Powershell command to hide user from exchange address lists - powershell

I'm trying to write a PowerShell script which hides a user from the Exchange address lists.
I was able to find the following command:
Set-Mailbox -Identity [user id here] -HiddenFromAddressListsEnabled $true
And it doesn't give me an error message, and when I run the command twice, I get the following warning:
WARNING: The command completed successfully but no settings of '[user id here]' have been modified.
Which probably means that the command did actually work.
But when I go to the Exchange Management Console and open the user profile, the "hide user from exchange address lists" check box is off.
What could be the reason?

I use this as a daily scheduled task to hide users disabled in AD from the Global Address List
$mailboxes = get-user | where {$_.UserAccountControl -like '*AccountDisabled*' -and $_.RecipientType -eq 'UserMailbox' } | get-mailbox | where {$_.HiddenFromAddressListsEnabled -eq $false}
foreach ($mailbox in $mailboxes) { Set-Mailbox -HiddenFromAddressListsEnabled $true -Identity $mailbox }

You can use the following script, just replace DOMAIN with the name of your domain. When executed, it will prompt you for a user login, then hide that user's account from the address lists.
$name=Read-Host "Enter login name of user to hide"
Set-Mailbox -Identity DOMAIN\$name -HiddenFromAddressListsEnabled $true
Brian.

I was getting the exact same error, however I solved it by running $false first and then $true.

You will have to pass one of the valid Identity values like DN, domain\user etc to the Set-Mailbox cmdlet. Currently you are not passing anything.

"WARNING: The command completed successfully but no settings of '[user id here]' have been modified."
This warning means the setting was already set like what you want it to be. So it didn't change anything for that object.
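A read-back check for the situation in this thread, as an added example that is not part of any of the posts above: it hides each disabled user's mailbox and then re-queries the mailbox, so the stored value is reported instead of inferred from the absence of an error. It assumes an Exchange Management Shell session; the function name `Hide-DisabledMailbox` is hypothetical.

```powershell
# Added example (not from the original posts). Assumes an Exchange Management Shell session.
# Hide-DisabledMailbox is a hypothetical name.
function Hide-DisabledMailbox {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Same selection as the scheduled-task answer: disabled accounts that still own a user mailbox
    # and are not hidden yet.
    $targets = Get-User -ResultSize Unlimited |
        Where-Object { $_.UserAccountControl -like '*AccountDisabled*' -and
                       $_.RecipientType -eq 'UserMailbox' } |
        Get-Mailbox |
        Where-Object { -not $_.HiddenFromAddressListsEnabled }

    foreach ($mbx in $targets) {
        # The distinguished name is one of the valid, unambiguous Identity values.
        $id = $mbx.DistinguishedName
        if ($PSCmdlet.ShouldProcess($id, 'Hide from address lists')) {
            Set-Mailbox -Identity $id -HiddenFromAddressListsEnabled $true -ErrorAction Stop

            # Read the value back rather than trusting a silent success.
            $after = (Get-Mailbox -Identity $id).HiddenFromAddressListsEnabled
            [pscustomobject]@{
                Mailbox  = $mbx.PrimarySmtpAddress
                Hidden   = $after
                Verified = ($after -eq $true)
            }
        }
    }
}

# Dry run first; drop -WhatIf to apply, and keep the output as the change record.
Hide-DisabledMailbox -WhatIf
```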

For Office 365 users or hybrid Exchange: using Internet Explorer or Edge, go to the Exchange admin center, choose hybrid, setup, and choose the right button for hybrid or Exchange Online.
To connect:
Connect-EXOPSSession
To see the relevant mailboxes:
Get-mailbox -filter {ExchangeUserAccountControl -eq 'AccountDisabled'
-and RecipientType -eq 'UserMailbox' -and RecipientTypeDetails -ne 'SharedMailbox' }
To block based on the above idea of 0KB size:
Get-mailbox -filter {ExchangeUserAccountControl -eq 'AccountDisabled'
-and RecipientTypeDetails -ne 'SharedMailbox' -and RecipientType -eq 'UserMailbox' } | Set-Mailbox -MaxReceiveSize 0KB -HiddenFromAddressListsEnabled $true

Related

Enabling Exchange Online SMTP Client Authentication with Powershell

I'm trying to enable Authenticated SMTP in Exchange Online via PowerShell.
I was semi successful with my attempts.
$Users = Get-CASMailbox -ResultSize unlimited
$Users | where {$_.SmtpClientAuthenticationDisabled -eq $true} | Set-CASMailbox -SmtpClientAuthenticationDisabled $False
This resulted in about 75% of the users having SMTP Authentication activated. But weirdly not all of them.
$Users = Get-CASMailbox -ResultSize unlimited
$Users | where {$_.SmtpClientAuthenticationDisabled -eq $true -or $null -or ""} | Set-CASMailbox -SmtpClientAuthenticationDisabled $False
Showed the same results.
As did:
$Users = Get-CASMailbox -ResultSize unlimited
$Users | where {$_.ImapEnabled -eq $true} | Set-CASMailbox -SmtpClientAuthenticationDisabled $False
So apparently this has nothing to do with the state of SmtpClientAuthenticationDisabled since I tried all possible states and used ImapEnabled -eq $true as a condition which is $true for every user.
I just started working with PowerShell and only have some basic programming knowledge. This setting has to be changed for about 80 accounts right now, but in a week or two about 4000 accounts will be synchronized with AzureAD and therefore Exchange Online. So far I haven't received an answer from the company which synchronizes the accounts on whether or not it's possible to set the state of SmtpClientAuthenticationDisabled when the synchronization happens. I expect that I will have to do it myself.
All users have an active Office 365 Licence and an active Exchange Online Plan.
Does anyone have some insight as to why only most but not all of the users accept this setting?
Edit:
When trying to execute your suggested script or when trying to execute my own commands I run into the issue that '$user' returns '$null' which I don't understand.
Setting SmtpClientAuthenticationDisabled for failed, error: Cannot bind argument to parameter 'Identity' because it is null.
This also happens when I'm only executing this:
$Users = Get-CASMailbox -ResultSize Unlimited
foreach($user in $users) {Write-Host "$($user.DisplayName)"}
It just returns nothing.
I think there is something fundamental that I don't understand.
If I just list the contents of '$users' PowerShell returns a list of all the users with the related settings like 'SmtpClientAuthenticationDisabled'.

If you want your complete organization to use the same setting, you should leave the values of the users $null. Instead set the TransportConfig.
Get-TransportConfig
Then check the value. If it is set to 'False', all users with a $null-value for SmtpClientAuthenticationDisabled will have the default setting of 'False'.
If set to 'True', change to 'False' instead:
Set-TransportConfig -SmtpClientAuthenticationDisabled $false
To answer your original question, of why the users are not updated properly. I think it has something to do with the fact that 'SmtpClientAuthenticationDisabled' is not a filterable attribute in the first place. So you will always have to query your complete dataset, which is not very elegant.
You could do something like the following to check and see what happens exactly:
$Users = Get-CASMailbox -ResultSize Unlimited
foreach ($user in $Users) {
    # Only touch mailboxes whose value is unset ($null) or explicitly $true
    if ($null -eq $user.SmtpClientAuthenticationDisabled -or $user.SmtpClientAuthenticationDisabled -eq $true) {
        try {
            # -ErrorAction Stop turns a failed update into an exception for the catch block
            Set-CASMailbox -Identity $user.ExchangeObjectId.guid -SmtpClientAuthenticationDisabled $false -ErrorAction Stop
            Write-Host "$($user.DisplayName) successfully set to correct state" -ForegroundColor Green
        } catch {
            Write-Host "Setting SmtpClientAuthenticationDisabled for $($user.DisplayName) failed, error: $_" -ForegroundColor Red
        }
    } else {
        Write-Host "$($user.DisplayName) already has the correct state: $($user.SmtpClientAuthenticationDisabled)" -ForegroundColor Green
    }
}
But personally I would change the above script to use it to set all values to $null:
Set-CASMailbox -Identity $user.ExchangeObjectId.guid -SmtpClientAuthenticationDisabled $null -ErrorAction Stop
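The inheritance rule described in this answer, as an added example that is not part of the original posts: it resolves, per mailbox, whether SMTP AUTH is effectively allowed and whether that comes from the organization default or from a mailbox override. `Resolve-SmtpAuthState` is a hypothetical helper and the three sample rows are constructed; the commented lines at the end assume an Exchange Online session.

```powershell
# Added example (not from the original posts). Resolve-SmtpAuthState is a hypothetical helper.
function Resolve-SmtpAuthState {
    param(
        # Organization default: (Get-TransportConfig).SmtpClientAuthenticationDisabled
        [Parameter(Mandatory = $true)][bool]$OrgDisabled,
        # Objects shaped like Get-CASMailbox output
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]$Mailbox
    )
    process {
        $override = $Mailbox.SmtpClientAuthenticationDisabled
        # $null (or blank) on the mailbox means "inherit the organization default".
        $inherits = ($null -eq $override) -or ("$override" -eq '')
        # Compare as text so a deserialized "True"/"False" string is handled like a real boolean.
        $disabled = if ($inherits) { $OrgDisabled } else { "$override" -eq 'True' }
        [pscustomobject]@{
            DisplayName     = $Mailbox.DisplayName
            MailboxSetting  = if ($inherits) { '(inherit)' } else { "$override" }
            Source          = if ($inherits) { 'TransportConfig' } else { 'Mailbox override' }
            SmtpAuthAllowed = -not $disabled
        }
    }
}

# Constructed sample rows standing in for Get-CASMailbox output.
$sample = @(
    [pscustomobject]@{ DisplayName = 'Alice'; SmtpClientAuthenticationDisabled = $null  }
    [pscustomobject]@{ DisplayName = 'Bob';   SmtpClientAuthenticationDisabled = $true  }
    [pscustomobject]@{ DisplayName = 'Carol'; SmtpClientAuthenticationDisabled = $false }
)

# With the organization default set to "disabled", only Carol's override leaves SMTP AUTH on.
$sample | Resolve-SmtpAuthState -OrgDisabled $true | Format-Table -AutoSize

# Against a live tenant (Exchange Online session assumed):
# $org = [bool](Get-TransportConfig).SmtpClientAuthenticationDisabled
# Get-CASMailbox -ResultSize Unlimited | Resolve-SmtpAuthState -OrgDisabled $org |
#     Where-Object { $_.Source -eq 'Mailbox override' }
```

Listing the rows whose Source is a mailbox override shows which accounts would keep their own value after the organization default is changed.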

Remove full access permissions of all disabled users on shared mailboxes with exchange management shell

I’m looking for a powershell exchange script to remove Full access permissions of all disabled users on all shared mailboxes in a specific OU.
This is what I got so far
Remove-MailboxPermission -Identity Sharedmailbox -AccessRights Fullaccess -InheritanceType all -user DisabledUser -Confirm:$false | where {$_.UseraccountControl -like "*accountdisabled*"}
It seems to work, but I’m not sure whether the last piece of the script will check for “accountdisabled”.
Then I created a variable so it will check only one specific OU
$ou = Get-ADUser -SearchBase "OU=Functional Mailboxes,OU=Generalaccounts,DC=DOMAIN,DC=COM" -Filter * foreach ($user in $ou)
Remove-MailboxPermission -Identity "$ou" -AccessRights Fullaccess -InheritanceType all -Confirm:$false | where {$_.UseraccountControl -like "*accountdisabled*"}
The script is checking the right OU but I'm still looking for the last part where it will automatically remove full access permissions of the disabled users ONLY.
Can someone show me the way?

Instead of trying to screen for disabled users after removing the mailbox permissions (which is what your Remove-MailboxPermission ... | Where-Object ... appears to be intended to do - except that the way you wrote it, it's only checking for disabled state after removing the permissions), try selecting for the disabled accounts first, then passing only the disabled accounts to Remove-MailboxPermission:
Get-ADUser -SearchBase ... -filter {Enabled -eq $false} | Remove-Mailbox ...
(replacing ... with the appropriate SearchBase or parameters for Remove-Mailbox, using $_ for the identity of the ADUser whose mailbox permissions you're removing.)
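The "select the disabled accounts first, then remove" order from this answer, written out as an added example that is not part of the original posts. It assumes an on-premises Exchange Management Shell and reuses the OU from the question; it calls Remove-MailboxPermission, the cmdlet from the question, since Remove-Mailbox would delete mailboxes rather than permissions.

```powershell
# Added example (not from the original posts). Assumes an on-premises Exchange Management Shell.
# The OU is the one quoted in the question.
$ou = 'OU=Functional Mailboxes,OU=Generalaccounts,DC=DOMAIN,DC=COM'

$shared = Get-Mailbox -OrganizationalUnit $ou -RecipientTypeDetails SharedMailbox -ResultSize Unlimited

foreach ($mbx in $shared) {
    # Explicit (non-inherited) allow entries that grant FullAccess, excluding built-in principals.
    $entries = Get-MailboxPermission -Identity $mbx.DistinguishedName |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                       $_.AccessRights -like '*FullAccess*' -and
                       $_.User -notlike 'NT AUTHORITY\*' }

    foreach ($entry in $entries) {
        # Resolve the trustee first; groups and orphaned SIDs do not resolve to a user and are skipped.
        $trustee = Get-User -Identity $entry.User.ToString() -ErrorAction SilentlyContinue
        if ($null -eq $trustee) { continue }
        if ($trustee.UserAccountControl -notlike '*AccountDisabled*') { continue }

        # Only disabled trustees reach this point. -WhatIf prints the change without making it.
        Remove-MailboxPermission -Identity $mbx.DistinguishedName -User $entry.User.ToString() `
            -AccessRights FullAccess -InheritanceType All -Confirm:$false -WhatIf

        # Emit one record per planned removal for review.
        [pscustomobject]@{
            SharedMailbox = $mbx.PrimarySmtpAddress
            Trustee       = $entry.User.ToString()
            Action        = 'Remove FullAccess (WhatIf)'
        }
    }
}
```

Review the emitted records, then remove `-WhatIf` to apply the removals.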

PowerShell command to query Exchange online autoreply configurations

We sync our local AD to Office 365.
I have been asked to get the out-of-office reply for users who are:
Disabled
Still have an Exchange mailbox.
I have some of the command but cannot figure out how to make it work:
$disabled = Get-ADUser -SearchBase "ou=Employees,ou=accounts,dc=domain,dc=local" -Filter { UserAccountControl -eq 514 } -Properties mail | Select-Object mail
foreach ($mail in $disabled) {
Get-MailboxAutoreplyConfiguration -Identity $mail
}

I believe this can be achieved without the call to AD via Get-ADUser cmdlet to get the list of disabled accounts. You can check the result of Get-Mailbox for the property ExchangeUserAccountControl. If the value is AccountDisabled then the account should be disabled in AD.
So that means you can do this:
Get-Mailbox -ResultSize Unlimited |
    Where-Object {
        $_.RecipientType -eq "UserMailbox" -and                    # make sure we only get user mailboxes
        $_.RecipientTypeDetails -eq "UserMailbox" -and             # make sure we only get licenced mailboxes only, no shared mailboxes, no room mailboxes, etc
        $_.ExchangeUserAccountControl -like "*accountdisabled*"    # make sure we only get disabled user accounts
    } |
    Get-MailboxAutoreplyConfiguration |                            # we can pipe user mailbox object directly into this cmdlet (no need to go into a foreach loop)
    Format-List identity,autoreplystate,internalmessage,externalmessage   # you can remove this and replace with Select then send to Csv or wherever you need
That last line with Format-List is just for viewing (and should be changed if you want to send data to a file, for example), this data can have large output depending if a user has internal or external messages set or not.
Please note that the above will return list of all Active Mailboxes in your Office365 tenant that:
have an Office365 UserMailbox (should be licensed mailbox)
is Disabled in Active Directory (AD account has Enabled : $False)
You can tell if the AutoReply messages are Active by looking at the autoreplystate value. It will either be Enabled or Disabled. So you can even add another Where clause to filter down to only those mailboxes that have autoreplystate : Enabled to only view mailboxes that have active auto replies set (based on your description, this was not clear if it was required or not).

user to see Terms and conditions screen at password change

The company I am working for would like a splash screen that I did to pop up whenever a user changes password (90 day rule at present); this is mainly due to an external requirement.
One of the snags I have is that the system has no email to show me that a user is expiring. I am looking at a couple of things:
A log output of expired accounts and locked accounts, ignoring accounts not logged on disabled accounts system etc.
On the 90 day policy a splash screen pops up with the T&C with an accept or decline window (they see this when they first turn the PC on and it pops up just before the logon box, basically saying by accepting you agree to have read blah and blah)
I do not know how to get either this to run as one script or have two separate scripts.
Any input greatly appreciated.
Import-Module ActiveDirectory # Required for PowerShell 2.0 only
$a = (Get-Date).Date.AddDays(-89)
# The following line will build the variable based upon the noted criteria
$b = Get-ADUser `
-Property Name, SamAccountName, PasswordLastSet, CannotChangePassword, PasswordNeverExpires `
-Filter { (PasswordLastSet -lt $a) -and (PasswordNeverExpires -eq $false) } |
Where-Object { $_.CannotChangePassword -eq $false }
# The following line will display/export the data logging the accounts to be changed
# please note the Out-File path and change to suit your needs.
$b | Format-Table Name, PasswordLastSet, CannotChangePassword, PasswordNeverExpires -AutoSize |
Out-File -FilePath "C:\passwordchanges.txt"
# The following line will actually flag the accounts to require a password change
# (after -WhatIf is removed)
$b.SamAccountName | ForEach-Object {
Set-ADUser -Identity $_ -ChangePasswordAtLogon $true -WhatIf
}

Search-ADAccount for user accounts with expiring passwords

I've been tasked with finding service accounts (in our shop, that's user accounts starting with 'svc-' in the username) that have expiring passwords. Normally service accounts should not have expiring passwords, so I'm trying to find service accounts incorrectly created so they can be fixed.
I've been using Search-ADAccount and I'm having parameter issues. If I use this:
Search-ADAccount -PasswordNeverExpires | Where {$_.SamAccountName -like 'SVC-*'}
then I get long lists of results, none of which have expiring passwords. But if I'm including the -PasswordNeverExpires parameter, then I'm filtering out any accounts which do have expiring passwords, no?
I've also tried this:
Search-ADAccount | Where {$_.SamAccountName -like 'SVC-*' -and $_.PasswordNeverExpires -like 'FALSE' }
but I only get an error: "Parameter set cannot be resolved using the specified named parameters." That sounds like Search-ADAccount requires certain parameters, but I don't see in the help files which parameters are required.
It's counter-intuitive (to me) that Search-ADAccount has a parameter which can search for one Boolean condition (TRUE) but not the other.
Get-ADUser doesn't seem to have any password configuration info.
Yes, Trondh. That's it. I first looked at Get-ADUser, but the help files didn't mention anything about the PasswordNeverExpires parameter, and piping a single result into Get-Member didn't reveal any relevant property to search against.
In sum, this is the one-liner that worked:
Get-ADUser -filter {PasswordNeverExpires -eq $False} | Where {$_.SamAccountName -like 'SVC-*'}
Thanks again.
I would just use get-aduser (need to clean up the filter param, I just banged this together in my head):
$adusers = Get-ADUser -Filter * -Properties * | where {$_.PasswordNeverExpires -eq $false}
Did you try $_.PasswordNeverExpires -eq $false?