Archive for Scripts

Adding permissions in a cross-forest migration

This week I was working on a cross-forest migration, and instead of using linked mailboxes to set things up and moving mailboxes, I ended up using the CodeTwo migration tool. In that scenario I had live accounts in both forests, and I wanted to allow the users to continue to use their accounts in the original forest to access their mailboxes in the new forest.

To do this, I needed to use the Add-MailboxPermission command on each mailbox, giving their account in the other forest full access. Here’s what I ended up doing:

foreach ($Mailbox in (Get-Mailbox -ResultSize Unlimited)) {
    Add-MailboxPermission -Identity "$($Mailbox.Name)" -AccessRights FullAccess -User "olddomain\$($Mailbox.Alias)"
}
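An added example, not part of the original post: the same grant with every result written to a CSV, so the cross-forest FullAccess entries can be reviewed and later removed exactly as they were granted. The `olddomain` prefix comes from the command above; the function names and the log path are hypothetical.

```powershell
# Added example (not from the original post). Run in the Exchange Management
# Shell of the new forest; assumes olddomain\<alias> resolves over the trust.
$logPath = 'C:\Temp\crossforest-grants.csv'   # hypothetical path

function Grant-OldForestAccess {
    $grants = foreach ($Mailbox in (Get-Mailbox -ResultSize Unlimited)) {
        $trustee = "olddomain\$($Mailbox.Alias)"
        try {
            Add-MailboxPermission -Identity $Mailbox.DistinguishedName -User $trustee `
                -AccessRights FullAccess -ErrorAction Stop | Out-Null
            $status = 'Granted'
        }
        catch {
            # e.g. the old-forest account does not exist or cannot be resolved
            $status = "Failed: $($_.Exception.Message)"
        }
        New-Object PSObject -Property @{
            Mailbox = $Mailbox.DistinguishedName
            Trustee = $trustee
            Status  = $status
        }
    }
    $grants | Select-Object Mailbox, Trustee, Status |
        Export-Csv -Path $logPath -NoTypeInformation
}

function Revoke-OldForestAccess {
    # Remove only the entries recorded as granted in the log
    Import-Csv -Path $logPath |
        Where-Object { $_.Status -eq 'Granted' } |
        ForEach-Object {
            Remove-MailboxPermission -Identity $_.Mailbox -User $_.Trustee `
                -AccessRights FullAccess -Confirm:$false
        }
}
```

Rows with a `Failed:` status show which mailboxes have no matching account in the old forest.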

Mailbox Permissions

We have a lot of shared mailboxes: mailboxes that are set up as -type shared. A shared mailbox is basically a mailbox whose AD account has been disabled, which people access with their own username and password. One of my tasks as an Exchange Admin is to give people rights to these mailboxes and to remove people's rights from them. To help me with this process, I have created a permissions.ps1 script that I use. The syntax is .\permission.ps1 shared_mailbox_name user_name

param($mailboxname,$user)

$mailbox = get-mailbox $mailboxname

#Give user full mailbox rights
Add-MailboxPermission -Identity $mailbox -User $user -AccessRights 'FullAccess'

#Give user send-as rights to mailbox
#(DistinguishedName identifies the AD object unambiguously; DisplayName may not)
Add-ADPermission -Identity $mailbox.DistinguishedName -User $user -ExtendedRights 'Send-as'

NOTE: If you give a person Full Mailbox rights to a mailbox and they are running Outlook 2010, Outlook will automatically add that mailbox to their Outlook. If you are using SP2 of Exchange 2010, you can block this by adding the -AutoMapping $false parameter to the Add-MailboxPermission command.

The Automapping parameter specifies whether to ignore the auto-mapping feature in Outlook. If a user is granted Full Access permissions to another user’s mailbox or to a shared mailbox, Outlook, through Autodiscover, automatically loads all mailboxes to which the user has full access. This parameter accepts $true or $false values. For more information about auto-mapping, [Source]

You can find more details here.

I also sometimes use the following script to remove permissions from the shared mailbox.

param($mailboxname,$user)

$mailbox = get-mailbox $mailboxname

#Remove user's full mailbox rights
Remove-MailboxPermission -Identity $mailbox -User $user -AccessRights 'FullAccess'

#Remove user's send-as rights to mailbox
Remove-ADPermission -Identity $mailbox.DistinguishedName -User $user -ExtendedRights 'Send-as'

Script – Mailbox Audit

This is a script I wrote that will look for specific email accounts in an OU, and then send an email to all the people who have access to those email accounts.

#$ErrorActionPreference = "SilentlyContinue"
$smtpServer = "[REMOVED]"
$smtp = new-object Net.Mail.SmtpClient($smtpServer)
$emailFrom = "mkieffer@[REMOVED]"

# Accounts in the Email Accounts OU, excluding the Contacts and Resources sub-OUs
$a = get-user -OrganizationalUnit "[REMOVED]/Corp/Email Accounts" | where {$_.DistinguishedName -notlike '*OU=Contacts,OU=Email Accounts,OU=[REMOVED]' -and $_.DistinguishedName -notlike '*OU=Resources,OU=Email Accounts,OU=[REMOVED]'} | sort name

foreach ($item in $a) {

    $mailboxName = $item.name
    $mailboxAddress = $item.WindowsEmailAddress
    $body = "We are in the process of auditing access rights to shared mailboxes. According to our audit, you have access to the mailbox ""$mailboxName"".

"
    $smtpAddresses = get-mailbox $mailboxName | select -expand EmailAddresses | %{$_.SmtpAddress}
    $body += "This mailbox has the following email addresses:
$smtpAddresses

Primary Contact: [None Specified]

"
    $body += "The Following employees have full access to this mailbox:`r`n"
    $subject = ""
    $emailTo = "mkieffer@[REMOVED]"
    $subject = "Audit of mailbox $mailboxName ($mailboxAddress)"
    echo "$mailboxName ($mailboxAddress)"

    # Everyone with FullAccess on this mailbox
    $b = get-mailboxpermission $item.Name | where {$_.AccessRights -like "*FullAccess*"}
    $newEmailTo = ""
    $emailcounter = 0
    foreach ($item2 in $b) {
        [String]$name = $item2.User
        $c = get-mailbox $name
        # Only notify employees, and skip the administrator running the audit
        if ($c.OrganizationalUnit -eq "[REMOVED]/Corp/Users/Employees" -and $c.name -ne "Mike Kieffer" ) {
            [String]$email = $c.WindowsEmailAddress
            [String]$fname = $c.DisplayName
            echo "--> $fname ($email)"
            $body += $fname
            $body += "`r`n"
            if ($emailcounter -gt 0) {$newEmailTo += ", "}
            $newEmailTo += $email
            $emailcounter = $emailcounter + 1
        }
    }
    $body += "`r`nPlease reply to this email with the following information:
1- If this mailbox is still needed or if this mailbox can be deleted.
2- Who is the primary contact for this mailbox.
3- Who needs to be added or removed from accessing this mailbox.
4- If any of the email addresses associated with this mailbox are no longer used, and can be removed.
5- Is the name of ""$mailboxName"" still appropriate for this mailbox.

Thanks,
Mike Kieffer
IT Sr. Systems Administrator
"
    echo $subject
    echo $body
    echo $newEmailTo

    # Send only when at least one recipient was found; Send() throws on an empty recipient list
    if ($emailcounter -gt 0) {
        $smtp.Send($emailFrom, $newEmailTo, $subject, $body)
    }
}

Of course, you will need to modify the script to work in your environment, but this is a good starting point.  Suggestions are welcomed on how to increase the usability of this script and also the effectiveness of it.

If you are unable to delete some of the users from the mailboxes during the audit, you may find this post helpful: Cannot remove ACE on object…
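A complementary report, added here and not part of the original script: it lists every explicit, non-deny FullAccess and Send-As grant on the mailboxes in an OU, so replies to the audit mail can be checked against what is actually configured. The OU value and the CSV path are placeholders to adjust.

```powershell
# Added example; run in the Exchange Management Shell.
$ou      = '<your-domain>/Corp/Email Accounts'    # placeholder OU
$outFile = 'C:\Temp\shared-mailbox-access.csv'     # hypothetical path

$report = foreach ($mbx in (Get-Mailbox -OrganizationalUnit $ou -ResultSize Unlimited)) {

    # FullAccess set directly on the mailbox (skip inherited, deny and SELF entries)
    Get-MailboxPermission -Identity $mbx.DistinguishedName |
        Where-Object {
            $_.AccessRights -like '*FullAccess*' -and
            $_.IsInherited -eq $false -and $_.Deny -eq $false -and
            $_.User -notlike 'NT AUTHORITY\SELF'
        } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Mailbox = $mbx.Name; Trustee = [string]$_.User; Right = 'FullAccess'
            }
        }

    # Send-As is an AD extended right, so it is read with Get-ADPermission
    Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object {
            $_.ExtendedRights -like '*Send-As*' -and
            $_.IsInherited -eq $false -and $_.Deny -eq $false -and
            $_.User -notlike 'NT AUTHORITY\SELF'
        } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Mailbox = $mbx.Name; Trustee = [string]$_.User; Right = 'Send-As'
            }
        }
}

$report | Sort-Object Mailbox, Right, Trustee |
    Select-Object Mailbox, Right, Trustee |
    Export-Csv -Path $outFile -NoTypeInformation
```

Running it before and after the audit and comparing the two CSV files shows which grants were actually removed.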