I like the best practices for assigning groups and users to resources, but unfortunately you can't see at first glance which user actually has access, or which user sits somewhere in a chain of nested groups. So I have written a small script that recursively resolves groups, folder permissions and mailbox permissions down to the individual users. Not a big deal, but sometimes quite helpful. Here is a screenshot:
Here is the script. Simply copy it into a .PS1 file and execute it. If mailboxes are to be queried, the script must be run in the Exchange Management Shell; otherwise the normal Active Directory module for Windows PowerShell is sufficient.
<#
----------------------------------------------------------
Script for recursively resolving groups
www.frankysweb.de by Frank Zöchling
Version 0.1
----------------------------------------------------------
#>

# Build menu
write-host ""
write-host "Visit my website: www.FrankysWeb.de" -foregroundcolor green
write-host ""
write-host "For which type should groups be resolved?"
write-host ""
write-host " 1 - Group"
write-host " 2 - Folder"
write-host " 3 - Mailbox"
write-host ""
write-host " 0 - Exit"
write-host ""

# Query option (repeat until a number from 0 to 3 is entered)
do {
    try {
        $numOk = $true
        [int]$option = Read-host "Select option"
    } # end try
    catch { $numOk = $false }
} # end do
until (($option -ge 0 -and $option -lt 4) -and $numOk)

#---------------------------------------------------------
$ErrorActionPreference = "SilentlyContinue"
# PowerShell 3+ autoloads the module; explicit import for older shells
Import-Module ActiveDirectory

# Well-known identities to skip (English and German display names);
# "\\" inside double quotes is a literal backslash for the regex
$wellKnown = "^(NT AUTHORITY|NT-AUTORITÄT|BUILTIN|VORDEFINIERT)\\"

# Resolve a name from an ACL entry: members of the group if it is a group,
# otherwise the user itself, so directly assigned users are not lost
function Resolve-Members([string]$Name)
{
    if (-not $Name) { return }
    $adGroup = Get-ADGroup -Filter "sAMAccountName -eq '$Name'"
    if ($adGroup) { return Get-ADGroupMember $adGroup -Recursive }
    return Get-ADUser -Filter "sAMAccountName -eq '$Name'"
}

# Option 1 (group)
if ($option -eq 1)
{
    write-host ""
    $group = read-host "Specify group"
    $members = Get-ADGroupMember "$group" -recursive
    $users = @()
    foreach ($member in $members)
    {
        $users += new-object PSObject -property @{
            Name              = $member.Name
            sAMAccountName    = $member.SamAccountName
            distinguishedName = $member.DistinguishedName
        }
    }
    $users | sort-object Name -unique | ft -autosize
}

# Option 2 (folder)
if ($option -eq 2)
{
    write-host ""
    $folder = read-host "Specify folder"
    $acl = (get-acl $folder).Access
    $acl = $acl | where { $_.IdentityReference -notmatch $wellKnown }
    $users = @()
    foreach ($entry in $acl)
    {
        # IdentityReference is "DOMAIN\name"; keep only the name part
        [string]$group = ([string]$entry.IdentityReference).Split("\")[-1]
        $rights = $entry.FileSystemRights
        foreach ($member in (Resolve-Members $group))
        {
            $users += new-object PSObject -property @{
                Name              = $member.Name
                sAMAccountName    = $member.SamAccountName
                distinguishedName = $member.DistinguishedName
                Rights            = "$rights"
            }
        }
    }
    $users | sort-object Rights | ft -autosize
}

# Option 3 (mailbox) - requires the Exchange Management Shell
if ($option -eq 3)
{
    write-host ""
    $mailbox = read-host "Specify mailbox"
    $acl = Get-MailboxPermission $mailbox | where { $_.AccessRights -eq "FullAccess" -and $_.User -notmatch $wellKnown }
    $users = @()
    foreach ($entry in $acl)
    {
        # User is "DOMAIN\name"; keep only the name part
        [string]$group = ([string]$entry.User).Split("\")[-1]
        foreach ($member in (Resolve-Members $group))
        {
            $users += new-object PSObject -property @{
                Name              = $member.Name
                sAMAccountName    = $member.SamAccountName
                distinguishedName = $member.DistinguishedName
            }
        }
    }
    $users | sort-object Name -unique | ft -autosize
}

# Option 0 (Exit)
if ($option -eq 0)
{
    write-host ""
    write-host "Finished."
    write-host ""
}
By the way, the $users array always contains the resolved users, which is the place to start if you want to extend the script...
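The nesting chain mentioned at the top is exactly what Get-ADGroupMember -Recursive flattens away. As an added example (not part of the original script), the function below walks the groups level by level and reports, for each user, the chain of groups that grants the membership; it assumes the ActiveDirectory module, and 'Share-Finance-RW' is a placeholder group name.

```powershell
# Added example, not from the original post: list a group's users together with the
# nesting chain that grants them membership. Get-ADGroupMember -Recursive flattens the
# tree, so the chain is lost; walking one level at a time keeps it.
# Assumes the ActiveDirectory module; 'Share-Finance-RW' is a placeholder group name.
Import-Module ActiveDirectory

function Get-MemberChain {
    param(
        [Parameter(Mandatory)][string]$Group,   # name or distinguishedName
        [string[]]$Chain = @(),                 # group names on the way down
        [string[]]$Visited = @()                # DNs on the current path (cycle guard)
    )
    $adGroup = Get-ADGroup -Identity $Group
    # Nested groups can form loops (A contains B, B contains A); stop on repetition
    if ($Visited -contains $adGroup.DistinguishedName) { return }
    $Visited += $adGroup.DistinguishedName
    $Chain   += $adGroup.Name

    foreach ($member in (Get-ADGroupMember -Identity $adGroup)) {
        if ($member.objectClass -eq 'group') {
            # Recurse one level; the same user may be reached via several chains
            Get-MemberChain -Group $member.DistinguishedName -Chain $Chain -Visited $Visited
        } else {
            [PSCustomObject]@{
                Name           = $member.Name
                sAMAccountName = $member.SamAccountName
                Depth          = $Chain.Count
                Chain          = ($Chain -join ' > ')
            }
        }
    }
}

Get-MemberChain -Group 'Share-Finance-RW' |
    Sort-Object Depth, Name |
    Format-Table Name, sAMAccountName, Depth, Chain -AutoSize
```

A user who appears more than once is granted access through several chains, which is usually the first thing to review when cleaning up nested groups.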
Mega cool, Franky,
do you have any idea how to put all the groups into a file and then read them all out?
I have already integrated the file export.
Regards,
ChrisIO