Solved

how to combine two scripts into one

Posted on 2014-10-22
Last Modified: 2014-11-05
Hello,
So, in Office 365 we can’t assign permissions to security groups on shared mailboxes unless they are mail-enabled groups. The client doesn’t want to mail-enable security groups and asks to extract members from security groups and assign individual permissions to shared mailboxes.

Is it possible to combine two scripts into one in order to get a list of shared mailbox permissions and individual members who have permissions to those mailboxes through security groups?

I have two separate scripts already.
One is getting permissions for shared mailboxes, but it doesn’t expand security groups.
Get-Mailbox -OrganizationalUnit "OU=Shared,OU=Mailboxes,OU=NA-Mail,OU=Domain,DC=domain,DC=local" -ResultSize Unlimited | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation c:\temp\Sharedmailboxpermissions10-10-2014.csv

I am getting the shared mailbox and the security group that has permissions assigned to it. I need then to run another command to extract members from security groups

Another script below gets the security groups and members.

$Users | % {
$group = $_.Group
Get-ADGroupMember –identity $group} | select @{Name="Group Name";Expression={$group}},@{Name="Member";Expression={$_.Name}} | export-csv c:\temp\SecurityGroupTest.csv -NoTypeInformation

So, please advise if it is possible to have those two combined. If it is not possible with PowerShell, what would be an alternative Excel solution to combine those two into one?

I am using the following script later to assign permissions to the shared mailboxes, but as I said, I need to have individual mailboxes and not security groups in the Excel file in order for it to work.
$Users = Import-CSV -Path c:\Temp\RoommailboxpermissionsTest2.csv
$Users | ForEach-Object {Add-MailboxPermission -Identity $_.Identity –User $_.User -AccessRights FullAccess -InheritanceType all}


Thank you so much.
Question by:claudiamcse
19 Comments
 

Author Comment

by:claudiamcse
ID: 40398095
If you could, please write a comment to explain what each command does, because I am learning PowerShell.

Thank you so much.
 
LVL 68

Expert Comment

by:Qlemo
ID: 40398197
Of course you can do that, if you tell what you mean with "combining". The script fragments are loosely related only. E.g. where is $users coming from in the 2nd code fragment?
 

Author Comment

by:claudiamcse
ID: 40399612
Oh. Great!
$Users are coming from the import file. So, for the second script I am getting the membership of the security groups that are listed on the spreadsheet. I took the security groups that have permissions to the mailboxes and copied them to the import file for the second script to get the membership for those groups.
$Users = Import-CSV -Path c:\Temp\securitygroups.csv

So, the final output that I am trying to get to assign permissions to the mailboxes is the following:
First column is the shared mailbox -identity name, 2nd column is group (don't use this column because I can't add permissions through group), 3rd column - is mailbox name/full name/, and 4th column is the fullaccess column.
Identity                Group               User         AccessRights
Workforce Management    Security Group1     Doe, John    FullAccess
Workforce Management    Security Group 2    Doe, Jane    FullAccess
 
LVL 68

Expert Comment

by:Qlemo
ID: 40399811
Your first export does not create a "Group" column. It is "User", which might contain a user or group name, hence my confusion.
Assuming you do not need any of the other exports:
Get-Mailbox -OrganizationalUnit "OU=Shared,OU=Mailboxes,OU=NA-Mail,OU=Domain,DC=domain,DC=local" -ResultSize Unlimited |
  Get-MailboxPermission |
  where {$_.user -ne "NT AUTHORITY\SELF" -and !$_.IsInherited} |
  Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} |
  % {
    $group = $_.User.Split('\')[-1]
    $id    = $_.Identity
    Get-ADGroupMember –identity $group} |
      select @{Name = "Identity"  ; Expression = {$id}},
             @{Name = "Group Name"; Expression = {$group}},
             @{Name = "Member"    ; Expression = {$_.Name}}
  } |
  % {
    Add-MailboxPermission -Identity $_.Identity –User $_.Member -AccessRights FullAccess -InheritanceType all
  }

Note we have to use consistent property (= column) names for the results.
We could export results to CSV anywhere in the pipe, if needed, but that is some fiddling.
 

Author Comment

by:claudiamcse
ID: 40400577
Where do I run it from - EMS or Windows PowerShell? I can't run Get-Mailbox in Windows PowerShell and I can't run Get-ADGroupMember in EMS.
 

Author Comment

by:claudiamcse
ID: 40400584
[PS] C:\temp\scripts>.
Missing expression after '.' in pipeline element.
At line:1 char:1
+ . <<<<
[PS] C:\temp\scripts>C:\temp\scripts\CombinedScript2.ps1
Unexpected token '}' in expression or statement.
At C:\temp\scripts\CombinedScript2.ps1:12 char:3
+   } <<<<
PS C:\temp> .\groupTest.ps1
Unexpected token '}' in expression or statement.
At C:\temp\groupTest.ps1:3 char:40
+     Get-ADGroupMember -identity $group} <<<<  |
    + CategoryInfo          : ParserError: (}:String) [], ParseException
    + FullyQualifiedErrorId : UnexpectedToken
 
LVL 68

Expert Comment

by:Qlemo
ID: 40400617
Please only post the relevant actions. You've done three things above. I assume the last call is the error you wanted to show?
In http:#a40399811 I've left over a closing curly brace not belonging there, so line 8 should be:
    Get-ADGroupMember –identity $group |

You best run the code in EMS, and add this line to the very start of the combined PS script:
import-module ActiveDirectory

 

Author Comment

by:claudiamcse
ID: 40400632
When I run the following script in EMS (Exchange Management Shell), I get this error:
[PS] C:\temp\scripts>C:\temp\scripts\CombinedScript2.ps1
Unexpected token '}' in expression or statement.
At C:\temp\scripts\CombinedScript2.ps1:12 char:3
+   } <<<<

Below is the script that I saved as CombinedScript2.ps1

Get-Mailbox -OrganizationalUnit "OU=Shared,OU=Mailboxes,OU=NA-Mail,OU=Vertex-NA,DC=msg,DC=local" -ResultSize Unlimited |
  Get-MailboxPermission |
  where {$_.user -ne "NT AUTHORITY\SELF" -and !$_.IsInherited} |
  Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} |
  % {
    $group = $_.User.Split('\')[-1]
    $id    = $_.Identity
    Get-ADGroupMember –identity $group} |
      select @{Name = "Identity"  ; Expression = {$id}},
             @{Name = "Group Name"; Expression = {$group}},
             @{Name = "Member"    ; Expression = {$_.Name}}
  }
 

Author Comment

by:claudiamcse
ID: 40400638
Thank you. I did as you said. Below is the script. Still getting this error when running from EMS:

At C:\temp\scripts\CombinedScript2.ps1:9 char:22
+     Get-ADGroupMember  <<<< -identity $group |
Method invocation failed because [Microsoft.Exchange.Configuration.Tasks.SecurityPrincipalIdParameter] doesn't conta
a method named 'Split'.
At C:\temp\scripts\CombinedScript2.ps1:7 char:27
+     $group = $_.User.Split( <<<< '\')[-1]
The term 'Get-ADGroupMember' is not recognized as a cmdlet, function, operable program, or script file. Verify the t
 and try again.
At C:\temp\scripts\CombinedScript2.ps1:9 char:22
+     Get-ADGroupMember  <<<< -identity $group |
[PS] C:\temp\scripts>

Author Comment

by:claudiamcse
ID: 40400641
Below is the script I modified

import-module ActiveDirectory
Get-Mailbox -OrganizationalUnit "OU=Shared,OU=Mailboxes,OU=NA-Mail,OU=domainhidden,DC=private,DC=local" -ResultSize Unlimited |
  Get-MailboxPermission |
  where {$_.user -ne "NT AUTHORITY\SELF" -and !$_.IsInherited} |
  Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} |
  % {
    $group = $_.User.Split('\')[-1]
    $id    = $_.Identity
    Get-ADGroupMember –identity $group |
      select @{Name = "Identity"  ; Expression = {$id}},
             @{Name = "Group Name"; Expression = {$group}},
             @{Name = "Member"    ; Expression = {$_.Name}}
  }
 
LVL 68

Accepted Solution

by:
Qlemo earned 500 total points
ID: 40400654
Please use a Code block for posting code snippets, that retains line breaks where they should be only ;-).
Currently I'm not able to test myself, Exchange and AD are using different domains, so sorry for the bugs.
In your error messages there is something missing from the top, but I suppose it is the same message as the last:
The term 'Get-ADGroupMember' is not recognized as a cmdlet, function, operable program, or script file. Verify the t
 and try again.
At C:\temp\scripts\CombinedScript2.ps1:9 char:22
+     Get-ADGroupMember  <<<< -identity $group |

This tells that the ActiveDirectory module has not been loaded, because Get-ADGroupMember definitely is part of that module. Is there another error in regard of that (needs to be the very first error then)?
For the other error, obviously we need to convert the user name to string first before trying to extract the name only (vs. having domain\group). So replace
    $group = $_.User.Split('\')[-1]

by
    $group = $_.User.ToString().Split('\')[-1]

 

Author Comment

by:claudiamcse
ID: 40403106
How do you use Code block for posting code snippets? Sorry I am new to this.....
 

Author Comment

by:claudiamcse
ID: 40403197
I modified the script as you advised but still get the following errors when running it from EMS
The term 'import-module' is not recognized as a cmdlet, function, operable program, or script file. V
 try again.
At C:\temp\scripts\CombinedScript2.ps1:1 char:14
+ import-module  <<<< ActiveDirectory
The term 'Get-ADGroupMember' is not recognized as a cmdlet, function, operable program, or script fil
 and try again.
At C:\temp\scripts\CombinedScript2.ps1:9 char:22

+     Get-ADGroupMember  <<<< -identity $group |
The term 'Get-ADGroupMember' is not recognized as a cmdlet, function, operable program, or script file. Verify the term
 and try again.
At C:\temp\scripts\CombinedScript2.ps1:9 char:22
+     Get-ADGroupMember  <<<< -identity $group |
The term 'Get-ADGroupMember' is not recognized as a cmdlet, function, operable program, or script file. Verify the term
 and try again.
At C:\temp\scripts\CombinedScript2.ps1:9 char:22
+     Get-ADGroupMember  <<<< -identity $group |
The term 'Get-ADGroupMember' is not recognized as a cmdlet, function, operable program, or script file. Verify the term
 and try again.
 
LVL 68

Expert Comment

by:Qlemo
ID: 40403319
Re: Code block: either wrap your code in [code] and [/code], or select the code and click on Code in the toolbar, or use the </>> of the toolbar to post code from a file.
 
LVL 68

Expert Comment

by:Qlemo
ID: 40403332
Something went wrong in a very severe way. import-module is a cmdlet which is part of PowerShell.
Are you supplying the dash ('-') as normal dash, or as long dash, or use anything similar to be outside of the traditional US ASCII character set?
Best to make sure you save the script as ASCII/ANSI, not any of Unicode/UTF encodings.
 

Author Comment

by:claudiamcse
ID: 40424108
It is working once I replaced the line with this below as you advised
 $group = $_.User.ToString().Split('\')[-1]


Thank you so much. Here is the revised script that does an incredible job.
import-module ActiveDirectory
Get-Mailbox -OrganizationalUnit "OU=Shared,OU=Mailboxes,OU=NA-Mail,OU=Vertex-NA,DC=msg,DC=local" -ResultSize Unlimited |
Get-MailboxPermission |
where {$_.user -ne "NT AUTHORITY\SELF" -and !$_.IsInherited} |
Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} |
% {
$group = $_.User.ToString().Split('\')[-1]
$id = $_.Identity
Get-ADGroupMember –identity $group |
select @{Name = "Identity" ; Expression = {$id}},
@{Name = "Group Name"; Expression = {$group}},
@{Name = "Member" ; Expression = {$_.Name}}
}
 

Author Comment

by:claudiamcse
ID: 40424126
This script is perfect. Now, is it possible to select and export the Access rights column as well in addition to identity, group, and user?

Please advise.

Thank you so much!
 
LVL 68

Expert Comment

by:Qlemo
ID: 40424352
Of course, as a comma-separated list. But I've omitted that part because you wanted to set the FullAccess right anyway.
import-module ActiveDirectory   # provides Get-ADGroupMember
Get-Mailbox -OrganizationalUnit "OU=Shared,OU=Mailboxes,OU=NA-Mail,OU=Domain,DC=domain,DC=local" -ResultSize Unlimited |
  Get-MailboxPermission |
  where {$_.user -ne "NT AUTHORITY\SELF" -and !$_.IsInherited} |   # skip SELF and inherited entries
  Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} |
  % {
    $group = $_.User.ToString().Split('\')[-1]   # convert to string, then strip the DOMAIN\ prefix
    $rights= $_.'Access Rights'
    $id    = $_.Identity; Get-ADGroupMember -identity $group |
      select @{Name = 'Identity'     ; Expression = {$id}},
             @{Name = 'Group Name'   ; Expression = {$group}},
             @{Name = 'Member'       ; Expression = {$_.Name}},
             @{Name = 'Access Rights'; Expression = {$rights}}
  } |
  % {
    Add-MailboxPermission -Identity $_.Identity -User $_.Member -AccessRights FullAccess -InheritanceType all
  }

is the full code. If you remove lines 14-16, no permission change is taking place, and the access rights are dumped.
 

Author Closing Comment

by:claudiamcse
ID: 40424494
Excellent! Thank you so much!!
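
A variant of the accepted script with checks before any permission is granted, added here as an example and not posted by anyone in the thread: it skips Deny entries and trustees that are not AD groups, flattens nested groups with -Recursive, writes the expanded list to a CSV for review, and only simulates the grants with -WhatIf. The CSV path is an assumed name, and the session is assumed to have both the Exchange cmdlets and the ActiveDirectory module available.

```powershell
Import-Module ActiveDirectory

# OU path as written in the thread; the review CSV path is an assumed example name.
$ou     = 'OU=Shared,OU=Mailboxes,OU=NA-Mail,OU=Domain,DC=domain,DC=local'
$review = 'C:\temp\SharedMailboxExpanded.csv'

# Explicit entries only: SELF, inherited entries and Deny entries are dropped,
# so a Deny on a group is never turned into a FullAccess grant for its members.
$rows = Get-Mailbox -OrganizationalUnit $ou -ResultSize Unlimited |
  Get-MailboxPermission |
  Where-Object { $_.User.ToString() -ne 'NT AUTHORITY\SELF' -and -not $_.IsInherited -and -not $_.Deny } |
  ForEach-Object {
    $perm    = $_
    $trustee = $perm.User.ToString().Split('\')[-1]          # DOMAIN\name -> name
    $rights  = [string]::Join(', ', $perm.AccessRights)
    $safe    = $trustee.Replace("'", "''")                   # escape quotes for the AD filter

    # The User column can hold a user or a group; expand only real AD groups.
    $adGroup = Get-ADGroup -Filter "SamAccountName -eq '$safe'"
    if ($adGroup) {
      # -Recursive returns the leaf members of nested groups, never the sub-groups.
      Get-ADGroupMember -Identity $adGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
          New-Object PSObject -Property @{
            Identity     = $perm.Identity.ToString()
            Group        = $trustee
            Member       = $_.SamAccountName                 # unambiguous, unlike display names
            AccessRights = $rights
          }
        }
    }
  }

# Write the expanded list for review before anything is changed.
$rows | Select-Object Identity, Group, Member, AccessRights |
  Export-Csv -NoTypeInformation $review

# Dry run: -WhatIf reports each grant without applying it.
# Remove -WhatIf only after the CSV has been checked.
$rows | Where-Object { $_.AccessRights -match 'FullAccess' } | ForEach-Object {
  Add-MailboxPermission -Identity $_.Identity -User $_.Member `
    -AccessRights FullAccess -InheritanceType All -WhatIf
}
```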