I am trying to output all AD users' calendar and contact permissions. I have tried adding an -or operator, but as per the error screenshot it does not work. I am not sure if Get-MailboxFolderPermission can take more than one parameter.
This script does not run
$OU = "OU=users,OU=test.com,OU=PIPE,OU=Hosting,DC=options,DC=com"
Get-Mailbox -OrganizationalUnit $OU -Filter * |
select -Expand alias |
Where-Object {Get-MailboxFolderPermission -Identity $($_ + ':\Calendar') -or $($_ + ':\Contacts')} |
select Identity, FolderName, User, @{name="AccessRights";expression={[string]::Join(",",@($_.accessrights))}}, IsValid |
Sort-Object Identity |
Export-Csv C:\temp\calendarpemstest2.csv
This script runs fine just getting calendar permissions
$OU = "OU=users,OU=test.com,OU=PIPE,OU=Hosting,DC=options,DC=com"
Get-Mailbox -OrganizationalUnit $OU -Filter * |
select -Expand alias |
ForEach-Object {Get-MailboxFolderPermission -Identity $($_ + ':\Calendar')} |
select Identity, FolderName, User, @{name="AccessRights";expression={[string]::Join(",",@($_.accessrights)) }}, IsValid |
Sort-Object Identity |
Export-Csv C:\temp\calendarpemstest2.csv
PowerShell tries to parse the -or parameter for Get-MailboxFolderPermission, but Get-MailboxFolderPermission does not have an -or parameter.
One way to work around this problem is to pipe the same aliases object twice (once for Calendar and once for Contacts).
$OU = "OU=users,OU=test.com,OU=PIPE,OU=Hosting,DC=options,DC=com"
$aliases = Get-Mailbox -OrganizationalUnit $OU -filter * | select -expand alias
$calendarPermissions = $aliases | ForEach-Object { Get-MailboxFolderPermission -identity $($_ + ':\Calendar' ) }
$contactsPermissions = $aliases | ForEach-Object { Get-MailboxFolderPermission -identity $($_ + ':\Contacts' ) }
# now merge both permissions and pipe to the rest of the code
$calendarPermissions + $contactsPermissions |
Select Identity, FolderName, User, @{name="AccessRights";expression={ [string]::join(",",@($_.accessrights)) }}, IsValid |
Sort-Object identity |
Export-Csv C:\temp\calendarpemstest2.csv
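A single-pass variant of the workaround above, as an added example that is not part of the original answer: it loops over both folder names per mailbox, records lookups that fail instead of aborting, and marks grants to the built-in Default and Anonymous principals that go beyond free/busy. It assumes an Exchange session; `$folders`, `$benign`, `$failed`, the `Broad` column and the output paths are illustrative names.

```powershell
# Added example; assumes a session where Get-Mailbox and
# Get-MailboxFolderPermission are available. Names and paths are illustrative.
$OU      = "OU=users,OU=test.com,OU=PIPE,OU=Hosting,DC=options,DC=com"
$folders = 'Calendar', 'Contacts'
# Rights treated as harmless for Default/Anonymous (assumption: adjust to policy)
$benign  = 'None', 'AvailabilityOnly'
$failed  = New-Object 'System.Collections.Generic.List[object]'

$report = foreach ($alias in (Get-Mailbox -OrganizationalUnit $OU -ResultSize Unlimited).Alias) {
    foreach ($folder in $folders) {
        $id = "${alias}:\$folder"
        try {
            Get-MailboxFolderPermission -Identity $id -ErrorAction Stop |
                ForEach-Object {
                    $rights = @($_.AccessRights | ForEach-Object { "$_" })
                    $open   = "$($_.User)" -in 'Default', 'Anonymous'
                    [PSCustomObject]@{
                        Mailbox      = $alias
                        FolderName   = $_.FolderName
                        User         = "$($_.User)"
                        AccessRights = $rights -join ','
                        # True when Default/Anonymous holds more than free/busy
                        Broad        = $open -and [bool]($rights | Where-Object { $_ -notin $benign })
                    }
                }
        }
        catch {
            # Typical cause: the folder has a localized name in this mailbox
            $failed.Add([PSCustomObject]@{ Identity = $id; Error = $_.Exception.Message })
        }
    }
}

$report | Sort-Object Mailbox, FolderName, User |
    Export-Csv C:\temp\folderperms.csv -NoTypeInformation
$failed | Export-Csv C:\temp\folderperms-failed.csv -NoTypeInformation
```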
I have a list with AD groups in a CSV file: Input_ADGroup.csv
Column A looks like this:
CN
ADgroup1
ADgroup2
I already have some code which list all the users of the groups in the output.csv file, however I am missing the ADgroup name. So it is unclear which users are member of which group.
$Manager = @{Name = "Manager"; Expression = {%{(Get-ADUser $_.Manager -Properties DisplayName).DisplayName}}}
$Manager_Location = @{Name = "Manager_Location"; Expression = {%{(Get-ADUser $_.Manager -Properties Office).Office}}}
$Fields = @(
'SamAccountName'
'CN'
'DisplayName'
'Office'
'mail'
'Department'
$Manager
$Manager_Location
)
Import-Csv -Path H:\Test\Input_ADGroup.csv |
ForEach-Object {
Get-ADGroup -Filter "CN -eq '$($_.CN)'" -Properties * -ErrorAction SilentlyContinue |
Get-ADGroupMember | Get-ADUser -properties * | Select $Fields
} | Export-Csv -Path H:\Test\Output_ADGroup.csv -NoTypeInformation
H:\Test\Output_ADGroup.csv
So is it possible to get a column which shows the "source-ADgroup"... or another format which breaks the list with the ADGroup name or something?
IMO my other suggested solution is more efficient applying the same CN from the input:
$Data = ForEach($CN in (Import-Csv -Path H:\Test\Input_ADGroup.csv).CN) {
Get-ADGroup -Filter "CN -eq '$CN'" -Properties CN -ErrorAction SilentlyContinue |
Get-ADGroupMember | Get-ADUser -Properties * | Select-Object ($Fields+@{n="Group";e={$CN}})
}
$Data
$Data | Export-Csv -Path H:\Test\Output_ADGroup.csv -NoTypeInformation
As you already have AD group name in $_, you can add one more calculated property to your Select-Object by changing this:
Get-ADGroup -Filter "CN -eq '$($_.CN)'" -Properties * -ErrorAction SilentlyContinue |
Get-ADGroupMember | Get-ADUser -properties * | Select $Fields
to this (saving first group name to variable to not mix up with $_ used later in pipeline):
$GroupName = $_.CN
Get-ADGroup -Filter "CN -eq '$($_.CN)'" -Properties * -ErrorAction SilentlyContinue |
Get-ADGroupMember | Get-ADUser -properties * | Select ($Fields+@{n="Group";e={$GroupName}})
Credits to @LotPings and @Maikel for pointing out the issue with incorrect $_ usage in comments
NOTE: remember about brackets, otherwise you'd receive an error like:
Select-Object : A positional parameter cannot be found that accepts argument n="Group";e={$GroupName}
@Lotpings @robdy - Thanks for your input, I got it working so many thanks. See code below
Import-Csv -Path H:\Test\Input_ADGroup.csv |
ForEach-Object {
Get-ADGroup -Filter "CN -eq '$($_.CN)'" -Properties CN -PipelineVariable name -ErrorAction SilentlyContinue |
Get-ADGroupMember | Get-ADUser -properties * | Select ($Fields+@{n="Group";e={$name}})
} | Export-Csv -Path H:\Test\Output_ADGroup.csv -NoTypeInformation
H:\Test\Output_ADGroup.csv
One last note: The AD group gets displayed as CN=Groupname,OU=...OU=… etc
I couldn't get it to show just "Groupname" but this really is not an issue.
I'm trying to collect folder permissions to a csv file with Powershell. My problem is that I'd need the results to contain both the SamAccountName and FileSystemRights.
I tried two different methods. The first I came up with was a simple approach that gave me IdentityReference and FileSystemRights, but I couldn't find any working method that can get SamAccountName from IdentityReference.
The second one I found on the internet was much more sophisticated. It collects all the accounts that have access to the folder, but it doesn't show FileSystemRights and I couldn't figure out how to change it to do so.
My own solution
(Get-Acl "FolderPath").Access | Select-Object IdentityReference, FileSystemRights
The solution I found
Get-Acl $UncPath | Select-Object -ExpandProperty Access | Where-Object { (-not $_.IsInherited) -and ('NT AUTHORITY\SYSTEM','BUILTIN\Administrators','CREATOR OWNER' -notcontains $_.IdentityReference) } | Select-Object -ExpandProperty IdentityReference | ForEach-Object { $_.Translate('System.Security.Principal.SecurityIdentifier').Value } | Get-ADGroup -ErrorAction SilentlyContinue | get-adgroupmember | select-object SamAccountName | Format-Table | Out-String
Is there any working method that can get me a result where I can see SamAccountName and FileSystemRights?
Thank you in advance.
$UncPath = 'E:\temp\test'
$all = Get-Acl $UncPath |
Select -ExpandProperty Access |
Where-Object { (-not $_.IsInherited) -and ('NT AUTHORITY\SYSTEM','BUILTIN\Administrators','CREATOR OWNER' -notcontains $_.IdentityReference) } |
Select-Object @{ Name = 'Identity'; Expression = { $_.IdentityReference -replace "\w+\\(.+)", '$1' } }, FileSystemRights
# Here you can get Users ACL
$distinct_users = $all |
Select-Object Identity, @{ Name = 'sAMAccountName'; Expression = { (Get-ADUser -Identity $_.Identity -ErrorAction SilentlyContinue).sAMAccountName }}, FileSystemRights |
Where-Object sAMAccountName -ne $null
# Here we will expand group acls
$groups = $all |
Select-Object Identity, @{ Name = 'sAMAccountName'; Expression = { (Get-ADGroup -Identity $_.Identity -ErrorAction SilentlyContinue).sAMAccountName }}, FileSystemRights |
Where-Object sAMAccountName -ne $null
# now we will get groups membership
$group_users = @()
Foreach($group in $groups){
Get-ADGroupMember -Identity $group.Identity | ForEach-Object { $group_users += [PSCustomObject]@{
'Identity' = $group.Identity
'sAMAccountName' = $_.sAMAccountName
'FileSystemRights' = $group.FileSystemRights
} }
}
$everyone = $distinct_users + $group_users
$everyone | Export-Csv -Path D:\example.csv
Check the $everyone variable; it will contain 3 columns: Identity as it was in the ACL, sAMAccountName and FileSystemRights.
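A variant of the same report that resolves each ACL entry by SID rather than by trimming the domain prefix from the name, added here as an example and not part of the original answer. It also keeps the Allow/Deny type and expands nested groups; it assumes the ActiveDirectory module on a domain-joined host, and `$Path`, the column names and the output file are illustrative.

```powershell
# Added example; assumes the ActiveDirectory module and a domain-joined host.
# $Path, the column names and the output file are illustrative.
Import-Module ActiveDirectory
$Path = 'E:\temp\test'

$report = foreach ($ace in (Get-Acl -Path $Path).Access) {
    # Translate the ACL identity to a SID; orphaned entries fail and stay $null
    try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $sid = $null }

    # Only domain-style SIDs are looked up in AD. BUILTIN\... and
    # NT AUTHORITY\... refer to local principals of the file server.
    $obj = if ($sid -like 'S-1-5-21-*') {
        Get-ADObject -Filter "objectSid -eq '$sid'" -Properties sAMAccountName
    }

    $members = if (-not $obj) {
        $null                                   # local, well-known or orphaned
    } elseif ($obj.ObjectClass -eq 'group') {
        Get-ADGroupMember -Identity $sid -Recursive   # flattens nested groups
    } else {
        $obj                                    # a user or computer named directly
    }

    # @($null) still iterates once, so entries without AD members keep a row
    foreach ($m in @($members)) {
        [PSCustomObject]@{
            Identity          = $ace.IdentityReference.Value
            sAMAccountName    = $m.sAMAccountName
            FileSystemRights  = $ace.FileSystemRights
            AccessControlType = $ace.AccessControlType   # Allow or Deny
            IsInherited       = $ace.IsInherited
        }
    }
}

$report | Export-Csv -Path .\acl-report.csv -NoTypeInformation
```

Rows with an empty sAMAccountName are entries that did not resolve to AD members (local or well-known principals, orphaned SIDs, empty groups); they are kept so the report still reflects every ACE on the folder.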
I'm trying to create a multi purpose report to query Share permissions and group members who have access.
All the data is shown in a table on screen, or outputted to a file, but I'm having trouble with Convertto-HTML/CSV. Apparently due to not using original properties. Everything I try fails... Anyone able to figure out what can be the issue or have a solution? You can see the screenshot here.
Function Get-Membr {
$Groups = Get-Acl $UNC |
Select-Object -ExpandProperty Access |
Where-Object { (-not $_.IsInherited) -and ('NT AUTHORITY\SYSTEM','BUILTIN\Administrators','CREATOR OWNER','BUILTIN\Users' -notcontains $_.IdentityReference) } |
Select-Object -Exp IdentityReference
foreach ($Group in $Groups)
{ $group | ft Value,Name,Department #| ConvertTo-HTML
$group.Translate('System.Security.Principal.SecurityIdentifier').Value |
Get-ADGroupMember -ErrorAction SilentlyContinue |
Get-ADObject -Properties name, Department |
select name, Department |
ft -HideTableHeaders Value,Name,Department #| ConvertTo-HTML #| out-file -append $tmp
}
}
EDIT / UPDATE:
I was able to solve the issue myself by:
Function Get-Membr {
$Groups = Get-Acl $UNC |
Select-Object -ExpandProperty Access |
Where-Object { (-not $_.IsInherited) -and ('NT AUTHORITY\SYSTEM','BUILTIN\Administrators','CREATOR OWNER','BUILTIN\Users' -notcontains $_.IdentityReference) } |
Select-Object -Exp IdentityReference
$global:Results2 = foreach ($Group in $Groups){
$group.Translate('System.Security.Principal.SecurityIdentifier').Value |
Get-ADGroupMember -ErrorAction SilentlyContinue | Select-Object -Property @{l="GroupName";e={$Group}}, Name, @{name="Description";expression={(Get-ADUser -Identity $_.SamAccountName -Properties Description).Description}},@{name="Enabled";expression={((Get-ADUser $_.SamAccountName).Enabled)}},@{name="- - Action - -";e={(get-aduser -identity $_.Manager -properties DisplayName).DisplayName}}
}
}
You can see the End result here
I am trying to create a PowerShell script to audit newly created accounts & groups and who created them. The objects are created by account operators, but they are not domain admins.
I think something like this:
$Last = (Get-Date).AddDays(-1);
Get-Acl | Get-ADUser -Filter {WhenCreated -ge $Last} | FL DistinguishedName, Path,owner
But this doesn't work yet.
This one liner will let you know about the changes after a certain date. There is a whenchanged property with which you can filter down the objects.
Get-ADObject -Filter 'whenchanged -gt $dte' | Group-Object objectclass
then you can use :
get-adgroup -filter * | sort name | select Name
Get-adgroupmember "Name"
or
Get-ADGroup -filter "GroupCategory -eq 'Security'" -properties Member |
Select Name,@{Name="Members";
Expression={($_.member | Measure-Object).count}},
GroupCategory,GroupScope,Distinguishedname |
Out-GridView -Title "Select one or more groups to export" -OutputMode Multiple |
foreach {
Write-Host "Exporting $($_.name)" -ForegroundColor cyan
#replace spaces in name with a dash
$name = $_.name -replace " ","-"
$file = Join-Path -path "C:\work" -ChildPath "$name.csv"
Get-ADGroupMember -identity $_.distinguishedname -Recursive |
Get-ADUser -Properties Title,Department |
Select Name,Title,Department,SamAccountName,DistinguishedName |
Export-CSV -Path $file -NoTypeInformation
Get-Item -Path $file
}
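The "who created them" part of the question can be answered from the Security event log, since the directory attributes used above record when an object changed but not the account that did it. The following is an added example, not from the original posts: it reads the user-creation event (4720) and the security-group-creation events (4727, 4731, 4754) from every domain controller. It assumes the ActiveDirectory module, read access to the Security logs and account-management auditing enabled on the DCs; the output column names are illustrative.

```powershell
# Added example. Assumes the ActiveDirectory module, read access to the
# Security log on every domain controller, and account-management auditing
# enabled on them. A creation event is written only on the DC that handled
# the request, so each DC is queried.
Import-Module ActiveDirectory
$Last = (Get-Date).AddDays(-1)

# 4720 = user created; 4727 / 4731 / 4754 = security group created
$kind  = @{ 4720 = 'user'; 4727 = 'global group'; 4731 = 'local group'; 4754 = 'universal group' }
$query = @{ LogName = 'Security'; Id = 4720, 4727, 4731, 4754; StartTime = $Last }

$created = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    # SilentlyContinue also hides "no matching events" on quiet DCs
    Get-WinEvent -ComputerName $dc -FilterHashtable $query -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            # Flatten <EventData><Data Name="...">value</Data> into a hashtable
            $d = @{}
            ([xml]$evt.ToXml()).Event.EventData.Data |
                ForEach-Object { $d[$_.Name] = $_.'#text' }

            [PSCustomObject]@{
                TimeCreated = $evt.TimeCreated
                DC          = $dc
                ObjectType  = $kind[$evt.Id]
                Created     = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
                CreatedBy   = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
                CreatorSid  = $d.SubjectUserSid
            }
        }
}

$created | Sort-Object TimeCreated | Format-Table -AutoSize
```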
I would like an active directory query to list all users who only belong to "Domain Users" and no other groups.
I already tried the following query, but it showed all users with all groups they belong to:
Import-Module Activedirectory
Get-ADUser -Filter * -Properties DisplayName,memberof | % {
New-Object PSObject -Property @{
UserName = $_.DisplayName
Groups = ($_.memberof | Get-ADGroup | Select -ExpandProperty Name) -join ","
}
} | Select UserName,Groups | Export-Csv C:\temp\report.csv -NTI
Search for an empty memberof-property while PrimaryGroup is "Domain Users". No need to list the groups if you expect nothing.
Get-ADUser -Filter "samaccountname -eq 'froflatest-sshf'" -Properties Memberof, PrimaryGroup, DisplayName, Description |
Where-Object { -not ($_.memberof) -and $_.PrimaryGroup -match 'Domain Users' } |
Select-Object SamAccountName, DisplayName, Description |
Export-CSV -Path "c:\report.csv" -NoTypeInformation
Import-Module Activedirectory
Get-ADUser -Filter "*" -Properties sAMAccountName,Description, Memberof, PrimaryGroup |
Where-Object { -not ($_.memberof) -and $_.PrimaryGroup -match 'Domain Users' } | Select sAMAccountName,Description | Export-Csv C:\temp\report.csv -NTI