I'm connecting to Exchange Online using PowerShell and the following command:
Connect-ExchangeOnline -AppId APP_ID -CertificateFilePath CERTIFICATE_PATH -Organization ORG_NAME
And would like to use the "Search-Mailbox" cmdlet.
The docs say:
By default, Search-Mailbox is available only in the Mailbox Search or Mailbox Import Export roles, and these roles aren't assigned to any role groups.
The app has the Exchange administrator role assigned in Azure.
In Exchange admin center, I added Exchange administrators to the Discovery Management role group that has the Mailbox Search role enabled.
After reconnecting, Search-Mailbox is still not available:
Search-Mailbox: The term 'Search-Mailbox' is not recognized as a name of a cmdlet, function, script file, or executable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
Could someone please explain why it doesn't work and how to make it work?
It worked after I assigned "Mailbox Search" role to the "Organization Management" role group (Exchange administrators role groups inherits from it).
When the CmdLet is not available it needs to be imported, installed or run on the correct server. It seems like Search-Mailbox is part of the module ExchangePowerShell.
I believe you either need to import the module in your PowerShell session:
Import-Module -Name 'ExchangePowerShell'
Or run the CmdLet on the Exchange server directly or use Connect-ExchangeOnline.
Related
I'm trying to get the current Windows username & domain from Powershell on a Windows 10 Azure Active Directory (AAD) joined machine.
I've tried the tips at this question, but none of them seem to work for Azure Active Directory-joined machines.
e.g. for the user: Jonathan Doe, john#example.com you'll get only the users' proper name & AzureAD (not their username or 'real' domain):
$env:UserName --> JonathanDoe
$env:UserDomain --> AzureAD
[System.Security.Principal.WindowsIdentity]::GetCurrent().Name --> AzureAD\JonathanDoe
Does anyone know how to get any part of the user's actual credential or specific Azure AAD domain? (e.g. john or example.com or ideally john#example.com)
You can run the following command in PowerShell, the output will display the user name in UPN format.You can get both of the username and domain name from that.
whoami.exe /UPN
In addition, the program 'whoami.exe' provides many other parameters for getting additional information about current user. You can type the following command for more details about 'whoami.exe'.
whoami.exe /?
I'm not sure how official this is, but I found a link in the registry that contains the username which is user#company.com. This was under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IdentityStore\Cache\xxx\IdentityCache\xxx. The key name was UserName. You can use the built-in powershell registry provider to navigate to this registry entry.
I am working on proofing out if there is a way to automate a Global administrator's Azure AD access for other User role accounts in the same tenant to grant access to OneDrive.
If you navigate to portal.office.com and then click on a user's name, that will bring up some settings for that user. The setting I am referring to is under the dropdown for OneDrive Settings, (see attached image).
Is there a way to automate this process via some PowerShell cmdlet?
Solved
I found an article that shows how to run PowerShell commands via the SharePoint Online Management Shell
Tutorial link has the section for Prerequisites for setup: Easy Manage Multiple Office 365 Tenants with Windows PowerShell
Actual PowerShell commands:
$site = Get-SPOSite -Identity https://mydemo-my.sharepoint.com/personal/sarad_mydemo_onmicrosoft_com
Set-SPOUser -Site $site.Url -LoginName admin#mydemo.onmicrosoft.com -IsSiteCollectionAdmin $true
Tutorial: How to Get Administrative Access to the OneDrive for Business Environment for a User
Now, before I start, I will let you in on a secret: this is on a Domain Controller.*
*The above statement is stricken due to irrelevance as the only significant change that occurs to the Local Administrator account and the Local Administrator Group (within the context and scope of this question) is minimal and doesn't alter the outcome enough to require differentiation.
I didn't have this kind of trouble on any of the other servers and I am willing to bet that the reason behind it is because it is on a DC.*
*Same reason as stated above. The accepted answer explains the inconsistency and was an oversight on my part, not the architecture (read features) of Windows Security or Domain Controllers.
I have been playing around with a few ideas on how to check if a script has been called from an account that is either the local Administrator or, at the very least, called by an account that is part of the Local Administrators group.
I have renamed the local Admin account, however, I know that I can see if the script has been called by local Admin account by typing:
(New-Object System.Security.Principal.NTAccount('reserved')).Translate([System.Security.Principal.SecurityIdentifier]).Value
and I can see if the SID ends in -500.
The problem occurs when I run a condition to see if the calling account is part of the Administrators group (which is a larger scope) by typing:
PS> [bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).Groups -match "S-1-5-32-544")
PS> False
A quick check to see what account it was using:
PS> $env:username
PS> reserved
or the needlessly complicated way (though I prefer it sometimes):
PS> Write-Host ((Get-WmiObject Win32_Account | ?{$_.SID.Substring($_.SID.Length-4,4) -eq '-500'}).Caption).Split("\",2)[1] -fore GREEN
PS> reserved
and I even type:
PS> net user reserved
where it tells me Local Group Memberships *Administrators.
I pull up ADUC (dsa.msc) and I look in the Builtin container and double-click on the Administrators group. I select the Members tag and lo, and behold, reserved is actually a member!
So, a recap:
By typing net user reserved, I was able to verify it was part of the Local Administrators group
I looked in ADUC and verified reserved was a member of the builtin Administrators group
I ensured reserved was indeed the Local Administrator account by verifying the SID started with S-1-5... and ended with ...-500
To take it a step further, I made sure the SID matched the Active Directory Group named "Administrators" by typing Get-ADGroup -Identity "Administrators". I then typed Get-ADGroupMember -Identity "Administrators" and made sure reserved was listed (it was AND the SID matched!).
When I check to see if the well-known Administrators Group SID is found in the Groups of that account (by getting the current Windows Identity), it says that it isn't.
What gives?
Why do I get every indication that it actually is a member of the Local Administrators group but that SID isn't found in the account's groups?
When a computer is promoted to a domain controller, there are no more local users or groups on the machine. Member computers have local users and groups, and can also use domain users and groups for authentication, but on a DC, there are only domain objects.
See also: https://serverfault.com/a/264327/236470
I happened to stumble across something and I realized the answer to this question. For the sake of those that come here looking for assistance, here is the answer to my question:
Very simply--in regards to Powershell--if the Administrator Group SID (S-1-5-32-544) does not show up in the Groups of the user, that is a first-line indication that the script is not running with Administrative credentials.
For example, when I type out:
([Security.Principal.WindowsIdentity]::GetCurrent()).Groups
and I do not see the Administrator Group SID listed even though I know for a fact that the account I am signed into is a member of the Administrator Group, it means the current Powershell process does not have Administrative credentials.
If you click Run As Administrator and type the same as above, you will see that it lists the Administrator Group SID in Groups.
The reason why I was experiencing the inconsistency is simply because I was not running the Powershell process as an Administrator.
So, in short, there are a few ways you can check to verify if your current Powershell session has Administrator credentials. The first one is found in countless websites around the internet and is very common (I did not write this one):
$myWindowsID = [Security.Principal.WindowsIdentity]::GetCurrent()
$myWindowsPrincipal = New-Object Security.Principal.WindowsPrincipal($myWindowsID)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if($myWindowsPrincipal.IsInRole($adminRole)) {
\\ TODO: Process is running as Administrator
Clear-Host
} else {
$newProcess = New-Object System.Diagnostics.ProcessStartInfo "Powershell"
$newProcess.Arguments = "& '" + $script:MyInvocation.MyCommand.Path + "'"
$newProcess.Verb = "runas"
[System.Diagnostics.Process]::Start($newProcess)
exit
}
Here is another way (I did write this one):
[Security.Principal.WindowsIdentity]::GetCurrent() | %{
if($_.Groups -contains "S-1-5-32-544") {
\\ TODO: Process is running as Administrator
Clear-Host
} else {
Start Powershell -ArgumentList "& '$MyInvocation.MyCommand.Path'" -Verb runas
exit
}
}
# The Foreach-Object (%) could be replaced with another pipeline filter
I see a lot of people asking this question and because of Powershell appealing to many Systems Administrator (especially ones without a background in programming), I really think this will come in handy for others down the line.
I'm trying to use DSACLS command to grant specific permission to a User object. DSACLS command will only available if you have AD-Snapin installed.
When I run this command on a User object, it will list all of its object security permissions:
dsacls "CN=Aaron Ooi,OU=Users,OU=IT,DC=Domain"
The permission that I want is from the list called:
Allow BUILTIN\Windows Authorization Access Group
SPECIAL ACCESS for tokenGroupsGlobalAndUniversal
READ PROPERTY
How do I use this command to apply the similar permission above to another User account? I cant seem to figure it out from the help menu.
If similar requirements could be done in PowerShell would be great as well.
After Google everywhere, DSACLS could not do the work for special access permission. Then I looked for my answer in PowerShell and manage to find the solution:
You need to install Quest ActiveRoles for the PowerShell command:
http://www.quest.com/powershell/activeroles-server.aspx
After install, turn on the snap-in:
Add-PSSnapin Quest.ActiveRoles.ADManagement
Command to get the AD Object security permission:
Get-QADPermission UserID -Inherited -SchemaDefault
Command to set the AD Object security permission:
Add-QADPermission UserID -Account "Windows Authorization Access Group" -Rights "ReadProperty" -Property "tokenGroupsGlobalAndUniversal" -ApplyTo "ThisObjectOnly"
Issue resolved!
I am writing a simple script to copy AD group membership from one user to the other. I am doing it using the ActiveDirectory module only.
The script looks like it would work and does work up until I try to ad the groups to the user.
Code:
import-module ActiveDirectory
$templateUser = get-ADUser user1
$targetUser = getADUser user2
$groups =get-adprincipalgroupmembership $templateUser
$groups2 = get-ADPrincipalGroupMembership $targetUser
foreach($group in $groups) {
add-adGroupMember $group $targetUser
}
Error:
Add-ADGroupMember : insufficient access rights to performt the operation
At line:9 char:18
+ FullyQualifiedErrorID : Insufficient access rights to perform the operation,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember
Notes/Thoughts:
I am logged in as a normal user, but I ran the powershell as a different user (my admin account). I am not a local admin, but I am an admin on the domain. I am able to add the user to groups if I launch the AD Tools and do it manually (I have permissions to add to those groups).
Edit:
Run the powershell as admin.
Run powershell as administrator.
I hit this today in Server 2012. I was running the powershell as Administrator, I was a domain admin, I was a local admin, I was every kind of admin I could find.
I "fixed" it by using the Active Directory Users and Computers tool, adding myself as the Manager of the AD groups I was trying to add users to, and ticked the box to allow the manager to change membership. I could then run AD-AddGroupMember happily.
I ran into this problem as well using Powershell remoting to connect to a domain controller.
In my case it turned out Include inheritable permissions from this object's parent was turned off for the specific object I couldn't change.
I ran into this issue today where an automated system was using powershell scripts for various things.... It turned out to be executionpolicy.
We were running our script with the ExecutionPolicy Bypass flag, and even running the command directly in powershell outside of a script wouldn't work, but once we set executionpolicy to unrestricted, everything magically worked.
For us we were able to create security groups even, but not add users to groups via powershell, even though we could make the same changes in ADUC.