I got a request the other day for a script that can export members of nested Active Directory groups.
They wanted the export to be more or less in the same format as a file structure.
The results are therefore returned as strings in the following format:
Group \ SubGroup1 \ SubGroup2 \ User1 (SamAccountName)
Group \ SubGroup1 \ SubGroup2 \ User2 (SamAccountName)
Group \ SubGroup1 \ SubGroup2 \ User3 (SamAccountName)
and so on. I thought that someone else might try to achieve a similar task, so I uploaded the code to PoshCode.org here.
Also, I wrote a quick and simple GUI for this, which is also available at PoshCode.org here. It looks like this:
The form makes it simpler for end users to use.
Both require the Active Directory module, and the GUI requires PowerShell v3 or higher.
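For readers who want to see how such an export can be built, here is an added sketch. It is not the script published on PoshCode.org. It walks nested groups recursively and emits the path format shown above, stopping when a group is nested inside itself so the recursion cannot loop. The function names, the `-GetMembers` lookup parameter and the sample directory are hypothetical and constructed for illustration. Printing the member's Name before the SamAccountName in parentheses is an assumption about the format. `[pscustomobject]` needs PowerShell v3 or higher.

```powershell
# Added example (not the PoshCode.org script). All names here are hypothetical.
function Get-NestedGroupPath {
    param(
        [Parameter(Mandatory)] $Group,                    # needs Name, DistinguishedName
        [Parameter(Mandatory)] [scriptblock] $GetMembers, # group DN -> direct members
        [string]   $Path,                                 # breadcrumb built so far
        [string[]] $Visited = @()                         # group DNs on this branch
    )
    $here = if ($Path) { "$Path \ $($Group.Name)" } else { $Group.Name }

    # Circular nesting (A -> B -> A) would recurse forever: flag it and stop.
    if ($Visited -contains $Group.DistinguishedName) {
        "$here (circular nesting, not expanded)"
        return
    }
    $Visited += $Group.DistinguishedName   # += makes a local copy, siblings unaffected

    foreach ($m in @(& $GetMembers $Group.DistinguishedName)) {
        if ($null -eq $m) { continue }     # empty group: nothing to list
        if ($m.objectClass -eq 'group') {
            Get-NestedGroupPath -Group $m -GetMembers $GetMembers -Path $here -Visited $Visited
        } else {
            "$here \ $($m.Name) ($($m.SamAccountName))"
        }
    }
}

# Constructed sample directory; GroupC contains GroupA to exercise the loop guard.
function New-Entry($Name, $Class, $Sam) {
    [pscustomobject]@{ Name = $Name; DistinguishedName = "CN=$Name"
                       objectClass = $Class; SamAccountName = $Sam }
}
$sample = @{
    'CN=GroupA' = @((New-Entry 'GroupB' 'group' 'GroupB'), (New-Entry 'Alice' 'user' 'alice'))
    'CN=GroupB' = @((New-Entry 'GroupC' 'group' 'GroupC'), (New-Entry 'Bob' 'user' 'bob'))
    'CN=GroupC' = @((New-Entry 'GroupA' 'group' 'GroupA'), (New-Entry 'Carol' 'user' 'carol'))
}
Get-NestedGroupPath -Group (New-Entry 'GroupA' 'group' 'GroupA') -GetMembers { param($dn) $sample[$dn] }

# Against a real domain (requires the ActiveDirectory module):
# Get-NestedGroupPath -Group (Get-ADGroup 'GroupA') `
#     -GetMembers { param($dn) Get-ADGroupMember -Identity $dn }
```

Because every line carries the full chain of groups, an access review can see through which nesting a given account ends up in the top-level group.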
This can be quite hard in a large organisation. It’s one thing to migrate the ACLs to Office 365 one time, it’s another thing to keep them updated.
At least I was kind of lost on how to tackle this problem in the beginning.
This is probably not the perfect solution, but it saves us a lot of time!
Short version (everything in the list below is done by PowerShell):
The shared mailbox user account gets created by a PowerShell script that reads the output of the order form (which currently gets approved/created by helpdesk).
An access group gets created
An owner group gets created
The ACLs of the access group are changed so the owner group has access to change its members, and the “Managed By” attribute is set.
The owner group becomes a member of another group, which gives access to a PowerShell form published in our Citrix farm. This form is used for managing the membership of the mailbox access group.
The owner (typically the person who ordered the mailbox) gets added to Owner-group and Access-group.
Another script looks for new access groups and shared mailboxes, finds it in Exchange Online/Azure, creates the shared mailbox and assigns the “Full Access/Send As”-rights to the “access group”.
All the ACLs are verified to make sure everything went according to plan.
If everything has been done correctly, an e-mail gets sent to the members of the “owner-group” with a link to a guide explaining where to find the Citrix app (PowerShell form), how to add the new mailbox in Outlook, etc.
The PowerShell-form, when started by a user, finds all the “Owner-groups” the current user is a member of and lists the corresponding mailboxes in a droplist. When a mailbox is selected, it lists the members and allows the user to add new ones and remove current ones.
You search by entering a name, e-mail address or SamAccountName. The search runs “in real time” (OnChange), with no search button.
Here’s a screenshot of the form when started:
This is how it looks when a mailbox is selected: (sorry for all the blurring…)
This allows any user to manage their own mailbox in an easy and user-friendly way, and they don't need to contact helpdesk every time someone else needs access to the mailbox, or needs to be removed.
And that’s it! 🙂
I will try to do some blog posts on the steps involved in this process, at least those that were kind of tricky to achieve. (Setting ACLs in AD was not as straightforward as I thought…)
Any code that I think is applicable for someone else will of course be published!
During our migration to Office 365, we ran into an issue with creating Master Lists for the migration tool. The tool just creates one huge file with all of the users in it, but we want to migrate them based on different things like mailbox size, where in the organisation they are and so on.
When we have the users we want to migrate in a list, we need to split that list up for scalability reasons (multiple migration tool servers), and since the files need to be formatted in a quite specific way, this was becoming a pain…
What better way to fix this problem than with a PowerShell form?
Just browse for the master TSV file, and the columns found in the file will be automatically populated in the droplist. Choose which one you want to do the matching on (in our case targetaddress, same as e-mail/UPN):
Select the other settings, should be pretty obvious:
And hit “Build file(s)”, and watch it go:
If you just want to split the master file, that’s possible as well. Just tick that box and hit the Build button:
I hope someone else might have use of this little form!
The code is available here and it requires at least PowerShell v3 to run properly.