PowerShell command to query Exchange online autoreply configurations - powershell

We sync our local AD to Office 365.
I have been asked to get the out-of-office reply for users who are:
Disabled
Still have an Exchange mailbox.
I have some of the command but cannot figure out how to make it work:
$disabled = Get-ADUser -SearchBase "ou=Employees,ou=accounts,dc=domain,dc=local" -Filter { UserAccountControl -eq 514 } -Properties mail | Select-Object mail
foreach ($mail in $disabled) {
Get-MailboxAutoreplyConfiguration -Identity $mail
}

I believe this can be achieved without the call to AD via Get-ADUser cmdlet to get the list of disabled accounts. You can check the result of Get-Mailbox for the property ExchangeUserAccountControl. If the value is AccountDisabled then the account should be disabled in AD.
So that means you can do this:
Get-Mailbox -ResultSize Unlimited |
Where {
$_.recipienttype -eq "UserMailbox" -and # make sure we only get user mailboxes
$_.recipienttypedetails -eq "UserMailbox" -and # make sure we only get licenced mailboxes only, no shared mailboxes, no room mailboxes, etc
$_.exchangeuseraccountcontrol -like "*accountdisabled*" # make sure we only get disabled user accounts
} |
Get-MailboxAutoreplyConfiguration | # we can pipe user mailbox object directly into this cmdlet (no need to go into a foreach loop)
Format-List identity,autoreplystate,internalmessage,externalmessage # you can remove this and replace with Select then send to Csv or wherever you need
That last line with Format-List is just for viewing (and should be changed if you want to send data to a file, for example). This data can have large output depending on whether a user has internal or external messages set or not.
Please note that the above will return a list of all Active Mailboxes in your Office365 tenant that:
have an Office365 UserMailbox (should be licensed mailbox)
is Disabled in Active Directory (AD account has Enabled : $False)
You can tell if the AutoReply messages are Active by looking at the autoreplystate value. It will either be Enabled or Disabled. So you can even add another Where clause to filter down to only those mailboxes that have autoreplystate : Enabled to only view mailboxes that have active auto replies set (based on your description, this was not clear if it was required or not).

Related

Is there a way to tell if automapping is enabled for mailbox permissions in Office 365 via Powershell?

I tried the PowerShell command below to extract a report for all Shared Mailboxes to our tenant. It was successful but it didn't provide the information I need. I would like to know as well if the automapping is set as "True" or "False" for each member of a Shared Mailbox. TIA!
Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize:Unlimited | Get-MailboxPermission | Select-Object Identity,User,AccessRights,IsInherited | Where-Object {($_.user -like '*@*')} | Export-Csv C:\Users\xxxxx\Downloads\xxxxx.csv -NoTypeInformation
Based on this sentence:
There is a way for on-prem and for hybrid. Are you in a hybrid setup? If automapping is NOT being utilized by a user, the user who has access to the mailbox does not appear in the msExchDelegateListLink attribute on the shared mailbox AD user object. If automapping IS being utilized by a user, you'll see the user DN within the attribute. For on-prem, it's just this one attribute. There is a second attribute for hybrid called msExchDelegateListBL.
I found this:
Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize:Unlimited | % {get-aduser -identity $_.distinguishedname -properties msExchDelegateListLink, msExchDelegateListBL}
What do you think? Does this command really work?

Identify AD user account from Disconnect Exchange Mailbox

I've been trying to do this for a while now. When Exchange mailboxes are disabled or soft-deleted they are disconnected from their AD user account object. We can reconnect them if we want to, but is there a way to identify the AD user account it was associated with before disconnect?
I'm not an on-prem Exchange Administrator but have the necessary access for Recipient Configuration.
I've been able to use the displayName property from Get-MailboxStatistics results, but displayName is not a unique attribute (like distinguishedname, for instance).
I'm connecting to Exchange Server 2013 via PowerShell remote PSSession.
I know LastLoggedOnUserAccount property is no longer an option with 2013.
I see Mailbox auditing can help, but this needs to be enabled per mailbox; this is out of my work scope and might add a big overhead in large organizations.
The Search-MailboxAuditLog cmdlet is not visible for me in my Exchange Management PowerShell session.
Any solution/workaround would be very much appreciated.
I cannot test this myself, but there is a property returned by Get-MailboxStatistics you could use, which is called MailboxGuid.
Below should get you a list of disconnected mailboxes where, besides the DisplayName, the user's EmailAddress and DistinguishedName are returned.
Get-MailboxStatistics | Where-Object { $_.DisconnectReason } | ForEach-Object { # get disconnected mailboxes
    $email = Get-User -Identity $_.MailboxGuid.Guid | Select-Object -ExpandProperty WindowsEmailAddress
    $userDN = Get-Mailbox -Identity $email | Select-Object -ExpandProperty DistinguishedName
    # pass the current statistics object to Select-Object and add the two looked-up values as calculated properties
    $_ | Select-Object DisconnectDate, DisconnectReason, DisplayName,
        @{Name = "EmailAddress"; Expression = { $email }},
        @{Name = "DistinguishedName"; Expression = { $userDN }}
}

Remove full access permissions of all disabled users on shared mailboxes with exchange management shell

I’m looking for a powershell exchange script to remove Full access permissions of all disabled users on all shared mailboxes in a specific OU.
This is what I got so far
Remove-MailboxPermission -Identity Sharedmailbox -AccessRights Fullaccess -InheritanceType all -user DisabledUser -Confirm:$false | where {$_.UseraccountControl -like "*accountdisabled*"}
It seems to work but I’m not sure about the last piece of the script, if it will check for “accountdisabled”.
Then I created a variable so it will check only one specific OU
$ou = Get-ADUser -SearchBase "OU=Functional Mailboxes,OU=Generalaccounts,DC=DOMAIN,DC=COM" -Filter *
foreach ($user in $ou)
Remove-MailboxPermission -Identity "$ou" -AccessRights Fullaccess -InheritanceType all -Confirm:$false | where {$_.UseraccountControl -like "*accountdisabled*"}
The script is checking the right OU but I'm still looking for the last part where it will automatically remove full access permissions of the disabled users ONLY.
Can someone show me the way?
Instead of trying to screen for disabled users after removing the mailbox permissions (which is what your Remove-MailboxPermission ... | Where-Object ... appears to be intended to do - except that the way you wrote it, it's only checking for disabled state after removing the permissions), try selecting for the disabled accounts first, then passing only the disabled accounts to Remove-MailboxPermission:
Get-ADUser -SearchBase ... -filter {Enabled -eq $false} | Remove-MailboxPermission ...
(replacing ... with the appropriate SearchBase or parameters for Remove-MailboxPermission, using $_ for the identity of the ADUser whose mailbox permissions you're removing.)
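The select-first, remove-second approach from the answer above, written out as an added example (not code from the original posts). It assumes the Exchange Management Shell with the ActiveDirectory module, a single AD domain, and that the shared mailboxes live in the OU named in the question; the removal keeps -WhatIf so nothing changes until the list has been reviewed.

```powershell
# Added example, not from the original posts.
Import-Module ActiveDirectory
$ou = 'OU=Functional Mailboxes,OU=Generalaccounts,DC=DOMAIN,DC=COM'   # OU from the question

# Build a lookup of disabled accounts once.
# Assumption: single AD domain, so sAMAccountName identifies a trustee uniquely.
$disabled = @{}
Get-ADUser -Filter 'Enabled -eq $false' |
    ForEach-Object { $disabled[$_.SamAccountName] = $_.DistinguishedName }

# Collect explicit FullAccess grants held by disabled accounts on shared mailboxes in the OU.
$stale = foreach ($mbx in Get-Mailbox -OrganizationalUnit $ou -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {
    Get-MailboxPermission -Identity $mbx.DistinguishedName |
        Where-Object {
            -not $_.IsInherited -and -not $_.Deny -and
            $_.AccessRights -contains 'FullAccess'
        } |
        ForEach-Object {
            # Trustees are listed as DOMAIN\sAMAccountName; unresolved SIDs and
            # NT AUTHORITY\SELF never match the lookup table and are skipped.
            $sam = ($_.User.ToString() -split '\\')[-1]
            if ($disabled.ContainsKey($sam)) {
                New-Object PSObject -Property @{
                    Mailbox = $mbx.DistinguishedName
                    User    = $_.User.ToString()
                    UserDN  = $disabled[$sam]
                }
            }
        }
}

# Review what would be removed before touching anything.
$stale | Format-Table Mailbox, User -AutoSize

# Remove only the grants found above; drop -WhatIf once the list looks right.
foreach ($entry in $stale) {
    Remove-MailboxPermission -Identity $entry.Mailbox -User $entry.User `
        -AccessRights FullAccess -InheritanceType All -Confirm:$false -WhatIf
}
```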

user to see Terms and conditions screen at password change

The company I am working for would like a splash screen that I did to pop up whenever a user changes password (90 day rule at present). This is mainly due to an external requirement.
One of the snags I have is that the system has no email to show me that a user is expiring. I am looking at a couple of things:
A log output of expired accounts and locked accounts, ignoring accounts not logged on disabled accounts system etc.
On the 90 day policy a splash screen pops up with the T&C with an accept or decline window (they see this when they first turn the PC on, and it pops up just before the logon box, basically saying by accepting you agree to have read blah and blah).
I do not know how to get either this to run as one script or have two separate scripts.
Any input greatly appreciated.
Import-Module ActiveDirectory # Required for PowerShell 2.0 only
$a = (Get-Date).Date.AddDays(-89)
# The following line will build the variable based upon the noted criteria
$b = Get-ADUser `
-Property Name, SamAccountName, PasswordLastSet, CannotChangePassword, PasswordNeverExpires `
-Filter { (PasswordLastSet -lt $a) -and (PasswordNeverExpires -eq $false) } |
Where-Object { $_.CannotChangePassword -eq $false }
# The following line will display/export the data logging the accounts to be changed
# please note the Out-File path and change to suit your needs.
$b | Format-Table Name, PasswordLastSet, CannotChangePassword, PasswordNeverExpires -AutoSize |
Out-File -FilePath "C:\passwordchanges.txt"
# The following line will actually flag the accounts to require a password change
# (after -WhatIf is removed)
$b.SamAccountName | ForEach-Object {
Set-ADUser -Identity $_ -ChangePasswordAtLogon $true -WhatIf
}

Powershell command to hide user from exchange address lists

I'm trying to write powershell script which hides user from exchange lists.
I was able to find following command:
Set-Mailbox -Identity [user id here] -HiddenFromAddressListsEnabled $true
And it doesn't give me an error message, and when I run the command twice, I get following warning:
WARNING: The command completed successfully but no settings of '[user id here]' have been modified.
Which probably means that the command did actually work.
But when I go to Exchange Management Console, and open user profile, "hide user from exchange address lists" check box is off.
What could be the reason?
I use this as a daily scheduled task to hide users disabled in AD from the Global Address List
$mailboxes = get-user | where {$_.UserAccountControl -like '*AccountDisabled*' -and $_.RecipientType -eq 'UserMailbox' } | get-mailbox | where {$_.HiddenFromAddressListsEnabled -eq $false}
foreach ($mailbox in $mailboxes) { Set-Mailbox -HiddenFromAddressListsEnabled $true -Identity $mailbox }
You can use the following script, just replace DOMAIN with the name of your domain. When executed it will prompt you for a userlogin then hide that user's account from the address lists.
$name=Read-Host "Enter login name of user to hide"
Set-Mailbox -Identity DOMAIN\$name -HiddenFromAddressListsEnabled $true
Brian.
I was getting the exact same error, however I solved it by running $false first and then $true.
You will have to pass one of the valid Identity values like DN, domain\user etc to the Set-Mailbox cmdlet. Currently you are not passing anything.
"WARNING: The command completed successfully but no settings of '[user id here]' have been modified."
This warning means the setting was already set like what you want it to be. So it didn't change anything for that object.
For Office 365 users or Hybrid exchange, go to using Internet Explorer or Edge, go to the exchange admin center, choose hybrid, setup, choose the right button for hybrid or exchange online.
To connect:
Connect-EXOPSSession
To see the relevant mailboxes:
Get-mailbox -filter {ExchangeUserAccountControl -eq 'AccountDisabled' -and RecipientType -eq 'UserMailbox' -and RecipientTypeDetails -ne 'SharedMailbox' }
To block based on the above idea of 0KB size:
Get-mailbox -filter {ExchangeUserAccountControl -eq 'AccountDisabled' -and RecipientTypeDetails -ne 'SharedMailbox' -and RecipientType -eq 'UserMailbox' } | Set-Mailbox -MaxReceiveSize 0KB -HiddenFromAddressListsEnabled $true