Activedirectory on Janik von Rotz https://janikvonrotz.ch/tags/activedirectory/ Recent content in Activedirectory on Janik von Rotz Hugo en Thu, 03 Apr 2014 09:01:03 +0000 Update SharePoint Token Lifetime to update AD permissions faster https://janikvonrotz.ch/2014/04/03/update-sharepoint-token-lifetime-to-update-ad-permissions-faster/ Thu, 03 Apr 2014 09:01:03 +0000 https://janikvonrotz.ch/2014/04/03/update-sharepoint-token-lifetime-to-update-ad-permissions-faster/ <p>Since SharePoint 2013 only supports claim based authentication I discovered that updates in SharePoint Active Directory groups do not take effect immediately.</p> <p>Thanks to <a href="http://blog.randomdust.com/index.php/2013/06/sharepoint-2013-claim-expiration-and-ad-sync/">Ryan McIntyre</a> there&rsquo;s a simple fix for that issue.</p> <p>By adjusting the lifetime of the claims token you can shorten the time it takes to update the Active Directory group changes.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span><span style="color:#66d9ef">if</span>(<span style="color:#f92672">-not</span> (Get-PSSnapin <span style="color:#e6db74">&#34;Microsoft.SharePoint.PowerShell&#34;</span> -ErrorAction SilentlyContinue)){Add-PSSnapin <span style="color:#e6db74">&#34;Microsoft.SharePoint.PowerShell&#34;</span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># update SharePoint cache token lifetime</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$SPContentService = [<span style="color:#66d9ef">Microsoft.SharePoint.Administration.SPWebService</span>]::ContentService </span></span><span style="display:flex;"><span>$SPContentService.TokenTimeout = (New-TimeSpan -minutes <span style="color:#ae81ff">5</span>) </span></span><span style="display:flex;"><span>$SPContentService.Update() </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># udpate SharePoint claims token lifetime</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$SPSecurityTokenServiceConfig = Get-SPSecurityTokenServiceConfig </span></span><span style="display:flex;"><span>$SPSecurityTokenServiceConfig.WindowsTokenLifetime = (New-TimeSpan <span style="color:#960050;background-color:#1e0010">–</span>minutes <span style="color:#ae81ff">5</span>) </span></span><span style="display:flex;"><span>$SPSecurityTokenServiceConfig.FormsTokenLifetime = (New-TimeSpan -minutes <span style="color:#ae81ff">5</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># if you happen to set a lifetime that is shorter than the expiration window user will be blocked from accessing the site.</span> </span></span><span style="display:flex;"><span>$SPSecurityTokenServiceConfig.LogonTokenCacheExpirationWindow = (New-TimeSpan -minutes <span style="color:#ae81ff">4</span>) </span></span><span style="display:flex;"><span>$SPSecurityTokenServiceConfig.Update() </span></span></code></pre></div><p>Get the latest version of this code snippet here: <a href="https://gist.github.com/9950021">https://gist.github.com/9950021</a></p> New Office 365 user can not be found in directory https://janikvonrotz.ch/2014/03/13/new-office-365-can-not-be-found-in-directory/ Thu, 13 Mar 2014 11:22:32 +0000 https://janikvonrotz.ch/2014/03/13/new-office-365-can-not-be-found-in-directory/ <p>As part of the user provisioning process in my company every user account gets an Office 365 license.</p> <p>2 days ago in the after noon I&rsquo;ve created an new user account, synced it with DirSync and applied an new Office 365 E1 license.</p> <p>When I&rsquo;ve tried access the SharePoint Online website via ADFS SSO, I received an error message like this:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>user@example.com can not be found in directory </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Correlation ID: 812b329c-0ad4-702d-d866-1a5dd6a5d715 </span></span><span style="display:flex;"><span>Date and Time: 13/03/2014 08:58:17 </span></span><span style="display:flex;"><span>URL: https://example.vbluzern.com/?wa=wsignin1.0 </span></span><span style="display:flex;"><span>User: user@example.com </span></span><span style="display:flex;"><span>Issue Type: Partner User Invalid </span></span></code></pre></div><p>I tried everything to get rid of this error. Recreating the user account, disable, enable, assign another license, compare with working accounts, but nothing could solve this issue.</p> <p>However as I&rsquo;ve browsed in the Technet forums I came along this issue <!-- raw HTML omitted -->Partner User Invalid when creating a new user account.<!-- raw HTML omitted -->. They described almost the same issue as mine. In the last answer somebody proposed simply to wait 24 hours after assigning the license.</p> <p>And guess what! It worked!</p> <p>24 hours after I&rsquo;ve assigned the Office 365 license I could login with the new user account.</p> <p>Thank you Microsoft for these detailed error reports :)</p> Finally! Manage Exchange mailbox permissions with Active Directory groups https://janikvonrotz.ch/2014/01/27/finally-manage-exchange-mailbox-permissions-with-active-directory-groups/ Mon, 27 Jan 2014 19:04:37 +0000 https://janikvonrotz.ch/2014/01/27/finally-manage-exchange-mailbox-permissions-with-active-directory-groups/ <p>I&rsquo;ve tried many ways to assign permissions for an Active Directory group on a Exchange (2010) mailbox, but it&rsquo;s simply not possible.</p> <p>Fortunately nothing&rsquo;s impossible with PowerShell.</p> <p>The following script can handle this issue by:</p> <!-- raw HTML omitted --> <p><a href="https://janikvonrotz.ch/wp-content/uploads/2014/01/Synchronize-Service-Mailbox-Access-Groups.jpg"><img src="https://janikvonrotz.ch/wp-content/uploads/2014/01/Synchronize-Service-Mailbox-Access-Groups-1024x413.jpg" alt="Synchronize Service Mailbox Access Groups"></a></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span><span style="color:#75715e">&lt;# </span></span></span><span style="display:flex;"><span><span style="color:#75715e">$Metadata = @{ </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Title = &#34;Synchronize Service Mailbox Access Groups&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Filename = &#34;Sync-ServiceMailboxAccessGroups.ps1&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Description = &#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Tags = &#34;powershell, activedirectory, exchange, synchronization, access, mailbox, groups, permissions&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Project = &#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Author = &#34;Janik von Rotz&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> AuthorContact = &#34;https://janikvonrotz.ch&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> CreateDate = &#34;2014-01-27&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> LastEditDate = &#34;2014-01-27&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Url = &#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Version = &#34;0.0.0&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> License = @&#39; </span></span></span><span style="display:flex;"><span><span style="color:#75715e">This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Switzerland License. </span></span></span><span style="display:flex;"><span><span style="color:#75715e">To view a copy of this license, visit https://creativecommons.org/licenses/by-sa/3.0/ch/ or </span></span></span><span style="display:flex;"><span><span style="color:#75715e">send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA. </span></span></span><span style="display:flex;"><span><span style="color:#75715e">&#39;@ </span></span></span><span style="display:flex;"><span><span style="color:#75715e">} </span></span></span><span style="display:flex;"><span><span style="color:#75715e">#&gt;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Import-Module ActiveDirectory </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Connect Exchange Server</span> </span></span><span style="display:flex;"><span>$ExchangeServer = (Get-RemoteConnection ex1).Name </span></span><span style="display:flex;"><span>$PSSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri <span style="color:#e6db74">&#34;https://</span>$ExchangeServer<span style="color:#e6db74">/PowerShell/&#34;</span> -Authentication Kerberos </span></span><span style="display:flex;"><span>Import-PSSession $PSSession </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$Config = @{ </span></span><span style="display:flex;"><span> OU = <span style="color:#e6db74">&#34;OU=Mailbox,OU=Exchange,OU=Services,OU=vblusers2,DC=vbl,DC=ch&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> ADGroupFilter = @{ </span></span><span style="display:flex;"><span> NamePrefix = <span style="color:#e6db74">&#34;EX_&#34;</span> </span></span><span style="display:flex;"><span> NameInfix = <span style="color:#e6db74">&#34;&#34;</span> </span></span><span style="display:flex;"><span> NameSuffix = <span style="color:#e6db74">&#34;&#34;</span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> ADGroup = @{ </span></span><span style="display:flex;"><span> NamePrefix = <span style="color:#e6db74">&#34;EX_&#34;</span> </span></span><span style="display:flex;"><span> PermissionSeperator = <span style="color:#e6db74">&#34;#&#34;</span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> ADGroupMailboxReferenceAttribute = <span style="color:#e6db74">&#34;extensionAttribute1&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> MailBoxFilter = @{ </span></span><span style="display:flex;"><span> RecipientTypeDetails = <span style="color:#e6db74">&#34;UserMailbox&#34;</span> </span></span><span style="display:flex;"><span> ADGroupsAndUsers = <span style="color:#e6db74">&#34;F_Mitarbeiter&#34;</span>,<span style="color:#e6db74">&#34;F_Archivierte Benutzer&#34;</span> </span></span><span style="display:flex;"><span> ExcludeDisplayName = <span style="color:#e6db74">&#34;FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042&#34;</span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>} | %{New-Object PSObject -Property $_} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># get domain name</span> </span></span><span style="display:flex;"><span>$Domain = <span style="color:#e6db74">&#34;</span>$(((Get-ADDomain).Name).toupper())<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># get ad user objects</span> </span></span><span style="display:flex;"><span>$Config.MailBoxFilter.ADGroupsAndUsers = $Config.MailBoxFilter.ADGroupsAndUsers | %{ </span></span><span style="display:flex;"><span> Get-ADObject -Filter {(Name <span style="color:#f92672">-eq</span> $_) <span style="color:#f92672">-or</span> (ObjectGUID <span style="color:#f92672">-eq</span> $_)} | %{ </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>($_.ObjectClass <span style="color:#f92672">-eq</span> <span style="color:#e6db74">&#34;user&#34;</span>){$_.DistinguishedName </span></span><span style="display:flex;"><span> }<span style="color:#66d9ef">elseif</span>($_.ObjectClass <span style="color:#f92672">-eq</span> <span style="color:#e6db74">&#34;group&#34;</span>){ Get-ADGroupMember $_.DistinguishedName -Recursive} </span></span><span style="display:flex;"><span> } | Get-ADUser -Properties Mail </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># create mail list to filter mailboxes</span> </span></span><span style="display:flex;"><span>$Config.MailboxFilter.AllowedMails = $Config.MailBoxFilter.ADGroupsAndUsers | %{<span style="color:#e6db74">&#34;</span>$($_.Mail)<span style="color:#e6db74">&#34;</span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># create SamAccountName list to filter mailbox permissions</span> </span></span><span style="display:flex;"><span>$Config.ADGroupFilter.AllowedUsers = $Config.MailboxFilter.ADGroupsAndUsers | %{<span style="color:#e6db74">&#34;</span>$($Domain + $_.SamAccountName)<span style="color:#e6db74">&#34;</span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># get exisiting mailbox permission ad groups</span> </span></span><span style="display:flex;"><span>$ADGroups = Get-ADGroup -Filter * -SearchBase $Config.OU -Properties $Config.ADGroupMailboxReferenceAttribute | where{$_.Name.StartsWith($Config.ADGroupFilter.NamePrefix) <span style="color:#f92672">-and</span> $_.Name.Contains($Config.ADGroupFilter.NameInfix) <span style="color:#f92672">-and</span> $_.Name.EndsWith($Config.ADGroupFilter.NameSuffix)} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># sync mailbox access groups for each mailbox</span> </span></span><span style="display:flex;"><span>$Mailboxes = Get-Mailbox | where{$_.RecipientTypeDetails <span style="color:#f92672">-eq</span> $Config.MailBoxFilter.RecipientTypeDetails <span style="color:#f92672">-and</span> $Config.MailboxFilter.AllowedMails <span style="color:#f92672">-notcontains</span> $_.PrimarySmtpAddress.tolower() <span style="color:#f92672">-and</span> $Config.MailBoxFilter.ExcludeDisplayName <span style="color:#f92672">-notcontains</span> $_.DisplayName} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$RequiredADGroups = $Mailboxes | %{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># set variables</span> </span></span><span style="display:flex;"><span> $ADPermissionGroups = @() </span></span><span style="display:flex;"><span> $Mailbox = $_ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-Host <span style="color:#e6db74">&#34;Parsing permissions on mailbox: </span>$($_.Alias)<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># get existing permission groups</span> </span></span><span style="display:flex;"><span> $ADPermissionGroups = $ADGroups | where{(iex <span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">`$</span><span style="color:#e6db74">_.</span>$($Config.ADGroupMailboxReferenceAttribute)<span style="color:#e6db74">&#34;</span>) <span style="color:#f92672">-eq</span> $Mailbox.Guid} </span></span><span style="display:flex;"><span> $ADExistingPermissionGroupTypes = $ADPermissionGroups| where{$_} | %{$_.Name.split(<span style="color:#e6db74">&#34;#&#34;</span>)[<span style="color:#ae81ff">1</span>]} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># get existing and allowed mailbox permissions</span> </span></span><span style="display:flex;"><span> $MailboxPermissions = $Mailbox | Get-MailboxPermission | where{$Config.ADGroupFilter.AllowedUsers <span style="color:#f92672">-contains</span> $_.User} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># create an ad group foreach permissiontype that is required</span> </span></span><span style="display:flex;"><span> $NewADPermissionGroupTypes = $MailboxPermissions | %{<span style="color:#e6db74">&#34;</span>$($_.AccessRights)<span style="color:#e6db74">&#34;</span>.split(<span style="color:#e6db74">&#34;, &#34;</span>) | where{$_} | %{$_} | %{$_ | where{$ADExistingPermissionGroupTypes <span style="color:#f92672">-notcontains</span> $_}}} </span></span><span style="display:flex;"><span> $NewADPermissionGroupTypes | Group | %{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># create ad group name foreach permission type</span> </span></span><span style="display:flex;"><span> $Name = $config.ADGroup.NamePrefix + $Mailbox.Displayname + $Config.ADGroup.PermissionSeperator + $_.Name </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-PPEventLog -Message <span style="color:#e6db74">&#34;Add service mailbox access group: </span>$Name<span style="color:#e6db74">&#34;</span> -Source <span style="color:#e6db74">&#34;Synchronize Service Mailbox Access Groups&#34;</span> -WriteMessage </span></span><span style="display:flex;"><span> New-ADGroup -Name $Name -SamAccountName $Name -GroupCategory Security -GroupScope Global -DisplayName $Name -Path $Config.OU -Description <span style="color:#e6db74">&#34;Exchange Access Group for: </span>$($Mailbox.Displayname)<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> Get-ADGroup $Name </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> } | %{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># set the reference from the adgroup to the mailbox</span> </span></span><span style="display:flex;"><span> iex <span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">`$</span><span style="color:#e6db74">_.</span>$($Config.ADGroupMailboxReferenceAttribute)<span style="color:#e6db74"> = </span><span style="color:#ae81ff">`&#34;</span>$($Mailbox.Guid)<span style="color:#ae81ff">`&#34;</span><span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> Set-ADGroup -Instance $_ </span></span><span style="display:flex;"><span> $ADGroup = $_ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># add existing members to the permission group</span> </span></span><span style="display:flex;"><span> $MailboxPermissions | where{$_.AccessRights <span style="color:#f92672">-match</span> $ADGroup.Name.split(<span style="color:#e6db74">&#34;#&#34;</span>)[<span style="color:#ae81ff">1</span>]} | %{ </span></span><span style="display:flex;"><span> Add-ADGroupMember -Identity $ADGroup -Members ($_.User <span style="color:#f92672">-replace</span> <span style="color:#e6db74">&#34;</span>$Domain<span style="color:#e6db74">&#34;</span>,<span style="color:#e6db74">&#34;&#34;</span>) </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># output ad permission groups</span> </span></span><span style="display:flex;"><span> $_ </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># check members foreach permission group</span> </span></span><span style="display:flex;"><span> $ADPermissionGroups | where{$_} | %{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># get permission type</span> </span></span><span style="display:flex;"><span> $Permission = $_.Name.split(<span style="color:#e6db74">&#34;#&#34;</span>)[<span style="color:#ae81ff">1</span>] </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># get existin ad user groups</span> </span></span><span style="display:flex;"><span> $ADPermissionGroupUsers = $_ | Get-ADGroupMember -Recursive | select @{L=<span style="color:#e6db74">&#34;User&#34;</span>;E={$($Domain + $_.SamAccountName)}} </span></span><span style="display:flex;"><span> $MailboxUsers = $MailboxPermissions | where{$_.AccessRights <span style="color:#f92672">-match</span> $Permission} | select user </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># compare these groups and update members</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>($ADPermissionGroupUsers){ </span></span><span style="display:flex;"><span> $PermissionDiff = Compare-Object -ReferenceObject $ADPermissionGroupUsers -DifferenceObject $MailboxUsers -Property User </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># add member</span> </span></span><span style="display:flex;"><span> $PermissionDiff | where{$_.SideIndicator <span style="color:#f92672">-eq</span> <span style="color:#e6db74">&#34;&lt;=&#34;</span>} | %{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-PPEventLog -Message <span style="color:#e6db74">&#34;Add mailbox permission: </span>$Permission<span style="color:#e6db74"> for user: </span>$($_.User)<span style="color:#e6db74"> on mailbox: </span>$($Mailbox.Alias)<span style="color:#e6db74">&#34;</span> -Source <span style="color:#e6db74">&#34;Synchronize Service Mailbox Access Groups&#34;</span> -WriteMessage </span></span><span style="display:flex;"><span> Add-MailboxPermission -Identity $Mailbox.Alias -User $_.User -AccessRights $Permission </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># remove member</span> </span></span><span style="display:flex;"><span> $PermissionDiff | where{$_.SideIndicator <span style="color:#f92672">-eq</span> <span style="color:#e6db74">&#34;=&gt;&#34;</span>} | %{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-PPEventLog -Message <span style="color:#e6db74">&#34;Remove mailbox permission: </span>$Permission<span style="color:#e6db74"> for user: </span>$($_.User)<span style="color:#e6db74"> on mailbox: </span>$($Mailbox.Alias)<span style="color:#e6db74">&#34;</span> -Source <span style="color:#e6db74">&#34;Synchronize Service Mailbox Access Groups&#34;</span> -WriteMessage </span></span><span style="display:flex;"><span> Remove-MailboxPermission -Identity $Mailbox.Alias -User $_.User -AccessRights $Permission -Confirm:$false </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#output ad permission group to delete old ad permission groups</span> </span></span><span style="display:flex;"><span> $_ </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$ADGroups | where{$RequiredADGroups <span style="color:#f92672">-notcontains</span> $_} | %{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-PPEventLog -Message <span style="color:#e6db74">&#34;Remove service mailbox access group: </span>$Name<span style="color:#e6db74">&#34;</span> -Source <span style="color:#e6db74">&#34;Synchronize Service Mailbox Access Groups&#34;</span> -WriteMessage </span></span><span style="display:flex;"><span> Remove-ADGroup -Identity $_ -Confirm:$false </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Remove-PSSession $PSSession </span></span><span style="display:flex;"><span>Write-PPErrorEventLog -Source <span style="color:#e6db74">&#34;Synchronize Service Mailbox Access Groups&#34;</span> -ClearErrorVariable </span></span></code></pre></div><p>Latest version of this script: <!-- raw HTML omitted --><a href="https://gist.github.com/8653473">https://gist.github.com/8653473</a><!-- raw HTML omitted --></p> <!-- raw HTML omitted --> <p>To run this script properly and use commands as <code>Write-PPEventLog</code> I recommend you to install my project <!-- raw HTML omitted -->PowerShell Profile<!-- raw HTML omitted -->.</p> Update Obsolete User Principal Names in Office 365 Windows Azure Directory https://janikvonrotz.ch/2014/01/06/update-obsolete-user-principal-names-in-office-365-windows-azure-directory/ Mon, 06 Jan 2014 13:02:55 +0000 https://janikvonrotz.ch/2014/01/06/update-obsolete-user-principal-names-in-office-365-windows-azure-directory/ <p>It could happen that the directory sync service (DirSync) doesn&rsquo;t sync the users UserPrincipalName correctly.</p> <p>I had an issue where the UserPrincipalName from a user in the Office 365 windows azure directory has been made based on the user&rsquo;s sAMAccountname. This wouldn&rsquo;t be problem if as long the sAMAccountname is the as same as the UserPrincipalName, but as you can guess this is not everywhere the case.</p> <p>First I checked the attribute flow of the synchronization job and as you can in see in picture below the DirSync service will update the attribute first by the users DN, then by it&rsquo;s sAMAccountname and at least by the UserPrincipalName . <img src="https://janikvonrotz.ch/wp-content/uploads/2014/01/DirSync-UPN-Config-1024x558.jpg" alt="DirSync UPN Config"></p> <p>I&rsquo;m not quite shure wether the sync problem is caused by this configuration or not, but I don&rsquo;t recommend to edit these rules, in order the get the UserPrincipalName synced correctly.</p> <p>To update the UPN I&rsquo;ve written the following script, I&rsquo;ll compare the user attributes from the ActiveDirectory and the AzureDirectory. If a UPN doesn&rsquo;t match it&rsquo;ll be overwritten with the ActiveDirectory UPN.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># settings</span> </span></span><span style="display:flex;"><span><span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$OU = <span style="color:#e6db74">&#34;OU=vblusers2,DC=vbl,DC=ch&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># modules</span> </span></span><span style="display:flex;"><span><span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Import-Module MSOnline </span></span><span style="display:flex;"><span>Import-Module MSOnlineExtended </span></span><span style="display:flex;"><span>Import-Module ActiveDirectory </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># main</span> </span></span><span style="display:flex;"><span><span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$ADUsers = Get-ADUser -Filter * -SearchBase $OU -Properties GivenName, Surname, DisplayName </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$Credential = Import-PSCredential $(Get-ChildItem -Path $PSconfigs.Path -Filter <span style="color:#e6db74">&#34;Office365.credentials.config.xml&#34;</span> -Recurse).FullName </span></span><span style="display:flex;"><span>Connect-MsolService -Credential $Credential </span></span><span style="display:flex;"><span>$MsolUsers = Get-MsolUser -All </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$MsolUsers | %{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> $MsolUser = $_ </span></span><span style="display:flex;"><span> $ADUsers | where{($_.GivenName <span style="color:#f92672">-eq</span> $MsolUser.FirstName) <span style="color:#f92672">-and</span> </span></span><span style="display:flex;"><span> ($_.Surname <span style="color:#f92672">-eq</span> $MsolUser.LastName) <span style="color:#f92672">-and</span> </span></span><span style="display:flex;"><span> ($_.DisplayName <span style="color:#f92672">-eq</span> $MsolUser.DisplayName) <span style="color:#f92672">-and</span> </span></span><span style="display:flex;"><span> ($_.UserPrincipalName <span style="color:#f92672">-ne</span> $MsolUser.UserPrincipalName) </span></span><span style="display:flex;"><span> } | %{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-Host <span style="color:#e6db74">&#34;Change UserPrincipalName for: </span>$($MsolUser.UserPrincipalName)<span style="color:#e6db74"> to: </span>$($_.UserPrincipalName)<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> Set-MsolUserPrincipalName -UserPrincipalName $MsolUser.UserPrincipalName -NewUserPrincipalName $_.UserPrincipalName </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><!-- raw HTML omitted --> <!-- raw HTML omitted --> <!-- raw HTML omitted --> <p>Latest version of this script: <!-- raw HTML omitted --><a href="https://gist.github.com/8281095">https://gist.github.com/8281095</a><!-- raw HTML omitted --></p> Update SharePoint ActiveDirectory Group Displayname https://janikvonrotz.ch/2013/12/16/update-sharepoint-activedirectory-group-displayname/ Mon, 16 Dec 2013 17:00:39 +0000 https://janikvonrotz.ch/2013/12/16/update-sharepoint-activedirectory-group-displayname/ <p>When the name of an Active Directory group has been changed, this change won&rsquo;t affect the display name showed in the SharePoint permission editor.</p> <p>To update the the name for all Active Directory groups you can run this snippet on the SharePoint server:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span> ((Get-PSSnapin <span style="color:#e6db74">&#39;Microsoft.SharePoint.PowerShell&#39;</span> -ErrorAction SilentlyContinue) <span style="color:#f92672">-eq</span> $null){Add-PSSnapin <span style="color:#e6db74">&#39;Microsoft.SharePoint.PowerShell&#39;</span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$SPSiteFilter = <span style="color:#e6db74">&#34;https://sharepoint.domain.ch&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Get-SPSite | where{$SPSiteFilter <span style="color:#f92672">-contains</span> $_.Url} | %{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> $_.rootweb.siteusers | where{($_.DisplayName <span style="color:#f92672">-ne</span> $_.UserLogin) <span style="color:#f92672">-and</span> $_.IsDomainGroup} | %{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-Host <span style="color:#e6db74">&#34;Change: </span>$($_.DisplayName)<span style="color:#e6db74"> to: </span>$($_.UserLogin)<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> $_.DisplayName = $_.UserLogin </span></span><span style="display:flex;"><span> $_.Name = $_.UserLogin </span></span><span style="display:flex;"><span> $_.Update() </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>This snippet is part of my SharePoint default settings script: <!-- raw HTML omitted --><a href="https://gist.github.com/7871902">https://gist.github.com/7871902</a><!-- raw HTML omitted --></p> Change Active Directory User Password Expiration Mode https://janikvonrotz.ch/2013/12/11/change-active-directory-user-password-expiration-mode/ Wed, 11 Dec 2013 17:35:45 +0000 https://janikvonrotz.ch/2013/12/11/change-active-directory-user-password-expiration-mode/ <p>To change an Active Directory users password expiration mode you can use this PowerShell snippet:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span>Import-Module ActiveDirectory </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Get-ADGroupMember <span style="color:#e6db74">&#34;Group1&#34;</span> -Recursive | </span></span><span style="display:flex;"><span>Get-ADUser -Properties PasswordNeverExpires | </span></span><span style="display:flex;"><span>where {$_.enabled <span style="color:#f92672">-eq</span> $true <span style="color:#f92672">-and</span> $_.PasswordNeverExpires <span style="color:#f92672">-eq</span> $false} | </span></span><span style="display:flex;"><span>select -First <span style="color:#ae81ff">50</span> | %{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-Host $_.UserPrincipalName </span></span><span style="display:flex;"><span> Set-ADUser $_ -PasswordNeverExpires $true </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>Latest version of this snippet: <!-- raw HTML omitted --><a href="https://gist.github.com/7913696">https://gist.github.com/7913696</a><!-- raw HTML omitted --><!-- raw HTML omitted --></p> Get Active Directory User Membership Groups Recursively https://janikvonrotz.ch/2013/12/11/get-active-directory-user-membership-groups-recursively/ Wed, 11 Dec 2013 11:46:37 +0000 https://janikvonrotz.ch/2013/12/11/get-active-directory-user-membership-groups-recursively/ <p>To get a users member shipments recursively I&rsquo;ve written an extended function based on the already existing function <code>Get-ADPrincipalGroupMembership</code> it simply loops through the users member shipments and outputs the data in tree styled list.</p> <p>This function is part of my <!-- raw HTML omitted -->PowerShell Profile project<!-- raw HTML omitted -->. Install this framework to get the latest version of this function.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span><span style="color:#75715e">&lt;# </span></span></span><span style="display:flex;"><span><span style="color:#75715e">$Metadata = @{ </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Title = &#34;Get Active Directory Principal Group Membership Recurse&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Filename = &#34;Get-ADPrincipalGroupMembershipRecurse.ps1&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Description = &#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Tags = &#34;powershell, activedirectory, get, prinicipal, group, membership, recurse&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Project = &#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Author = &#34;Janik von Rotz&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> AuthorContact = &#34;https://janikvonrotz.ch&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> CreateDate = &#34;2013-12-11&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> LastEditDate = &#34;2013-12-11&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Url = &#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Version = &#34;1.0.0&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> License = @&#39; </span></span></span><span style="display:flex;"><span><span style="color:#75715e">This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Switzerland License. </span></span></span><span style="display:flex;"><span><span style="color:#75715e">To view a copy of this license, visit https://creativecommons.org/licenses/by-sa/3.0/ch/ or </span></span></span><span style="display:flex;"><span><span style="color:#75715e">send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA. </span></span></span><span style="display:flex;"><span><span style="color:#75715e">&#39;@ </span></span></span><span style="display:flex;"><span><span style="color:#75715e">} </span></span></span><span style="display:flex;"><span><span style="color:#75715e">#&gt;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">function</span> Get-ADPrincipalGroupMembershipRecurse{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">&lt;# </span></span></span><span style="display:flex;"><span><span style="color:#75715e">.</span><span style="color:#e6db74">SYNOPSIS</span><span style="color:#75715e"> </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Get Active Directory principal group membership recursively. </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> </span></span></span><span style="display:flex;"><span><span style="color:#75715e">.</span><span style="color:#e6db74">DESCRIPTION</span><span style="color:#75715e"> </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Get Active Directory principal group membership recursively. </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> </span></span></span><span style="display:flex;"><span><span style="color:#75715e">.PARAMETER ADUser </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Active Directory user to report. </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> </span></span></span><span style="display:flex;"><span><span style="color:#75715e">.PARAMETER ADGroup </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Looping parameter not required! </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> </span></span></span><span style="display:flex;"><span><span style="color:#75715e">.PARAMETER ADGroup </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Looping parameter not required! </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> </span></span></span><span style="display:flex;"><span><span style="color:#75715e">.</span><span style="color:#e6db74">EXAMPLE</span><span style="color:#75715e"> </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> PS C:&gt; Get-ADPrincipalGroupMembershipRecurse -ADUser (Get-ADUser user1) | Out-GridView </span></span></span><span style="display:flex;"><span><span style="color:#75715e">#&gt;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> [CmdletBinding()] </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">param</span>( </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> [Parameter(<span style="color:#a6e22e">Mandatory</span>=$false)] </span></span><span style="display:flex;"><span> [ValidateNotNullOrEmpty()] </span></span><span style="display:flex;"><span> $ADUser, </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> [Parameter(<span style="color:#a6e22e">Mandatory</span>=$false)] </span></span><span style="display:flex;"><span> [ValidateNotNullOrEmpty()] </span></span><span style="display:flex;"><span> $ADGroup, </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> [Parameter(<span style="color:#a6e22e">Mandatory</span>=$false)] </span></span><span style="display:flex;"><span> $Level = <span style="color:#ae81ff">0</span> </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># modules</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span> Import-Module ActiveDirectory </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># main</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># loop select for user parameter</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>($ADUser){ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># get membership groups of user and run this function</span> </span></span><span style="display:flex;"><span> $ADGroups = Get-ADPrincipalGroupMembership $ADUser | %{ </span></span><span style="display:flex;"><span> Get-ADPrincipalGroupMembershipRecurse -ADGroup $_ -Level ($Level+<span style="color:#ae81ff">1</span>) </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># get max number of levels</span> </span></span><span style="display:flex;"><span> $Levels = ($ADGroups | %{$_.Level} | measure -Maximum).Maximum + <span style="color:#ae81ff">1</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># display the results in columns</span> </span></span><span style="display:flex;"><span> $ADGroups | %{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># create a column item</span> </span></span><span style="display:flex;"><span> $Item = New-Object <span style="color:#960050;background-color:#1e0010">–</span>TypeName PSObject </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># create a column for each level</span> </span></span><span style="display:flex;"><span> $Index = <span style="color:#ae81ff">1</span>;<span style="color:#66d9ef">while</span>($Index <span style="color:#f92672">-ne</span> $Levels){ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># place the value in the right level</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>($_.Level <span style="color:#f92672">-eq</span> $Index){ </span></span><span style="display:flex;"><span> $Item | Add-Member <span style="color:#960050;background-color:#1e0010">–</span>MemberType NoteProperty <span style="color:#960050;background-color:#1e0010">–</span>Name <span style="color:#e6db74">&#34;Level </span>$Index<span style="color:#e6db74">&#34;</span> <span style="color:#960050;background-color:#1e0010">–</span>Value $_.Name </span></span><span style="display:flex;"><span> }<span style="color:#66d9ef">else</span>{ </span></span><span style="display:flex;"><span> $Item | Add-Member <span style="color:#960050;background-color:#1e0010">–</span>MemberType NoteProperty <span style="color:#960050;background-color:#1e0010">–</span>Name <span style="color:#e6db74">&#34;Level </span>$Index<span style="color:#e6db74">&#34;</span> <span style="color:#960050;background-color:#1e0010">–</span>Value <span style="color:#e6db74">&#34;&#34;</span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> $Index += <span style="color:#ae81ff">1</span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#output</span> </span></span><span style="display:flex;"><span> $Item </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># loop select for group parameter</span> </span></span><span style="display:flex;"><span> }<span style="color:#66d9ef">elseif</span>($ADGroup){ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># show a progress</span> </span></span><span style="display:flex;"><span> Write-Progress -Activity <span style="color:#e6db74">&#34;Collecting Data&#34;</span> -Status <span style="color:#e6db74">&#34;</span>$($_.Name)<span style="color:#e6db74">&#34;</span> -PercentComplete (Get-Random -Minimum <span style="color:#ae81ff">1</span> -Maximum <span style="color:#ae81ff">100</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># return the item and its level</span> </span></span><span style="display:flex;"><span> $_ | select Name,@{L=<span style="color:#e6db74">&#34;Level&#34;</span>;E={$Level}} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># check for further membershipments of this group and loop this function</span> </span></span><span style="display:flex;"><span> Get-ADPrincipalGroupMembership $_ | %{ </span></span><span style="display:flex;"><span> Get-ADPrincipalGroupMembershipRecurse -ADGroup $_ -Level ($Level+<span style="color:#ae81ff">1</span>) </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><!-- raw HTML omitted --> <p><a href="https://janikvonrotz.ch/wp-content/uploads/2013/12/Get-Active-Directory-User-Membership-Groups-Recursively-Output-Example.png"><img src="https://janikvonrotz.ch/wp-content/uploads/2013/12/Get-Active-Directory-User-Membership-Groups-Recursively-Output-Example.png" alt="Get Active Directory User Membership Groups Recursively - Output Example"></a></p> Assign Temporary Administrator Rights for ActiveDirectory Users via SharePoint list https://janikvonrotz.ch/2013/11/18/assign-temporary-administrator-rights-for-activedirectory-users-via-sharepoint-list/ Mon, 18 Nov 2013 16:55:32 +0000 https://janikvonrotz.ch/2013/11/18/assign-temporary-administrator-rights-for-activedirectory-users-via-sharepoint-list/ <p>In my company the user only have user rights on their computers. As you should know you&rsquo;ll face many problems with this restriction.</p> <p>Many users want to install third party software on their computers or add a printer at home. To reduce argues and make the user happy, I&rsquo;ll assign administrator rights for a temporary time.</p> <p>Based on a predefined GPO and based on a list showing which user has administrator rights in a specified time period, my PowerShell script creates new temporary GPO to assign local administrator rights.</p> <p>After the specified time period the scripts deletes the temporary GPO in order to remove the local admin rights.</p> <p>Here is the template of the predefined GPO:</p> <p><a href="https://janikvonrotz.ch/wp-content/uploads/2013/11/Tempor%C3%A4re-Administratorrechte.png"><img src="https://janikvonrotz.ch/wp-content/uploads/2013/11/Tempor%C3%A4re-Administratorrechte.png" alt="Temporäre Administratorrechte"></a></p> <p>User &ldquo;test&rdquo; is placeholder for the real user.</p> <p>The list containing the users is stored on SharePoint site:</p> <p><a href="https://janikvonrotz.ch/wp-content/uploads/2013/11/Tempor%C3%A4re-Administratorrechte-1.png"><img src="https://janikvonrotz.ch/wp-content/uploads/2013/11/Tempor%C3%A4re-Administratorrechte-1.png" alt="Temporäre Administratorrechte 1"></a></p> <p>The scripts reads from the SharePoint list with predefined credentials and remote configuration file wich is part of my PowerShell Profile project (check out the requirements on the bottom).</p> <p>Watch out to store the computer object in a OU instead of an container, it&rsquo;s not possible to assign GPOs to an AD container!</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span><span style="color:#75715e">&lt;# </span></span></span><span style="display:flex;"><span><span style="color:#75715e">$Metadata = @{ </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Title = &#34;Assign Temporary Administrator Rights&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Filename = &#34;Assign-TemporaryAdministratorRights.ps1&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Description = &#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Tags = &#34;powershell, script, activedirectory, assign, temporary, administrator, rights, computer&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Project = &#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Author = &#34;Janik von Rotz&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> AuthorContact = &#34;https://janikvonrotz.ch&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> CreateDate = &#34;2013-11-15&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> LastEditDate = &#34;2013-11-18&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Url = &#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Version = &#34;1.0.0&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> License = @&#39; </span></span></span><span style="display:flex;"><span><span style="color:#75715e">This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Switzerland License. </span></span></span><span style="display:flex;"><span><span style="color:#75715e">To view a copy of this license, visit https://creativecommons.org/licenses/by-sa/3.0/ch/ or </span></span></span><span style="display:flex;"><span><span style="color:#75715e">send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA. </span></span></span><span style="display:flex;"><span><span style="color:#75715e">&#39;@ </span></span></span><span style="display:flex;"><span><span style="color:#75715e">} </span></span></span><span style="display:flex;"><span><span style="color:#75715e">#&gt;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">try</span>{ </span></span><span style="display:flex;"><span> <span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># modules</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span> Import-Module ActiveDirectory </span></span><span style="display:flex;"><span> Import-Module GroupPolicy </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># settings</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># var #Username# replaces username, var #Computername# replaces computername</span> </span></span><span style="display:flex;"><span> $GPOTemplate = <span style="color:#e6db74">&#34;Windows User #Username# - #Computername# Lokaler Administrator&#34;</span> </span></span><span style="display:flex;"><span> $TempFolder = <span style="color:#e6db74">&#34;C:export&#34;</span> </span></span><span style="display:flex;"><span> $SPWebUrl = (Get-SPUrl <span style="color:#e6db74">&#34;https://sharepoint.vbl.ch/finanzen/it/Abteilungssite/SitePages/Homepage.aspx&#34;</span>).Url </span></span><span style="display:flex;"><span> $SPListName = <span style="color:#e6db74">&#34;Temporäre Adminrechte&#34;</span> </span></span><span style="display:flex;"><span> $RemoteConnectionKey = <span style="color:#e6db74">&#34;sp1&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># main</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> $Computer = Get-RemoteConnection -Name $RemoteConnectionKey </span></span><span style="display:flex;"><span> $Credential = Import-PSCredential -Path (Get-ChildItem $PSconfigs.Path -Filter <span style="color:#e6db74">&#34;SharePoint.credential.config.xml&#34;</span> -Recurse).FullName </span></span><span style="display:flex;"><span> $Session = New-PSSession -ComputerName $Computer.Name -Credential $Credential -ConfigurationName microsoft.powershell </span></span><span style="display:flex;"><span> $Computer.SnapIns | %{ Invoke-Command -Session $Session -ScriptBlock {<span style="color:#66d9ef">param</span> ($Name) Add-PSSnapin -Name $Name} -ArgumentList $_} </span></span><span style="display:flex;"><span> [<span style="color:#66d9ef">ScriptBlock</span>]$ScriptBlock = [<span style="color:#66d9ef">scriptblock</span>]::Create(<span style="color:#e6db74">@&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">Get-SPWeb &#39;</span>$SPWebUrl<span style="color:#e6db74">&#39; | %{ </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> `</span>$_<span style="color:#e6db74">.Lists[&#39;</span>$SPListName<span style="color:#e6db74">&#39;].GetItems() | %{ </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> `</span>$(New-Object PSObject -Property @{ </span></span><span style="display:flex;"><span> Mail = `$_[<span style="color:#e6db74">&#34;Title&#34;</span>].toString() </span></span><span style="display:flex;"><span> Computer = `$_[<span style="color:#e6db74">&#34;Computer&#34;</span>].toString() </span></span><span style="display:flex;"><span> From = `$_[<span style="color:#e6db74">&#34;From&#34;</span>].toString() </span></span><span style="display:flex;"><span> To = `$_[<span style="color:#e6db74">&#34;To&#34;</span>].toString() </span></span><span style="display:flex;"><span> })<span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> } </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">} </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#34;@</span>) </span></span><span style="display:flex;"><span> $Config = Invoke-Command -Session $Session -ScriptBlock $ScriptBlock </span></span><span style="display:flex;"><span> Remove-PSSession $Session </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">&lt;# </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> $Config = @( </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> $(New-Object PSObject -Property @{ </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Mail = &#34;name.surname@domain.ch&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Computer = &#34;tpbmar1&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> From = &#34;18.11.2013&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> To = &#34;25.11.2013&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> }), </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> $(New-Object PSObject -Property @{ </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Mail = &#34;name.surname@vbl.ch&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Computer = &#34;tpfit9&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> From = &#34;15.11.2013&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> To = &#34;21.11.2013&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> }), </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> ) </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> #&gt;</span> </span></span><span style="display:flex;"><span> $Config | %{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># get settings</span> </span></span><span style="display:flex;"><span> $ADComputer = Get-ADComputer $_.Computer </span></span><span style="display:flex;"><span> $ADUser = Get-ADUser -Filter <span style="color:#e6db74">&#34;mail -eq &#39;</span>$($_.Mail)<span style="color:#e6db74">&#39;&#34;</span> | select -first <span style="color:#ae81ff">1</span> </span></span><span style="display:flex;"><span> $GPOName = ($GPOTemplate <span style="color:#f92672">-replace</span> <span style="color:#e6db74">&#34;#Username#&#34;</span>, $ADUser.Name <span style="color:#f92672">-replace</span> <span style="color:#e6db74">&#34;#Computername#&#34;</span>, $ADComputer.Name) </span></span><span style="display:flex;"><span> $SourceGPO = Get-GPO $GPOTemplate </span></span><span style="display:flex;"><span> $TargetOU = $ADComputer.DistinguishedName <span style="color:#f92672">-replace</span> <span style="color:#e6db74">&#34;CN=</span>$($ADComputer.Name)<span style="color:#e6db74">,&#34;</span>,<span style="color:#e6db74">&#34;&#34;</span> </span></span><span style="display:flex;"><span> $FromDate = Get-Date $_.From </span></span><span style="display:flex;"><span> $ToDate = Get-Date $_.To </span></span><span style="display:flex;"><span> $Date = $(Get-Date) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># create temp folder</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>(<span style="color:#f92672">-not</span> (Test-Path $TempFolder)){New-Item -Path $TempFolder -ItemType Directory} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># get gpo</span> </span></span><span style="display:flex;"><span> $GPO = Get-GPO -Name $GPOName -ErrorAction SilentlyContinue </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># create if not exist</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>(<span style="color:#f92672">-not</span> $GPO <span style="color:#f92672">-and</span> $Date <span style="color:#f92672">-gt</span> $FromDate <span style="color:#f92672">-and</span> $Date <span style="color:#f92672">-lt</span> $ToDate){ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># create new gpo</span> </span></span><span style="display:flex;"><span> $GPO = New-GPO -Name $GPOName </span></span><span style="display:flex;"><span> $GPO | New-GPLink -Target $TargetOU </span></span><span style="display:flex;"><span> $GPO | Set-GPPermissions <span style="color:#f92672">-Replace</span> -PermissionLevel None -TargetName <span style="color:#e6db74">&#34;Authentifizierte Benutzer&#34;</span> -TargetType Group </span></span><span style="display:flex;"><span> $GPO | Set-GPPermissions -PermissionLevel GpoApply -TargetName $ADComputer.Name -TargetType Computer </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># backup template gpo</span> </span></span><span style="display:flex;"><span> $GPOBackup = $SourceGPO | Backup-GPO -Path $TempFolder </span></span><span style="display:flex;"><span> $PathToXML = Join-Path $TempFolder (<span style="color:#e6db74">&#34;{&#34;</span> + $GPOBackup.Id + <span style="color:#e6db74">&#34;}DomainSysvolGPOMachinePreferencesGroupsGroups.xml&#34;</span>) </span></span><span style="display:flex;"><span> $PathToFolder = Join-Path $TempFolder (<span style="color:#e6db74">&#34;{&#34;</span> + $GPOBackup.Id + <span style="color:#e6db74">&#34;}&#34;</span>) </span></span><span style="display:flex;"><span> [<span style="color:#66d9ef">xml</span>]$GroupXML = Get-Content $PathToXML </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># update template gpo settings</span> </span></span><span style="display:flex;"><span> $GroupXML.Groups.Group.Properties.Members.Member.name = $(Get-ADDomain).NetBIOSName + <span style="color:#e6db74">&#34;&#34;</span> +$ADUser.SamAccountName </span></span><span style="display:flex;"><span> $GroupXML.Groups.Group.Properties.Members.Member.sid = <span style="color:#e6db74">&#34;</span>$($ADUser.SID)<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> $GroupXML.Save($PathToXML) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># import to new gpo</span> </span></span><span style="display:flex;"><span> Import-GPO -BackupId $GPOBackup.Id -TargetGuid $GPO.Id -path $TempFolder </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># clean up tempfolder</span> </span></span><span style="display:flex;"><span> Remove-Item $PathToFolder -Force -confirm:$false -Recurse </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-PPEventLog -Message <span style="color:#e6db74">&#34;Added temporary administrator rights for: </span>$($_.Mail)<span style="color:#e6db74"> on computer: </span>$($_.Computer)<span style="color:#e6db74">&#34;</span> -Source <span style="color:#e6db74">&#34;Assign Temporary Administrator Rights&#34;</span> -WriteMessage </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># delete gpo</span> </span></span><span style="display:flex;"><span> }<span style="color:#66d9ef">elseif</span>($GPO <span style="color:#f92672">-and</span> $Date <span style="color:#f92672">-gt</span> $ToDate ){ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> $GPO | Remove-GPO </span></span><span style="display:flex;"><span> Write-PPEventLog -Message <span style="color:#e6db74">&#34;Removed temporary administrator rights for: </span>$($_.Mail)<span style="color:#e6db74"> on computer: </span>$($_.Computer)<span style="color:#e6db74">&#34;</span> -Source <span style="color:#e6db74">&#34;Assign Temporary Administrator Rights&#34;</span> -WriteMessage </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>}<span style="color:#66d9ef">catch</span>{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-PPErrorEventLog -Source <span style="color:#e6db74">&#34;Assign Temporary Administrator Rights&#34;</span> </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>Run this script as a hourly or daily scheduled task.</p> <p>Latest version of this script: <!-- raw HTML omitted --><a href="https://gist.github.com/7487228">https://gist.github.com/7487228</a><!-- raw HTML omitted --></p> <p>Requirements to run this script:</p> <!-- raw HTML omitted --> Manage Security Groups in a organizational Strcture https://janikvonrotz.ch/2013/10/28/manage-security-groups-in-a-organizational-strcture/ Mon, 28 Oct 2013 16:22:20 +0000 https://janikvonrotz.ch/2013/10/28/manage-security-groups-in-a-organizational-strcture/ <p>As in on of my last <!-- raw HTML omitted -->post<!-- raw HTML omitted --> I&rsquo;ve showed you my approach to manage distribution groups in the hierarchical structure of an ActiveDirectory installation. In the mean time I&rsquo;ve adapted a similiar approach for the security groups.</p> <p>Here is an example of the structure:</p> <p><!-- raw HTML omitted -->Existing OU structure and groups:<!-- raw HTML omitted --></p> <!-- raw HTML omitted --> <!-- raw HTML omitted --> <!-- raw HTML omitted --> <p>And here after executing the management script:</p> <p><!-- raw HTML omitted -->New Security groups :<!-- raw HTML omitted --></p> <!-- raw HTML omitted --> <p>The rules</p> <!-- raw HTML omitted --> <p>As always you can manage special settings with Exclude-Filters and simple Tasks.</p> <p>And here&rsquo;s the script:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span><span style="color:#75715e">&lt;# </span></span></span><span style="display:flex;"><span><span style="color:#75715e">$Metadata = @{ </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Title = &#34;Update ActiveDirectory Security Groups&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Filename = &#34;Update-ADSecurityGroups.ps1&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Description = &#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Tags = &#34;powershell, activedirectory, security, groups, update&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Project = &#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Author = &#34;Janik von Rotz&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> AuthorContact = &#34;https://janikvonrotz.ch&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> CreateDate = &#34;2013-10-07&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> LastEditDate = &#34;2013-10-24&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Url = &#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Version = &#34;1.1.0&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> License = @&#39; </span></span></span><span style="display:flex;"><span><span style="color:#75715e">This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Switzerland License. </span></span></span><span style="display:flex;"><span><span style="color:#75715e">To view a copy of this license, visit https://creativecommons.org/licenses/by-sa/3.0/ch/ or </span></span></span><span style="display:flex;"><span><span style="color:#75715e">send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA. </span></span></span><span style="display:flex;"><span><span style="color:#75715e">&#39;@ </span></span></span><span style="display:flex;"><span><span style="color:#75715e">} </span></span></span><span style="display:flex;"><span><span style="color:#75715e">#&gt;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># modules</span> </span></span><span style="display:flex;"><span><span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span>Import-Module ActiveDirectory </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$ExcludeADUsers = <span style="color:#e6db74">&#34;&#34;</span> </span></span><span style="display:flex;"><span>$ExcludeADGroups = <span style="color:#e6db74">&#34;&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$OUConfigs = @( </span></span><span style="display:flex;"><span> @{ </span></span><span style="display:flex;"><span> OU = <span style="color:#e6db74">&#34;OU=vblusers2,DC=vbl,DC=ch&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> GroupSuffix = <span style="color:#e6db74">&#34; Abteilung&#34;</span> </span></span><span style="display:flex;"><span> GroupMemberPrefix = <span style="color:#e6db74">&#34;F_&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> ParentGroupSuffix = <span style="color:#e6db74">&#34; Abteilungen&#34;</span> </span></span><span style="display:flex;"><span> ParentGroupMemberSuffix = <span style="color:#e6db74">&#34; Abteilung&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> ExcludeOUs = <span style="color:#e6db74">&#34;Extern&#34;</span>,<span style="color:#e6db74">&#34;ServiceAccounts&#34;</span>,<span style="color:#e6db74">&#34;Services&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> ExcludeADUsers = <span style="color:#e6db74">&#34;&#34;</span> + $ExcludeADUsers </span></span><span style="display:flex;"><span> ExcludeADGroups = <span style="color:#e6db74">&#34;F_Verwaltungsrat&#34;</span> + $ExcludeADGroups </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$Tasks = @( </span></span><span style="display:flex;"><span> @{ </span></span><span style="display:flex;"><span> Name = <span style="color:#e6db74">&#34;SP_Home#Read&#34;</span>; </span></span><span style="display:flex;"><span> Options = @(<span style="color:#e6db74">&#34;CleanGroup&#34;</span>,<span style="color:#e6db74">&#34;UpdateFromGroups&#34;</span>,<span style="color:#e6db74">&#34;ProcessUsers&#34;</span>); </span></span><span style="display:flex;"><span> AddGroups = @(<span style="color:#e6db74">&#34;Technik Abteilungen&#34;</span>,<span style="color:#e6db74">&#34;Betrieb Abteilungen&#34;</span>,<span style="color:#e6db74">&#34;Personal Abteilungen&#34;</span>,<span style="color:#e6db74">&#34;Finanzen Abteilungen&#34;</span>,<span style="color:#e6db74">&#34;Direktion Abteilungen&#34;</span>,<span style="color:#e6db74">&#34;F_TermUser&#34;</span>) </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> @{ </span></span><span style="display:flex;"><span> Name = <span style="color:#e6db74">&#34;SP_Home#Edit&#34;</span>; </span></span><span style="display:flex;"><span> Options = @(<span style="color:#e6db74">&#34;CleanGroup&#34;</span>,<span style="color:#e6db74">&#34;UpdateFromGroups&#34;</span>,<span style="color:#e6db74">&#34;RemoveGroups&#34;</span>,<span style="color:#e6db74">&#34;ProcessUsers&#34;</span>); </span></span><span style="display:flex;"><span> AddGroups = @(<span style="color:#e6db74">&#34;SP_Home#Read&#34;</span>); </span></span><span style="display:flex;"><span> RemoveGroups = @(<span style="color:#e6db74">&#34;SPO_365E1License&#34;</span>,<span style="color:#e6db74">&#34;F_TermUser&#34;</span>,<span style="color:#e6db74">&#34;F_Service Benutzer&#34;</span>) </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$OUConfigs | %{ </span></span><span style="display:flex;"><span> $OUConfig = $_ </span></span><span style="display:flex;"><span> Get-ADOrganizationalUnit -Filter <span style="color:#e6db74">&#34;*&#34;</span> -SearchBase $_.OU | </span></span><span style="display:flex;"><span> where{$ThisOU = $_; <span style="color:#f92672">-not</span> ($OUConfig.ExcludeOUs | where{$ThisOU.DistinguishedName <span style="color:#f92672">-match</span> $_})} | %{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> $OUconfig.OU = $_ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> $ParentGroupName = ($_.Name + $OUconfig.ParentGroupSuffix) </span></span><span style="display:flex;"><span> $ParentGroupMembers = Get-ADOrganizationalUnit -Filter * -SearchBase $_.DistinguishedName | %{Get-ADGroup -SearchScope OneLevel -Filter * -SearchBase $_.DistinguishedName | where{$_.Name.EndsWith($OUconfig.ParentGroupMemberSuffix)}} | select -Unique </span></span><span style="display:flex;"><span> $ParentGroup = Get-ADGroup -SearchScope OneLevel -Filter {SamAccountName <span style="color:#f92672">-eq</span> $ParentGroupName <span style="color:#f92672">-and</span> GroupCategory <span style="color:#f92672">-eq</span> <span style="color:#e6db74">&#34;Security&#34;</span>} -SearchBase $_.DistinguishedName </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> $GroupName = ($_.Name + $OUconfig.GroupSuffix) </span></span><span style="display:flex;"><span> $GroupMembers = Get-ADGroup -SearchScope OneLevel -Filter * -SearchBase $_.DistinguishedName | where{$_.Name.StartsWith($OUconfig.GroupMemberPrefix) <span style="color:#f92672">-and</span> ($OUconfig.ExcludeADGroups <span style="color:#f92672">-notcontains</span> $_.Name)} </span></span><span style="display:flex;"><span> $Group = Get-ADGroup -SearchScope OneLevel -Filter{SamAccountName <span style="color:#f92672">-eq</span> $GroupName <span style="color:#f92672">-and</span> GroupCategory <span style="color:#f92672">-eq</span> <span style="color:#e6db74">&#34;Security&#34;</span>} -SearchBase $_.DistinguishedName </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>($ParentGroupMembers <span style="color:#f92672">-and</span> $ParentGroup){ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;Update members in parent group: </span>$($ParentGroup.Name)<span style="color:#e6db74">.&#34;</span> | %{$Message += <span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">`n</span><span style="color:#e6db74">&#34;</span> + $_; Write-Host $_} </span></span><span style="display:flex;"><span> Get-ADGroupMember -Identity $ParentGroup | %{Remove-ADGroupMember -Identity $ParentGroup -Members $_ -Confirm:$false} </span></span><span style="display:flex;"><span> $ParentGroupMembers | %{Add-ADGroupMember -Identity $ParentGroup -Members $_} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> }<span style="color:#66d9ef">elseif</span>($ParentGroupMembers <span style="color:#f92672">-and</span> $ParentGroupMembers.count <span style="color:#f92672">-gt</span> <span style="color:#ae81ff">1</span>){ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;Add parent group: </span>$ParentGroupName<span style="color:#e6db74">.&#34;</span> | %{$Message += <span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">`n</span><span style="color:#e6db74">&#34;</span> + $_; Write-Host $_} </span></span><span style="display:flex;"><span> New-ADGroup -Name $ParentGroupName -SamAccountName $ParentGroupName -GroupCategory Security -GroupScope Global -DisplayName $ParentGroupName -Path $($OU.DistinguishedName) -Description <span style="color:#e6db74">&#34;Department group for </span>$($OU.Name)<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> $ParentGroupMembers | %{Add-ADGroupMember -Identity $ParentGroupName -Members $_} </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>($Group <span style="color:#f92672">-and</span> $GroupMembers){ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#&#34;Update members in group: $($Group.Name).&#34; | %{$Message += &#34;`n&#34; + $_; Write-Host $_}</span> </span></span><span style="display:flex;"><span> $GroupMembersIS = Get-ADGroupMember -Identity $Group | %{<span style="color:#e6db74">&#34;</span>$($_.DistinguishedName)<span style="color:#e6db74">&#34;</span>} </span></span><span style="display:flex;"><span> $GroupMemberTO = $GroupMembers | %{<span style="color:#e6db74">&#34;</span>$($_.DistinguishedName)<span style="color:#e6db74">&#34;</span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Get-ADGroupMember -Identity $Group | where{(<span style="color:#f92672">-not</span> $_.Name.StartsWith($OUconfig.GroupMemberPrefix)) <span style="color:#f92672">-or</span> ($GroupMemberTO <span style="color:#f92672">-notcontains</span> $_.DistinguishedName)} | %{ </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;Remove member: </span>$($_.Name)<span style="color:#e6db74"> from group: </span>$($Group.Name)<span style="color:#e6db74">.&#34;</span> | %{$Message += <span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">`n</span><span style="color:#e6db74">&#34;</span> + $_; Write-Host $_} </span></span><span style="display:flex;"><span> Remove-ADGroupMember -Identity $Group -Members $_ -Confirm:$false </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> $GroupMembers | where{($GroupMembersIS <span style="color:#f92672">-notcontains</span> $_.DistinguishedName)} | %{ </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;Add member: </span>$($_.Name)<span style="color:#e6db74"> to group: </span>$($Group.Name)<span style="color:#e6db74">.&#34;</span> | %{$Message += <span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">`n</span><span style="color:#e6db74">&#34;</span> + $_; Write-Host $_} </span></span><span style="display:flex;"><span> Add-ADGroupMember -Identity $Group -Members $_ </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> }<span style="color:#66d9ef">elseif</span>($GroupMembers){ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;Add group: </span>$GroupName<span style="color:#e6db74">.&#34;</span> | %{$Message += <span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">`n</span><span style="color:#e6db74">&#34;</span> + $_; Write-Host $_} </span></span><span style="display:flex;"><span> New-ADGroup -Name $GroupName -SamAccountName $GroupName -GroupCategory Security -GroupScope Global -DisplayName $GroupName -Path $($OU.DistinguishedName) -Description <span style="color:#e6db74">&#34;Department group for </span>$($OU.Name)<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> $GroupMembers | %{Add-ADGroupMember -Identity $GroupName -Members $_} </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$Tasks | %{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> $ADGroup = Get-ADGroup -Identity $_.Name </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>($_.Options <span style="color:#f92672">-match</span> <span style="color:#e6db74">&#34;CleanGroup&#34;</span>){ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;Remove members from: </span>$($_.Name)<span style="color:#e6db74">.&#34;</span> | %{$Message += <span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">`n</span><span style="color:#e6db74">&#34;</span> + $_; Write-Host $_} </span></span><span style="display:flex;"><span> Get-ADGroupMember -Identity $ADGroup | %{Remove-ADGroupMember -Identity $ADGroup -Members $_ -Confirm:$false} </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>($_.Options <span style="color:#f92672">-match</span> <span style="color:#e6db74">&#34;UpdateFromGroups&#34;</span>){ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>($_.Options <span style="color:#f92672">-match</span> <span style="color:#e6db74">&#34;ProcessUsers&#34;</span>){ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;Add users from: </span>$($_.AddGroups)<span style="color:#e6db74"> to: </span>$($_.Name)<span style="color:#e6db74">.&#34;</span> | %{$Message += <span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">`n</span><span style="color:#e6db74">&#34;</span> + $_; Write-Host $_} </span></span><span style="display:flex;"><span> $_.AddGroups | %{Get-ADGroupMember $_ -Recursive | Get-ADUser | where {($_.Enabled <span style="color:#f92672">-eq</span> $true) <span style="color:#f92672">-and</span> ($ExcludeADUsers <span style="color:#f92672">-notcontains</span> $_.UserPrincipalName)}} | select -Unique | %{Add-ADGroupMember -Identity $ADGroup -Members $_} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> }<span style="color:#66d9ef">else</span>{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;Add groups: </span>$($_.AddGroups)<span style="color:#e6db74"> to: </span>$($_.Name)<span style="color:#e6db74">.&#34;</span> | %{$Message += <span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">`n</span><span style="color:#e6db74">&#34;</span> + $_; Write-Host $_} </span></span><span style="display:flex;"><span> $_.AddGroups | %{Add-ADGroupMember -Identity $ADGroup -Members $_} </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>($_.Options <span style="color:#f92672">-match</span> <span style="color:#e6db74">&#34;RemoveGroups&#34;</span>){ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>($_.Options <span style="color:#f92672">-match</span> <span style="color:#e6db74">&#34;ProcessUsers&#34;</span>){ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;Remove users from: </span>$($_.RemoveGroups)<span style="color:#e6db74"> to: </span>$($_.Name)<span style="color:#e6db74">.&#34;</span> | %{$Message += <span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">`n</span><span style="color:#e6db74">&#34;</span> + $_; Write-Host $_} </span></span><span style="display:flex;"><span> $ADGroupMembers = Get-ADGroupMember -Identity $ADGroup </span></span><span style="display:flex;"><span> $_.RemoveGroups | %{Get-ADGroupMember $_ -Recursive | Get-ADUser | where {($ADGroupMembers <span style="color:#f92672">-match</span> $_) <span style="color:#f92672">-and</span> ($_.Enabled <span style="color:#f92672">-eq</span> $true) <span style="color:#f92672">-and</span> ($ExcludeADUsers <span style="color:#f92672">-notcontains</span> $_.UserPrincipalName)}} | select -Unique | %{Remove-ADGroupMember -Identity $ADGroup -Members $_ -Confirm:$false} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> }<span style="color:#66d9ef">else</span>{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;Remove groups: </span>$($_.RemoveGroups)<span style="color:#e6db74"> to: </span>$($_.Name)<span style="color:#e6db74">.&#34;</span> | %{$Message += <span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">`n</span><span style="color:#e6db74">&#34;</span> + $_; Write-Host $_} </span></span><span style="display:flex;"><span> $_.RemoveGroups | %{Remove-ADGroupMember -Identity $ADGroup -Members $_ -Confirm:$false} </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Write-PPEventLog $($MyInvocation.InvocationName + <span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">`n`n</span><span style="color:#e6db74">&#34;</span> + $Message ) </span></span><span style="display:flex;"><span>Send-PPErrorReport -FileName <span style="color:#e6db74">&#34;activedirectory.mail.config.xml&#34;</span> -ScriptName $MyInvocation.InvocationName </span></span><span style="display:flex;"><span>Write-PPErrorEventLog -ScriptPath $MyInvocation.InvocationName -ClearErrorVariable </span></span></code></pre></div><!-- raw HTML omitted --> Archive ActiveDirectory Users and their Mailbox https://janikvonrotz.ch/2013/10/14/archive-activedirectory-users-and-their-mailbox/ Mon, 14 Oct 2013 17:04:19 +0000 https://janikvonrotz.ch/2013/10/14/archive-activedirectory-users-and-their-mailbox/ <p>One of my company&rsquo;s requirements is the retention time of 10 years for user accounts and their mailbox data, I have to admit, this might not be common or even recommended. However I have to deal with it.</p> <p>One problem to face is the availabilty of user account names, by the number of about 500 employees there&rsquo;s a hight change that two or even more people are having the same name.</p> <p>To clean up the available names in the system I&rsquo;ve written a script that renames a users identity and the mailboxes address. So let&rsquo;s see what this script does:</p> <!-- raw HTML omitted --> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span><span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># settings</span> </span></span><span style="display:flex;"><span><span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span>$ExchangeServer = <span style="color:#e6db74">&#34;vblw2k8mail05&#34;</span> </span></span><span style="display:flex;"><span>$FilterRecipientTypeDetails = @(<span style="color:#e6db74">&#34;UserMailbox&#34;</span>,<span style="color:#e6db74">&#34;RemoteUserMailbox&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># functions</span> </span></span><span style="display:flex;"><span><span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">function</span> Rename-ADUserAndMailbox{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">param</span>( </span></span><span style="display:flex;"><span> [Parameter(<span style="color:#a6e22e">Mandatory</span>=$true)] </span></span><span style="display:flex;"><span> $ADUser, </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> [Parameter(<span style="color:#a6e22e">Mandatory</span>=$true)] </span></span><span style="display:flex;"><span> $MailBox </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> $ArchivedIdentity = ($($ADUser.SID).tostring() <span style="color:#f92672">-replace</span> <span style="color:#e6db74">&#34;-&#34;</span>,<span style="color:#e6db74">&#34;&#34;</span>).substring(<span style="color:#ae81ff">20</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>(<span style="color:#f92672">-not</span> (Get-ADUser -Filter{SamAccountName <span style="color:#f92672">-eq</span> $ArchivedIdentity} -ErrorAction SilentlyContinue)){ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> $NewName = <span style="color:#e6db74">&#34;</span>$($ADUser.Name)<span style="color:#e6db74"> </span>$($ADUser.SID)<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> $NewUserPrincipalName = <span style="color:#e6db74">&#34;</span>$($ADUser.UserPrincipalName.split(<span style="color:#e6db74">&#39;@&#39;</span>)[<span style="color:#ae81ff">0</span>])<span style="color:#e6db74"> </span>$($ADUser.SID)<span style="color:#e6db74">@</span>$($ADUser.UserPrincipalName.split(<span style="color:#e6db74">&#39;@&#39;</span>)[<span style="color:#ae81ff">1</span>])<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> $NewSamAccountName = ($($ADUser.SID).tostring() <span style="color:#f92672">-replace</span> <span style="color:#e6db74">&#34;-&#34;</span>,<span style="color:#e6db74">&#34;&#34;</span>).substring(<span style="color:#ae81ff">20</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-Host <span style="color:#e6db74">&#34;Rename Name </span>$($ADUser.Name)<span style="color:#e6db74"> to </span>$NewName<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> Rename-ADObject $ADUser -NewName $NewName </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-Host <span style="color:#e6db74">&#34;Rename UserPrincipalName </span>$($ADUser.UserPrincipalName)<span style="color:#e6db74"> to </span>$NewUserPrincipalName<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> Get-ADUser $ADUser.SamAccountName | Set-ADUser -UserPrincipalName $NewUserPrincipalName -Description <span style="color:#e6db74">&#34;archived&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-Host <span style="color:#e6db74">&#34;Rename SamAccountName </span>$($ADUser.SamAccountName)<span style="color:#e6db74"> to </span>$NewSamAccountName<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> Get-ADUser $ADUser.SamAccountName | Set-ADUser -SamAccountName $NewSamAccountName </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> $NewPrimarySmtpAddress = <span style="color:#e6db74">&#34;</span>$($ADUser.UserPrincipalName.split(<span style="color:#e6db74">&#39;@&#39;</span>)[<span style="color:#ae81ff">0</span>])$($ADUser.SID)<span style="color:#e6db74">@</span>$($ADUser.UserPrincipalName.split(<span style="color:#e6db74">&#39;@&#39;</span>)[<span style="color:#ae81ff">1</span>])<span style="color:#e6db74">&#34;</span> <span style="color:#f92672">-replace</span> <span style="color:#e6db74">&#34;-&#34;</span>,<span style="color:#e6db74">&#34;&#34;</span> </span></span><span style="display:flex;"><span> $OldPrimarySmtpAddress = $Mailbox.PrimarySmtpAddress </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>($Mailbox.psObject.TypeNames <span style="color:#f92672">-contains</span> <span style="color:#e6db74">&#34;Deserialized.Microsoft.Exchange.Data.Directory.Management.RemoteMailbox&#34;</span>){ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> $NewRemoteRoutingAddress = <span style="color:#e6db74">&#34;</span>$($Mailbox.RemoteRoutingAddress.split(<span style="color:#e6db74">&#34;@&#34;</span>)[<span style="color:#ae81ff">0</span>])$($ADUser.SID)<span style="color:#e6db74">@</span>$($Mailbox.RemoteRoutingAddress.split(<span style="color:#e6db74">&#34;@&#34;</span>)[<span style="color:#ae81ff">1</span>])<span style="color:#e6db74">&#34;</span> <span style="color:#f92672">-replace</span> <span style="color:#e6db74">&#34;-&#34;</span>,<span style="color:#e6db74">&#34;&#34;</span> </span></span><span style="display:flex;"><span> $OldRemoteRoutingAddress = $Mailbox.RemoteRoutingAddress </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Get-RemoteMailbox $ADuser.Name | %{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-Host <span style="color:#e6db74">&#34;Rename PrimarySmtpAddress for </span>$($_.PrimarySmtpAddress)<span style="color:#e6db74"> to </span>$NewPrimarySmtpAddress<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> Set-RemoteMailbox $_.Alias -PrimarySmtpAddress $NewPrimarySmtpAddress; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-Host <span style="color:#e6db74">&#34;Rename RemoteRoutingAddress for </span>$($_.RemoteRoutingAddress)<span style="color:#e6db74"> to </span>$NewRemoteRoutingAddress<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> Set-RemoteMailbox $_.Alias -RemoteRoutingAddress $NewRemoteRoutingAddress </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-Host <span style="color:#e6db74">&#34;Remove default mail addresses </span>$OldRemoteRoutingAddress<span style="color:#e6db74">, </span>$PrimarySmtpAddress<span style="color:#e6db74"> on </span>$($_.Alias)<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> Set-RemoteMailbox $_.Alias -EmailAddresses @{remove = $OldRemoteRoutingAddress, $OldPrimarySmtpAddress} </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> }<span style="color:#66d9ef">elseif</span>($Mailbox.psObject.TypeNames <span style="color:#f92672">-contains</span> <span style="color:#e6db74">&#34;Deserialized.Microsoft.Exchange.Data.Directory.Management.Mailbox&#34;</span>){ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Get-Mailbox $ADuser.Name | %{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-Host <span style="color:#e6db74">&#34;Rename PrimarySmtpAddress for </span>$($_.PrimarySmtpAddress)<span style="color:#e6db74"> to </span>$NewPrimarySmtpAddress<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> Set-Mailbox $_.Alias -PrimarySmtpAddress $NewPrimarySmtpAddress </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-Host <span style="color:#e6db74">&#34;Remove default mail addresses </span>$PrimarySmtpAddress<span style="color:#e6db74"> on </span>$($Mailbox.Alias)<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> Set-Mailbox $_.Alias -EmailAddresses @{remove = $OldPrimarySmtpAddress} </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># modules</span> </span></span><span style="display:flex;"><span><span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span>Import-Module ActiveDirectory </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># main</span> </span></span><span style="display:flex;"><span><span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># open remote connection</span> </span></span><span style="display:flex;"><span>$PSSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri <span style="color:#e6db74">&#34;https://</span>$ExchangeServer<span style="color:#e6db74">/PowerShell/&#34;</span> -Authentication Kerberos </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># import</span> </span></span><span style="display:flex;"><span>Import-PSSession $PSSession -AllowClobber </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$Mailboxes = Get-Mailbox </span></span><span style="display:flex;"><span>$RemoteMailboxes = Get-RemoteMailbox </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># disable mailbox and remote mailbox</span> </span></span><span style="display:flex;"><span>Get-ADUser -Filter{Enabled <span style="color:#f92672">-eq</span> $false} -Properties mail | where{$_.mail <span style="color:#f92672">-ne</span> $null} | </span></span><span style="display:flex;"><span> %{$ADUser = $_; $Mailboxes | where{$_.Name <span style="color:#f92672">-eq</span> $ADuser.Name <span style="color:#f92672">-and</span> $_.HiddenFromAddressListsEnabled <span style="color:#f92672">-eq</span> $false <span style="color:#f92672">-and</span> $FilterRecipientTypeDetails <span style="color:#f92672">-contains</span> $_.RecipientTypeDetails}} |%{ </span></span><span style="display:flex;"><span> Write-host <span style="color:#e6db74">&#34;Hide mailbox </span>$($_.Name)<span style="color:#e6db74"> from address lists.&#34;</span>; </span></span><span style="display:flex;"><span> Set-Mailbox $_.Name -HiddenFromAddressListsEnabled:$true; </span></span><span style="display:flex;"><span> Rename-ADUserAndMailbox -ADUser $ADUser -MailBox $_ </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># disable remote mailbox</span> </span></span><span style="display:flex;"><span>Get-ADUser -Filter{Enabled <span style="color:#f92672">-eq</span> $false} -Properties mail | where{$_.mail <span style="color:#f92672">-ne</span> $null} | </span></span><span style="display:flex;"><span> %{$ADUser = $_; $RemoteMailboxes | where{$_.Name <span style="color:#f92672">-eq</span> $ADuser.Name <span style="color:#f92672">-and</span> $_.HiddenFromAddressListsEnabled <span style="color:#f92672">-eq</span> $false <span style="color:#f92672">-and</span> $FilterRecipientTypeDetails <span style="color:#f92672">-contains</span> $_.RecipientTypeDetails}} | %{ </span></span><span style="display:flex;"><span> Write-host <span style="color:#e6db74">&#34;Hide remotemailbox </span>$($_.Name)<span style="color:#e6db74"> from address lists.&#34;</span>; </span></span><span style="display:flex;"><span> Set-RemoteMailbox $_.Name -HiddenFromAddressListsEnabled:$true; </span></span><span style="display:flex;"><span> Rename-ADUserAndMailbox -ADUser $ADUser -MailBox $_ </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># destroy pssession</span> </span></span><span style="display:flex;"><span>Remove-PSSession $PSSession </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span>($error){ </span></span><span style="display:flex;"><span> Send-PPErrorReport -FileName <span style="color:#e6db74">&#34;activedirectory.mail.config.xml&#34;</span> -ScriptName $MyInvocation.InvocationName </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>Latest version of this script: <!-- raw HTML omitted --><a href="https://gist.github.com/6780143">https://gist.github.com/6780143</a><!-- raw HTML omitted --></p> <p>As always I recommand you to install my project <!-- raw HTML omitted -->PowerShell Profile<!-- raw HTML omitted --> to run this script properly.</p> Project: Setup Windows 7 Kiosk https://janikvonrotz.ch/2013/10/04/project-setup-windows-7-kiosk/ Fri, 04 Oct 2013 16:01:56 +0000 https://janikvonrotz.ch/2013/10/04/project-setup-windows-7-kiosk/ <p>The goal of this project is a simple Windows 7 Kiosk installation with nothing else as the newest version of internet explorer installed. A user should not be allowed to do something than can malfunction the system or even elevating the user privileges. I want to show you in this post which GroupPolicies I&rsquo;ve used and what configurations I made to set up this type of installation.</p> <p>First I want to commit my principles for working with ActiveDirectory and Group Policies:</p> <!-- raw HTML omitted --> <!-- raw HTML omitted --> <p>The logged in user can&hellip;</p> <!-- raw HTML omitted --> <p><a href="https://janikvonrotz.ch/wp-content/uploads/2013/10/Windows-7-Kiosk-Setup.png"><img src="https://janikvonrotz.ch/wp-content/uploads/2013/10/Windows-7-Kiosk-Setup.png" alt="Windows 7 Kiosk - Setup"></a></p> <!-- raw HTML omitted --> <p>The setup of the windows workstation is very simple:</p> <!-- raw HTML omitted --> <p>The Group Policy Management Console is equipped with newest Windows 7 AMDX templates.</p> <!-- raw HTML omitted --> <p>The following section shows the policies I&rsquo;ve used to restrict the access to the computer and it&rsquo;s programs.</p> <!-- raw HTML omitted --> <p><!-- raw HTML omitted -->Desktop background<!-- raw HTML omitted --></p> <p>Add a desktop wallpaper.</p> <p><a href="https://janikvonrotz.ch/wp-content/uploads/2013/10/Windows-Desktopbackground.png"><img src="https://janikvonrotz.ch/wp-content/uploads/2013/10/Windows-Desktopbackground.png" alt="Windows - Desktopbackground"></a></p> <p><a href="https://janikvonrotz.ch/wp-content/uploads/2013/10/Windows-Taskbar-Result.png"><img src="https://janikvonrotz.ch/wp-content/uploads/2013/10/Windows-Taskbar-Result.png" alt="Windows - Taskbar Result"></a></p> <p><!-- raw HTML omitted -->Remove Desktop Icons<!-- raw HTML omitted --></p> <p>Remove the default desktop icons.</p> <p><a href="https://janikvonrotz.ch/wp-content/uploads/2013/10/Windows-Remove-Desktop-Icons.png"><img src="https://janikvonrotz.ch/wp-content/uploads/2013/10/Windows-Remove-Desktop-Icons.png" alt="Windows - Remove Desktop Icons"></a></p> <p><!-- raw HTML omitted -->Remove System Buttons<!-- raw HTML omitted --></p> <p>Remove the start system buttons and the options showed after click Ctrl + Alt + Delete.</p> <p><a href="https://janikvonrotz.ch/wp-content/uploads/2013/10/Windows-Remove-System-Buttons.png"><img src="https://janikvonrotz.ch/wp-content/uploads/2013/10/Windows-Remove-System-Buttons.png" alt="Windows - Remove System Buttons"></a></p> <p><!-- raw HTML omitted -->Restricted Start Menu<!-- raw HTML omitted --></p> <p>Remove  the all items in the windows start menu.</p> <p><a href="https://janikvonrotz.ch/wp-content/uploads/2013/10/Windows-Restricted-Start-Menu.png"><img src="https://janikvonrotz.ch/wp-content/uploads/2013/10/Windows-Restricted-Start-Menu.png" alt="Windows - Restricted Start Menu"></a></p> <p><a href="https://janikvonrotz.ch/wp-content/uploads/2013/10/Windows-Start-Menu-Result.png"><img src="https://janikvonrotz.ch/wp-content/uploads/2013/10/Windows-Start-Menu-Result.png" alt="Windows - Start Menu Result"></a></p> <p><!-- raw HTML omitted -->Restricted Taskbar<!-- raw HTML omitted --></p> <p>Denie any possiblity to customize the windows taskbar.</p> <p><a href="https://janikvonrotz.ch/wp-content/uploads/2013/10/Windows-Restricted-Taskbar.png"><img src="https://janikvonrotz.ch/wp-content/uploads/2013/10/Windows-Restricted-Taskbar.png" alt="Windows - Restricted Taskbar"></a></p> <p><!-- raw HTML omitted -->SharePoint Icon<!-- raw HTML omitted --></p> <p>Adds a simple icon to the desktop.</p> <p><a href="https://janikvonrotz.ch/wp-content/uploads/2013/10/Windows-SharePoint-Icon.png"><img src="https://janikvonrotz.ch/wp-content/uploads/2013/10/Windows-SharePoint-Icon.png" alt="Windows - SharePoint Icon"></a></p> <p><a href="https://janikvonrotz.ch/wp-content/uploads/2013/10/Windows-Icon-Result.png"><img src="https://janikvonrotz.ch/wp-content/uploads/2013/10/Windows-Icon-Result.png" alt="Windows - Icon Result"></a></p> <!-- raw HTML omitted --> <p><!-- raw HTML omitted -->Delete Cache<!-- raw HTML omitted --></p> <p>Delete the browser cache on exit.</p> <p><a href="https://janikvonrotz.ch/wp-content/uploads/2013/10/Internet-Explorer-Delete-Cache.png"><img src="https://janikvonrotz.ch/wp-content/uploads/2013/10/Internet-Explorer-Delete-Cache.png" alt="Internet Explorer - Delete Cache"></a></p> <p><!-- raw HTML omitted -->Disable Save Passwords<!-- raw HTML omitted --></p> <p>Internet explorer is not allowed to prompt for saving password information.</p> <p><a href="https://janikvonrotz.ch/wp-content/uploads/2013/10/Internet-Explorer-Disable-Save-Passwords.png"><img src="https://janikvonrotz.ch/wp-content/uploads/2013/10/Internet-Explorer-Disable-Save-Passwords.png" alt="Internet Explorer - Disable Save Passwords"></a></p> <p><!-- raw HTML omitted -->Hide Menus<!-- raw HTML omitted --></p> <p>Hide internet explorer menus.</p> <p><a href="https://janikvonrotz.ch/wp-content/uploads/2013/10/Internet-Explorer-Hide-Menus.png"><img src="https://janikvonrotz.ch/wp-content/uploads/2013/10/Internet-Explorer-Hide-Menus.png" alt="Internet Explorer - Hide Menus"></a></p> <p><a href="https://janikvonrotz.ch/wp-content/uploads/2013/10/Internet-Explorer-Result.png"><img src="https://janikvonrotz.ch/wp-content/uploads/2013/10/Internet-Explorer-Result.png" alt="Internet Explorer - Result"></a></p> Find dead SharePoint ActiveDirectory Groups https://janikvonrotz.ch/2013/09/25/find-dead-sharepoint-activedirectory-groups/ Wed, 25 Sep 2013 15:33:07 +0000 https://janikvonrotz.ch/2013/09/25/find-dead-sharepoint-activedirectory-groups/ <p>The are three ways to handle access rights in SharePoint.</p> <!-- raw HTML omitted --> <p>I personally recommend to use the first suggestion. Managing the access rights in one system is much easier to administrate, no switching or log off for administration work.</p> <p>In our SharePoint installation I create for each securable resource and rights type a ActiveDirectory group and assign them organization groups.</p> <p>A huge disadvantage of this strategy is that after a period of adding ActiveDirectory groups it&rsquo;s hard to know which of those groups are really required.</p> <p>I could handle this issue with a simple script which compares all SharePoint ActiveDirectory groups and the All ActiveDirectory groups from a specific OU against.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span>Import-Module ActiveDirectory </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$Domain = <span style="color:#e6db74">&#34;</span>$((Get-ADDomain).Name)<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$ADGroups = Get-ADGroup -Filter <span style="color:#e6db74">&#34;*&#34;</span> -SearchBase <span style="color:#e6db74">&#34;OU=SharePoint,OU=Services,OU=vblusers2,DC=vbl,DC=ch&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$SPGroups = ( </span></span><span style="display:flex;"><span> Get-SPWebs | %{ </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>($_.HasUniqueRoleAssignments){ </span></span><span style="display:flex;"><span> $Url = $_.Url </span></span><span style="display:flex;"><span> $_.RoleAssignments | Where{$_.Member.IsDomainGroup} | %{ $_ | Select-Object @{Name = <span style="color:#e6db74">&#34;Member&#34;</span>; Expression = {$_.member <span style="color:#f92672">-replace</span> ($Domain + <span style="color:#e6db74">&#34;\&#34;</span>),<span style="color:#e6db74">&#34;&#34;</span>}}, @{Name = <span style="color:#e6db74">&#34;Url&#34;</span>; Expression = {$Url}},@{Name = <span style="color:#e6db74">&#34;Type&#34;</span>; Expression = {<span style="color:#e6db74">&#34;Website&#34;</span>}}} </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> )+( </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Get-SPLists | %{ </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>($_.HasUniqueRoleAssignments){ </span></span><span style="display:flex;"><span> $Url = ([<span style="color:#66d9ef">uri</span>]$_.Parentweb.Url).Scheme + <span style="color:#e6db74">&#34;://&#34;</span> + ([<span style="color:#66d9ef">uri</span>]$_.Parentweb.Url).host + $_.DefaultViewUrl </span></span><span style="display:flex;"><span> $_.RoleAssignments | Where{$_.Member.IsDomainGroup} | %{ $_ | Select-Object @{Name = <span style="color:#e6db74">&#34;Member&#34;</span>; Expression = {$_.member <span style="color:#f92672">-replace</span> ($Domain + <span style="color:#e6db74">&#34;\&#34;</span>),<span style="color:#e6db74">&#34;&#34;</span>}}, @{Name = <span style="color:#e6db74">&#34;Url&#34;</span>; Expression = {$Url}},@{Name = <span style="color:#e6db74">&#34;Type&#34;</span>; Expression = {<span style="color:#e6db74">&#34;List&#34;</span>}}} </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$ADGroups | where{ <span style="color:#f92672">-not</span> (($SPGroups | select Member) <span style="color:#f92672">-match</span> $_.Name)} | select name </span></span></code></pre></div><p><a href="https://gist.github.com/6699783">https://gist.github.com/6699783</a></p> <!-- raw HTML omitted --> <!-- raw HTML omitted --> Office365 and ADFS: Activate licenses for users depending on AD group membership https://janikvonrotz.ch/2013/08/13/office365-and-adfs-activate-licenses-for-users-depending-on-ad-group-membership/ Tue, 13 Aug 2013 07:48:44 +0000 https://janikvonrotz.ch/2013/08/13/office365-and-adfs-activate-licenses-for-users-depending-on-ad-group-membership/ <p>On Office365 the users have to be licensed in order to get access to the Office365 application. I&rsquo;ve developed a PowerShell script which add a license depending on the group membership in the ActiveDirectory.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span><span style="color:#75715e">&lt;# </span></span></span><span style="display:flex;"><span><span style="color:#75715e">$Metadata = @{ </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Title = &#34;Set Office365 Licenses by ActiveDirectory Group Membership&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Filename = &#34;Set-O365UserLicensesByADGroup.ps1&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Description = @&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e">Adding license to a Office365 user as long the user is in the correct ActiveDirectory group </span></span></span><span style="display:flex;"><span><span style="color:#75715e">or in the white list, the users is active, the user has a mailbox. </span></span></span><span style="display:flex;"><span><span style="color:#75715e">The script will remove inactive licenses or if necessary replace them. </span></span></span><span style="display:flex;"><span><span style="color:#75715e">&#34;@ </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Tags = &#34;powershell, activedirectory, office365, user, license, activation&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Project = &#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Author = &#34;Janik von Rotz&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> AuthorContact = &#34;https://janikvonrotz.ch&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> CreateDate = &#34;2013-08-13&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> LastEditDate = &#34;2013-09-30&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Url = &#34;https://gist.github.com/janikvonrotz/6218401&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Version = &#34;3.0.0&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> License = @&#39; </span></span></span><span style="display:flex;"><span><span style="color:#75715e">This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Switzerland License. </span></span></span><span style="display:flex;"><span><span style="color:#75715e">To view a copy of this license, visit https://creativecommons.org/licenses/by-sa/3.0/ch/ or </span></span></span><span style="display:flex;"><span><span style="color:#75715e">send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA. </span></span></span><span style="display:flex;"><span><span style="color:#75715e">&#39;@ </span></span></span><span style="display:flex;"><span><span style="color:#75715e">} </span></span></span><span style="display:flex;"><span><span style="color:#75715e">#&gt;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># settings</span> </span></span><span style="display:flex;"><span><span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$UsageLocation = <span style="color:#e6db74">&#34;CH&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$WhiteList = @{ </span></span><span style="display:flex;"><span> UserPrincipalName = <span style="color:#e6db74">&#34;admin@vbluzern.onmicrosoft.com&#34;</span> </span></span><span style="display:flex;"><span> License = <span style="color:#e6db74">&#34;vbluzern:STANDARDPACK&#34;</span> </span></span><span style="display:flex;"><span>}, </span></span><span style="display:flex;"><span>@{ </span></span><span style="display:flex;"><span> UserPrincipalName = <span style="color:#e6db74">&#34;bison.testoff368@vbl.ch&#34;</span> </span></span><span style="display:flex;"><span> License = <span style="color:#e6db74">&#34;vbluzern:STANDARDPACK&#34;</span> </span></span><span style="display:flex;"><span>}, </span></span><span style="display:flex;"><span>@{ </span></span><span style="display:flex;"><span> UserPrincipalName = <span style="color:#e6db74">&#34;bison.test07@vbl.ch&#34;</span> </span></span><span style="display:flex;"><span> License = <span style="color:#e6db74">&#34;vbluzern:STANDARDPACK&#34;</span> </span></span><span style="display:flex;"><span>}, </span></span><span style="display:flex;"><span>@{ </span></span><span style="display:flex;"><span> UserPrincipalName = <span style="color:#e6db74">&#34;bison.test@vbl.ch&#34;</span> </span></span><span style="display:flex;"><span> License = <span style="color:#e6db74">&#34;vbluzern:STANDARDPACK&#34;</span> </span></span><span style="display:flex;"><span>}, </span></span><span style="display:flex;"><span>@{ </span></span><span style="display:flex;"><span> UserPrincipalName = <span style="color:#e6db74">&#34;bison.testoff367@vbl.ch&#34;</span> </span></span><span style="display:flex;"><span> License = <span style="color:#e6db74">&#34;vbluzern:STANDARDPACK&#34;</span> </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$LicenseConfig = @{ </span></span><span style="display:flex;"><span> Name = <span style="color:#e6db74">&#34;SharePoint Online Plan 1&#34;</span> </span></span><span style="display:flex;"><span> License = <span style="color:#e6db74">&#34;vbluzern:SHAREPOINTSTANDARD&#34;</span> </span></span><span style="display:flex;"><span> ADGroupSID = <span style="color:#e6db74">&#34;S-1-5-21-1744926098-708661255-2033415169-37562&#34;</span> <span style="color:#75715e"># SPO_SharePointOnlinePlan1License</span> </span></span><span style="display:flex;"><span> Rule = <span style="color:#e6db74">&#34;&#34;</span> </span></span><span style="display:flex;"><span>}, </span></span><span style="display:flex;"><span>@{ </span></span><span style="display:flex;"><span> Name = <span style="color:#e6db74">&#34;Enterprise Plan 1&#34;</span> </span></span><span style="display:flex;"><span> License = <span style="color:#e6db74">&#34;vbluzern:STANDARDPACK&#34;</span> </span></span><span style="display:flex;"><span> ADGroupSID = <span style="color:#e6db74">&#34;S-1-5-21-1744926098-708661255-2033415169-36657&#34;</span> <span style="color:#75715e"># SPO_365E1License</span> </span></span><span style="display:flex;"><span> Rule = <span style="color:#e6db74">&#34;MailBoxExistOnline&#34;</span> </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># modules</span> </span></span><span style="display:flex;"><span><span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span>Import-Module MSOnline </span></span><span style="display:flex;"><span>Import-Module MSOnlineExtended </span></span><span style="display:flex;"><span>Import-Module ActiveDirectory </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># main</span> </span></span><span style="display:flex;"><span><span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># import credentials</span> </span></span><span style="display:flex;"><span>$Credential = Import-PSCredential $(Get-ChildItem -Path $PSconfigs.Path -Filter <span style="color:#e6db74">&#34;Office365.credentials.config.xml&#34;</span> -Recurse).FullName </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Write-Host <span style="color:#e6db74">&#34;Get Office365 users&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># connect to office365</span> </span></span><span style="display:flex;"><span>Connect-MsolService -Credential $Credential </span></span><span style="display:flex;"><span>$MsolUsers = Get-MsolUser -All </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Write-Host <span style="color:#e6db74">&#34;Get ExchangeOnline mailboxes&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># import session</span> </span></span><span style="display:flex;"><span>$s = New-PSSession -ConfigurationName Microsoft.Exchange ` </span></span><span style="display:flex;"><span> -ConnectionUri https<span style="color:#960050;background-color:#1e0010">:</span>//ps.outlook.com/powershell ` </span></span><span style="display:flex;"><span> -Credential $(Get-Credential -Credential $Credential) ` </span></span><span style="display:flex;"><span> -Authentication Basic ` </span></span><span style="display:flex;"><span> -AllowRedirection </span></span><span style="display:flex;"><span>$EOMailboxes = Invoke-Command -Session $s -ScriptBlock{Get-MailBox} | select UserPrincipalName | %{<span style="color:#e6db74">&#34;</span>$($_.UserPrincipalName)<span style="color:#e6db74">&#34;</span>} </span></span><span style="display:flex;"><span><span style="color:#75715e"># remove session&#34;</span> </span></span><span style="display:flex;"><span>Remove-PSSession $s </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># combine users and their license</span> </span></span><span style="display:flex;"><span>$LicenseAndUser = ($LicenseConfig | </span></span><span style="display:flex;"><span> %{$License = $_ ; Get-ADGroupMember $_.ADGroupSID -Recursive | Get-ADUser | where{$_.Enabled <span style="color:#f92672">-eq</span> $true} | </span></span><span style="display:flex;"><span> %{$_ | select UserPrincipalName, @{Name = <span style="color:#e6db74">&#34;License&#34;</span>; Expression = {$License.License}}, @{Name = <span style="color:#e6db74">&#34;Rule&#34;</span>; Expression = {$License.Rule}}} </span></span><span style="display:flex;"><span> }) + ($WhiteList | select @{Name = <span style="color:#e6db74">&#34;UserPrincipalName&#34;</span>; Expression = {$_.UserPrincipalName}}, </span></span><span style="display:flex;"><span> @{Name = <span style="color:#e6db74">&#34;License&#34;</span>; Expression = {$_.License}}, </span></span><span style="display:flex;"><span> @{Name = <span style="color:#e6db74">&#34;Rule&#34;</span>; Expression = {<span style="color:#e6db74">&#34;&#34;</span>}}) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">foreach</span>($User <span style="color:#66d9ef">in</span> $MsolUsers){ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># first check whitelist</span> </span></span><span style="display:flex;"><span> $Config = $LicenseAndUser | where{$_.UserPrincipalName <span style="color:#f92672">-eq</span> $User.UserPrincipalName} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>(($Config) <span style="color:#f92672">-and</span> ((($Config.Rule <span style="color:#f92672">-eq</span> <span style="color:#e6db74">&#34;MailBoxExistOnline&#34;</span>) <span style="color:#f92672">-and</span> ($EOMailboxes <span style="color:#f92672">-contains</span> $User.UserPrincipalName)) <span style="color:#f92672">-or</span> ($Config.Rule <span style="color:#f92672">-eq</span> <span style="color:#e6db74">&#34;&#34;</span>))){ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>($User.IsLicensed <span style="color:#f92672">-and</span> ($User.Licenses.AccountSkuId <span style="color:#f92672">-ne</span> $Config.License)){ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-Host <span style="color:#e6db74">&#34;Replace Office365 license: </span>$($User.Licenses.AccountSkuId)<span style="color:#e6db74"> with: </span>$($Config.License)<span style="color:#e6db74"> for user: </span>$($User.UserPrincipalName)<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> $User.Licenses | %{Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -RemoveLicenses $_.AccountSkuId} </span></span><span style="display:flex;"><span> Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $Config.License </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> }<span style="color:#66d9ef">elseif</span>($User.IsLicensed){ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-Host <span style="color:#e6db74">&#34;User: </span>$($User.UserPrincipalName)<span style="color:#e6db74"> is already licensed with: </span>$($Config.License)<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> }<span style="color:#66d9ef">else</span>{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-Host <span style="color:#e6db74">&#34;Set Office365 license: </span>$($Config.License)<span style="color:#e6db74"> for user: </span>$($User.UserPrincipalName)<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> Set-MsolUser -UserPrincipalName $User.UserPrincipalName -UsageLocation $UsageLocation </span></span><span style="display:flex;"><span> Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $Config.License </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> }<span style="color:#66d9ef">else</span>{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>($User.IsLicensed){ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-Host <span style="color:#e6db74">&#34;Remove Office365 license: </span>$($User.Licenses.AccountSkuId)<span style="color:#e6db74"> from user: </span>$($User.UserPrincipalName)<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> $User.Licenses | %{Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -RemoveLicenses $_.AccountSkuId} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> }<span style="color:#66d9ef">else</span>{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-Host <span style="color:#e6db74">&#34;User: </span>$($User.UserPrincipalName)<span style="color:#e6db74"> is not allowed&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span>($error){ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Send-PPErrorReport -FileName <span style="color:#e6db74">&#34;DirSync.mail.config.xml&#34;</span> -ScriptName $MyInvocation.InvocationName </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>You&rsquo;ll get your <code>Office365AccountName</code> with this Office365 command <code>Get-MsolAccountSku</code></p> <p>Link to the newest version of this script: <!-- raw HTML omitted --><a href="https://gist.github.com/janikvonrotz/6218401">https://gist.github.com/janikvonrotz/6218401</a><!-- raw HTML omitted --></p> Manage Users in ActiveDirectory with PowerShell https://janikvonrotz.ch/2013/08/09/manage-users-in-activedirectory-with-powershell/ Fri, 09 Aug 2013 10:18:06 +0000 https://janikvonrotz.ch/2013/08/09/manage-users-in-activedirectory-with-powershell/ <p>The PowerShell ActiveDirectory modules from Microsoft are definitely a pain. That&rsquo;s why Quest (Dell) has developed a bunch of <!-- raw HTML omitted -->CMDlets <!-- raw HTML omitted -->to make the user management through PowerShell a lot easier.</p> <p>I would like to show you how I create and update my AD users.</p> <p>As base there&rsquo;s always a CSV file like this one: <!-- raw HTML omitted -->TemplateADUsers<!-- raw HTML omitted --></p> <!-- raw HTML omitted --> <p>To a new user I&rsquo;ll use this script:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Import-Module Quest.ActiveRoles.ArsPowerShellSnapIn </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$ADUsers = Import-CSV <span style="color:#e6db74">&#34;ADUsers.csv&#34;</span> -Delimiter <span style="color:#e6db74">&#34;;&#34;</span> </span></span><span style="display:flex;"><span>$ADUsers | <span style="color:#66d9ef">foreach</span>{ </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>(!(Get-QADUser $_.Name)){ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-Host <span style="color:#e6db74">&#34;Creating User&#34;</span> $_.Name </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># create a new user</span> </span></span><span style="display:flex;"><span> New-QADUser -Name $_.Name ` </span></span><span style="display:flex;"><span> -DisplayName $_.DisplayName ` </span></span><span style="display:flex;"><span> -FirstName $_.givenName ` </span></span><span style="display:flex;"><span> -LastName $_.LastName ` </span></span><span style="display:flex;"><span> -Company $_.company ` </span></span><span style="display:flex;"><span> -PostalCode $_.postalCode ` </span></span><span style="display:flex;"><span> -PostOfficeBox $_.postOfficeBox ` </span></span><span style="display:flex;"><span> -StreetAddress $_.streetAddress ` </span></span><span style="display:flex;"><span> -WebPage $_.wWWHomePage ` </span></span><span style="display:flex;"><span> -City $_.l ` </span></span><span style="display:flex;"><span> -Department $_.department ` </span></span><span style="display:flex;"><span> -Manager $_.manager ` </span></span><span style="display:flex;"><span> -Title $_.title ` </span></span><span style="display:flex;"><span> -Email $_.mail ` </span></span><span style="display:flex;"><span> -UserPrincipalName $_.mail ` </span></span><span style="display:flex;"><span> -ParentContainer $_.OU ` </span></span><span style="display:flex;"><span> -samAccountName $_.samAccountName ` </span></span><span style="display:flex;"><span> -UserPassword $_.Password ` </span></span><span style="display:flex;"><span> -ObjectAttributes @{ </span></span><span style="display:flex;"><span> extensionAttribute1= $_.extensionAttribute1; </span></span><span style="display:flex;"><span> extensionAttribute2 = $_.extensionAttribute2; </span></span><span style="display:flex;"><span> extensionAttribute3 = $_.extensionAttribute3; </span></span><span style="display:flex;"><span> co = $_.co </span></span><span style="display:flex;"><span> c = $_.c </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> }` | </span></span><span style="display:flex;"><span> Set-QADUser -PasswordNeverExpires $true | </span></span><span style="display:flex;"><span> Out-Null </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># update group memberships</span> </span></span><span style="display:flex;"><span> $ADMemberOfs = $_.MemberOf -split <span style="color:#e6db74">&#34;,&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">foreach</span>( $ADMemberOf <span style="color:#66d9ef">in</span> $ADMemberOfs){ </span></span><span style="display:flex;"><span> Write-Host <span style="color:#e6db74">&#34;Add User </span>$($_.Name)<span style="color:#e6db74"> to the group </span>$ADMemberOf<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> Add-QADMemberOf $_.Name -Group $ADMemberOf | Out-Null </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> }<span style="color:#66d9ef">else</span>{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-Host $_.Name <span style="color:#e6db74">&#34;Already exist&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><!-- raw HTML omitted --> <p>To update the users attributes I made this handy script:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Import-Module Quest.ActiveRoles.ArsPowerShellSnapIn </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$ADUsers = Import-CSV <span style="color:#e6db74">&#34;ADUsers.csv&#34;</span> -Delimiter <span style="color:#e6db74">&#34;;&#34;</span> </span></span><span style="display:flex;"><span>$ADUsers | <span style="color:#66d9ef">foreach</span>{ </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>((Get-QADUser $_.Name)){ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">&lt;# change Attributes </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Write-Host &#34;Updating User&#34; $_.Name </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Set-QADUser -Identity $_.Name ` </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> -Company $_.company ` </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> | Out-Null </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> #&gt;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># update group memberships</span> </span></span><span style="display:flex;"><span> $ADMemberOfs = $_.MemberOf -split <span style="color:#e6db74">&#34;,&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">foreach</span>( $ADMemberOf <span style="color:#66d9ef">in</span> $ADMemberOfs){ </span></span><span style="display:flex;"><span> Write-Host <span style="color:#e6db74">&#34;Add User </span>$($_.Name)<span style="color:#e6db74"> to the group </span>$ADMemberOf<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> Add-QADMemberOf $_.Name -Group $ADMemberOf | Out-Null </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> }<span style="color:#66d9ef">else</span>{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-Host $_.Name <span style="color:#e6db74">&#34;doesnt&#39; exist&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><!-- raw HTML omitted --> Handling user password change and expiration issues with Office365 and ADFS - Part 1 https://janikvonrotz.ch/2013/08/08/handling-user-password-change-and-expiration-issues-with-office365-and-adfs-part-1/ Thu, 08 Aug 2013 14:41:37 +0000 https://janikvonrotz.ch/2013/08/08/handling-user-password-change-and-expiration-issues-with-office365-and-adfs-part-1/ <p>Recently I&rsquo;ve setup a Office365 Service with ADFS (Active Directory Federation Service) and a DirSync Server.</p> <p>Sadly I forgot about a huge disadvantage in this architecture, due to using ADFS as an authentication provider, it&rsquo;s not possible to change a users password. The communication form the local ActiveDirectory environment to the cloud based Office365 services is only one directional.</p> <p>That&rsquo;s why there are only 2 options yet to handle the user password change and expiration:</p> <!-- raw HTML omitted --> <p>At this time option 1 is active in my environment and option 2 is my goal.</p> <p>In this post series want to show you the solution I&rsquo;ve developed.</p> <p>Let&rsquo;s start with password expiration. Because Office365 doesn&rsquo;t handle password expiration, that&rsquo;s why I have to use another channel to show the users on which date their passwords expire:  Let&rsquo;s do it with an bulk e-mail job.</p> <!-- raw HTML omitted --> <p>This part isn&rsquo;t a lot of effort. There are 2 requirements, one is a must and the other is optional:</p> <!-- raw HTML omitted --> <p>Now the script:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span><span style="color:#75715e">&lt;# </span></span></span><span style="display:flex;"><span><span style="color:#75715e">$Metadata = @{ </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Title = &#34;Send Password Expiration Reminder&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Filename = &#34;Send-PasswordExpirationReminder.ps1&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Description = &#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Tags = &#34;powershell, script, jobs&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Project = &#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Author = &#34;Janik von Rotz&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> AuthorContact = &#34;http://.janikvonrotz.ch&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> CreateDate = &#34;2013-08-08&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> LastEditDate = &#34;2013-11-25&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Version = &#34;2.1.0&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> License = @&#39; </span></span></span><span style="display:flex;"><span><span style="color:#75715e">This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License. </span></span></span><span style="display:flex;"><span><span style="color:#75715e">To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/3.0/ or </span></span></span><span style="display:flex;"><span><span style="color:#75715e">send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA. </span></span></span><span style="display:flex;"><span><span style="color:#75715e">&#39;@ </span></span></span><span style="display:flex;"><span><span style="color:#75715e">} </span></span></span><span style="display:flex;"><span><span style="color:#75715e">#&gt;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">try</span>{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># modules</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#--------------------------------------------------# </span> </span></span><span style="display:flex;"><span> Import-Module ActiveDirectory </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># settings</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#--------------------------------------------------# </span> </span></span><span style="display:flex;"><span> $TriggerDays = <span style="color:#ae81ff">25</span>, <span style="color:#ae81ff">10</span>, <span style="color:#ae81ff">5</span>, <span style="color:#ae81ff">1</span> </span></span><span style="display:flex;"><span> $SendLinkOnDays = <span style="color:#ae81ff">25</span>,<span style="color:#ae81ff">10</span>, <span style="color:#ae81ff">5</span>, <span style="color:#ae81ff">1</span> </span></span><span style="display:flex;"><span> $DaysBeforeDisablingUsersWithPasswordNeverExpires = <span style="color:#ae81ff">180</span> </span></span><span style="display:flex;"><span> $ADGroup = <span style="color:#e6db74">&#34;S-1-5-21-1744926098-708661255-2033415169-36648&#34;</span> <span style="color:#75715e"># Memberof GroupName should be &#34;SPO_PasswordNotification&#34; </span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># main</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># get mail config </span> </span></span><span style="display:flex;"><span> $Mail = Get-PPConfiguration $PSconfigs.Mail.<span style="color:#66d9ef">Filter</span> | %{$_.Content.Mail | where{$_.Name <span style="color:#f92672">-eq</span> <span style="color:#e6db74">&#34;PasswordReminder&#34;</span>}} | select -first <span style="color:#ae81ff">1</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># get days until password expires</span> </span></span><span style="display:flex;"><span> $MaxDays = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>($MaxDays <span style="color:#f92672">-le</span> <span style="color:#ae81ff">0</span>){<span style="color:#66d9ef">throw</span> <span style="color:#e6db74">&#34;Domain &#39;MaximumPasswordAge&#39; password policy is not configured.&#34;</span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Set days when an email should be sent to inform the users</span> </span></span><span style="display:flex;"><span> $TriggerDays = <span style="color:#ae81ff">25</span>, <span style="color:#ae81ff">10</span>, <span style="color:#ae81ff">5</span>, <span style="color:#ae81ff">1</span> </span></span><span style="display:flex;"><span> $SendLinkOnDays = <span style="color:#ae81ff">25</span>,<span style="color:#ae81ff">10</span>, <span style="color:#ae81ff">5</span>, <span style="color:#ae81ff">1</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">foreach</span>($TriggerDay <span style="color:#66d9ef">in</span> $TriggerDays){ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Memberof GroupName should be &#34;SPO_PasswordNotification&#34; </span> </span></span><span style="display:flex;"><span> Get-ADGroupMember $ADGroup -Recursive | </span></span><span style="display:flex;"><span> Get-ADUser -Properties Enabled, lastLogonTimestamp, PasswordNeverExpires, PasswordLastSet, Mail, DisplayName | </span></span><span style="display:flex;"><span> Select *, @{L = <span style="color:#e6db74">&#34;PasswordExpires&#34;</span>;E = { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>($_.PasswordNeverExpires){ </span></span><span style="display:flex;"><span> $DaysBeforeDisablingUsersWithPasswordNeverExpires - ((Get-Date) - ($_.PasswordLastSet)).Days </span></span><span style="display:flex;"><span> }<span style="color:#66d9ef">else</span>{ </span></span><span style="display:flex;"><span> $MaxDays - ((Get-Date) - ($_.PasswordLastSet)).Days </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> }} | </span></span><span style="display:flex;"><span> where{($_.Enabled <span style="color:#f92672">-eq</span> $true) <span style="color:#f92672">-and</span> ($_.PasswordExpires <span style="color:#f92672">-eq</span> $TriggerDay)} | %{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># set subject</span> </span></span><span style="display:flex;"><span> $Subject = <span style="color:#e6db74">&#34;Passwort Erinnerung: </span>$($_.DisplayName)<span style="color:#e6db74"> ihr Passwort läuft in </span>$($_.PasswordExpires)<span style="color:#e6db74"> Tagen ab&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> $BodyFont = <span style="color:#e6db74">&#34;font-size: 11pt; font-family: Calibri&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># create mail message</span> </span></span><span style="display:flex;"><span> $Body = <span style="color:#e6db74">&#34;&lt;p style = &#34;&#34;</span>$BodyFont<span style="color:#e6db74">&#34;&#34;&gt;Guten Tag </span>$($_.DisplayName)<span style="color:#e6db74"> &lt;br/&gt; &lt;br/&gt; Ihr Passwort läuft am </span>$(Get-Date (Get-Date).AddDays($_.PasswordExpires) -Format D)<span style="color:#e6db74"> ab.&lt;/b&gt;&lt;/p&gt;&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>($SendLinkOnDays <span style="color:#f92672">-contains</span> $TriggerDay){ </span></span><span style="display:flex;"><span> $Body += <span style="color:#e6db74">&#34;&lt;p style = &#34;&#34;</span>$BodyFont<span style="color:#e6db74">&#34;&#34;&gt;Bitte ändern Sie das Passwort bevor es abläuft. Rufen Sie dazu die folgende Seite auf: &lt;a href=&#34;&#34;https://vbluzern.sharepoint.com/Support/_layouts/15/start.aspx#/SitePages/Passwortwechsel.aspx&#34;&#34; target=&#34;&#34;_blank&#34;&#34;&gt;Link&lt;/a&gt;&lt;/p&gt;&#34;</span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> $Body += <span style="color:#e6db74">&#34;&lt;p style = &#34;&#34;</span>$BodyFont<span style="color:#e6db74">&#34;&#34;&gt;ACHTUNG! Dieses E-Mail wurde von einem unbeaufsichtigtem Konto verschickt, Antworten an den Sender dieser E-Mail werden nicht bearbeitet.&lt;/p&gt;&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># send mail</span> </span></span><span style="display:flex;"><span> Write-PPEventLog <span style="color:#e6db74">&#34;</span>$($MyInvocation.InvocationName)<span style="color:#ae81ff">`n`n</span><span style="color:#e6db74">Send password reminder to </span>$($_.Mail)<span style="color:#e6db74">&#34;</span> -WriteMessage -Source <span style="color:#e6db74">&#34;Send Password Expiration Reminder&#34;</span> </span></span><span style="display:flex;"><span> Send-MailMessage -To $_.Mail -From $mail.FromAddress -Subject $Subject -Body $Body -SmtpServer $Mail.OutSmtpServer -BodyAsHtml -Priority High -Encoding ([<span style="color:#66d9ef">System.Text.Encoding</span>]::UTF8) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>}<span style="color:#66d9ef">catch</span>{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-PPErrorEventLog -Source <span style="color:#e6db74">&#34;Send Password Expiration Reminder&#34;</span> -ClearErrorVariable </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p><a href="https://gist.github.com/6184059">https://gist.github.com/6184059</a></p> <p>For the memberof Group I recommend to use the SID instead of the DN. I&rsquo;ll show you how the get the SID:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>PS C:Userssa-spadmin&gt; (Get-QADGroup <span style="color:#e6db74">&#34;SPO_PasswordNotification&#34;</span>).Sid </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> BinaryLength AccountDomainSid Value </span></span><span style="display:flex;"><span> ------------ ---------------- ----- </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">28</span> S-<span style="color:#ae81ff">1</span>-<span style="color:#ae81ff">5</span>-<span style="color:#ae81ff">21</span>-<span style="color:#ae81ff">1744926098</span>-<span style="color:#ae81ff">708661255</span>-<span style="color:#ae81ff">2033415169</span> S-<span style="color:#ae81ff">1</span>-<span style="color:#ae81ff">5</span>-<span style="color:#ae81ff">21</span>-<span style="color:#ae81ff">1744926098</span>-<span style="color:#ae81ff">708661255</span>-<span style="color:#ae81ff">2033415169</span>-<span style="color:#ae81ff">36648</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>PS C:Userssa-spadmin&gt; Get-QADUser -MemberOf <span style="color:#e6db74">&#34;S-1-5-21-1744926098-708661255-2033415169-36648&#34;</span> </span></span></code></pre></div><!-- raw HTML omitted --> <p>Part two: <!-- raw HTML omitted --><a href="https://janikvonrotz.ch/2013/09/23/handling-user-password-change-and-expiration-issues-withoffice365-and-adfs-part-2/">https://janikvonrotz.ch/2013/09/23/handling-user-password-change-and-expiration-issues-withoffice365-and-adfs-part-2/</a><!-- raw HTML omitted --></p> Active Directory User Reporting https://janikvonrotz.ch/2013/07/25/active-directory-user-reporting/ Thu, 25 Jul 2013 10:49:32 +0000 https://janikvonrotz.ch/2013/07/25/active-directory-user-reporting/ <p>This is a simple example of how to create a report of your Active Directory users. The first command imports the PowerShell Active Directory module, which should be installed by default, otherwhise do this:</p> <p><img src="https://janikvonrotz.ch/wp-content/uploads/2013/07/2013-07-25-11_43_24-Windows-Funktionen.png" alt="Install PowerShell Active Directory Module"></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span>Import-Module ActiveDirectory </span></span><span style="display:flex;"><span>Get-ADUser -Filter {EmailAddress <span style="color:#f92672">-like</span> <span style="color:#e6db74">&#34;*&#34;</span>} -Properties * | select DisplayName, GivenName, Name, Surname, mail, SamAccountName, Department, Title, extensionAttribute1, extensionAttribute2 | Out-GridView </span></span></code></pre></div><p>And the second command creates a simple report.</p>