I've been trying to do this for a while now. When Exchange mailboxes are disabled or soft-deleted they are disconnected from their AD user account object. We can reconnect them if we want to, but is there a way to identify the AD user account a mailbox was associated with before it was disconnected?
I'm not an on-prem Exchange Administrator but have the necessary access for Recipient Configuration.
I've been able to use the displayName property from Get-MailboxStatistics results, but displayName is not a unique attribute (like distinguishedname, for instance).
I'm connecting to Exchange Server 2013 via PowerShell remote PSSession.
I know LastLoggedOnUserAccount property is no longer an option with 2013.
I see mailbox auditing can help, but it needs to be enabled per mailbox; this is out of my work scope and might add a big overhead in large organizations.
The Search-MailboxAuditLog cmdlet is not visible to me in my Exchange Management PowerShell session.
Any solution/workaround would be very much appreciated.
I cannot test this myself, but there is a property returned by Get-MailboxStatistics you could use, called MailboxGuid.
The following should get you a list of disconnected mailboxes where, besides the DisplayName, the user's EmailAddress and DistinguishedName are returned.
```powershell
# on-prem Exchange needs -Database or -Server on Get-MailboxStatistics
Get-MailboxStatistics | Where-Object { $_.DisconnectReason } | ForEach-Object {  # get disconnected mailboxes
    $email  = Get-User -Identity $_.MailboxGuid.Guid | Select-Object -ExpandProperty WindowsEmailAddress
    $userDN = Get-Mailbox -Identity $email | Select-Object -ExpandProperty DistinguishedName
    $_ | Select-Object DisconnectDate, DisconnectReason, DisplayName,
        @{Name = "EmailAddress"; Expression = { $email }},
        @{Name = "DistinguishedName"; Expression = { $userDN }}
}
```
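An added example, not part of the answer above, that tries an exact MailboxGuid match first (which works for soft-deleted mailboxes, whose GUID survives the move) and only then falls back to DisplayName, flagging how many AD users share that name. It assumes an Exchange Management Shell session on-prem plus the ActiveDirectory module.

```powershell
# Added example: map disconnected mailboxes back to AD users and record how
# reliable each match is. Assumes Exchange Management Shell + ActiveDirectory module.
Import-Module ActiveDirectory

$report = foreach ($db in Get-MailboxDatabase) {
    # DisconnectReason is set for both disabled and soft-deleted mailboxes
    Get-MailboxStatistics -Database $db.Identity |
        Where-Object { $_.DisconnectReason } |
        ForEach-Object {
            $stat = $_
            $guid = $stat.MailboxGuid.Guid

            # 1) Soft-deleted mailboxes keep their GUID on the moved user, so this is exact.
            #    Disable-Mailbox clears msExchMailboxGuid, so for disabled ones it returns nothing.
            $user = Get-Mailbox -Identity $guid -ErrorAction SilentlyContinue

            # 2) Fall back to DisplayName, which is not unique, so count the candidates.
            #    Escape LDAP filter metacharacters with their hex form (backslash first).
            $candidates = @()
            if (-not $user) {
                $escaped = $stat.DisplayName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
                $candidates = @(Get-ADUser -LDAPFilter "(displayName=$escaped)")
            }

            if ($user)                        { $matchedBy = 'MailboxGuid'; $dn = $user.DistinguishedName }
            elseif ($candidates.Count -eq 1)  { $matchedBy = 'DisplayName'; $dn = $candidates[0].DistinguishedName }
            elseif ($candidates.Count -gt 1)  { $matchedBy = 'DisplayName (ambiguous)'; $dn = $candidates.DistinguishedName -join '; ' }
            else                              { $matchedBy = 'None'; $dn = $null }

            [pscustomobject]@{
                Database         = $db.Name
                DisplayName      = $stat.DisplayName
                DisconnectReason = $stat.DisconnectReason
                DisconnectDate   = $stat.DisconnectDate
                MailboxGuid      = $guid
                MatchedBy        = $matchedBy
                UserDN           = $dn
            }
        }
}

$report | Sort-Object MatchedBy, DisplayName | Format-Table -AutoSize
```

Rows marked "DisplayName (ambiguous)" or "None" are the ones that still need a manual decision before any Connect-Mailbox.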
I tried the PowerShell command below to extract a report of all shared mailboxes in our tenant. It was successful, but it didn't provide the information I need. I would also like to know whether automapping is set to "True" or "False" for each member of a shared mailbox. TIA!
```powershell
Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize:Unlimited | Get-MailboxPermission | Select-Object Identity,User,AccessRights,IsInherited | Where-Object {($_.user -like '*@*')} | Export-Csv C:\Users\xxxxx\Downloads\xxxxx.csv -NoTypeInformation
```
Based on this sentence:
There is a way for on-prem and for hybrid. Are you in a hybrid setup? If automapping is NOT being utilized by a user, the user who has access to the mailbox does not appear in the msExchDelegateListLink attribute on the shared mailbox AD user object. If automapping IS being utilized by a user, you'll see the user DN within the attribute. For on-prem, it's just this one attribute. There is a second attribute for hybrid called msExchDelegateListBL.
I found this:
```powershell
Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize:Unlimited | % {get-aduser -identity $_.distinguishedname -properties msExchDelegateListLink, msExchDelegateListBL}
```
What do you think? Does this command really work?
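An added example (not from the thread) that joins the two pieces: for every shared mailbox it lists the non-inherited Full Access holders and reports automapping as True only when that user's DN appears in msExchDelegateListLink or msExchDelegateListBL. It assumes an on-prem Exchange Management Shell (where the permission trustee is reported as DOMAIN\sam) with the ActiveDirectory module loaded; the output path is a placeholder.

```powershell
# Added example: Full Access holders per shared mailbox with their automapping state.
# Assumes on-prem Exchange Management Shell + ActiveDirectory module.
Import-Module ActiveDirectory

$rows = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited | ForEach-Object {
    $shared = $_
    $adObj  = Get-ADUser -Identity $shared.DistinguishedName -Properties msExchDelegateListLink, msExchDelegateListBL
    # both attributes hold user DNs; merge them so on-prem and hybrid are handled alike
    $autoMapped = @($adObj.msExchDelegateListLink) + @($adObj.msExchDelegateListBL) | Where-Object { $_ }

    Get-MailboxPermission -Identity $shared.Identity |
        Where-Object { -not $_.IsInherited -and $_.AccessRights -contains 'FullAccess' -and "$($_.User)" -notlike 'NT AUTHORITY\*' } |
        ForEach-Object {
            # trustee is DOMAIN\sam; resolve it to an AD user so the DN can be compared.
            # Security groups can hold Full Access too, but automapping only applies to users.
            $sam   = ("$($_.User)" -split '\\')[-1]
            $adUsr = Get-ADUser -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                SharedMailbox = $shared.PrimarySmtpAddress
                User          = "$($_.User)"
                PrincipalType = if ($adUsr) { 'User' } else { 'Group/Other' }
                AutoMapping   = if ($adUsr) { [bool]($autoMapped -contains $adUsr.DistinguishedName) } else { $false }
            }
        }
}

$rows | Export-Csv -Path "$env:USERPROFILE\Downloads\SharedMailboxAutomapping.csv" -NoTypeInformation
```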
We sync our local AD to Office 365.
I have been asked to get the out-of-office reply for users who are:
Disabled
Still have an Exchange mailbox.
I have some of the command but cannot figure out how to make it work:
```powershell
# -ExpandProperty is needed so $disabled holds plain address strings, not objects
$disabled = Get-ADUser -SearchBase "ou=Employees,ou=accounts,dc=domain,dc=local" -Filter { UserAccountControl -eq 514 } -Properties mail | Select-Object -ExpandProperty mail
foreach ($mail in $disabled) {
    Get-MailboxAutoreplyConfiguration -Identity $mail
}
```
I believe this can be achieved without the call to AD via the Get-ADUser cmdlet to get the list of disabled accounts. You can check the result of Get-Mailbox for the property ExchangeUserAccountControl. If the value is AccountDisabled then the account should be disabled in AD.
So that means you can do this:
```powershell
Get-Mailbox -ResultSize Unlimited |
    Where-Object {
        $_.RecipientType -eq "UserMailbox" -and          # make sure we only get user mailboxes
        $_.RecipientTypeDetails -eq "UserMailbox" -and   # only licensed mailboxes: no shared mailboxes, no room mailboxes, etc.
        $_.ExchangeUserAccountControl -like "*accountdisabled*"   # make sure we only get disabled user accounts
    } |
    Get-MailboxAutoreplyConfiguration |   # the user mailbox object pipes straight into this cmdlet (no foreach loop needed)
    Format-List Identity, AutoReplyState, InternalMessage, ExternalMessage   # replace with Select-Object, then send to CSV or wherever you need
```
That last line with Format-List is just for viewing (and should be changed if you want to send the data to a file, for example); the output can be large depending on whether a user has internal or external messages set.
Please note that the above will return a list of all active mailboxes in your Office 365 tenant that:
have an Office 365 UserMailbox (should be a licensed mailbox)
are disabled in Active Directory (the AD account has Enabled : $False)
You can tell whether the AutoReply messages are active by looking at the AutoReplyState value. It will be either Enabled or Disabled. So you can even add another Where clause to filter down to only those mailboxes that have AutoReplyState : Enabled, to view only mailboxes that have active auto replies set (from your description it was not clear whether this was required or not).
I know how to check who has Full Access or Send As permissions on a specific mailbox, but how can I check if a specific user has Full Access or Send As permissions on any mailbox?
By running the Get-MailboxPermission cmdlet you can check which user/mailbox has what type of permissions to access other mailboxes in Exchange.
Check this helpful link. I'm sure it is what you were looking for.
http://exchangeserverpro.com/list-users-access-exchange-mailboxes/
I also found this helpful:
Get-MailboxPermission for a list of mailboxes
This can be achieved by using the following PowerShell command:
```powershell
Get-Mailbox | Get-MailboxPermission -User 'username'
```
The problem I run into is that this doesn't include security groups with mailbox permissions that a user might be a member of.
If anyone knows how to solve this I would highly appreciate a reply.
Actually John Dane's answer is correct...it works for groups as well. The -User parameter accepts a DistinguishedName or SamAccountName, both of which AD security groups have.
So just pass it the SamAccountName (or 'username') of your group and you're golden. I used this to find out which mailboxes an old group we were thinking about retiring had permissions to. I added "| ft -autosize" to see the full Identity field of the mailbox in the default output.
```powershell
Get-Mailbox | Get-MailboxPermission -User 'SamAccountName' | ft -autosize
```
Or just select the Identity and AccessRights if that's all you need.
```powershell
Get-Mailbox | Get-MailboxPermission -User 'SamAccountName' | select Identity,AccessRights | ft -autosize
```
With the following command you don't have any missing entries:
```powershell
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Where {(!$_.IsInherited) -and ($_.User.SecurityIdentifier -ne "S-1-5-10") -and ($_.AccessRights -contains "FullAccess")} | Select Identity,User | Export-Csv -Path "c:\temp\testmailboxpermissions.csv"
```
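An added example (not from any of the answers above) that resolves the open point about security groups: it collects the user's direct and nested group memberships in one LDAP query, then reports every mailbox where the user or one of those groups holds Full Access or Send As. It assumes an on-prem Exchange Management Shell with the ActiveDirectory module, a single-domain forest (the NetBIOS prefix is taken from Get-ADDomain), and 'jdoe' as a placeholder account.

```powershell
# Added example: effective Full Access / Send As for one user, directly or via groups.
# Assumes on-prem Exchange Management Shell + ActiveDirectory module, single domain.
Import-Module ActiveDirectory
$sam = 'jdoe'   # placeholder: the account to audit

$user   = Get-ADUser -Identity $sam
$domain = (Get-ADDomain).NetBIOSName
# LDAP_MATCHING_RULE_IN_CHAIN returns direct and nested groups in one query
$groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"

# Exchange reports trustees as DOMAIN\sam, so build that set for the user and every group
$trustees = @("$domain\$($user.SamAccountName)") + @($groups | ForEach-Object { "$domain\$($_.SamAccountName)" })

$mailboxes = Get-Mailbox -ResultSize Unlimited

$full = $mailboxes | Get-MailboxPermission |
    Where-Object { -not $_.IsInherited -and $_.AccessRights -contains 'FullAccess' -and $trustees -contains "$($_.User)" } |
    ForEach-Object { [pscustomobject]@{ Mailbox = "$($_.Identity)"; Right = 'FullAccess'; Via = "$($_.User)" } }

# Send As is an AD extended right, so it is read with Get-ADPermission, not Get-MailboxPermission
$sendAs = $mailboxes | Get-ADPermission |
    Where-Object { -not $_.IsInherited -and $_.ExtendedRights -like '*Send-As*' -and $trustees -contains "$($_.User)" } |
    ForEach-Object { [pscustomobject]@{ Mailbox = "$($_.Identity)"; Right = 'SendAs'; Via = "$($_.User)" } }

@($full) + @($sendAs) | Sort-Object Mailbox, Right | Format-Table -AutoSize
```

The Via column shows whether the right comes from the account itself or from a group, which is what you need when deciding whether retiring a group would cut someone's access.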
I am trying to list the group membership for each user in the Active Directory domain. I created the following code:
```powershell
foreach($_ in $(Get-ADUser -Filter *).Name){
    Get-ADPrincipalGroupMembership -Identity $_ | select Name,GroupScope,GroupCategory | sort Name
}
```
The problem is that running this code causes the following error when a user doesn't have any group membership:
```text
Get-ADPrincipalGroupMembership : Cannot find an object with identity: 'TEST USER'
under: 'DC=contoso,DC=com'.
```
Adding -ErrorAction SilentlyContinue behind Get-ADPrincipalGroupMembership does not mitigate the problem. I'd rather not mess around with $ErrorAction. However, changing $ErrorAction to "silentlycontinue" and changing it back after the line completes does work. Not a pretty solution though. Is there any way to prevent the error showing otherwise?
Output for noam's solution (only shows the full list of groups available, not the memberships of the users):
```text
name                       groupScope  groupCategory
----                       ----------  -------------
Administrators             DomainLocal Security
Distributed COM Users      DomainLocal Security
Domain Admins              Global      Security
Domain Users               Global      Security
Enterprise Admins          Universal   Security
Group Policy Creator Ow... Global      Security
HelpLibraryUpdaters        DomainLocal Security
Schema Admins              Universal   Security
TESTGROUP1                 Global      Security
Domain Guests              Global      Security
Guests                     DomainLocal Security
Denied RODC Password Re... DomainLocal Security
Domain Users               Global      Security
```
You could retrieve the MemberOf property and only run Get-ADPrincipalGroupMembership when that property is not null.
```powershell
$all = Get-ADUser -Filter * -Property memberOf
foreach ($usr in $all) {
    if ($usr.MemberOf) {
        $groups = $usr | Get-ADPrincipalGroupMembership | select name, groupScope, groupCategory
        $usr.name + " belongs to the following groups:`n"
        $groups | sort name | ft -auto
    } else { $usr.name + " does not belong to any groups.`n" }
} # close foreach
```
Custom objects can also be useful for this kind of reporting.
Get-Member is useful for exploring object properties.
```powershell
Get-ADUser joeUser -Property * | gm | where {$_.memberType -eq "Property"}
```
I am not sure of the behavior of these cmdlets, but the error you are seeing may be caused by using only the Name property value to identify the object and not its DN or other unique identifier (see the Get-ADPrincipalGroupMembership documentation). Try piping the output of Get-ADUser to Get-ADPrincipalGroupMembership to see if the issue still occurs (see example below). Also, you may want to pipe the contents of Get-ADUser to the next cmdlet so you don't have to store the information returned by Get-ADUser in memory before processing.
```powershell
Get-ADUser -Filter * | Get-ADPrincipalGroupMembership
```
If the issue still exists:
You could use a try/catch block:
```powershell
Get-ADUser -Filter * | % {
    try
    {
        Get-ADPrincipalGroupMembership $_
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityResolutionException]
    {
        # Log
        Write-Host "not found"
    }
}
```
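An added example (not from the question or the answers) that combines the suggestions above: each ADUser object is piped straight into Get-ADPrincipalGroupMembership (identity by DN, so the Name-based lookup error cannot occur), resolution failures are caught instead of spilling onto the console, and each user/group pair is emitted as a custom object that exports cleanly to CSV. It assumes the ActiveDirectory module; the output path is a placeholder.

```powershell
# Added example: per-user group membership report as custom objects.
# Assumes the ActiveDirectory module; C:\temp path is a placeholder.
Import-Module ActiveDirectory

$report = Get-ADUser -Filter * | ForEach-Object {
    $user = $_
    try {
        # unlike the memberOf attribute, this also returns the primary group (Domain Users)
        $groups = @($user | Get-ADPrincipalGroupMembership -ErrorAction Stop)
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityResolutionException] {
        Write-Warning "Could not resolve $($user.DistinguishedName): $($_.Exception.Message)"
        $groups = @()
    }

    if ($groups.Count -eq 0) {
        # only reached when resolution failed; every user normally has a primary group
        [pscustomobject]@{ User = $user.SamAccountName; Group = $null; GroupScope = $null; GroupCategory = $null }
    } else {
        foreach ($g in ($groups | Sort-Object Name)) {
            [pscustomobject]@{
                User          = $user.SamAccountName
                Group         = $g.Name
                GroupScope    = "$($g.GroupScope)"
                GroupCategory = "$($g.GroupCategory)"
            }
        }
    }
}

$report | Export-Csv -Path 'C:\temp\user-group-membership.csv' -NoTypeInformation
# users whose membership could not be read, for follow-up
$report | Where-Object { -not $_.Group } | Select-Object -ExpandProperty User -Unique
```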
I have the below PS script to import user details from a domain/forest from a domain local group. Everything is working, but I need to include two more details, the user's mail ID and the user's domain, in the Excel file. How can I do this?
```powershell
Get-ADGroupMember "test" | Select-Object samaccountname, name, distinguishedname | Export-CSV -path "c:\test.csv" -notypeinformation
```
Some properties are not included in the default property set of a user object. In that case you need to query the user with the additional (or all) properties, e.g.:
```powershell
Get-ADGroupMember "test" `
    | Get-ADUser -Properties * `
    | select samaccountname, name, distinguishedname, mail `
    | Export-CSV "C:\test.csv" -NoTypeInformation
```
AFAIK the (DNS) domain name is not an AD attribute, but you could derive it from the distinguished name:
```powershell
(Get-ADUser "name").distinguishedName -replace '^.*?,dc=' -replace ',dc=', '.'
```
so you could add another property in the select statement like this:
```powershell
@{n="domain";e={$_.distinguishedName -replace '^.*?,dc=' -replace ',dc=', '.'}}
```
As for the referral error: the group seems to contain members from another domain. AFAIK all of the following requirements must be met to be able to run AD PowerShell cmdlets against other domains in the same forest:
The Active Directory Web Services must be running on at least one of the DCs of the remote domain, and the port must be accessible from the local domain.
Your account must have admin privileges on the remote DCs (e.g. by being a member of the Enterprise Admins group).
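An added example, not from the answer above, for the multi-domain case: it reads the group's member attribute (raw DNs, so foreign members are not resolved up front), derives each member's DNS domain from the DC= components of its DN, and queries that domain's DCs with -Server to fetch mail and the rest. It assumes the ActiveDirectory module and the ADWS/permission requirements listed above; the group name "test" comes from the question and the output path is a placeholder.

```powershell
# Added example: export members of a domain local group spanning several domains,
# with mail and domain columns. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-DomainFromDN {
    param([string]$DistinguishedName)
    # keep only the DC= components and join them with dots, e.g. child.contoso.com
    (($DistinguishedName -split ',') | Where-Object { $_ -like 'DC=*' } |
        ForEach-Object { $_.Substring(3) }) -join '.'
}

# the member attribute lists DNs as stored, without resolving each object
$memberDNs = (Get-ADGroup -Identity 'test' -Properties member).member

$rows = foreach ($dn in $memberDNs) {
    $domain = Get-DomainFromDN $dn
    try {
        # -Server sends the query to a DC (ADWS) in the member's own domain
        $u = Get-ADUser -Identity $dn -Server $domain -Properties mail -ErrorAction Stop
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            Name              = $u.Name
            DistinguishedName = $u.DistinguishedName
            Mail              = $u.mail
            Domain            = $domain
        }
    } catch {
        # nested groups, computers or unreachable domains are not users: keep the DN so nothing is silently dropped
        [pscustomobject]@{ SamAccountName = $null; Name = $null; DistinguishedName = $dn; Mail = $null; Domain = $domain }
    }
}

$rows | Export-Csv -Path 'C:\test.csv' -NoTypeInformation
```

Rows with an empty SamAccountName are the entries that still need a look, typically nested groups or a domain whose ADWS was not reachable.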