I have this PowerShell script that gets DistributionGroupMembers and/or updates the member's policy.
    $DL = Get-DistributionGroupMember "Distribution List GroupName"
    ForEach ($Member in $DL) {
        Set-CASMailbox -Identity $Member.Name -OwaMailboxPolicy "Allow Download Access"
    }
The above code is working okay.
My question is:
How do you check if $Member.Name is an individual account or a group,
and if it's a group, how do you call the same action script recursively?
Thank you in advance.
Untested, but I think you can determine if the member is a group or not by checking the RecipientTypeDetails property.
Something like:
    function Set-DistributionGroupPolicy([string] $group) {
        Get-DistributionGroupMember $group -ResultSize Unlimited | ForEach-Object {
            if ($_.RecipientTypeDetails -match "Group") {
                # Nested group: recurse into it instead of treating it as a mailbox
                Write-Verbose "Recursing on group '$($_.Name)'"
                Set-DistributionGroupPolicy $_.Name
            } else {
                # Individual account: apply the OWA policy
                Set-CASMailbox -Identity $_.Name -OwaMailboxPolicy "Allow Download Access"
            }
        }
    }
    Set-DistributionGroupPolicy "Distribution List GroupName"
Using PowerShell, I must check for each Administrator user that they are only a member of a particular group and not of other groups.
From Active Directory, of course.
I have a command that allows me to make a list of accounts that are related to the group, but it doesn't work:
    $users = Get-QADUser "nom du compte"
    $group = Get-QADGroupMember "nom du group"
    $members = Get-QADGroupMember -Identity $group | Select -ExpandProperty Name
    ForEach ($user in $users) {
        If ($members -contains $user) {
            Write-Host "$user exists in the group"
        } Else {
            Write-Host "$user not exists in the group"
        }
    }
What would be a PowerShell script to export all Azure AD groups, their members and owners into one CSV file?
I also need nested groups expanded.
Here is something I came up with. It should work as long as you have the AzureAD PowerShell module.
    function get-recursivegroupmembers {
        param($grouplistname, $currgroup, $groupmemtype)
        # Fetch either the owners or the members of the current group
        $members = if ($groupmemtype -eq "owner") {
            get-azureadgroupowner -ObjectId $currgroup.ObjectId -All $true
        } else {
            get-azureadgroupmember -ObjectId $currgroup.ObjectId -All $true
        }
        $grouptype = "Distribution Group"
        if ($currgroup.SecurityEnabled -eq $true)
        {
            $grouptype = "Security Group"
        }
        foreach ($member in $members)
        {
            if ($member.ObjectType -eq "Group")
            {
                # Nested group: recurse, extending the path shown in the first column
                get-recursivegroupmembers "$grouplistname->$($member.DisplayName)" $member $groupmemtype
            }
            else
            {
                Add-Content -Path $filename -Value "$grouplistname,$grouptype,$groupmemtype,$($member.ObjectId),$($member.ObjectType) $($member.UserType),$($member.UserPrincipalName)"
            }
        }
    }
    Connect-AzureAD
    $filename = ".\groupusers-$(get-date -f 'ddMMyyyy-HHmmss').csv"
    $groups = Get-AzureADGroup -All $true
    # CSV header row
    Add-Content -Path $filename -Value "Group(s),Group Type,Member Type,User ObjectId,AAD Object Type,UPN"
    ForEach ($group in $groups)
    {
        get-recursivegroupmembers $group.DisplayName $group "owner"
        get-recursivegroupmembers $group.DisplayName $group "member"
    }
This will give you a file, called groupusers, in the current folder where the script is. The first field will contain the group, and if it's a nested group member it would show like group->nestedgroup, owner or member, etc.
Sorry, I couldn't comment as I don't have enough rep. I created an account to thank you, Peter.
This worked a treat. I had tried multiple other articles but this one works. All I did to target groups with a specific naming scheme was change this line and remove $true, as that said 'a positional parameter cannot be found that accepts the argument True':
    $groups = Get-AzureADGroup -SearchString "File Share"
That then searches for any group starting with 'File Share'.
    $Email = "#"
    Get-DistributionGroup | where { (Get-DistributionGroupMember $_.Name | foreach {$_.PrimarySmtpAddress}) -contains "$Email"}
Results: Name, DisplayName, Group Type, PrimarySMTPAddress
I need to remove the user's email address from the distribution group.
I know it will be a foreach command.
Does anyone know how to run that command?
You can use the If statement within a For loop that determines if the email address exists in the distribution group.
If this condition is satisfied, that's when you want to run the Remove-DistributionGroupMember cmdlet:
    $Email = "#"
    Get-DistributionGroup |
        ForEach-Object {
            If ((Get-DistributionGroupMember -Identity $_.Name).PrimarySmtpAddress -contains $Email) {
                # -WhatIf previews the removal; drop it to actually remove the member
                Remove-DistributionGroupMember -Identity $_.Name -Member $Email -WhatIf
            }
        }
Disclaimer: I am not good with PowerShell, this is mainly butchered code. I apologize if this is done poorly or is a stupid question.
I am trying to filter the ACTIVE users in my company by their company (ET) and whether or not they are in a certain group.
So the filter for ACTIVE users in the company "ET" is working properly, the output of this script gives me every active users with that parameter; it does not filter it further down into only users in a certain group.
    $users = Get-ADUser -filter {(Enabled -eq $True) -and (Company -eq "ET")} -SearchBase 'DC=CSOKI,DC=Local' | select -exp samaccountname
    $group = "O365-E3-Full"
    $members = Get-ADGroupMember -Identity $group -Recursive | Select -ExpandProperty samaccountname
    ForEach ($user in $users) {
        If ($members -contains $user) {
            Write-output $(name) | out-file ".\TEST.txt"
        } Else {
            Write-Host "$user does not exist in the group"
        }
    }
Expected:
Output ACTIVE users in company ET that are in group O365-E3-FULL and write-host users that are not (unnecessary, I just want the filter).
Actual:
Write-hosts every ACTIVE user in company ET and ignores the group filter.
In getting your list of users you are collecting the account name for the users with:
    | Select -exp samaccountname
Then in getting group members you are getting the Name with:
    | Select -ExpandProperty Name
You need to be selecting SamAccountName in both of your Gets.
Sorry, pretty quick knock together
    # Create empty array
    $answer = New-Object System.Collections.ArrayList
    # $users and $members come from the question's script
    ForEach ($user in $users) {
        # If is in group then add to array
        If ($members -contains $user) {
            $answer.Add($user) > $null
        } Else {
            Write-Host $user "does not exist in the group"
        }
    }
    # Output the array to the text file
    Write-output $answer | out-file ".\TEST.txt"
List all users that have mailboxes but are not in a group called Metalogix*. I need a PowerShell script that will check whether a specific user is a part of a certain group or not, and if the user is part of any of those groups.
I already have a working script:
    Import-Module ActiveDirectory
    $Users = Get-Mailbox -ResultSize "unlimited"
    $Group = "Metalogix*"
    foreach ($user in $Users) {
        # Direct group memberships of the user, filtered by name pattern
        $Check = Get-ADPrincipalGroupMembership -Identity $User.sAMAccountName |
            ? { $_.Name -like $Group }
        if ($Check -eq $null) {
            Write-Output "$($User.sAMAccountName) is NOT part of this group"
        } else {
            $Results = Get-Mailbox -Identity $User.sAMAccountName |
                select Name, sAMAccountName, PrimarySmtpAddress, Database |
                Export-csv "c:\results1.csv" -NTI -Append
        }
    }
But the script doesn't list groups recursively, e.g. tester4-6 are members of 'Test Group 2', which is a member of 'Test Group 1'. The rest are direct. I can only see direct membership, not recursive membership.
2nd question: I want to get all users with samaccountname that begins with "STR" prefix.
    Test Group 1
        tester1
        tester2
        -> Test Group 2
            tester4
            tester6
I'd probably use a recursive function. Something like this:
    function Test-GroupMembership {
        Param(
            [Parameter(Mandatory=$true)]
            [string]$Identity,
            [Parameter(Mandatory=$true)]
            [string]$Name
        )
        $groups = Get-ADPrincipalGroupMembership -Identity $Identity
        if ($groups | Where-Object { $_.Name -like $Name }) {
            return $true
        } elseif ($groups -ne $null) {
            foreach ($g in $groups) {
                if (Test-GroupMembership -Identity $g -Name $Name) {
                    return $true
                }
            }
        }
        return $false
    }
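Added example, not part of any post on this page: the hand-rolled recursions above (Set-DistributionGroupPolicy, get-recursivegroupmembers, Test-GroupMembership) re-enter a group every time they reach it, so circular nesting never terminates and a member reachable by two paths is processed twice. The function below expands a constructed in-memory directory with a visited set; Get-NestedMember, its two scriptblock hooks and the sample data are assumptions for illustration, and against a real directory the hooks would wrap the member-listing cmdlets used in the posts.

```powershell
# Constructed sample directory (not real data): group -> direct members.
# The two groups contain each other, i.e. circular nesting.
$Directory = @{
    'Test Group 1' = @('tester1', 'tester2', 'Test Group 2')
    'Test Group 2' = @('tester4', 'tester6', 'tester1', 'Test Group 1')
}

function Get-NestedMember {
    param(
        [Parameter(Mandatory)] [string] $Group,
        # Hypothetical hook: returns the direct members of the named group.
        [Parameter(Mandatory)] [scriptblock] $GetDirectMember,
        # Hypothetical hook: returns $true when a member is itself a group.
        [Parameter(Mandatory)] [scriptblock] $IsGroup
    )
    $cmp        = [System.StringComparer]::OrdinalIgnoreCase
    $seenGroups = [System.Collections.Generic.HashSet[string]]::new($cmp)
    $seenUsers  = [System.Collections.Generic.HashSet[string]]::new($cmp)
    $queue      = [System.Collections.Generic.Queue[string]]::new()
    $queue.Enqueue($Group)

    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        # Add() returns $false for a group that was already expanded,
        # which is what stops a cycle (or a diamond) from being re-walked.
        if (-not $seenGroups.Add($current)) { continue }

        foreach ($member in @(& $GetDirectMember $current)) {
            if (& $IsGroup $member) {
                $queue.Enqueue($member)
            } elseif ($seenUsers.Add($member)) {
                $member   # emit each non-group member exactly once
            }
        }
    }
}

# Expand once, then test any number of accounts against the flat list.
$flat = @(Get-NestedMember -Group 'Test Group 1' `
    -GetDirectMember { param($g) $Directory[$g] } `
    -IsGroup { param($m) $Directory.ContainsKey($m) })

foreach ($account in 'tester4', 'tester9') {
    '{0} nested member of Test Group 1: {1}' -f $account, ($account -in $flat)
}
```

The ::new() constructor syntax requires PowerShell 5.0 or later.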
Get-ADPrincipalGroupMembership isn't recursive, but Get-ADGroupMember is.
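    $Users = Get-Mailbox -ResultSize "unlimited"
    $Group = 'Metalogix*'
    # -Identity does not take wildcards, so resolve the matching groups first
    $GroupMembers = Get-ADGroup -Filter "Name -like '$Group'" | Get-ADGroupMember -Recursive | Select-Object -ExpandProperty samAccountName
    foreach ($User in $Users) {
        # Compare account names, since $GroupMembers holds samAccountName strings
        if ($User.SamAccountName -in $GroupMembers) {
            Write-Output "User $($User.SamAccountName) is in group $Group."
        }
        else {
            Write-Output "User $($User.SamAccountName) is not in group $Group."
        }
    }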
This is also more efficient because you're only fetching group membership once.
I'm away from my servers, so treat the above as pseudocode.