I'm trying to generate a mailbox report for our hosted Exchange platform and automate things a bit. Basically each tenant is in an OU. So I'm trying to first pull a list of OU's, then count the mailboxes in each OU. Here's what I have so far:
$ous = (Get-ADOrganizationalUnit -SearchBase "OU=Microsoft Exchange Hosted Organizations,DC=yomamma,DC=com" -Filter { (ObjectClass -eq 'organizationalunit') -and (Name -notlike 'Hosted Organization Security Groups') -and (Name -Notlike 'Microsoft Exchange Hosted Organizations') })
foreach ($ou in $ous) {
(Get-Mailbox -Organization $ou.Name -Filter {( Name -notlike 'Administrator' -and Name -notlike 'DiscoverySearch*' )} -ResultSize unlimited).count
}
It works... sort of. The result will be a ton of numbers on each line, a mailbox count for each OU. Problem is, then I have OU's in the $ous variable, and I'm outputting the count to the screen. What I need is output two columns, the OU, alongside the count in another column, so I can pipe it into Export-CSV cmdlet so I can have client name (OU), and the count in a CSV file to them email.
I'm just not sure how to get that combination of data all at once.
Easiest way to organise information is to put it into an object, if you need to alter the data later on it's already in an object that you can manipulate.
$ous = (Get-ADOrganizationalUnit -SearchBase "OU=Microsoft Exchange Hosted Organizations,DC=yomamma,DC=com" -Filter { (ObjectClass -eq 'organizationalunit') -and (Name -notlike 'Hosted Organization Security Groups') -and (Name -Notlike 'Microsoft Exchange Hosted Organizations') })
foreach ($ou in $ous)
{
# This is how many mailboxes this OU has
$mailboxCount = (Get-Mailbox -Organization $ou.Name -Filter {( Name -notlike 'Administrator' -and Name -notlike 'DiscoverySearch*' )} -ResultSize unlimited).count
# This is a fancy object to store our information
$mailboxObject = New-Object psobject -Property ([Ordered]`
#{
"OU" = $ou
"MailboxCount" = $mailboxCount
})
# You can export your CSV here or do other stuff
# $mailboxObject | Export-CSV C:\MyPath -NoTypeInformation
}
Small note: If you're not using PowerShell v3 take out the [Ordered] attribute :)
If I'm understanding you correctly, the answer is very simple. This will output csv content. If you'd prefer, you can drop the quotes and replace the comma with a `t, then you can copy/paste from the PowerShell console into Excel.
$ous = (Get-ADOrganizationalUnit -SearchBase "OU=Microsoft Exchange Hosted Organizations,DC=yomamma,DC=com" -Filter { (ObjectClass -eq 'organizationalunit') -and (Name -notlike 'Hosted Organization Security Groups') -and (Name -Notlike 'Microsoft Exchange Hosted Organizations') })
foreach ($ou in $ous) {
'"' + $ou.Name + '",' + (Get-Mailbox -Organization $ou.Name -Filter {( Name -notlike 'Administrator' -and Name -notlike 'DiscoverySearch*' )} -ResultSize unlimited).count
}
Related
I am trying to run a command where I get all active directory users in the parent OU (Users) and filter out the child OU's (Admin accounts, service accounts, disabled accounts) as well as filter out any user account that does not have a surname in the surname field.
At the moment I have
Get-ADUser -Filter{enabled -eq $true} -SearchBase 'OU=Users,OU=Company,DC=CompanyName,DC=local' | Where-Object { $_.DistinguishedName -notlike "*,$Disabled" } | Where {$_.Surname -notlike "$Null"} | select samAccountName
When I add another child OU after 'Disabled' there is an error
Where-Object : A positional parameter cannot be found that accepts argument 'Where'.
Please may someone advise on how to filter out additional child OU's?
Good day Smoore
The problem is you are using multiple Where-object cmdlets but you only need one and separate them using () and adding the -and option, also to refer to $null value you don't need to use the "" marks
Get-ADUser -Filter {Enabled -eq $true} -SearchBase "OU=Users,OU=Company,DC=CompanyName,DC=local" | Where-Object {($_.DistinguishedName -notlike "*,$Disabled*") -and ($_.Surname -notlike $Null)} | select samAccountName
With this options you should be able to get all the users you want
Have a nice day!
I would use a regex -notmatch so it would be possible to combine all OU Distinguished names in just one variable.
Something like this:
$Admins = 'OU=Administrators,OU=Company,DC=CompanyName,DC=local'
$Service = 'OU=ServiceAccounts,OU=Company,DC=CompanyName,DC=local'
$Disabled = 'OU=DisabledUsers,OU=Company,DC=CompanyName,DC=local'
# build a regex string from the above OU DistinguishedNames
$Exclude = '({0}|{1}|{2})$' -f [regex]::Escape($Admins), [regex]::Escape($Service), [regex]::Escape($Disabled)
Get-ADUser -Filter 'Enabled -eq $true' -SearchBase 'OU=Users,OU=Company,DC=CompanyName,DC=local' |
Where-Object { ![string]::IsNullOrWhiteSpace($_.Surname) -and $_.DistinguishedName -notmatch $Exclude } |
Select-Object SamAccountName
As per your comment:
$Admins = 'OU=Administrators,OU=Company,DC=CompanyName,DC=local'
$Service = 'OU=ServiceAccounts,OU=Company,DC=CompanyName,DC=local'
$Disabled = 'OU=DisabledUsers,OU=Company,DC=CompanyName,DC=local'
# the group you want to add the users to
$TargetGroup = 'Company Team'
# build a regex string from the above OU DistinguishedNames
$Exclude = '({0}|{1}|{2})$' -f [regex]::Escape($Admins), [regex]::Escape($Service), [regex]::Escape($Disabled)
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase 'OU=Users,OU=Company,DC=CompanyName,DC=local' |
Where-Object { ![string]::IsNullOrWhiteSpace($_.Surname) -and $_.DistinguishedName -notmatch $Exclude }
# get the AD group as object
$GroupObject = Get-ADGroup -Filter "Name -eq '$TargetGroup'"
# now add these users that have Surnames to the security group all in one go
try {
Write-Host "Adding $(#($users).Count) users to group $TargetGroup"
$GroupObject | Add-ADGroupMember -Members $users -ErrorAction Stop -Verbose
}
catch {
Write-Warning "Error: $($_.Exception.Message)"
}
# or if you prefer loop through the users and add each one individually then use this instead
# foreach ($user in $users) {
# try {
# Write-Host "Adding user $($users.Name) to group $TargetGroup"
# $GroupObject | Add-ADGroupMember -Members $user -ErrorAction Stop -Verbose
# }
# catch {
# Write-Warning "Error adding user $($users.Name) to group $($TargetGroup): $($_.Exception.Message)"
# }
# }
Basically what i'm trying to achieve here is an output with 4 column/list (in this case i'm exporting as a text)
Get-MailboxPermission gives me a property of identity, user, accessrights but it doesn't give me a property of "Manager". I need to identify where that particular user reports to. So, i tried PSCustomObject and hoping i can put the results in an array. See script below
$GETMAILBOXPERM = Get-Content C:\Users\Account\Desktop\MailboxUsers\MAILBOXESUSERS.txt | ForEach-Object {Get-MailboxPermission $_ |
where {
($_.User -notlike ‘*NT AUTHORITY*’) -and
($_.User -notlike ‘*S-1-5-21-*’) -and
($_.User -notlike ‘*NAMPRD08*’) -and
($_.User -notlike ‘*PRDTSB01*’) -and
($_.User -notlike ‘*0365Admin*’) -and
($_.User -notlike ‘*Discovery Management*’) -and
($_.User -notlike ‘*NAMPR08A005*’) -and
($_.User -notlike ‘*NT AUTHORITY*’)
}
}
$Results = foreach( $Mailbox in (get-content C:\Users\Account\Desktop\MailboxUsers\MAILBOXESUSERS.txt))
{
$Users = Get-User $Mailbox
if ($Users){
foreach ($User in $Users){
[pscustomobject]#{
DisplayName = $User.name
Account = $GETMAILBOXPERM.user
Manager = $User.manager
Access = $GETMAILBOXPERM.accessrights
}
}
}
}
$Results | Format-List -Property DisplayName, Account, Manager, Access | Out-File C:\Users\Account\Desktop\MailboxUsers\mailbox4.txt
Here's the output in text file. I get the DisplayName and Manager right but the Account and Access just doesn't seem to loop from the text file.
DisplayName : MAILBOX1
Account : {user1#domain.ca, user2#domain.ca, user3#domain.ca, user4#domain.ca...}
Manager : MANAGER1
Access : {FullAccess, FullAccess, FullAccess, FullAccess...}
DisplayName : MAILBOX2
Account : {user1#domain.ca, user2#domain.ca, user3#domain.ca, user4#domain.ca...}
Manager : MANAGER2
Access : {FullAccess, FullAccess, FullAccess, FullAccess...}
The user manager attribute is normally in ADDS, not Exchange. Yet, that text file seems to be where you are getting this from vs dynamically from ADDS.
Why are you using Format-List?
PowerShell will automatically format as a list the moment you columns exceed 5.
This is untested, since I do not have an environment to try it on, but a refactor of what you have here. Give it a shot.
$GetMailboxPerm = Get-Content -Path 'C:\Users\Account\Desktop\MailboxUsers\MAILBOXESUSERS.txt' |
ForEach-Object {Get-MailboxPermission $PSitem |
where {
($PSitem.User -notlike ‘*NT AUTHORITY*|
*S-1-5-21-*|
*NAMPRD08*|
*PRDTSB01*|*0365Admin*|
*Discovery Management*|
*NAMPR08A005*|
*NT AUTHORITY*’)
}
}
foreach( $Mailbox in (Get-Content -Path 'C:\Users\Account\Desktop\MailboxUsers\MailboxUsers.txt'))
{
$Users = Get-User $Mailbox
if ($Users)
{
foreach ($User in $Users)
{
[pscustomobject]#{
DisplayName = $User.name
Account = $GetMailboxPerm.user
Manager = $User.manager
Access = $GetMailboxPerm.accessrights
} | Out-File -FilePath 'C:\Users\Account\Desktop\MailboxUsers\mailbox4.txt' -Append
}
}
}
$computers = Get-ADComputer -Filter * -Properties * | Where-Object {$_.Name -like "LT*" -or $_.Name -like "PC*" -or $_.Name -like "MC*"} | Select name,lastlogondate
"You have [{0}] computers in domain [{1}]" -f $computers.count, (get-addomain).dnsroot
$today = Get-Date
$monthago = $today.AddDays(-30)
"Looking for systems that have not logged in since $monthago"
foreach ($computer in $computers)
{
if ($computer.lastlogondate -lt $monthago)
{"Computer [$computer] suspect"
"last logon $($computer.lastlogondate)"
""}
}
returns the following result:
Computer [#{name=lt020367; lastlogondate=10/23/2019 11:45:38}] suspect
last logon 10/23/2019 11:45:38
Can someone possibly tell me why my output is resulting in [#{ and how to resolve?
by get-adcomputer [...] | Select name,lastlogondate you are creating an object. To output properties of those objects, simply use:
"Computer [$($computer.name)] suspect"
"last logon $($computer.lastlogondate)"
By the way:
Getting all * properties is not ideal. Always filter as early as you can: -properties lastlogondate (name is always returned). Same goes for -filter "name -like 'LT*' -or name -like 'PC*' -or name -like 'MC*'".
Also be careful as lastlogondate of computer objects in AD is not synced between domain controllers.
I was wondering if this script could be changed into one for only active users?
import-module ActiveDirectory
Start-Transcript -Path "C:\test\teetest.txt"
$groups = Get-ADGroup -filter {(name -like "runners*") -or (name -like "helpers*")
foreach($group in $groups)
{
$countUser = (Get-ADGroupMember $group.DistinguishedName).count
Write-Host "The group $($group.Name) has $countUser user(s)."
}
Stop-Transcript
Any help would be appreciated.
If I understand your question correctly and by active users you mean groups with at least 1 member(i.e. greater than 0). You could just filter out results using Where-Object cmdlet. Like so:
$groups = Get-ADGroup -filter {(name -like "runners*") -or (name -like "helpers*") -Properties Members | Where-Object { $_.Members.Count –gt 0 }
Yes, you can add a filter to only get the number of active Members in the Group.
Since Get-ADGroupMember doesn't supply all properties for the Users you have to do another lookup for each of them:
$countUser = (Get-ADGroupMember $group.DistinguishedName | % { Get-ADuser -Identity $_ -Property Enabled | Where-Object {$_.Enabled -eq $true}}).count
Explanation:
% { Get-ADuser -Identity $_ -Property Enabled - Get the Informations for each User found in the Group with the Enabled Property added to it
Where-Object {$_.Enabled -eq $true} - Filters the users that are enabled
I think this may be because the Get-ADGroupMember not just returns user objects with a limited set of properties, but can also return groups and computers.
Since you are only looking for users that are direct descendents of the groups 'runners*' or 'helpers*', it is better to limit the objects returned by the Get-ADGroupMember cmdlet to be users only.
Below I do this by adding Where-Object { $_.objectClass -eq "user" }.
Next, to ensure the .Count property can be used I would suggest to enclose the thing in a #() so the returned value actually is an array and therefore has the Count property.
For a script like this, I also suggest NOT to try and put it all in one single line, because that makes spotting mistakes (like forgetting a closing bracket) more difficult.
Try this:
Start-Transcript -Path "C:\test\teetest.txt"
$groups = Get-ADGroup -Filter {(name -like "runners*") -or (name -like "helpers*")}
foreach($group in $groups) {
$countUser = 0
Get-ADGroupMember $group.DistinguishedName | Where-Object { $_.objectClass -eq "user" } |
ForEach-Object {
if ((Get-ADuser -Identity $_.DistinguishedName).Enabled) { $countUser++ }
}
Write-Host "The group $($group.Name) has $countUser user(s)."
}
Stop-Transcript
Replace the $countUser statement alone with below example.
For only Enabled User Accounts
$countUserEnabled = (get-aduser -filter *|where {$_.enabled -eq "True"}).count
For only Disabled User Accounts
$countUserDisabled = (get-aduser -filter *|where {$_.enabled -ne "False"}).count
I am trying to automate permissions on an Exchange Server.
In our environment there is a need to share all mailboxes inbetween a group of users (all users except few filtered-out ones).
Get-Mailbox -ResultSize unlimited -filter {Alias -notlike 'admin*' -And Alias -notlike 'user1*' -And Alias -notlike 'user2*' -And Alias -notlike 'user3*' -And Alias -notlike 'user4*' -And Alias -notlike 'user5*' -And Alias -notlike 'user6*' -And Alias -notlike 'user7*' -And Alias -notlike 'user8*'} | foreach-Object { Add-MailboxPermission -Identity $_.Alias -User $_.Alias -AccessRights FullAccess -InheritanceType All}
Currently each Alias gets FullAccess to itself.. How can I achieve giving permissions to all filtered users?
Adding a code here.
$MailboxeAlias = Get-Mailbox -ResultSize unlimited -Filter {Alias -notlike 'admin*' -And Alias -notlike 'user1*'}
ForEach ($Mailbox in $MailboxeAlias)
{
$GroupUsers = Get-ADGroupMember "Groupname" | select Samaccountname
Foreach ($User in $GroupUsers)
{
Add-MailboxPermission -Identity $Mailbox -User $User.SamAccountName -AccessRights FullAccess -InheritanceType All}
}
With that code you get all the mailboxes and for each mailbox then you query the users in a group you want to have access to that and for each user in that group you run the permission command.
I don't know if it works as it is or maybe you need to make some fixes.