Powershell - SetMailboxFolderPermission only if AccessRights Not equal Reviewer - powershell

I'd like to make a script to set the access rights for everyone as "Reviewer" on the calendar of some users, members of a specific AD group.
I've already made a script which works well to do that for all members of this group.
I'd just want to make it a little smarter.
I'd like to schedule this script to run automatically once a week and to only apply to mailboxes on which the access rights are not already set as "Reviewer" for everyone.
Something like this:
$comm = Get-ADGroupMember GG_CalendarPermission-Reviewer | select -ExpandProperty name
$GetCalendar = Get-mailboxfolderpermission -identity $user":\calendar" -user default
foreach ($user in $comm) {
    if ($GetCalendar.AccessRights -ne "Reviewer") {
        set-mailboxfolderpermission -identity $user":\calendar" -user Default -accessrights reviewer
    }
    elseif($GetCalendar.AccessRights -eq "Reviewer") {
        Write-Host "ALREADY DONE"
    }
}
But the "if/Elseif" doesn't seem to work :/
Could you help me please?
Thanks.

$comm = Get-ADGroupMember GG_CalendarPermission-Reviewer | select -ExpandProperty name
foreach ($user in $comm) {
    $GetCalendar = Get-Mailboxfolderpermission -identity $user":\calendar" -user default
    If ($GetCalendar.AccessRights -ne "Reviewer") {
        Set-Mailboxfolderpermission -identity $user":\calendar" -user Default -accessrights reviewer
        Write-Host 'Done'
    }
    ElseIf($GetCalendar.AccessRights -eq "Reviewer") {
        Write-Host "ALREADY DONE"
    }
}
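
An added example, not part of the original answer: a version of the same check suited to an unattended weekly run, which resolves the localized calendar folder name, treats AccessRights as a collection, and writes every decision to a CSV so changes to the Default (everyone) permission can be audited. The log path and the $dryRun switch are assumptions, and it assumes the SamAccountName resolves to the mailbox.

```powershell
# Added example: idempotent enforcement of Default = Reviewer with an audit trail.
# Needs an Exchange session and the ActiveDirectory module.
$groupName = 'GG_CalendarPermission-Reviewer'   # group name from the question
$wanted    = 'Reviewer'
$logFile   = 'C:\Logs\CalendarPermission.csv'   # hypothetical path
$dryRun    = $true                              # set to $false to apply changes

$members = Get-ADGroupMember -Identity $groupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$results = foreach ($member in $members) {
    $mbx    = $member.SamAccountName            # assumed to resolve to the mailbox
    $before = ''
    try {
        # The calendar folder name is localized (Calendar, Calendrier, Kalender, ...)
        $folder = Get-MailboxFolderStatistics -Identity $mbx -FolderScope Calendar -ErrorAction Stop |
            Where-Object { $_.FolderType -eq 'Calendar' } | Select-Object -First 1
        $cal    = '{0}:\{1}' -f $mbx, $folder.Name
        $perm   = Get-MailboxFolderPermission -Identity $cal -User Default -ErrorAction Stop
        # AccessRights is a collection; join it so the comparison and the log are unambiguous
        $before = ($perm.AccessRights | ForEach-Object { $_.ToString() }) -join ','
        if ($before -eq $wanted) {
            $action = 'Unchanged'
        }
        else {
            Set-MailboxFolderPermission -Identity $cal -User Default -AccessRights $wanted `
                -WhatIf:$dryRun -ErrorAction Stop
            $action = if ($dryRun) { 'WouldChange' } else { 'Changed' }
        }
    }
    catch {
        # A missing mailbox or folder is recorded instead of stopping the whole run
        $action = "Error: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Time    = Get-Date -Format s
        Mailbox = $mbx
        Before  = $before
        Action  = $action
    }
}

$results | Export-Csv -Path $logFile -Append -NoTypeInformation
$results | Where-Object { $_.Action -ne 'Unchanged' } | Format-Table -AutoSize
```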

Related

Move list of users from one OU to a different OU and disable them at the same time - Powershell

I currently have a script that is able to disable a list of usernames using a text file which has a list of usernames specified:
$users = Get-Content C:\disableusers.txt
foreach ($user in $users) {
    Disable-ADAccount -Identity $user
    Write-Host "user $($user) has been disabled"
}
I was wondering if it is possible to incorporate moving users from one OU to another during the execution of this script?
e.g. moving from "Users" OU to "Disabled Users" OU.
I have created another script which does move a list of usernames to "Disabled Users" OU:
$users=Get-Content C:\disableusers.txt
$OU = "distinguishedName of my Disable Users OU"
foreach ($user in $users) {
    Get-ADUser $user | Move-ADObject -TargetPath $OU
}
Any help on this is much appreciated thanks.
Both of your snippets look good to me, if you are interested in combining them into one you could use -PassThru from Disable-ADAccount to pass the disabled object through the pipeline to Move-ADObject:
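$OU = "distinguishedName of my Disable Users OU"
Get-Content C:\disableusers.txt | ForEach-Object {
    try {
        # -PassThru emits the disabled account so it can be piped to Move-ADObject
        Disable-ADAccount $_ -PassThru |
            Move-ADObject -TargetPath $OU
        # inside ForEach-Object the current username is $_ (there is no $user here)
        Write-Host "user $_ has been disabled and moved"
    }
    catch {
        Write-Error $_
    }
}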

How to change calendar permissions for all members of a group?

I'm currently trying to use PowerShell to change Outlook calendar permissions for a subset of users, so that they can all view calendar details of one another.
So far, I have been able to find the commands to change permissions for a single user, and for all users in the org - but have not yet established how to apply these changes to just a group.
Here is the script I found to modify permissions for all users:
foreach($user in Get-Mailbox -RecipientTypeDetails UserMailbox) {
    $cal = $user.alias+":\Calendar"
    Set-MailboxFolderPermission -Identity $cal -User Default -AccessRights LimitedDetails
}
In order to apply this to just a group of users, would my modifications below be correct?
foreach($user in Get-MsolGroupMember -Identity "Name of Group") {
    $cal = $user.alias+":\Calendar"
    Set-MailboxFolderPermission -Identity $cal -User Default -AccessRights LimitedDetails
}
You need to first find the group as object, because Get-MsolGroupMember doesn't have a -Identity parameter.
Then use that to get info of its users:
$groupToFind = 'DisplayName of Group'
$permissions = 'LimitedDetails'
$group = Get-MsolGroup | Where-Object { $_.DisplayName -eq $groupToFind }
if ($group) {
    # get the group members (users only) and run through
    Get-MsolGroupMember -GroupObjectId $group.ObjectId -MemberObjectTypes User -All | ForEach-Object {
        $cal = '{0}:\Calendar' -f $_.Alias
        $perms = Get-MailboxFolderPermission -Identity $cal -User Default
        if ($perms.AccessRights -contains $permissions) {
            Write-Host "User $($_.Alias) already has the '$permissions' permission"
        }
        else {
            Write-Host "Setting permissions on $cal"
            # for safety, first run with the -WhatIf switch. If you are satisfied with what
            # is output on screen, remove or comment out that switch and run again
            Set-MailboxFolderPermission -Identity $cal -User Default -AccessRights $permissions -WhatIf
        }
    }
}
else {
    Write-Warning "Could not find group '$groupToFind'..."
}
Instead of using the Where-Object clause on Get-MsolGroup, you could also do Get-MsolGroup -SearchString $groupToFind, but beware that using -SearchString will return groups that have a display name that START with this string.
If you receive "The command completed successfully, no permissions were changed", this could mean the user first needs to get permissions on the so-called top of the information store (i.e. the mailbox folder itself):
Get-MsolGroupMember -GroupObjectId $group.ObjectId -MemberObjectTypes User -All | ForEach-Object {
    $top = '{0}:\' -f $_.Alias # Top of Information Store
    $cal = '{0}:\Calendar' -f $_.Alias
    Add-MailboxFolderPermission -Identity $top -User Default -AccessRights FolderVisible -Confirm:$false
    Set-MailboxFolderPermission -Identity $cal -User Default -AccessRights LimitedDetails -Confirm:$false
}
P.S. Because Outlook runs in cache, it takes time to reflect the changes there.

PowerShell Active Directory - Compare Get-ADPrincipalGroupMembership to array of group names

I've written a script that our provisioning team uses to manage terminated users and group memberships.
The script works well, but it takes a long time due to how I chose to enumerate group memberships to begin with.
The current script uses Get-ADGroup $group -pr Members | select -ExpandProperty Members to enumerate membership.
I figure there has to be a more efficient method of doing this, so I wrote this:
$grpMemberships = Get-ADPrincipalGroupMembership $user | select name
foreach ($Group in $Groups){
    if ($grpMemberships -contains $group) {
        Write-Host "$grpMembership found!"
        Remove-ADGroupMember $grpMembership -members $user
        Write-Host "Removing $user from $grpMembership"
        "$user is a member of $group" | out-file -filepath Termed_Users-$get-date -f yyy-MM-dd.txt -Append
        Write-Host ""
    }
}
The problem is that this never seems to execute. Any idea why this doesn't work?
Thank you @Olaf
I figured it out with your assistance.
foreach ($grpMembership in $grpMemberships.name) {
    # one -contains test per membership is enough; an extra loop over $Groups would repeat the output
    if ($Groups -contains $grpMembership) {
        Write-Host "$grpMembership found!"
        #Remove-ADGroupMember $grpMembership -members $user
        Write-Host "Removing $user from $grpMembership"
        # log the group that actually matched
        "$user is a member of $grpMembership" | Out-File -FilePath "Termed_Users-$(Get-Date -f yyyy-MM-dd).txt" -Append
        Write-Host ""
    }
}

Exchange Powershell Loop Distribution List

I have this PowerShell script that gets the distribution group members and updates each member's policy.
$DL = Get-DistributionGroupMember "Distribution List GroupName"
ForEach ($Member in $DL) { Set-CASMailbox -Identity $Member.Name -OwaMailboxPolicy "Allow Download Access" }
The above code is working okay.
My question is:
How do you check if $Member.Name is an individual account or a group,
and if it's a group, then how do you call the same action script recursively?
Thank you in advance.
Untested, but I think you can determine if the member is a group or not by checking the RecipientTypeDetails property.
Something like:
function Set-DistributionGroupPolicy([string] $group) {
    Get-DistributionGroupMember $group -ResultSize Unlimited | ForEach-Object {
        if ($_.RecipientTypeDetails -match "Group") {
            # nested group: recurse instead of applying the mailbox policy to the group object
            Write-Verbose "Recursing on group '$($_.Name)'"
            Set-DistributionGroupPolicy $_.Name
        }
        else {
            Set-CASMailbox -Identity $_.Name -OwaMailboxPolicy "Allow Download Access"
        }
    }
}
# start from the top-level list used in the question
Set-DistributionGroupPolicy "Distribution List GroupName"
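
An added example, not part of the original answer: the same recursion with a visited set, so that circular nesting (group A contains B, B contains A) cannot loop forever and a mailbox reachable through two nested groups has the policy applied once. The function name Get-NestedMailboxMember and its -Seen parameter are hypothetical; the group and policy names are the ones from the question.

```powershell
# Added example: recursive expansion that survives circular and repeated nesting.
# Needs an Exchange session; -WhatIf keeps the final step a dry run.
function Get-NestedMailboxMember {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Group,
        # Names of groups already expanded, shared across the whole recursion
        [System.Collections.Generic.HashSet[string]] $Seen
    )
    if ($null -eq $Seen) {
        $Seen = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    }
    # HashSet.Add returns $false when the group was visited before: stop there
    if (-not $Seen.Add($Group)) {
        Write-Verbose "Skipping '$Group' (already expanded)"
        return
    }
    foreach ($m in Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited) {
        if ($m.RecipientTypeDetails -match 'Group') {
            Get-NestedMailboxMember -Group $m.Name -Seen $Seen
        }
        elseif ($m.RecipientTypeDetails -match 'Mailbox') {
            $m   # only mailboxes can take an OWA mailbox policy
        }
        else {
            # contacts and mail users have no CAS mailbox settings
            Write-Verbose "Ignoring $($m.Name) ($($m.RecipientTypeDetails))"
        }
    }
}

Get-NestedMailboxMember -Group 'Distribution List GroupName' -Verbose |
    Sort-Object -Property Guid -Unique |   # one pass per mailbox, however many groups list it
    ForEach-Object {
        Set-CASMailbox -Identity $_.Name -OwaMailboxPolicy 'Allow Download Access' -WhatIf
    }
```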

Returning Unique user Id in GrantSendOnBehalfTo attribute in the Get-Mailbox cmdlet

I'm pulling out delegate details of mailboxes from an Office 365 setup using the Exchange shell.
The problem is I'm getting the display name of users in the GrantSendOnBehalfTo attribute of the mailbox, which isn't a unique value. How do I print the unique ID of users in the GrantSendOnBehalfTo attribute?
I cannot test this right now, but I think this may help:
$SendOnBehalf = Get-Mailbox -Identity 'testing' | Select-Object -ExpandProperty GrantSendOnBehalfTo
foreach ($user in $SendOnBehalf) {
    try {
        # get the user or group that has SendOnBehalf permissions
        $sob = Get-User -Identity $user -ErrorAction SilentlyContinue
        if ($sob) {
            Write-Host "User: $($sob.SamAccountName)" # or use $($sob.WindowsEmailAddress) if that is more unique for you
        }
        else {
            # not a user, so try to resolve the entry as a group
            $sobGroup = Get-Group -Identity $user -ErrorAction SilentlyContinue
            if ($sobGroup) {
                Write-Host "Group: $($sobGroup.SamAccountName)"
            }
        }
    }
    catch {}
}