Solved

how to combine two scripts into one

Posted on 2014-10-22
Last Modified: 2014-11-05
Hello,
So, in Office 365 we can’t assign permissions to security groups on shared mailboxes unless they are mail-enabled groups. Client doesn’t want to mail-enable security groups and asks to extract members from security groups and assign individual permissions to shared mailboxes.

Is it possible to combine two scripts into one in order to get a list of shared mailbox permissions and individual members who have permissions to those mailboxes through security groups?

I have two separate scripts already.
One is getting permissions for shared mailboxes, but it doesn’t expand security groups.
Get-Mailbox -OrganizationalUnit "OU=Shared,OU=Mailboxes,OU=NA-Mail,OU=Domain,DC=domain,DC=local" -ResultSize Unlimited | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation c:\temp\Sharedmailboxpermissions10-10-2014.csv

I am getting the shared mailbox and the security group that has permissions assigned to it. I need then to run another command to extract members from security groups

Another script below gets the security groups and members.

$Users | % {
$group = $_.Group
Get-ADGroupMember –identity $group} | select @{Name="Group Name";Expression={$group}},@{Name="Member";Expression={$_.Name}} | export-csv c:\temp\SecurityGroupTest.csv -NoTypeInformation

So, please advise if it is possible to have those two combined. If it is not possible with powershell, what would be alternative excel solution to combine those two into one?

I am using the following script later to assign permissions to the shared mailboxes, but as I said, I need to have individual mailboxes and not security groups on the excel file in order for it to work.
$Users = Import-CSV -Path c:\Temp\RoommailboxpermissionsTest2.csv
$Users | ForEach-Object {Add-MailboxPermission -Identity $_.Identity –User $_.User -AccessRights FullAccess -InheritanceType all}


Thank you so much.
0
Comment
Question by:claudiamcse
19 Comments
 

Author Comment

by:claudiamcse
ID: 40398095
If you could, please write a comment to explain what each command does because I am learning PowerShell.

Thank you so much.
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 40398197
Of course you can do that, if you tell what you mean with "combining". The script fragments are loosely related only. E.g. where is $users coming from in the 2nd code fragment?
0
 

Author Comment

by:claudiamcse
ID: 40399612
Oh. Great!
$Users are coming from the import file. So, for the second script I am getting the membership of the security groups that are listed on the spreadsheet. I took the security groups that have permissions to the mailboxes and copied them to the import file for the second script to get the membership for those groups.
$Users = Import-CSV -Path c:\Temp\securitygroups.csv

So, the final output that I am trying to get to assign permissions to the mailboxes is the following:
first column is the shared mailbox -identity name, 2nd column is group (don't use this column because I can't add permissions through group), 3rd column is mailbox name (full name), and 4th column is the FullAccess column.
Identity               Group              User        AccessRights
Workforce Management   Security Group1    Doe, John   FullAccess
Workforce Management   Security Group 2   Doe, Jane   FullAccess
0

 
LVL 70

Expert Comment

by:Qlemo
ID: 40399811
Your first export does not create a "Group" column. It is "User", which might contain a user or group name, hence my confusion.
Assuming you do not need any of the other exports:
Get-Mailbox -OrganizationalUnit "OU=Shared,OU=Mailboxes,OU=NA-Mail,OU=Domain,DC=domain,DC=local" -ResultSize Unlimited |
  Get-MailboxPermission |
  where {$_.user -ne "NT AUTHORITY\SELF" -and !$_.IsInherited} |
  Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} |
  % {
    $group = $_.User.Split('\')[-1]
    $id    = $_.Identity
    Get-ADGroupMember –identity $group} |
      select @{Name = "Identity"  ; Expression = {$id}},
             @{Name = "Group Name"; Expression = {$group}},
             @{Name = "Member"    ; Expression = {$_.Name}}
  } |
  % {
    Add-MailboxPermission -Identity $_.Identity –User $_.Member -AccessRights FullAccess -InheritanceType all
  }


Note we have to use consistent property (= column) names for the results.
We could export results to CSV anywhere in the pipe, if needed, but that is some fiddling.
0
 

Author Comment

by:claudiamcse
ID: 40400577
Where do I run it from - EMS or Windows PowerShell? I can't run Get-Mailbox in Windows PowerShell and I can't run Get-ADGroupMember in EMS.
0
 

Author Comment

by:claudiamcse
ID: 40400584
[PS] C:\temp\scripts>.
Missing expression after '.' in pipeline element.
At line:1 char:1
+ . <<<<
[PS] C:\temp\scripts>C:\temp\scripts\CombinedScript2.ps1
Unexpected token '}' in expression or statement.
At C:\temp\scripts\CombinedScript2.ps1:12 char:3
+   } <<<<
PS C:\temp> .\groupTest.ps1
Unexpected token '}' in expression or statement.
At C:\temp\groupTest.ps1:3 char:40
+     Get-ADGroupMember -identity $group} <<<<  |
    + CategoryInfo          : ParserError: (}:String) [], ParseException
    + FullyQualifiedErrorId : UnexpectedToken
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 40400617
Please only post the relevant actions. You've done three things above. I assume the last call is the error you wanted to show?
In http:#a40399811 I've left over a closing curly brace not belonging there, so line 8 should be:
    Get-ADGroupMember –identity $group |


You best run the code in EMS, and add this line to the very start of the combined PS script:
import-module ActiveDirectory


0
 

Author Comment

by:claudiamcse
ID: 40400632
When I run the following script in EMS (Exchange Management Shell), I get this error:
[PS] C:\temp\scripts>C:\temp\scripts\CombinedScript2.ps1
Unexpected token '}' in expression or statement.
At C:\temp\scripts\CombinedScript2.ps1:12 char:3
+   } <<<<

Below is the script that I saved as CombinedScript2.ps1

Get-Mailbox -OrganizationalUnit "OU=Shared,OU=Mailboxes,OU=NA-Mail,OU=Vertex-NA,DC=msg,DC=local" -ResultSize Unlimited |
  Get-MailboxPermission |
  where {$_.user -ne "NT AUTHORITY\SELF" -and !$_.IsInherited} |
  Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} |
  % {
    $group = $_.User.Split('\')[-1]
    $id    = $_.Identity
    Get-ADGroupMember –identity $group} |
      select @{Name = "Identity"  ; Expression = {$id}},
             @{Name = "Group Name"; Expression = {$group}},
             @{Name = "Member"    ; Expression = {$_.Name}}
  }
0
 

Author Comment

by:claudiamcse
ID: 40400638
Thank you. I did as you said. Below is the script. Still getting this error when running from EMS:

At C:\temp\scripts\CombinedScript2.ps1:9 char:22
+     Get-ADGroupMember  <<<< -identity $group |
Method invocation failed because [Microsoft.Exchange.Configuration.Tasks.SecurityPrincipalIdParameter] doesn't conta
a method named 'Split'.
At C:\temp\scripts\CombinedScript2.ps1:7 char:27
+     $group = $_.User.Split( <<<< '\')[-1]
The term 'Get-ADGroupMember' is not recognized as a cmdlet, function, operable program, or script file. Verify the t
 and try again.
At C:\temp\scripts\CombinedScript2.ps1:9 char:22
+     Get-ADGroupMember  <<<< -identity $group |
[PS] C:\temp\scripts>
0
 

Author Comment

by:claudiamcse
ID: 40400641
Below is the script I modified

import-module ActiveDirectory
Get-Mailbox -OrganizationalUnit "OU=Shared,OU=Mailboxes,OU=NA-Mail,OU=domainhidden,DC=private,DC=local" -ResultSize Unlimited |
  Get-MailboxPermission |
  where {$_.user -ne "NT AUTHORITY\SELF" -and !$_.IsInherited} |
  Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} |
  % {
    $group = $_.User.Split('\')[-1]
    $id    = $_.Identity
    Get-ADGroupMember –identity $group |
      select @{Name = "Identity"  ; Expression = {$id}},
             @{Name = "Group Name"; Expression = {$group}},
             @{Name = "Member"    ; Expression = {$_.Name}}
  }
0
 
LVL 70

Accepted Solution

by:
Qlemo earned 500 total points
ID: 40400654
Please use a Code block for posting code snippets, that retains line breaks where they should be only ;-).
Currently I'm not able to test myself, Exchange and AD are using different domains, so sorry for the bugs.
In your error messages there is something missing from the top, but I suppose it is the same message as the last:
The term 'Get-ADGroupMember' is not recognized as a cmdlet, function, operable program, or script file. Verify the t
 and try again.
At C:\temp\scripts\CombinedScript2.ps1:9 char:22
+     Get-ADGroupMember  <<<< -identity $group |


This tells that the ActiveDirectory module has not been loaded, because Get-ADGroupMember definitely is part of that module. Is there another error in regard of that (needs to be the very first error then)?
For the other error, obviously we need to convert the user name to string first before trying to extract the name only (vs. having domain\group). So replace
    $group = $_.User.Split('\')[-1]


by
    $group = $_.User.ToString().Split('\')[-1]


0
 

Author Comment

by:claudiamcse
ID: 40403106
How do you use Code block for posting code snippets? Sorry I am new to this.....
0
 

Author Comment

by:claudiamcse
ID: 40403197
I modified the script as you advised but still get the following errors when running it from EMS
The term 'import-module' is not recognized as a cmdlet, function, operable program, or script file. V
 try again.
At C:\temp\scripts\CombinedScript2.ps1:1 char:14
+ import-module  <<<< ActiveDirectory
The term 'Get-ADGroupMember' is not recognized as a cmdlet, function, operable program, or script fil
 and try again.
At C:\temp\scripts\CombinedScript2.ps1:9 char:22

+     Get-ADGroupMember  <<<< -identity $group |
The term 'Get-ADGroupMember' is not recognized as a cmdlet, function, operable program, or script file. Verify the term
 and try again.
At C:\temp\scripts\CombinedScript2.ps1:9 char:22
+     Get-ADGroupMember  <<<< -identity $group |
The term 'Get-ADGroupMember' is not recognized as a cmdlet, function, operable program, or script file. Verify the term
 and try again.
At C:\temp\scripts\CombinedScript2.ps1:9 char:22
+     Get-ADGroupMember  <<<< -identity $group |
The term 'Get-ADGroupMember' is not recognized as a cmdlet, function, operable program, or script file. Verify the term
 and try again.
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 40403319
Re: Code block: either wrap your code in [code] and [/code], or select the code and click on Code in the toolbar, or use the </>> of the toolbar to post code from a file.
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 40403332
Something went wrong in a very severe way. import-module is a cmdlet which is part of PowerShell.
Are you supplying the dash ('-') as normal dash, or as long dash, or use anything similar to be outside of the traditional US ASCII character set?
Best to make sure you save the script as ASCII/ANSI, not any of Unicode/UTF encodings.
0
 

Author Comment

by:claudiamcse
ID: 40424108
It is working once I replaced the line with this below as you advised
 $group = $_.User.ToString().Split('\')[-1]


Thank you so much. Here is the revised script that does an incredible job.
import-module ActiveDirectory
Get-Mailbox -OrganizationalUnit "OU=Shared,OU=Mailboxes,OU=NA-Mail,OU=Vertex-NA,DC=msg,DC=local" -ResultSize Unlimited |
Get-MailboxPermission |
where {$_.user -ne "NT AUTHORITY\SELF" -and !$_.IsInherited} |
Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} |
% {
$group = $_.User.ToString().Split('\')[-1]
$id = $_.Identity
Get-ADGroupMember –identity $group |
select @{Name = "Identity" ; Expression = {$id}},
@{Name = "Group Name"; Expression = {$group}},
@{Name = "Member" ; Expression = {$_.Name}}
}
0
 

Author Comment

by:claudiamcse
ID: 40424126
This script is perfect. Now, is it possible to select and export the Access rights column as well in addition to identity, group, and user?

Please advise.

Thank you so much!
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 40424352
Of course, as a comma-separated list. But I've omitted that part because you wanted to set the FullAccess right anyway.
import-module ActiveDirectory
Get-Mailbox -OrganizationalUnit "OU=Shared,OU=Mailboxes,OU=NA-Mail,OU=Domain,DC=domain,DC=local" -ResultSize Unlimited |
  Get-MailboxPermission |
  where {$_.user -ne "NT AUTHORITY\SELF" -and !$_.IsInherited} |
  Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} |
  % {
    $group = $_.User.ToString().Split('\')[-1]
    $rights= $_.'Access Rights'
    $id    = $_.Identity; Get-ADGroupMember -identity $group |
      select @{Name = 'Identity'     ; Expression = {$id}},
             @{Name = 'Group Name'   ; Expression = {$group}},
             @{Name = 'Member'       ; Expression = {$_.Name}},
             @{Name = 'Access Rights'; Expression = {$rights}}
  } |
  % {
    Add-MailboxPermission -Identity $_.Identity –User $_.Member -AccessRights FullAccess -InheritanceType all
  }


is the full code. If you remove lines 14-16, no permission change is taking place, and the access rights are dumped.
0
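The expansion discussed in this thread, written as a report-then-apply script (an added example, not code posted by either participant). It goes beyond the thread by skipping trustees that are not AD groups, flattening nested groups with -Recursive, de-duplicating users who reach a mailbox through more than one group, and running the grant with -WhatIf first. Assumptions: the OU and the CSV path are placeholders, and the session has both the Exchange cmdlets and the ActiveDirectory module available.

```powershell
Import-Module ActiveDirectory

# Placeholders (assumptions): adjust to your own OU and report location.
$SharedOu   = 'OU=Shared,OU=Mailboxes,OU=NA-Mail,OU=Domain,DC=domain,DC=local'
$ReportPath = 'C:\temp\SharedMailboxExpanded.csv'

$rows = Get-Mailbox -OrganizationalUnit $SharedOu -ResultSize Unlimited |
  Get-MailboxPermission |
  Where-Object { $_.User.ToString() -ne 'NT AUTHORITY\SELF' -and -not $_.IsInherited } |
  ForEach-Object {
    $perm    = $_
    $trustee = $perm.User.ToString().Split('\')[-1]   # DOMAIN\name -> name
    $rights  = $perm.AccessRights -join ', '

    # The User column holds a user or a group; only groups are expanded.
    $adGroup = Get-ADGroup -Filter "SamAccountName -eq '$trustee'"
    if (-not $adGroup) { return }   # skip this entry, continue with the next

    # -Recursive flattens nested groups; keep user objects only.
    Get-ADGroupMember -Identity $adGroup -Recursive |
      Where-Object { $_.objectClass -eq 'user' } |
      ForEach-Object {
        New-Object PSObject -Property @{
          Identity        = $perm.Identity.ToString()
          'Group Name'    = $trustee
          Member          = $_.SamAccountName
          'Access Rights' = $rights
        }
      }
  } |
  Select-Object Identity, 'Group Name', Member, 'Access Rights'

# Write the report so the expanded access list can be reviewed before any change.
if ($rows) { $rows | Export-Csv -NoTypeInformation $ReportPath }

# One grant per mailbox/user pair. -WhatIf only prints what would be granted;
# remove it once the CSV has been reviewed.
Import-Csv $ReportPath |
  Sort-Object Identity, Member -Unique |
  ForEach-Object {
    Add-MailboxPermission -Identity $_.Identity -User $_.Member `
      -AccessRights FullAccess -InheritanceType All -WhatIf
  }
```

Individual grants made this way no longer follow group membership, so the CSV is also the record to check when someone later leaves one of the groups.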
 

Author Closing Comment

by:claudiamcse
ID: 40424494
Excellent! Thank you so much!!
0
