how to combine two scripts into one

Hello,
So, in Office 365 we can’t assign permissions to security groups on shared mailboxes unless they are mail enabled groups. Client doesn’t want to mail enable security groups and asks to extract members from security groups and assign individual permissions to shared mailboxes.

Is it possible to combine two scripts into one in order to get a list of shared mailbox permissions and individual members who have permissions to those mailboxes through security groups?

I have two separate scripts already.
One is getting permissions for shared mailboxes, but it doesn’t expand security groups.
Get-Mailbox -OrganizationalUnit "OU=Shared,OU=Mailboxes,OU=NA-Mail,OU=Domain,DC=domain,DC=local" -ResultSize Unlimited | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation c:\temp\Sharedmailboxpermissions10-10-2014.csv

I am getting the shared mailbox and the security group that has permissions assigned to it. I need then to run another command to extract members from security groups

Another script below gets the security groups and members.

$Users | % {
$group = $_.Group
Get-ADGroupMember –identity $group} | select @{Name="Group Name";Expression={$group}},@{Name="Member";Expression={$_.Name}} | export-csv c:\temp\SecurityGroupTest.csv -NoTypeInformation

So, please advise if it is possible to have those two combined. If it is not possible with PowerShell, what would be an alternative Excel solution to combine those two into one?

I am using the following script later to assign permissions to the shared mailboxes, but as I said, I need to have individual mailboxes and not security groups on the excel file in order for it to work.
$Users = Import-CSV -Path c:\Temp\RoommailboxpermissionsTest2.csv
$Users | ForEach-Object {Add-MailboxPermission -Identity $_.Identity –User $_.User -AccessRights FullAccess -InheritanceType all}


Thank you so much.
claudiamcse Asked:
 
Qlemo Developer Commented:
Please use a Code block for posting code snippets, that retains line breaks where they should be only ;-).
Currently I'm not able to test myself, Exchange and AD are using different domains, so sorry for the bugs.
In your error messages there is something missing from the top, but I suppose it is the same message as the last:
The term 'Get-ADGroupMember' is not recognized as a cmdlet, function, operable program, or script file. Verify the t
 and try again.
At C:\temp\scripts\CombinedScript2.ps1:9 char:22
+     Get-ADGroupMember  <<<< -identity $group |

This tells that the ActiveDirectory module has not been loaded, because Get-ADGroupMember definitely is part of that module. Is there another error in regard of that (needs to be the very first error then)?
For the other error, obviously we need to convert the user name to string first before trying to extract the name only (vs. having domain\group). So replace
    $group = $_.User.Split('\')[-1]

by
    $group = $_.User.ToString().Split('\')[-1]

0
 
claudiamcse Author Commented:
If you could please write a comment to explain what each command does because I am learning PowerShell.

Thank you so much.
0
 
Qlemo Developer Commented:
Of course you can do that, if you tell what you mean with "combining". The script fragments are loosely related only. E.g. where is $users coming from in the 2nd code fragment?
0

 
claudiamcse Author Commented:
Oh. Great!
$Users are coming from the import file. So, for the second script I am getting the membership of the security groups that are listed on the spreadsheet. I took the security groups that have permissions to the mailboxes and copied them to the import file for the second script to get the membership for those groups.
$Users = Import-CSV -Path c:\Temp\securitygroups.csv

So, the final output that I am trying to get to assign permissions to the mailboxes is the following:
first column is the shared mailbox -identity name, 2nd column is group (don't use this column because I can't add permissions through group), 3rd column - is mailbox name/full name/, and 4th column is the fullaccess column.
Identity               Group              User        AccessRights
Workforce Management   Security Group1    Doe, John   FullAccess
Workforce Management   Security Group 2   Doe, Jane   FullAccess
0
 
Qlemo Developer Commented:
Your first export does not create a "Group" column. It is "User", which might contain a user or group name, hence my confusion.
Assuming you do not need any of the other exports:
Get-Mailbox -OrganizationalUnit "OU=Shared,OU=Mailboxes,OU=NA-Mail,OU=Domain,DC=domain,DC=local" -ResultSize Unlimited |
  Get-MailboxPermission |
  where {$_.user -ne "NT AUTHORITY\SELF" -and !$_.IsInherited} |
  Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} |
  % {
    $group = $_.User.Split('\')[-1]
    $id    = $_.Identity
    Get-ADGroupMember –identity $group} |
      select @{Name = "Identity"  ; Expression = {$id}},
             @{Name = "Group Name"; Expression = {$group}},
             @{Name = "Member"    ; Expression = {$_.Name}}
  } |
  % {
    Add-MailboxPermission -Identity $_.Identity –User $_.Member -AccessRights FullAccess -InheritanceType all
  }

Note we have to use consistent property (= column) names for the results.
We could export results to CSV anywhere in the pipe, if needed, but that is some fiddling.
0
 
claudiamcse Author Commented:
Where do I run it from - EMS or Windows PowerShell? I can't run Get-Mailbox in Windows PowerShell and I can't run Get-ADGroupMember in EMS.
0
 
claudiamcse Author Commented:
[PS] C:\temp\scripts>.
Missing expression after '.' in pipeline element.
At line:1 char:1
+ . <<<<
[PS] C:\temp\scripts>C:\temp\scripts\CombinedScript2.ps1
Unexpected token '}' in expression or statement.
At C:\temp\scripts\CombinedScript2.ps1:12 char:3
+   } <<<<
PS C:\temp> .\groupTest.ps1
Unexpected token '}' in expression or statement.
At C:\temp\groupTest.ps1:3 char:40
+     Get-ADGroupMember -identity $group} <<<<  |
    + CategoryInfo          : ParserError: (}:String) [], ParseException
    + FullyQualifiedErrorId : UnexpectedToken
0
 
Qlemo Developer Commented:
Please only post the relevant actions. You've done three things above. I assume the last call is the error you wanted to show?
In http:#a40399811 I've left over a closing curly brace not belonging there, so line 8 should be:
    Get-ADGroupMember –identity $group |

You best run the code in EMS, and add this line to the very start of the combined PS script:
import-module ActiveDirectory

0
 
claudiamcse Author Commented:
When I run the following script in EMS (Exchange Management Shell), I get this error:
[PS] C:\temp\scripts>C:\temp\scripts\CombinedScript2.ps1
Unexpected token '}' in expression or statement.
At C:\temp\scripts\CombinedScript2.ps1:12 char:3
+   } <<<<

Below is the script that I saved as CombinedScript2.ps1

Get-Mailbox -OrganizationalUnit "OU=Shared,OU=Mailboxes,OU=NA-Mail,OU=Vertex-NA,DC=msg,DC=local" -ResultSize Unlimited |
  Get-MailboxPermission |
  where {$_.user -ne "NT AUTHORITY\SELF" -and !$_.IsInherited} |
  Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} |
  % {
    $group = $_.User.Split('\')[-1]
    $id    = $_.Identity
    Get-ADGroupMember –identity $group} |
      select @{Name = "Identity"  ; Expression = {$id}},
             @{Name = "Group Name"; Expression = {$group}},
             @{Name = "Member"    ; Expression = {$_.Name}}
  }
0
 
claudiamcse Author Commented:
Thank you. I did as you said. Below is the script. Still getting this error when running from EMS:

At C:\temp\scripts\CombinedScript2.ps1:9 char:22
+     Get-ADGroupMember  <<<< -identity $group |
Method invocation failed because [Microsoft.Exchange.Configuration.Tasks.SecurityPrincipalIdParameter] doesn't conta
a method named 'Split'.
At C:\temp\scripts\CombinedScript2.ps1:7 char:27
+     $group = $_.User.Split( <<<< '\')[-1]
The term 'Get-ADGroupMember' is not recognized as a cmdlet, function, operable program, or script file. Verify the t
 and try again.
At C:\temp\scripts\CombinedScript2.ps1:9 char:22
+     Get-ADGroupMember  <<<< -identity $group |
[PS] C:\temp\scripts>
0
 
claudiamcse Author Commented:
Below is the script I modified

import-module ActiveDirectory
Get-Mailbox -OrganizationalUnit "OU=Shared,OU=Mailboxes,OU=NA-Mail,OU=domainhidden,DC=private,DC=local" -ResultSize Unlimited |
  Get-MailboxPermission |
  where {$_.user -ne "NT AUTHORITY\SELF" -and !$_.IsInherited} |
  Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} |
  % {
    $group = $_.User.Split('\')[-1]
    $id    = $_.Identity
    Get-ADGroupMember –identity $group |
      select @{Name = "Identity"  ; Expression = {$id}},
             @{Name = "Group Name"; Expression = {$group}},
             @{Name = "Member"    ; Expression = {$_.Name}}
  }
0
 
claudiamcse Author Commented:
How do you use Code block for posting code snippets? Sorry I am new to this.....
0
 
claudiamcse Author Commented:
I modified the script as you advised but still get the following errors when running it from EMS
The term 'import-module' is not recognized as a cmdlet, function, operable program, or script file. V
 try again.
At C:\temp\scripts\CombinedScript2.ps1:1 char:14
+ import-module  <<<< ActiveDirectory
The term 'Get-ADGroupMember' is not recognized as a cmdlet, function, operable program, or script fil
 and try again.
At C:\temp\scripts\CombinedScript2.ps1:9 char:22

+     Get-ADGroupMember  <<<< -identity $group |
The term 'Get-ADGroupMember' is not recognized as a cmdlet, function, operable program, or script file. Verify the term
 and try again.
At C:\temp\scripts\CombinedScript2.ps1:9 char:22
+     Get-ADGroupMember  <<<< -identity $group |
The term 'Get-ADGroupMember' is not recognized as a cmdlet, function, operable program, or script file. Verify the term
 and try again.
At C:\temp\scripts\CombinedScript2.ps1:9 char:22
+     Get-ADGroupMember  <<<< -identity $group |
The term 'Get-ADGroupMember' is not recognized as a cmdlet, function, operable program, or script file. Verify the term
 and try again.
0
 
Qlemo Developer Commented:
Re: Code block: either wrap your code in [code] and [/code], or select the code and click on Code in the toolbar, or use the </>> of the toolbar to post code from a file.
0
 
Qlemo Developer Commented:
Something went wrong in a very severe way. import-module is a cmdlet which is part of PowerShell.
Are you supplying the dash ('-') as normal dash, or as long dash, or use anything similar to be outside of the traditional US ASCII character set?
Best to make sure you save the script as ASCII/ANSI, not any of Unicode/UTF encodings.
0
 
claudiamcse Author Commented:
It is working once I replaced the line with this below as you advised
 $group = $_.User.ToString().Split('\')[-1]


Thank you so much. Here is the revised script that does an incredible job.
import-module ActiveDirectory
Get-Mailbox -OrganizationalUnit "OU=Shared,OU=Mailboxes,OU=NA-Mail,OU=Vertex-NA,DC=msg,DC=local" -ResultSize Unlimited |
  Get-MailboxPermission |
  where {$_.user -ne "NT AUTHORITY\SELF" -and !$_.IsInherited} |
  Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} |
  % {
    $group = $_.User.ToString().Split('\')[-1]
    $id    = $_.Identity
    Get-ADGroupMember -identity $group |
      select @{Name = "Identity"  ; Expression = {$id}},
             @{Name = "Group Name"; Expression = {$group}},
             @{Name = "Member"    ; Expression = {$_.Name}}
  }
0
 
claudiamcse Author Commented:
This script is perfect. Now, is it possible to select and export the Access rights column as well in addition to identity, group, and user?

Please advise.

Thank you so much!
0
 
Qlemo Developer Commented:
Of course, as a comma-separated list. But I've omitted that part because you wanted to set the FullAccess right anyway.
import-module ActiveDirectory
Get-Mailbox -OrganizationalUnit "OU=Shared,OU=Mailboxes,OU=NA-Mail,OU=Domain,DC=domain,DC=local" -ResultSize Unlimited |
  Get-MailboxPermission |
  where {$_.user -ne "NT AUTHORITY\SELF" -and !$_.IsInherited} |
  Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} |
  % {
    $group = $_.User.ToString().Split('\')[-1]
    $rights= $_.'Access Rights'
    $id    = $_.Identity; Get-ADGroupMember -identity $group |
      select @{Name = 'Identity'     ; Expression = {$id}},
             @{Name = 'Group Name'   ; Expression = {$group}},
             @{Name = 'Member'       ; Expression = {$_.Name}},
             @{Name = 'Access Rights'; Expression = {$rights}}
  } |
  % {
    Add-MailboxPermission -Identity $_.Identity –User $_.Member -AccessRights FullAccess -InheritanceType all
  }

is the full code. If you remove lines 14-16, no permission change is taking place, and the access rights are dumped.
0
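
An added example, not part of the thread and not either poster's code: the same pipeline with each step commented, expanding nested groups, skipping trustees that are not AD groups, keeping a CSV record, and previewing the grant with -WhatIf. The output path and the use of SamAccountName instead of Name for the Member column are assumptions made here.

```powershell
# Added example. Run in the Exchange Management Shell with the AD module available.
Import-Module ActiveDirectory

$ou      = 'OU=Shared,OU=Mailboxes,OU=NA-Mail,OU=Domain,DC=domain,DC=local'  # OU as posted in the thread
$csvPath = 'C:\temp\SharedMailboxExpanded.csv'                                # hypothetical output path

$rows = Get-Mailbox -OrganizationalUnit $ou -ResultSize Unlimited |
  Get-MailboxPermission |
  # Drop the mailbox's own SELF entry and anything inherited from a parent object.
  Where-Object { $_.User.ToString() -ne 'NT AUTHORITY\SELF' -and -not $_.IsInherited } |
  ForEach-Object {
    $id      = $_.Identity
    $rights  = [string]::Join(', ', $_.AccessRights)
    $trustee = $_.User.ToString().Split('\')[-1]   # strip the DOMAIN\ prefix

    # The User column can hold a user as well as a group; only groups are expanded.
    $adGroup = $null
    try   { $adGroup = Get-ADGroup -Identity $trustee -ErrorAction Stop }
    catch { Write-Warning "Skipping '$trustee' on '$id': not an AD group" }

    if ($adGroup) {
      # -Recursive also returns the members of nested groups.
      Get-ADGroupMember -Identity $adGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object @{Name = 'Identity'     ; Expression = { $id }},
                      @{Name = 'Group Name'   ; Expression = { $trustee }},
                      @{Name = 'Member'       ; Expression = { $_.SamAccountName }},  # assumption: unambiguous logon name
                      @{Name = 'Access Rights'; Expression = { $rights }}
    }
  }

# Record who is about to receive access, and through which group, before changing anything.
$rows | Export-Csv -Path $csvPath -NoTypeInformation

# Grant only where the group itself held FullAccess.
# -WhatIf prints each change without making it; remove it after reviewing the CSV.
$rows |
  Where-Object { $_.'Access Rights' -match 'FullAccess' } |
  ForEach-Object {
    Add-MailboxPermission -Identity $_.Identity -User $_.Member `
      -AccessRights FullAccess -InheritanceType All -WhatIf
  }
```

Direct grants made this way do not follow later changes to group membership, so the exported CSV is the only record of why each user has access.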
 
claudiamcse Author Commented:
Excellent! Thank you so much!!
0