
Active Directory: List users in nested groups

I like the best practices when it comes to assigning groups and users to resources (users go into groups, groups get the permissions), but unfortunately you can't see at first glance which user actually ends up with access, or which user is reachable only through a chain of nested groups. Therefore I have written a small script that recursively resolves groups, the permissions on a folder, or the permissions on a mailbox down to the individual users. Not a big deal, but sometimes quite helpful. Here is a screenshot:

Here is the script. Simply copy it into a .PS1 file and execute it. If mailboxes are to be queried, the script must be run in the Exchange Management Shell; otherwise the Active Directory PowerShell module (part of RSAT) is sufficient. One caveat: Get-ADGroupMember -Recursive goes through Active Directory Web Services, which by default refuses to return more than 5000 members for a single group (MaxGroupOrMemberEntries), so for very large groups the query fails with a size-limit error rather than returning a partial list.

<#
---------------------------------------------------------------------------
Script for recursively resolving groups
www.frankysweb.de

by Frank Zöchling
Version 0.1

---------------------------------------------------------------------------
#>

Import-Module ActiveDirectory

# Resolve one identity (DOMAIN\name or a bare sAMAccountName) to the users behind it.
# A group is expanded recursively; a user that was granted access directly is returned
# as-is. Well-known non-domain principals (BUILTIN, NT AUTHORITY and their German
# equivalents, NT SERVICE, raw SIDs of orphaned accounts) are skipped, as are names
# that do not resolve to a domain object. An optional $Rights string is carried along
# into the output so that folder permissions can be shown next to each user.
function Resolve-Identity {
    param(
        [string]$Identity,
        [string]$Rights
    )

    if ($Identity -match '^(NT AUTHORITY|NT-AUTORITÄT|BUILTIN|VORDEFINIERT|NT SERVICE)\\' -or $Identity -match '^S-1-5-') {
        return
    }

    $name   = ($Identity -split '\\')[-1]
    $object = Get-ADObject -Filter { sAMAccountName -eq $name } -Properties sAMAccountName
    if ($null -eq $object) {
        Write-Warning "'$Identity' is not a domain object and was skipped."
        return
    }

    if ($object.ObjectClass -eq 'group') {
        # -Recursive walks the whole nesting tree and returns only the leaf objects (users, computers)
        $members = Get-ADGroupMember -Identity $object.DistinguishedName -Recursive
    }
    else {
        $members = @($object)
    }

    foreach ($member in $members) {
        $props = [ordered]@{
            Name              = $member.Name
            sAMAccountName    = $member.SamAccountName
            distinguishedName = $member.DistinguishedName
        }
        if ($Rights) { $props.Rights = $Rights }
        New-Object PSObject -Property $props
    }
}

# Build menu
Write-Host ""
Write-Host "Visit my website: www.FrankysWeb.de" -ForegroundColor Green
Write-Host ""
Write-Host "For which type should groups be resolved?"
Write-Host ""
Write-Host " 1 - Group"
Write-Host " 2 - Folder"
Write-Host " 3 - Mailbox"
Write-Host ""
Write-Host " 0 - Exit"
Write-Host ""

# Query option (repeat until the input is a number between 0 and 3)
do {
    try {
        $numOK = $true
        [int]$option = Read-Host "Choose an option"
    }
    catch { $numOK = $false }
}
until ($numOK -and $option -ge 0 -and $option -le 3)

#---------------------------------------------------------

# Option 1 (group)
if ($option -eq 1) {
    Write-Host ""
    $group = Read-Host "Group (sAMAccountName)"
    $users = @(Resolve-Identity -Identity $group)
    $users | Sort-Object Name -Unique | Format-Table -AutoSize
}

# Option 2 (folder)
if ($option -eq 2) {
    Write-Host ""
    $folder = Read-Host "Folder path"
    if (-not (Test-Path -LiteralPath $folder)) {
        Write-Warning "Folder '$folder' not found."
        return
    }
    $acl   = (Get-Acl -LiteralPath $folder).Access
    $users = @()
    foreach ($entry in $acl) {
        # Keep Allow and Deny visible: a Deny ACE listed as plain "FullControl" would be misleading
        $rights = "$($entry.AccessControlType): $($entry.FileSystemRights)"
        $users += Resolve-Identity -Identity ([string]$entry.IdentityReference) -Rights $rights
    }
    $users | Sort-Object Rights, Name | Format-Table -AutoSize
}

# Option 3 (mailbox) - requires the Exchange Management Shell
if ($option -eq 3) {
    Write-Host ""
    $mailbox = Read-Host "Mailbox"
    # FullAccess grants only; Deny entries are dropped, and the NT AUTHORITY\SELF entry is
    # filtered out by Resolve-Identity
    $acl = Get-MailboxPermission -Identity $mailbox |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.Deny }
    $users = @()
    foreach ($entry in $acl) {
        $users += Resolve-Identity -Identity ([string]$entry.User)
    }
    $users | Sort-Object Name -Unique | Format-Table -AutoSize
}

# Option 0 (exit)
if ($option -eq 0) {
    Write-Host ""
    Write-Host "Exited."
    Write-Host ""
}

By the way, the $users object always holds the resolved users, in case you want to extend the script...
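The script tells you who ends up in a group, but not through which chain of nested groups the membership arrives, which is usually the next question when cleaning up. The function below is an added example, not part of the original script, that prints that chain for every user. It uses only ADSI (System.DirectoryServices), so it runs in a plain PowerShell session on a domain-joined machine without the ActiveDirectory module or the Exchange shell. It also guards against nesting loops (group A in group B in group A), which a naive recursion would follow forever. The function name Get-NestedGroupChain and the group name in the usage line are invented for this example.

```powershell
# Added example (not from the original page): print the nesting chain for every user
# that is, directly or indirectly, a member of a group. ADSI only, no RSAT needed.
# Assumes a domain-joined machine and a domain account that can read the directory.
function Get-NestedGroupChain {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$GroupName   # sAMAccountName of the top-level group
    )

    # Escape the characters that carry meaning inside an LDAP filter (RFC 4515),
    # so a group name taken from user input cannot change the query.
    function Escape-LdapFilterValue([string]$Value) {
        $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
    }

    # Resolve the starting group to its distinguishedName in the current domain.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$(Escape-LdapFilterValue $GroupName)))"
    $hit = $searcher.FindOne()
    if ($null -eq $hit) { throw "Group '$GroupName' not found in the current domain." }
    $startDn = [string]$hit.Properties['distinguishedname'][0]

    # Depth-first walk over the 'member' attribute. $PathDns is the chain of group DNs
    # that led here; meeting a DN that is already on it means the groups form a loop,
    # so that branch is cut instead of recursing forever. $PathNames mirrors $PathDns
    # with sAMAccountNames for readable output.
    function Walk([string]$Dn, [string[]]$PathDns, [string[]]$PathNames) {
        if ($PathDns -contains $Dn) {
            Write-Warning "Nesting loop: $($PathNames -join ' > ') > $Dn"
            return
        }
        $entry = [ADSI]("LDAP://" + $Dn.Replace('/', '\/'))
        $name  = [string]$entry.sAMAccountName
        if (-not $name) { $name = [string]$entry.name }   # contacts / foreign principals have no sAMAccountName
        $class = @($entry.objectClass)[-1]                # the most specific class is listed last

        if ($class -eq 'group') {
            foreach ($memberDn in @($entry.member)) {
                Walk $memberDn ($PathDns + $Dn) ($PathNames + $name)
            }
        }
        else {
            # Leaf object (user, computer, contact, foreign principal): one row per distinct
            # chain, so a user reached via two different paths shows up twice, on purpose.
            [PSCustomObject]@{
                sAMAccountName    = $name
                objectClass       = $class
                Chain             = ($PathNames + $name) -join ' > '
                distinguishedName = $Dn
            }
        }
    }

    Walk $startDn @() @()
}

# Usage (the group name is a constructed example; use one from your own domain):
# Get-NestedGroupChain -GroupName 'Finance-Share-RW' | Sort-Object sAMAccountName | Format-Table -AutoSize
```

Two things to keep in mind when using it. Reading `member` through a single DirectoryEntry returns at most one range of values (1500 by default), so for groups larger than that you need ranged retrieval or a different approach. If you only need the flat list of users and not the chain, the server-side filter `(memberOf:1.2.840.113556.1.4.1941:=<group DN>)` (LDAP_MATCHING_RULE_IN_CHAIN), for example via `Get-ADUser -LDAPFilter`, lets the domain controller resolve the nesting and any loops in one query.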
