The Google Apps Email Settings API describes creating and retrieving Send-as aliases, but not how to delete them. Is it possible to do this via the API, or is there a workaround?
I'm using the Directory API to add and delete user aliases, which takes care of whether someone can receive at an alias, but I'm stuck on how to remove their Send-as alias.
The ability to delete send-as aliases has been added to the API, though I haven't tested it myself - https://developers.google.com/gmail/api/v1/reference/users/settings/sendAs/delete
There is no sendas delete method. Users must manually delete the sendas from the UI.
The Directory API has a method to "delete all aliases". Not sure if that includes "sendas" alias but might be worth checking.
I am very new to AD and to PowerShell and I can't quite figure this out.
Let's suppose I have this folder "\\server\Departament\ExampleFolder" and I don't have any permissions to read, I can't even see who the owner is. Get-Acl returns an UnauthorizedAccessException error because, well, I don't have any permission to do so.
I need to create a script that finds the owner of this folder and sends an email asking for access permissions.
My question is this: Is there any way I can find the folder owner using AD without having any permission to the folder?
The owner is in the same AD domain as me (at least it should be).
The answer is no.
If you look at the NTFS File Permissions table, you will need at least the Special Permission: Read Permissions privilege in order to read the permissions including folder ownership. If you don't have the general Read permissions or Special Permission: Read Permissions privilege, then you can't see folder ownership at all.
There is no way around it or tricks... because security is... well... security and that's how it works.
You must first take ownership to see who has access, although overwriting means you will never know who used to have ownership. If you are the network admin administering access to these files, then you can click on change, navigate to the location of that server admin, and apply, then push down to all child objects (NOTE: do not push the NTFS permissions, JUST the owner).
I do believe that MS should allow you to view the owner of a folder even without read, but not the full permissions list or, of course, any files. But allowing you to view the owner means you could then ask that owner for access without any security breaches to the files themselves.
I'm trying to answer what I hope is a simple question. I have a device enrolled in AzureAD and autopiloted. Using the IntuneManagementExtension I'd like to acquire the FULL user name of the user currently logged in to use elsewhere in scripts. I cannot see a way of doing it.
All the examples I can find return either the short name, or the AzureAD domain and the user name, for example:
Tenant is mytestdomain.onmicrosoft.com
User is mytestuser#mytestdomain.com
Most methods, if you just Google or search Stack Overflow, will return either:
AzureAD\mytestuser
or
mytestuser
I need one that returns the full mytestuser#mytestdomain.com. This is because the tenant has several vanity names so I need to determine which one is logged in (for example mytestuser#mytestdomain.com is a different user account to mytestuser#mytestdomain2.com or mytestuser#mytestdomain3.com). Therefore, I can't just append my tenant name on the end of the output of other methods.
Any thoughts appreciated. Methods that require installation of msol/azuread modules don't seem to work as they require user login, which defeats the point, and as it's being run by the intune management extension, the user can't interact anyway.
Thanks
I'm a little busy to test this right now, but it should do the trick.
You can have Intune run a Powershell script. This command will return the full user account name in the format you've described.
whoami.exe /UPN
Since you've stated you want the user who is logged in already, when you are configuring the settings in Intune, make sure to select the option to "Run this script using the logged on credentials".
This line will return UPN from domain join info in registry.
Must be run with admin privileges.
[string]$($1='Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo\';if(Test-Path -Path $1){(Get-ItemProperty -Path ('{0}\{1}' -f ($1,(Get-ChildItem -Path $1).Name.Split('\')[-1])) -Name 'UserEmail' | Select-Object -ExpandProperty 'UserEmail')}else{''})
Is it possible to get a list of who has permissions to a folder in a user's mailbox in exchange 2007?
As far as I know it is not possible via exchange management shell. It is possible however in E2k10+ using the Get-MailboxFolderPermission. This is not available in E2k07.
If it is not possible in PowerShell, is there any other software available that can accomplish this?
You can use the EWS managed API with PowerShell to get the folder delegates for the mailbox. Glen Scales has some excellent articles on using this API with PowerShell, including one on getting delegate information:
http://gsexdev.blogspot.com/2012/03/ews-managed-api-and-powershell-how-to.html#!/2012/03/ews-managed-api-and-powershell-how-to.html
I just tried on Exchange 2007, and it works:
$permissions = Get-Mailbox "$first.$last" | Get-MailboxPermission
I need to compare AD users permissions (one user can "unset" an attribute and another cannot, both can change it).
How can I dump/compare user account "effective permissions", which I find when I go to user account > Security > Advanced > Effective Permissions (and select a user account), with PowerShell?
Using Quest Free PowerShell Commands for Active Directory is simple:
Get-QadPermission useraccountname -Inherited
or better way:
Get-QADUser -Name useraccountname -SecurityMask DACL | Get-QADPermission -Inherited -SchemaDefault
This returns all effective permissions, inherited or explicitly assigned, for the user 'useraccountname'.
The comparison can be made with compare-object.
A very simple example:
compare-object (Get-QADPermission userA -Inherited | select Rights) (Get-QADPermission userB -Inherited | select rights)
We were in a similar situation once and needed to know who all could delete one of our main OUs, so we figured that maybe we should dump the ACL on the OU and look for everyone who had delete permissions on the object. Of course dsacls was very helpful in this regard and we could dump the ACL on it easily.
But then, as we started looking at the ACL, we found that it had almost 60 permission entries, including about half a dozen deny entries, some of which were direct and others inherited. We initially didn't consider the denies and came up with a list of about 200 users who could delete the OU, but that did not seem right; it seemed too high. Then, we realized that we had to intersect the denies with the allows!
So we flattened all deny permissions, and all allow permissions, but then we had to figure out which of these denies would apply, since some of them were inherited, and I believe the inherited ones don't negate any direct allows, so that took some more painstaking work, and while doing it we realized that some of those inherited permissions did not apply to the object, so we had to start from scratch!
Finally, we almost gave up, and when I asked one of our Enterprise Admins, he said what we needed to do was determine Effective Permissions on our OU, and he pointed us to the Effective Permissions Tab in the Active Directory Users and Computers snap-in.
So we launched ADUC and navigated to the Effective Permissions Tab, and figured it would be a matter of clicking OK somewhere. However, we soon realized that it needed us to enter each person's name individually. Now, we have almost 2000 people in our environment, so there was no way we could put in 2000 people's names one by one. The other thing was that even for a single person, it would show us all the effective permissions for that person, and in technical terms, which we would have to further refine.
We then figured we'd give PowerShell a shot, and looked at many options to do this using PowerShell, but there was no easy way to determine effective permissions in AD using PowerShell, which was disappointing. In particular, we tried Quest's free PowerShell commands Get-QadPermission useraccountname and Get-QADUser -Name useraccountname, but we were disappointed to see that this only retrieved the list of all permissions specified for a given user. It did not reveal the Effective Permissions granted to a user. We found ourselves having to start with the results it brought back to then manually try and determine effective permissions, which was not worth our time.
So, we had almost given up hope, but before quitting we thought we would just Google "Active Directory Effective Permissions Tool" with the hope that there must be something out there that could do this for us. I am glad we did because we found a tool that could do exactly what we needed: figure out effective permissions on our OU and give us the ability to export these effective permissions -
http://www.paramountdefenses.com/goldfinger_capabilities_true_effective_permissions_for_active_directory.html
We found that this tool (called Gold Finger for AD) has the ability to determine Effective Permissions on Active Directory objects, and provide the output such that we could easily see the list of all users who had "effective permissions" for a specific right on an object. For instance, we were able to use it to determine and enumerate the list of all admins who had "effective delete access" rights on the OU we were interested in.
It has turned out to be quite helpful for us, and maybe it could be of help to you too. I just thought I would share this because I've been down the dsacls route and I wouldn't want you to go through the same pain we did in trying to manually do this. It's just too painful to do manually.
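The allow/deny precedence worked out by hand in the answer above, as an added example that is not part of the original posts: for a single right, Windows walks the ACEs in canonical order (explicit deny, explicit allow, inherited deny, inherited allow) and the first ACE matching the user or one of their groups decides. The ACEs, group names and users below are constructed sample data, and the model assumes flat group membership and one level of inheritance; it ignores object-specific ACEs and rights granted on the parent container.

```powershell
# Constructed sample data: ACEs on a hypothetical OU (not read from a live directory).
$aces = @(
    [pscustomobject]@{ Trustee='OU Admins';   Type='Allow'; Right='Delete'; Inherited=$false; AppliesTo='organizationalUnit' }
    [pscustomobject]@{ Trustee='Interns';     Type='Deny';  Right='Delete'; Inherited=$false; AppliesTo='organizationalUnit' }
    [pscustomobject]@{ Trustee='Contractors'; Type='Deny';  Right='Delete'; Inherited=$true;  AppliesTo='organizationalUnit' }
    [pscustomobject]@{ Trustee='Help Desk';   Type='Allow'; Right='Delete'; Inherited=$true;  AppliesTo='organizationalUnit' }
    # Inherited ACE scoped to user objects only: it must not count for the OU itself.
    [pscustomobject]@{ Trustee='Temps';       Type='Allow'; Right='Delete'; Inherited=$true;  AppliesTo='user' }
)

# Constructed, already-flattened group memberships.
$memberOf = @{
    alice = @('OU Admins', 'Contractors')   # explicit allow + inherited deny
    bob   = @('Help Desk', 'Contractors')   # inherited allow + inherited deny
    carol = @('OU Admins', 'Interns')       # explicit allow + explicit deny
    dave  = @('Help Desk')                  # inherited allow only
    erin  = @('Temps')                      # only an ACE that does not apply to OUs
}

function Get-EffectiveDecision {
    param([string]$User, [string]$Right, [string]$ObjectClass, $Aces, [hashtable]$MemberOf)

    # Security principals the access check considers: the user plus their groups.
    $principals = @($User) + $MemberOf[$User]

    # Keep only ACEs that apply to this object class, this right and this user.
    $matching = $Aces | Where-Object {
        $_.AppliesTo -eq $ObjectClass -and $_.Right -eq $Right -and $principals -contains $_.Trustee
    }

    # Canonical order: explicit before inherited, and deny before allow within each.
    $first = $matching |
        Sort-Object @{ Expression = { [int]$_.Inherited } },
                    @{ Expression = { if ($_.Type -eq 'Deny') { 0 } else { 1 } } } |
        Select-Object -First 1

    # No matching ACE means the right is not granted (implicit deny).
    if ($first) { $first.Type } else { 'NotGranted' }
}

foreach ($user in ($memberOf.Keys | Sort-Object)) {
    [pscustomobject]@{
        User   = $user
        Delete = Get-EffectiveDecision -User $user -Right 'Delete' -ObjectClass 'organizationalUnit' -Aces $aces -MemberOf $memberOf
    }
}
```

The alice case is the one the answer describes: an inherited deny does not override a direct allow, while carol's explicit deny does.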
I work for a large company, which uses MS Exchange for Email. We have a distribution list for people to post questions, where anyone can answer. I am looking for a way to maintain a copy of this distribution list so that anyone can search it. Ideally, this would be searchable from within Outlook as well as by going to a webpage, but I will take either one. Someone has proposed to create a dummy email account, which just gets the distribution list traffic. Everyone interested in this distribution list could then attach this account. While this may work, there are several challenges with this approach:
1) It becomes problematic when you have several hundred people attaching a single email Inbox/account.
2) I need this account to be read-only, so someone doesn't accidentally delete an email from this account, thinking that it is in their personal account.
3) Our company has an auto-archive policy. This account would need to be exempt from that policy.
Any ideas?
Thanks
GS
The dummy mailbox is not a bad idea. You can give the people appropriate permissions to the Inbox folder of that mailbox.
To work around the permission issue you could either
1) create a transport agent which monitors the mailflow and dumps all messages to a database or CMS/SharePoint/whatever.
2) create the dummy mailbox and set up a service which monitors this mailbox using push/pull/streaming notifications and dumps the messages to a database/CMS/SharePoint/whatever.
The SharePoint solution would make the search option a piece of cake. But if you don't already have a SharePoint instance up and running this might be overkill.