Getting the Full Azure AD UserID for a local User - powershell

I'm trying to answer what I hope is a simple question. I have a device enrolled in Azure AD and Autopiloted. Using the IntuneManagementExtension I'd like to acquire the FULL user name of the user currently logged in, to use elsewhere in scripts. I cannot see a way of doing it.
All the examples I can find return either the short name, or the AzureAD domain and the user name, for example:
Tenant is mytestdomain.onmicrosoft.com
User is mytestuser@mytestdomain.com
Most methods, if you just Google or search Stack Overflow, will return either:
AzureAD\mytestuser
or
mytestuser
I need one that returns the full mytestuser@mytestdomain.com. This is because the tenant has several vanity names, so I need to determine which one is logged in (for example mytestuser@mytestdomain.com is a different user account to mytestuser@mytestdomain2.com or mytestuser@mytestdomain3.com). Therefore, I can't just append my tenant name to the end of the output of other methods.
Any thoughts appreciated. Methods that require installation of the MSOnline/AzureAD modules don't seem to work, as they require user login, which defeats the point, and as it's being run by the Intune Management Extension, the user can't interact anyway.
Thanks

I'm a little busy to test this right now, but it should do the trick.
You can have Intune run a Powershell script. This command will return the full user account name in the format you've described.
whoami.exe /UPN
Since you've stated you want the user who is already logged in, when you are configuring the settings in Intune make sure to select the option "Run this script using the logged on credentials".

This line will return the UPN from the domain join info in the registry.
Must be run with admin privileges.
[string]$(
    # JoinInfo holds one subkey per Azure AD join; its UserEmail value is the joining account's UPN
    $1 = 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo'
    if (Test-Path -Path $1) {
        (Get-ItemProperty -Path ('{0}\{1}' -f ($1, (Get-ChildItem -Path $1).Name.Split('\')[-1])) -Name 'UserEmail' |
            Select-Object -ExpandProperty 'UserEmail')
    } else {
        ''
    }
)
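The two answers above give two different sources for the UPN, and each works in only one execution context: whoami /upn works when the script runs as the signed-in user, and the CloudDomainJoin registry key is readable when the script runs as SYSTEM. The following function, added here as an example and not code from either answer, tries both in that order, handles more than one JoinInfo subkey, and splits off the domain suffix so the vanity domain can be compared. The function name and the output object are my own; the registry path and whoami switch are the ones the answers cite. One caveat the answers do not state: UserEmail under JoinInfo is the account that performed the Azure AD join, which is not necessarily the user currently signed in, so the Source field records which method produced the value.

```powershell
function Get-SignedInUserUpn {
    <#
      Returns a PSCustomObject with Upn, Domain and Source, or $null if no UPN
      could be determined. Added example; names are not from the original answers.
    #>
    [CmdletBinding()]
    param()

    # 1. Preferred source: the signed-in user's own token. Only works when the
    #    script runs in that user's context (Intune: "Run this script using the
    #    logged on credentials"). For SYSTEM or a local account whoami.exe writes
    #    an error and exits non-zero, so check the exit code, not just the output.
    $whoamiOutput = & whoami.exe /upn 2>$null
    if ($LASTEXITCODE -eq 0 -and $whoamiOutput -match '^[^@\s]+@[^@\s]+$') {
        $upn = $whoamiOutput.Trim()
        return [pscustomobject]@{
            Upn    = $upn
            Domain = $upn.Split('@')[1]
            Source = 'whoami /upn'
        }
    }

    # 2. Fallback for scripts running as SYSTEM: the Azure AD join information.
    #    Caveat: this is the account that joined the device, not necessarily the
    #    user at the keyboard right now. Reading HKLM\SYSTEM needs admin rights.
    $joinInfoPath = 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo'
    if (Test-Path -Path $joinInfoPath) {
        # There is normally one subkey (a GUID); iterate so a second one does not break the call.
        foreach ($key in Get-ChildItem -Path $joinInfoPath) {
            $email = (Get-ItemProperty -Path $key.PSPath -Name 'UserEmail' -ErrorAction SilentlyContinue).UserEmail
            if ($email -and $email -match '^[^@\s]+@[^@\s]+$') {
                return [pscustomobject]@{
                    Upn    = $email
                    Domain = $email.Split('@')[1]
                    Source = 'CloudDomainJoin\JoinInfo\UserEmail'
                }
            }
        }
    }

    return $null
}

# Usage: decide per vanity domain which configuration applies.
$user = Get-SignedInUserUpn
if ($null -eq $user) {
    Write-Warning 'Could not determine the signed-in user UPN in this context.'
} else {
    switch ($user.Domain) {
        'mytestdomain.com'  { "Tenant vanity domain 1: $($user.Upn) (via $($user.Source))" }
        'mytestdomain2.com' { "Tenant vanity domain 2: $($user.Upn) (via $($user.Source))" }
        default             { "Unexpected domain $($user.Domain) for $($user.Upn)" }
    }
}
```

When deploying through Intune, run the script in the user context if you want the first branch; in the SYSTEM context the function will silently fall through to the join information, and the Source field tells you which one you actually got.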

Related

Microsoft Teams Powershell. How to get the email address of the person logged on

I'm sure this is easy, but it's doing my head in.
I'm very new to Powershell.
Accessing the Teams powershell is no problem.
Connect-MicrosoftTeams
This brings up a dialog, and asks me to select an account, and all I need to do is to click on mine.
I get a display telling me my "account" - which is my email address.
From there I want to establish a number of things that apply to "me".
I have a piece of code that will allow me to get a list of those things either to the screen or to a .csv file by electing 1 or 2 at a prompt.
In order for this script to work, it relies on lines like this:
$AllTeams = Get-Team -User "my.emailaddress@somedomain"
Foreach ($Team in $AllTeams)
What I need is to be able to replace my.emailaddress, with the email address taken from the "account" mentioned above. (i.e My email address that the system has used to log me in)
That is, the teams powershell knows my email address, I can see it on the screen.
How can I capture this to a variable, and then feed that in later on?
This would enable other people to run the same script without having to amend it every time, and get the similar report, but based on themselves.
Is there something like
current account, or "me", or currentuser smtp?
Get-Credential is no use because I am already past security with a single mouse click.
Similarly all the other commands and functions I've seen don't tell me anything about the current user.
Thanks
The easiest way is to save the Teams connection information returned by Connect-MicrosoftTeams into a variable. The email used to connect is stored in the Account.Id field:
$TeamsInfo = Connect-MicrosoftTeams
$TeamsInfo.Account.id
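Putting the answer together with the script the question describes (screen or CSV, chosen by entering 1 or 2): the script below is an added example, not the asker's original code, and assumes only the MicrosoftTeams module the question already uses. The column names and the CSV file name are my own choices.

```powershell
# Added example: report the teams of whoever just signed in, with no hard-coded address.
Import-Module MicrosoftTeams

# Connect-MicrosoftTeams returns the connection context; Account.Id is the
# UPN/email the interactive sign-in used.
$TeamsInfo = Connect-MicrosoftTeams
$me = $TeamsInfo.Account.Id
if (-not $me) { throw 'Connect-MicrosoftTeams did not return an account; aborting.' }

# Same call as in the question, but driven by the signed-in account.
$AllTeams = Get-Team -User $me

$rows = foreach ($Team in $AllTeams) {
    [pscustomobject]@{
        User       = $me
        Team       = $Team.DisplayName
        GroupId    = $Team.GroupId
        Visibility = $Team.Visibility
    }
}

switch (Read-Host 'Enter 1 to show on screen, 2 to export to CSV') {
    '1' { $rows | Format-Table -AutoSize }
    '2' {
        # File name derived from the UPN; characters that are not safe in a file name are replaced.
        $safeName = $me -replace '[^\w.@-]', '_'
        $out = Join-Path -Path $env:USERPROFILE -ChildPath ('Teams-{0}.csv' -f $safeName)
        $rows | Export-Csv -Path $out -NoTypeInformation
        "Written $out"
    }
    default { 'Enter 1 or 2.' }
}
```

Because nothing in the script names a person, any colleague can run it unchanged and get the same report for their own account.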

NTFS permissions show name but script shows SID

I run a script to get permissions to a file share.
Recently I've had to add permissions from users in a separate domain.
Now when I run the script, the script returns the SID of the users, rather than their names. However, if I go into the NTFS properties, the UI shows the names.
I assume that since it takes a while for NTFS to actually resolve the SID to the name before it shows the name (as initially it too only shows the SID), the script is just running and pulling the data without waiting for resolution... but I don't see a 'busy' member for the Get-Item cmdlet...
And unfortunately, since I don't have access to the other domain, I wouldn't be able to run another command to get the user names from the SID.
If push comes to shove I'll either have to get access to that domain, or run the script under an account that does, but I was just wondering if there was something I could do in my current position.
Any ideas?
((((Get-Item "D:\shares\sharelocation").GetAccessControl('access')).Access).identityreference).value
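The IdentityReference in each access rule comes back as an NTAccount when the local host can translate the SID and as a raw SecurityIdentifier when it cannot (the UI resolves names through its own lookup, which is why the two can disagree). The function below, an added example rather than the asker's script, reads the same ACL through Get-Acl, retries translation once for any entry that is still a SID, and reports both forms side by side so unresolved foreign-domain entries are visible rather than silently mixed in with names. The function name and the output columns are my own.

```powershell
function Get-ShareAceReport {
    <#
      Lists every ACE on a path with the identity as both name and SID, flagging
      entries that could not be resolved. Added example; not the original script.
    #>
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $ref  = $ace.IdentityReference
        $name = $null
        $sid  = $null

        if ($ref -is [System.Security.Principal.SecurityIdentifier]) {
            # Translation failed when the ACL was read (e.g. no reachable DC for
            # that domain). Try once more; if it still fails, keep the raw SID.
            $sid = $ref.Value
            try   { $name = $ref.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $null }
        } else {
            # Already a DOMAIN\name; record the SID as well for a stable key.
            $name = $ref.Value
            try   { $sid = $ref.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { $sid = $null }
        }

        [pscustomobject]@{
            Path       = $Path
            Identity   = $(if ($name) { $name } else { $sid })
            Sid        = $sid
            Unresolved = (-not $name)
            Rights     = $ace.FileSystemRights.ToString()
            Type       = $ace.AccessControlType.ToString()
            Inherited  = $ace.IsInherited
        }
    }
}

# Usage: show unresolved entries first so they are not overlooked in a long list.
Get-ShareAceReport -Path 'D:\shares\sharelocation' |
    Sort-Object -Property Unresolved -Descending |
    Format-Table -AutoSize
```

Entries with Unresolved set to True are exactly the ones that need an account with lookup rights in the other domain (or a trust the file server can use) before they can be reported by name; the SID is still a valid, comparable key in the meantime.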

Add users groups in Azure subscription using portal

I was trying to follow this tutorial from the official Microsoft Docs in order to give a specific user group a role.
https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-control-configure
I want that role to be applied at subscription level. First, the screenshots are outdated and do not represent the current portal. Second, the current portal seems to be unable to find the user groups through the search.
After searching and changing a lot of things, I realized that the issue wasn't with my actions but with the Azure portal. I gave up on the portal and started trying PowerShell, and it works as expected.
https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell
Therefore, save your time and use PowerShell instead of the portal in case you want to set a role on a user group. Again, there is no specific command as far as subscription-level access is concerned. You need to modify the one for resource groups a bit and add -Scope. Your final command should be this:
New-AzureRmRoleAssignment -ObjectId $userGroupId -RoleDefinitionName 'Reader' -scope '/subscriptions/{Change_To_Subscription_ID}'
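The command above needs the group's object id and is not idempotent: running it a second time fails because the assignment already exists. The function below is an added example (not the asker's code) that resolves the group by display name, checks for an existing assignment at exactly the subscription scope, and only then calls New-AzureRmRoleAssignment. It uses the AzureRm cmdlets the page names; the Az module equivalents are Get-AzADGroup, Get-AzRoleAssignment and New-AzRoleAssignment. The function name is my own.

```powershell
function Set-GroupSubscriptionRole {
    <#
      Ensures a group holds a built-in role at subscription scope.
      Added example using the AzureRm cmdlets named on this page.
    #>
    param(
        [Parameter(Mandatory)][string]$GroupDisplayName,
        [Parameter(Mandatory)][string]$SubscriptionId,   # placeholder: the target subscription's GUID
        [string]$RoleDefinitionName = 'Reader'
    )

    $scope = "/subscriptions/$SubscriptionId"

    # -SearchString is a prefix match, so filter to the exact display name and
    # refuse to continue if it is ambiguous rather than picking one at random.
    $groups = @(Get-AzureRmADGroup -SearchString $GroupDisplayName |
                Where-Object { $_.DisplayName -eq $GroupDisplayName })
    if ($groups.Count -eq 0) { throw "Group '$GroupDisplayName' not found in the tenant." }
    if ($groups.Count -gt 1) { throw "Group name '$GroupDisplayName' is not unique; use the object id instead." }
    $group = $groups[0]

    # Assignments inherited from management groups also show up for this scope;
    # compare the Scope property so only a direct subscription assignment counts.
    $existing = Get-AzureRmRoleAssignment -ObjectId $group.Id -RoleDefinitionName $RoleDefinitionName -Scope $scope |
        Where-Object { $_.Scope -eq $scope }
    if ($existing) {
        Write-Verbose "Assignment already present; nothing to do."
        return $existing
    }

    New-AzureRmRoleAssignment -ObjectId $group.Id -RoleDefinitionName $RoleDefinitionName -Scope $scope
}

# Usage (values are placeholders):
# Set-GroupSubscriptionRole -GroupDisplayName 'Finance Readers' -SubscriptionId '00000000-0000-0000-0000-000000000000' -Verbose
```

Assigning 'Reader' is deliberately the default here; pass a broader role explicitly, and keep the scope at the narrowest level that satisfies the requirement.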

Adding an Active Directory user using a specific DC in PowerShell

I have a requirement to test each Domain Controller in a very large AD schema to assure that user creates are successful. I am building a script to do this in PowerShell so I can repeat the test as necessary. The script will create a user in each AD, and then check the public properties of the user on each DC to assure the creation was successful.
The input to this script will be a text file of DC names.
The Active Directory cmdlets have New-ADUser, which creates a new AD user. It does not, however, appear to allow the developer to specify a specific Domain Controller.
Is there a way to create an AD user using a specific Domain Controller?
Almost all cmdlets in the ActiveDirectory module have the ability to target a specific DC.
For New-ADUser use the -Server parameter. See the MSDN documentation.
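The procedure the question describes (a DC list in a text file, create a user on each DC, read it back) with -Server pinning both the write and the verification read to the same DC, as an added example that is not the asker's script. It assumes a text file with one DC FQDN per line and an OU set aside for test objects; the function names, the sAMAccountName pattern and the OU are my own placeholders.

```powershell
Import-Module ActiveDirectory

function Test-DcUserCreate {
    <#
      For each DC in the list: create a throwaway user on that DC, read it back
      from the same DC, optionally delete it. Added example, not original code.
    #>
    param(
        [Parameter(Mandatory)][string]$DcListPath,   # assumed: one DC FQDN per line
        [Parameter(Mandatory)][string]$TargetOu,     # placeholder, e.g. 'OU=ProvisioningTests,DC=example,DC=com'
        [switch]$Cleanup
    )

    $stamp = Get-Date -Format 'yyMMddHHmm'
    $dcs   = Get-Content -Path $DcListPath | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $i     = 0

    foreach ($dc in $dcs) {
        $i++
        # sAMAccountName must be unique and at most 20 characters: 'dctest' + 10-digit stamp + 3-digit index = 19.
        $sam    = 'dctest{0}{1:D3}' -f $stamp, $i
        $marker = "DC create test on $dc"
        $result = [ordered]@{ DC = $dc; SamAccountName = $sam; Created = $false; ReadBack = $false; Error = $null }

        try {
            # -Server targets this DC for the write; the read below uses the same DC,
            # so success does not depend on replication from anywhere else.
            New-ADUser -Server $dc -Name $sam -SamAccountName $sam -Path $TargetOu -Description $marker -ErrorAction Stop
            $result.Created = $true

            $user = Get-ADUser -Server $dc -Identity $sam -Properties Description -ErrorAction Stop
            $result.ReadBack = ($user.Description -eq $marker)

            if ($Cleanup) { Remove-ADUser -Server $dc -Identity $sam -Confirm:$false -ErrorAction Stop }
        } catch {
            $result.Error = $_.Exception.Message
        }

        [pscustomobject]$result
    }
}

function Test-DcUserReplicated {
    <#
      Second pass for the "check on each DC" part of the question: after the
      replication interval, confirm one account is visible from every DC.
    #>
    param(
        [Parameter(Mandatory)][string[]]$Dcs,
        [Parameter(Mandatory)][string]$SamAccountName
    )
    foreach ($dc in $Dcs) {
        # -LDAPFilter returns nothing (no error) when the object is absent on that DC.
        $present = $null -ne (Get-ADUser -Server $dc -LDAPFilter "(sAMAccountName=$SamAccountName)")
        [pscustomobject]@{ DC = $dc; SamAccountName = $SamAccountName; Present = $present }
    }
}

# Usage (paths and OU are placeholders):
# $results = Test-DcUserCreate -DcListPath 'C:\temp\dcs.txt' -TargetOu 'OU=ProvisioningTests,DC=example,DC=com'
# $results | Format-Table -AutoSize
# Test-DcUserReplicated -Dcs (Get-Content 'C:\temp\dcs.txt') -SamAccountName $results[0].SamAccountName
```

Run the first function without -Cleanup when you want to use the second one afterwards, then remove the test accounts once the replication check is done; leaving test users in the directory is the kind of residue that later audits flag.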

user account "effective permissions" with powershell

I need to compare AD users' permissions (one user can "unset" an attribute and another cannot; both can change it).
How can I dump/compare user account "effective permissions", which I find when I go to user account > Security > Advanced > Effective Permissions (and select a user account), with PowerShell?
Using the Quest free PowerShell commands for Active Directory is simple:
Get-QadPermission useraccountname -Inherited
or, a better way:
Get-QADUser -Name useraccountname -SecurityMask DACL | Get-QADPermission -Inherited -SchemaDefault
This returns all effective permissions, inherited or explicitly assigned, for the user 'useraccountname'.
The comparison can be made with Compare-Object.
A very simple example:
compare-object (Get-QADPermission userA -Inherited | select Rights) (Get-QADPermission userB -Inherited | select rights)
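The Quest cmdlets are not always available; the same DACL dump and comparison can be done with the Microsoft ActiveDirectory module's AD: drive and Get-Acl. The script below is an added example (not the answer's code, and a different tool from the one it names) that lists each access rule on two user objects, including the ObjectType GUID that identifies the specific attribute or extended right the rule covers, and then compares the two lists on the properties that matter. Function names and column names are my own. As the next answer on this page points out, this is still the list of ACEs on the object, not the effective permissions the ADUC tab computes.

```powershell
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl below

function Get-AdUserAceTable {
    <# Dumps the DACL of a user object as flat rows. Added example, not the answer's code. #>
    param([Parameter(Mandatory)][string]$SamAccountName)

    $dn  = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"

    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Identity   = $ace.IdentityReference.Value
            Rights     = $ace.ActiveDirectoryRights.ToString()
            Type       = $ace.AccessControlType.ToString()
            # Attribute / extended-right GUID; all zeros means the rule applies to the whole object.
            ObjectType = $ace.ObjectType.ToString()
            Inherited  = $ace.IsInherited
        }
    }
}

function Compare-AdUserAcl {
    <# Rows present on only one of the two user objects, tagged with which one. #>
    param(
        [Parameter(Mandatory)][string]$UserA,
        [Parameter(Mandatory)][string]$UserB
    )

    $keyProps = 'Identity', 'Rights', 'Type', 'ObjectType'
    Compare-Object -ReferenceObject (Get-AdUserAceTable -SamAccountName $UserA) `
                   -DifferenceObject (Get-AdUserAceTable -SamAccountName $UserB) `
                   -Property $keyProps -PassThru |
        Select-Object @{ n = 'OnlyOn'; e = { if ($_.SideIndicator -eq '<=') { $UserA } else { $UserB } } },
                      Identity, Rights, Type, ObjectType, Inherited
}

# Usage (account names are placeholders):
# Compare-AdUserAcl -UserA 'userA' -UserB 'userB' | Sort-Object OnlyOn, Identity | Format-Table -AutoSize
```

The ObjectType column is what answers the question's "unset an attribute" case: a WriteProperty rule scoped to one attribute GUID on userA but not on userB is the difference to look for. To turn a GUID into an attribute name, look it up against schemaIDGUID in the schema naming context.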
We were in a similar situation once and needed to know who all could delete one of our main OUs, so we figured that maybe we should dump the ACL on the OU and look for everyone who had delete permissions on the object. Of course dsacls was very helpful in this regard and we could dump the ACL on it easily.
But then, as we started looking at the ACL, we found that it had almost 60 permission entries, including about half a dozen deny entries, some of which were direct and others inherited. We initially didn't consider the denies and came up with a list of about 200 users who could delete the OU, but that did not seem right (it seemed too high). Then we realized that we had to intersect the denies with the allows!
So we flattened all deny permissions, and all allow permissions, but then we had to figure out which of these denies would apply, since some of them were inherited, and I believe the inherited ones don't negate any direct allows, so that took some more painstaking work, and while doing it we realized that some of those inherited permissions did not apply to the object, so we had to start from scratch!
Finally, we almost gave up, and when I asked one of our Enterprise Admins, he said what we needed to do was determine Effective Permissions on our OU, and he pointed us to the Effective Permissions Tab in the Active Directory Users and Computers snap-in.
So we launched ADUC and navigated to the Effective Permissions Tab, and figured it would be a matter of clicking OK somewhere. However, we soon realized that it needed us to enter each person's name individually. Now, we have almost 2000 people in our environment, so there was no way we could put in 2000 people's names one by one. The other thing was that even for a single person, it would show us all the effective permissions for that person, and in technical terms, which we would have to further refine.
We then figured we'd give PowerShell a shot, and looked at many options to do this using PowerShell, but there was no easy way to determine effective permissions in AD using PowerShell, which was disappointing. In particular, we tried Quest's free PowerShell commands Get-QADPermission useraccountname and Get-QADUser -Name useraccountname, but we were disappointed to see that this only retrieved the list of all permissions specified for a given user. It did not reveal the Effective Permissions granted to a user. We found ourselves having to start with the results it brought back to then manually try and determine effective permissions, which was not worth our time.
So, we had almost given up hope, but before quitting we thought we would just Google "Active Directory Effective Permissions Tool" with the hope that there must be something out there that could do this for us. I am glad we did because we found a tool that could do exactly what we needed: figure out effective permissions on our OU and give us the ability to export these effective permissions -
http://www.paramountdefenses.com/goldfinger_capabilities_true_effective_permissions_for_active_directory.html
We found that this tool (called Gold Finger for AD) has the ability to determine Effective Permissions on Active Directory objects, and provide the output such that we could easily see the list of all users who had "effective permissions" for a specific right on an object. For instance, we were able to use it to determine and enumerate the list of all admins who had "effective delete access" rights on the OU we were interested in.
It has turned out to be quite helpful for us, and maybe it could be of help to you too. I just thought I would share this because I've been down the dsacls route and I wouldn't want you to go through the same pain we did in trying to do this manually. It's just too painful to do manually.