returns an empty field (of course I am editing the Out-File lines with the extra output).

If my PowerShell script is the wrong approach to accomplish this, please point me in the right direction.

Thanks in advance,
Best,
Asked: offextlmo
2 Solutions
 
chriskelkCommented:
As $FullAccess will return multiple results, you'll need to do each one separately.  If you look at the $FullAccess results, the username is in a property called RawIdentity.  So the following should help:

foreach ($fullaccessuser in $fullaccess)
{
    # RawIdentity holds the trustee name; (Get-User ...).FirstName gives the plain string
    $FullAccessFN=(get-user $fullaccessuser.rawidentity).FirstName
    $FullAccessLN=(get-user $fullaccessuser.rawidentity).LastName
    $Mailbox.DisplayName + "," + $Firstname  + "," + $Lastname  + "," + $Mailbox.Alias + "," + $FullAccessFN + "," + $FullAccessLN | Out-File $OutFile -Append
}



Then repeat for $SendAs to get the Send-As list.
 
offextlmoAuthor Commented:
I tried combining them but it does not seem to work. This is how my code is now:

$OutFile = "C:\Export\PermissionExport.txt"
"DisplayName" + "," + "Firstname" + "," + "Lastname" + "," + "Alias" + "," + "Full Access" + "," + " FullAccessFN" + "," + "FullAccessLN" + "," + "Send As" | Out-File $OutFile -Force
 
$Mailboxes = Get-Mailbox -ResultSize:Unlimited | Where {$_.HiddenFromAddressListsEnabled -eq $false} | Select Identity, Alias, DisplayName, DistinguishedName
ForEach ($Mailbox in $Mailboxes) {
	$SendAs = Get-ADPermission $Mailbox.DistinguishedName | ? {$_.ExtendedRights -like "Send-As" -and $_.User -notlike "NT AUTHORITY\SELF" -and !$_.IsInherited} | % {$_.User}
	$FullAccess = Get-MailboxPermission $Mailbox.Identity | ? {$_.AccessRights -eq "FullAccess" -and !$_.IsInherited} | % {$_.User}
 	$Firstname = Get-User $Mailbox.DistinguishedName | Select-Object FirstName
	$Lastname = Get-User $Mailbox.Identity | Select-Object LastName	
}
foreach ($fullaccessuser in $fullaccess){
	$FullAccessFN=(get-user $fullaccessuser.rawidentity).FirstName
	$FullAccessLN=(get-user $fullaccessuser.rawidentity).LastName
	$Mailbox.DisplayName + "," + $Firstname  + "," + $Lastname  + "," + $Mailbox.Alias + "," + $FullAccess + "," + $FullAccessFN + "," + $FullAccessLN + "," + $SendAs | Out-File $OutFile -Append
} 


Any ideas?
 
chriskelkCommented:
You need to put the second foreach loop inside the first, so:

$OutFile = "C:\Export\PermissionExport.txt"
"DisplayName" + "," + "Firstname" + "," + "Lastname" + "," + "Alias" + "," + "Full Access" + "," + " FullAccessFN" + "," + "FullAccessLN" + "," + "Send As" | Out-File $OutFile -Force
 
$Mailboxes = Get-Mailbox -ResultSize:Unlimited | Where {$_.HiddenFromAddressListsEnabled -eq $false} | Select Identity, Alias, DisplayName, DistinguishedName
ForEach ($Mailbox in $Mailboxes) {
	$SendAs = Get-ADPermission $Mailbox.DistinguishedName | ? {$_.ExtendedRights -like "Send-As" -and $_.User -notlike "NT AUTHORITY\SELF" -and !$_.IsInherited} | % {$_.User}
	$FullAccess = Get-MailboxPermission $Mailbox.Identity | ? {$_.AccessRights -eq "FullAccess" -and !$_.IsInherited} | % {$_.User}
 	$Firstname = Get-User $Mailbox.DistinguishedName | Select-Object FirstName
	$Lastname = Get-User $Mailbox.Identity | Select-Object LastName	
foreach ($fullaccessuser in $fullaccess){
	$FullAccessFN=(get-user $fullaccessuser.rawidentity).FirstName
	$FullAccessLN=(get-user $fullaccessuser.rawidentity).LastName
	$Mailbox.DisplayName + "," + $Firstname  + "," + $Lastname  + "," + $Mailbox.Alias + "," + $FullAccess + "," + $FullAccessFN + "," + $FullAccessLN + "," + $SendAs | Out-File $OutFile -Append
}
}

offextlmoAuthor Commented:
When I run the script it does not return any value in the $FullAccessFN and $FullAccessLN fields. When I run this part of the script:
(get-user $fullaccessuser.rawidentity).FirstName


it also gives no result. I changed the line to

Get-User $fullaccessuser.rawidentity | Select-Object FirstName



This gives me all the results I needed, but when I combine it in the script it only gives me a lot of spaces and no result.

$OutFile = "C:\Export\PermissionExport.txt"
"DisplayName" + "," + "Firstname" + "," + "Lastname" + "," + "Alias" + "," + "Full Access" + "," + " FullAccessFN" + "," + "FullAccessLN" + "," + "Send As" | Out-File $OutFile -Force
 
$Mailboxes = Get-Mailbox -ResultSize:Unlimited | Where {$_.HiddenFromAddressListsEnabled -eq $false} | Select Identity, Alias, DisplayName, DistinguishedName
ForEach ($Mailbox in $Mailboxes) {
	$SendAs = Get-ADPermission $Mailbox.DistinguishedName | ? {$_.ExtendedRights -like "Send-As" -and $_.User -notlike "NT AUTHORITY\SELF" -and !$_.IsInherited} | % {$_.User}
	$FullAccess = Get-MailboxPermission $Mailbox.Identity | ? {$_.AccessRights -eq "FullAccess" -and !$_.IsInherited} | % {$_.User}
 	$Firstname = Get-User $Mailbox.DistinguishedName | Select-Object FirstName
	$Lastname = Get-User $Mailbox.Identity | Select-Object LastName	
foreach ($fullaccessuser in $fullaccess){
	$FullAccessFN = Get-User $fullaccessuser.rawidentity | Select-Object FirstName
	$FullAccessLN = get-user $fullaccessuser.rawidentity | Select-Object LastName
	$Mailbox.DisplayName + "," + $Firstname  + "," + $Lastname  + "," + $Mailbox.Alias + "," + $FullAccess + "," + $fullaccessuser.FullAccessFN + "," + $fullaccessuser.FullAccessLN + "," + $SendAs | Out-File $OutFile -Append
}
} 



Any idea why it is not returning values in the combined script?
 
chriskelkCommented:
Try this

$OutFile = "C:\Export\PermissionExport.txt"
# Header row; every permission gets its own line, with the type in the "Permission" column
"DisplayName" + "," + "Firstname" + "," + "Lastname" + "," + "Alias" + "," + "Permission" + "," + "FullAccessFN" + "," + "FullAccessLN" + "," + "Send As" | Out-File $OutFile -Force
 
$Mailboxes = Get-Mailbox -ResultSize:Unlimited | Where {$_.HiddenFromAddressListsEnabled -eq $false} | Select Identity, Alias, DisplayName, DistinguishedName
ForEach ($Mailbox in $Mailboxes) {
	write-host 'Processing mailbox:' $mailbox.DisplayName
	# Explicit Full Access grants only: skip inherited entries, SELF, and orphaned SIDs (S-1-...)
	$FullAccess = Get-MailboxPermission $Mailbox.Identity | ? {$_.AccessRights -eq "FullAccess" -and !$_.IsInherited -and $_.User -notlike "NT AUTHORITY\SELF" -and $_.User -notlike "*S-1*"} | % {$_.User}
	# (Get-User ...).FirstName gives the plain string; Select-Object FirstName would give an object
 	$Firstname = (Get-User $Mailbox.identity).FirstName
	$Lastname = (Get-User $Mailbox.identity).LastName	
	# One line per Full Access trustee, resolved to first/last name through RawIdentity
	foreach ($fullaccessuser in $fullaccess){
		write-host 'Processing Full Access permission ' $FullAccessUser.RawIdentity
		$FullAccessFN=(get-user $fullaccessuser.rawidentity).FirstName
		$FullAccessLN=(get-user $fullaccessuser.rawidentity).LastName
		$Mailbox.DisplayName + "," + $Firstname  + "," + $Lastname  + "," + $Mailbox.Alias + "," + 'FullAccess'+ "," + $FullAccessFN + "," + $FullAccessLN + ","  | Out-File $OutFile -Append
		} 
	# Explicit Send-As grants on the AD object, minus the built-in principals
	$SendAs = Get-ADPermission $Mailbox.DistinguishedName | ? {$_.ExtendedRights -like "Send-As" -and $_.User -notlike "NT AUTHORITY\SELF" -and $_.User -notlike "NT AUTHORITY\SYSTEM" -and $_.User -notlike "BUILTIN\ADMINISTRATORS" -and $_.User -notlike "*S-1*" -and !$_.IsInherited} | % {$_.User}
	foreach ($sendasuser in $sendas){
		write-host 'Processing SendAs permission ' $SendAsUser
		$SendAsFN=(get-user $SendAsuser.rawidentity).FirstName
		$SendAsLN=(get-user $SendAsuser.rawidentity).LastName
		$Mailbox.DisplayName + "," + $Firstname  + "," + $Lastname  + "," + $Mailbox.Alias + "," + 'SendAs'+ "," + $SendAsFN + "," + $SendAsLN + ","  | Out-File $OutFile -Append
	}
}



I've put a little bit of progress reporting in, and filtered a few exclusions out.
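Added example (my own code, not chriskelk's or the asker's): the same export, but written as a real CSV with Export-Csv and one row per mailbox/trustee/permission, so the file survives commas in display names and filters cleanly in Excel for the matching step. It also keeps a Resolved column: a trustee that comes back as an orphaned SID (the S-1-5-... entries the asker saw) is written with empty name fields and Resolved=False instead of silently turning into blanks, which is exactly the row to check by hand before re-granting anything in the new forest. Assumptions: an Exchange Management Shell session, PowerShell 3.0 or later (the [pscustomobject] syntax), and the output path and helper names, which are my own choices.

```powershell
# Added example, not from the thread. Assumes an Exchange Management Shell and PowerShell 3+.
$OutFile = 'C:\Export\PermissionExport.csv'   # assumed path, change as needed

# Resolve a trustee (the .User value from Get-MailboxPermission/Get-ADPermission) to a user
# object. Returns $null for anything that cannot be looked up, e.g. an orphaned SID.
function Resolve-Trustee {
    param([Parameter(Mandatory=$true)] $Trustee)
    # RawIdentity is present on SecurityPrincipalIdParameter; fall back to the string form
    $name = if ($Trustee.PSObject.Properties['RawIdentity']) { $Trustee.RawIdentity } else { [string]$Trustee }
    if ($name -like 'S-1-*') { return $null }   # orphaned SID: no account to resolve
    try   { return Get-User -Identity $name -ErrorAction Stop }
    catch { return $null }
}

# One output row per (mailbox, trustee, permission); unresolved trustees get Resolved=False
function New-PermissionRow {
    param($Mailbox, $Trustee, [string]$Permission)
    $user = Resolve-Trustee -Trustee $Trustee
    $fn = ''; $ln = ''
    if ($user) { $fn = $user.FirstName; $ln = $user.LastName }
    [pscustomobject]@{
        MailboxDisplayName = $Mailbox.DisplayName
        MailboxAlias       = $Mailbox.Alias
        MailboxFirstName   = $Mailbox.FirstName
        MailboxLastName    = $Mailbox.LastName
        Permission         = $Permission
        Trustee            = [string]$Trustee
        TrusteeFirstName   = $fn
        TrusteeLastName    = $ln
        Resolved           = [bool]$user    # $false rows need manual review before import
    }
}

# Well-known principals that should never be migrated as delegates
$excluded = @('NT AUTHORITY\SELF', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

$rows = foreach ($mbx in (Get-Mailbox -ResultSize Unlimited | Where-Object { -not $_.HiddenFromAddressListsEnabled })) {
    $owner   = Get-User -Identity $mbx.Identity
    $mailbox = [pscustomobject]@{
        DisplayName = $mbx.DisplayName; Alias = $mbx.Alias
        FirstName   = $owner.FirstName; LastName = $owner.LastName
    }

    # Explicit (non-inherited, non-deny) Full Access grants
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { $_.AccessRights -eq 'FullAccess' -and -not $_.IsInherited -and -not $_.Deny -and $excluded -notcontains [string]$_.User } |
        ForEach-Object { New-PermissionRow -Mailbox $mailbox -Trustee $_.User -Permission 'FullAccess' }

    # Explicit Send-As grants on the AD object
    Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object { $_.ExtendedRights -like 'Send-As' -and -not $_.IsInherited -and -not $_.Deny -and $excluded -notcontains [string]$_.User } |
        ForEach-Object { New-PermissionRow -Mailbox $mailbox -Trustee $_.User -Permission 'SendAs' }
}

$rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# Show what still needs a human decision before anything is granted in the new forest
$rows | Where-Object { -not $_.Resolved } | Format-Table MailboxAlias, Permission, Trustee -AutoSize
```

The -notlike "*S-1*" filter in the accepted script simply drops orphaned SIDs; here they stay in the file as Resolved=False so the migration review can see that a mailbox had a grant nobody can account for, which is usually the grant you want to clean up rather than carry over.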
 
offextlmoAuthor Commented:
I have tried your script, it is still not giving me any values.

What it does do is create a new line for every Send-As and Full Access permission. Meaning that when Mailbox A is shared and 3 users have access to it, it shows 3 lines with empty values in the Export.txt file.

Any idea?
 
chriskelkCommented:
It's working perfectly in our environment.  Is every line of the output entirely blank?  i.e.  ,,,,,,,

or are you getting

mailbox A, mailbox, A, mailboxA,FullAccess,,,

Does the output I put in show that it's processing a particular user, and permissions for that user?

Next thing I'd suggest is running some of the commands directly in a console, starting with

$Mailbox = Get-Mailbox username -ResultSize:Unlimited | Select Identity, Alias, DisplayName, DistinguishedName

to limit the results to a single user (one who you know has both FullAccess and SendAs delegates) in order to see what's happening,

then

$Mailbox

to see that the results are as expected

then run through the other commands, to see what the results are, i.e.

$FullAccess = Get-MailboxPermission $Mailbox.Identity | ? {$_.AccessRights -eq "FullAccess" -and !$_.IsInherited -and $_.User -notlike "NT AUTHORITY\SELF" -and $_.User -notlike "*S-1*"} | % {$_.User}

$FullAccess

(to see the results)

 $Firstname = (Get-User $Mailbox.identity).FirstName

$Firstname


etc.
 
offextlmoAuthor Commented:
I am getting the following: mailbox A, mailbox, A, mailboxA,FullAccess,,,

I did as you requested by doing it step by step.

And everything is working (as expected, because we receive mailbox A, mailbox, A, mailboxA,FullAccess,,, in the export file).

$Firstname = (Get-User $Mailbox.identity).FirstName

$Firstname


The part above is not returning any results, and when I run the following command:
$FullAccessFN = Get-User $fullaccessuser.rawidentity | Select-Object FirstName
$FullAccessFN


it gives me a list with all users' first names.

With my little knowledge, it seems that '$fullaccessuser.rawidentity' is not selecting the correct user that is coming from this result:
'$FullAccess = Get-MailboxPermission $Mailbox.Identity | ? {$_.AccessRights -eq "FullAccess" -and !$_.IsInherited -and $_.User -notlike "NT AUTHORITY\SELF" -and $_.User -notlike "*S-1*"} | % {$_.User}'



When I execute the $FullAccess cmdlet it outputs this:
SecurityIdentifier
------------------
S-1-5-21-1746158562-412432939-3720733172-500
S-1-5-21-1746158562-412432939-3720733172-1194
S-1-5-21-1746158562-412432939-3720733172-3652


Can it be that '$FullAccessFN=(get-user $fullaccessuser.identity).FirstName' is expecting some output like 'internaldomain\usera' instead of a SID?
 
offextlmoAuthor Commented:
I am on Windows 2008 SP2 with Exchange 2007 SP3. Maybe PowerShell 1.0 is not smart enough to complete this?
 
chriskelkCommented:
It would be worth updating PowerShell: up to v3 can be installed on Server 2008. The Exchange version won't affect which PowerShell version you can install.
 
offextlmoAuthor Commented:
It was indeed my PowerShell version. After updating to version 3, your last PowerShell script did the job.

Thanks for your help!
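Added example for the import side the question mentions (my own code, not from the thread): it reads the CSV exported above and re-grants each permission in the new forest, matching mailbox and trustee by first name plus last name as the asker planned. The one thing worth being strict about is ambiguity: if a name matches zero accounts or more than one, the row is reported and skipped rather than guessed, because a wrong match hands Full Access to the wrong person. It is a dry run unless $Apply is set. Assumptions: PowerShell 3+ in an Exchange Management Shell of the target forest, the column names from my export example, and the input path, which is my own choice.

```powershell
# Added example, not from the thread. Assumes PowerShell 3+ and an Exchange Management Shell
# in the target forest; column names match the export example above.
$InFile = 'C:\Export\PermissionExport.csv'   # assumed path: output of the export above
$Apply  = $false                              # set to $true only after reviewing the dry run

# One directory query, then an in-memory index keyed on "first|last" (case-insensitive)
$byName = @{}
foreach ($u in (Get-User -ResultSize Unlimited)) {
    $key = ('{0}|{1}' -f $u.FirstName, $u.LastName).ToLowerInvariant()
    if (-not $byName.ContainsKey($key)) { $byName[$key] = @() }
    $byName[$key] += $u
}

# Return every account with this name; the caller decides what to do when it is not exactly one
function Find-UserByName {
    param([string]$FirstName, [string]$LastName)
    $key = ('{0}|{1}' -f $FirstName, $LastName).ToLowerInvariant()
    if ($byName.ContainsKey($key)) { return $byName[$key] } else { return @() }
}

$results = foreach ($row in (Import-Csv -Path $InFile)) {
    $status = 'Skipped'; $reason = ''
    if ($row.Resolved -ne 'True') {
        $reason = 'trustee was not resolvable at export time'
    } else {
        $targets  = @(Find-UserByName $row.MailboxFirstName $row.MailboxLastName)
        $trustees = @(Find-UserByName $row.TrusteeFirstName $row.TrusteeLastName)
        if ($targets.Count -ne 1 -or $trustees.Count -ne 1) {
            # Zero or several candidates: never guess, report for manual resolution
            $reason = "mailbox matches: $($targets.Count), trustee matches: $($trustees.Count)"
        } else {
            $status = if ($Apply) { 'Applied' } else { 'WouldApply' }
            if ($Apply) {
                switch ($row.Permission) {
                    'FullAccess' { Add-MailboxPermission -Identity $targets[0].DistinguishedName -User $trustees[0].DistinguishedName -AccessRights FullAccess -InheritanceType All | Out-Null }
                    'SendAs'     { Add-ADPermission -Identity $targets[0].DistinguishedName -User $trustees[0].DistinguishedName -ExtendedRights 'Send-As' | Out-Null }
                }
            }
        }
    }
    [pscustomobject]@{
        Mailbox = $row.MailboxAlias; Permission = $row.Permission
        Trustee = $row.Trustee;      Status     = $status; Reason = $reason
    }
}

$results | Format-Table -AutoSize
```

Run it once with $Apply left at $false, work through every Skipped row (duplicate names are common in larger directories, and the orphaned-SID rows should normally be dropped rather than recreated), then set $Apply to $true for the second pass.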
