Exchange Server Share

… Information sharing on Exchange Server …


How To: Find All Mailboxes with Send-As Permission Assigned

Here is another frequently asked question: how do you find all the mailboxes that have Send-As permission assigned? The answer is useful for review and auditing purposes.

Let’s take an example.

I have given Send-As permission to the Tank, Amit M (User ID: ESS-Test\atank) account on the users below.

Miller, Alex T
Ross, Colin T

Now, use the command below to list all mailboxes that have any Send-As permission assigned on them.

Get-Mailbox | Get-ADPermission | where {($_.ExtendedRights -like "*Send-As*")} | FT -Wrap

You will notice, however, that the output also shows the Send-As permission assigned to SELF on every mailbox.

You can exclude the SELF entries from the output with the command below.

Get-Mailbox | Get-ADPermission | where {($_.ExtendedRights -like "*Send-As*") -and -not ($_.User -like "NT AUTHORITY\SELF")} | FT -Wrap

If inherited Send-As permissions also appear in the output, you can exclude them with the command below.

Get-Mailbox | Get-ADPermission | where {($_.ExtendedRights -like "*Send-As*") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF")} | FT -Wrap

You can filter the output as required, for example by server or database, by OU, or by a particular recipient type.

To limit the output to all users on one server, here is an example.

Get-Mailbox -Server "ESS-Exch702" | Get-ADPermission | where { ($_.ExtendedRights -like "*Send-As*") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") } | ft -wrap

In the same way, you can use the switches below to filter the output.

-Database
-RecipientTypeDetails
-OrganizationalUnit

To produce a report for a spreadsheet, export the result to a CSV file.

Get-Mailbox | Get-ADPermission | where { ($_.ExtendedRights -like "*Send-As*") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") } | Select Identity, User, Deny | Export-CSV test.csv
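For a recurring review, the same filter can be compared against a list of grants that were already approved, so that only new Send-As grants stand out. The following is an added example, not part of the original post: Find-UnapprovedSendAs, New-SampleAce, the "Identity|User" baseline format and all sample entries are constructed for illustration. In EMS, pass (Get-Mailbox | Get-ADPermission) as -Permission in place of the sample objects.

```powershell
# Added example: list explicit Send-As grants that are not on an approved list.
# Find-UnapprovedSendAs, New-SampleAce and the sample entries are hypothetical.
function Find-UnapprovedSendAs {
    param(
        [object[]]$Permission,  # objects shaped like Get-ADPermission output
        [string[]]$Approved     # approved grants as "Identity|User" strings
    )
    # Same filter as the commands above, plus one extra condition:
    # Deny entries are skipped because they grant nothing.
    $Permission |
        Where-Object {
            ($_.ExtendedRights -like '*Send-As*') -and
            ($_.IsInherited -eq $false) -and
            ($_.Deny -eq $false) -and
            ($_.User -notlike 'NT AUTHORITY\SELF')
        } |
        Where-Object { $Approved -notcontains ('{0}|{1}' -f $_.Identity, $_.User) } |
        Select-Object Identity, User
}

# Constructed stand-in for one Get-ADPermission entry, so the example runs without Exchange.
function New-SampleAce($Identity, $User, $Rights, $Inherited, $Deny) {
    New-Object PSObject -Property @{
        Identity = $Identity; User = $User; ExtendedRights = $Rights
        IsInherited = $Inherited; Deny = $Deny
    }
}

$sample = @(
    (New-SampleAce 'ESS-Test.com/Users/Miller, Alex T' 'NT AUTHORITY\SELF' @('Send-As') $false $false),
    (New-SampleAce 'ESS-Test.com/Users/Miller, Alex T' 'ESS-Test\atank'    @('Send-As') $false $false),
    (New-SampleAce 'ESS-Test.com/Users/Ross, Colin T'  'ESS-Test\atank'    @('Send-As') $false $false),
    (New-SampleAce 'ESS-Test.com/Users/Ross, Colin T'  'ESS-Test\svc-app'  @('Send-As') $true  $false),
    (New-SampleAce 'ESS-Test.com/Users/Ross, Colin T'  'ESS-Test\temp01'   @('Send-As') $false $true)
)

# Grants that were reviewed and accepted earlier (constructed).
$approved = @('ESS-Test.com/Users/Miller, Alex T|ESS-Test\atank')

# Show every explicit, non-SELF, non-Deny grant that is missing from the approved list.
Find-UnapprovedSendAs -Permission $sample -Approved $approved | Format-Table -AutoSize
```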


Written by Amit Tank

September 1, 2008 at 8:50 am

Exchange 2007 & Display Name Format

Here is another good question asked on the TechNet forum about “Exchange 2007 & Display Name”: how do you change the display name format from <First Name> <Initial> <Last Name> to <Last Name>, <First Name> <Initial> in the Exchange 2007 user/mailbox creation process?

Let’s start with some Exchange 2003 background…

Exchange 2003:

We use Active Directory Users & Computers (ADU&C) to create users/mailboxes. By default, the name and display name format in the ADU&C creation process is “<First Name> <Initial>. <Last Name>”, but it can be changed to “<Last Name>, <First Name> <Initial>”. To do so, use ADSIEDIT.msc to set the createDialog attribute of the user-Display object under the CN=DisplaySpecifiers, CN=409 object (409 represents the U.S. English language) in the configuration naming context to the value %<sn>, %<givenname> %<initials>.

The procedure is explained here: How to change display names of Active Directory users

Once the createDialog value is set, when we enter the First name, Last name and Initials fields while creating a user/mailbox, the Full name is filled in automatically in <Last Name>, <First Name> <Initial> format (we don’t have to enter it manually).

The display name is automatically set to the same value as the Full Name when you create a user.

Now, let’s talk about Exchange 2007.

Exchange 2007:

When we create a mailbox for a new user in the Exchange Server 2007 Exchange Management Console (EMC), it does not recognize the value of the createDialog attribute of the user-Display object of the displaySpecifier class and stays with the default format <FN> <I> <LN>.

Dave explained here that this is by design and is a limitation of EMC. The workaround is to create users with the ADU&C MMC and later create mailboxes for those users with EMC.

Changing the display name of active directory users.

This raises some questions…

1. How do I change the Name & Display Name of existing users if I have already created some users with EMC?

Here is an example where users have already been created in <FN> <I>. <LN> format with the Exchange 2007 EMC.

You don’t have to change them one by one, since PowerShell is your friend. Here is a script that changes the name & display name format of all mailbox users to <LN>, <FN> <I>.

To run PowerShell scripts, you need to change the execution policy in EMS.

Go to the Exchange Management Shell and run the command below to set the execution policy so that you can run .ps1 scripts. RemoteSigned lets scripts created on the local machine run unsigned, while scripts downloaded from the Internet must be signed by a trusted publisher.

Set-ExecutionPolicy RemoteSigned

Now, save the script below as C:\Scripts\Pre-Users.ps1.

=====================Pre-Users.ps1=====================

# Pre-Users.ps1 - Change the name & display name of existing users.
# Created by - Amit Tank
# Select every user that has a user mailbox.
$Users = Get-User -ResultSize Unlimited | where {$_.RecipientTypeDetails -eq "UserMailbox"}
ForEach ($User in $Users)
{
    # Build "<LN>, <FN> <I>"; Trim() drops the trailing space when there are no initials.
    $DName = $User.LastName + ", " + $User.FirstName + " " + $User.Initials
    $DName = $DName.Trim()
    # -Name renames the directory object itself; -DisplayName sets the name shown in the address list.
    Set-User $User -Name $DName -DisplayName $DName
    Get-User $User | FT Name, DisplayName
    $DName = $Null
}

Go to the Exchange Management Shell and run the script with the ./Pre-Users.ps1 command.

All names & display names are now set in <LN>, <FN> <I> format.

Depending on the format used for Room/Shared mailboxes in your organization, you can change the name & display name of those as well. Change the line below in the script according to your requirement.

$Users = Get-User -ResultSize Unlimited | where {$_.RecipientTypeDetails -eq "RoomMailbox"}

$Users = Get-User -ResultSize Unlimited | where {$_.RecipientTypeDetails -eq "SharedMailbox"}

2. What should I do if I want to create users/mailboxes with EMC/EMS in the correct format?

EMC:

Make it a practice, or document in your organization’s user/mailbox creation process manual, that the “Name” field must be entered manually in <LN>, <FN> <I> format (EMC sets the Display Name to the same value as the Name).

EMS:

As with EMC, make it a practice, or document in your organization’s user/mailbox creation process manual, that “Name” & “Display Name” must be given in <LN>, <FN> <I> format by specifying the -Name & -DisplayName switches.

New-Mailbox -Alias HWood -Database "First Storage Group\Mailbox Database" -Name "Wood, Haley V" -OrganizationalUnit "ESS-Test.com/Users" -FirstName Haley -LastName Wood -Initials V -DisplayName "Wood, Haley V" -UserPrincipalName HWood@ESS-Test.com

3. How do I make sure that new users/mailboxes are created in the correct format?

You can schedule a PowerShell script that runs every night, checks the mailboxes created in the last 24 hours, and corrects the format where it is wrong.

Create the two files below in the C:\Scripts folder on your Exchange server.

=============UserName.CMD=============

Powershell -command "& {C:\Scripts\UserName.ps1 }"

=====================UserName.PS1=====================

# UserName.ps1 - Change the name & display name of users which are created in last 24 hours.
# Created by - Amit Tank

# Load the Exchange 2007 cmdlets, because the scheduled task starts plain PowerShell rather than EMS.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin

# Select user mailboxes whose accounts were created within the last day.
$Users = Get-User -ResultSize Unlimited | where {($_.WhenCreated -gt (Get-Date).AddDays(-1)) -and ($_.RecipientTypeDetails -eq "UserMailbox")}
ForEach ($User in $Users)
{
    # Build "<LN>, <FN> <I>"; Trim() drops the trailing space when there are no initials.
    $DName = $User.LastName + ", " + $User.FirstName + " " + $User.Initials
    $DName = $DName.Trim()
    Set-User $User -Name $DName -DisplayName $DName
    Get-User $User | FT Name, DisplayName
    $DName = $Null
}

Now create a task in Windows Task Scheduler to run this script at 12:00 AM midnight.

All set; this automation now takes care of newly created mailboxes every night.

E.g., I have the user below, created with the wrong name & display name format, which was taken care of by this midnight scheduled script.

You can also add code to the PowerShell script to send a mail to the administrator, confirming that the script has run and changed the display names successfully.
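One way to produce that confirmation, as an added example that is not part of the original scripts: it works out which users actually need the <LN>, <FN> <I> correction (handling missing name parts) and mails the list as a record of what the job changed. Get-NameChange, New-SampleUser, the sample users, the addresses and the $smtpServer variable are assumptions; -join and Send-MailMessage require PowerShell 2.0 or later.

```powershell
# Added example: work out which users need renaming and report it (PowerShell 2.0+).
# Get-NameChange, New-SampleUser, the sample users and every mail setting are hypothetical.
function Get-NameChange {
    param([object[]]$User)   # objects with the Get-User properties used below
    foreach ($u in $User) {
        # Build "<LN>, <FN> <I>" from the parts that are present, so a missing
        # last name or initial leaves no stray comma or space.
        $given = (@($u.FirstName, $u.Initials) | Where-Object { $_ }) -join ' '
        $want  = (@($u.LastName, $given) | Where-Object { $_ }) -join ', '
        if ($want -and (($u.Name -ne $want) -or ($u.DisplayName -ne $want))) {
            New-Object PSObject -Property @{ Current = $u.DisplayName; Proposed = $want }
        }
    }
}

# Constructed stand-in for a Get-User result, so the example runs without Exchange.
function New-SampleUser($First, $Initials, $Last, $Name) {
    New-Object PSObject -Property @{
        FirstName = $First; Initials = $Initials; LastName = $Last
        Name = $Name; DisplayName = $Name
    }
}
$sample = @(
    (New-SampleUser 'Haley' 'V' 'Wood'   'Haley V. Wood'),
    (New-SampleUser 'Alex'  'T' 'Miller' 'Miller, Alex T'),
    (New-SampleUser 'Colin' ''  'Ross'   'Colin Ross')
)

$changes = @(Get-NameChange -User $sample)
$body = $changes | Format-Table Current, Proposed -AutoSize | Out-String

# Placeholder: set $smtpServer to your mail relay to send the summary.
$smtpServer = $null
if ($smtpServer -and $changes.Count -gt 0) {
    Send-MailMessage -SmtpServer $smtpServer -From 'exchange-jobs@example.com' `
        -To 'admin@example.com' -Subject "Display name job: $($changes.Count) changed" -Body $body
} else {
    $body   # no relay configured: print the summary instead
}
```

In UserName.ps1, pass $Users to Get-NameChange before the ForEach loop so the mail lists the names as they were before the change.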

Written by Amit Tank

August 17, 2008 at 3:34 pm