Posts Tagged ‘permission’

Hi Folks,

Today's challenge was to bulk set calendar rights in a multilingual environment (with PowerShell).
On the net you can find some articles that address similar problems, but no real solution.

Download the following scripts as txt here.

Here is my quick and dirty script:

# Set Default to LimitedDetails for all calendars.
# The calendar folder name is read per mailbox, because it depends on the mailbox language.
# TEST WITH ONE OR MORE USERS FIRST:
# foreach($mbx in Get-Mailbox -Identity USER | Where-Object {$_.DisplayName -like "*test user*"})

foreach($mbx in Get-Mailbox -ResultSize Unlimited | Where-Object {$_.DisplayName -notmatch "discovery"})
{
    # -FolderScope Calendar also returns subfolders; keep only the default calendar folder.
    $CalName = (Get-MailboxFolderStatistics $mbx.Identity -FolderScope Calendar | Where-Object {$_.FolderType -eq "Calendar"}).Name
    $CalFolder = $mbx.Name + ':\' + [string]$CalName
    # Only touch folders whose permissions can actually be read.
    $test = Get-MailboxFolderPermission -Identity $CalFolder -ErrorAction SilentlyContinue
    if($null -ne $test)
    {
        Set-MailboxFolderPermission -Identity $CalFolder -User Default -AccessRights LimitedDetails | Out-Null
    }
}

If you want all new mailboxes to be created with special permissions, you need to configure the Cmdlet Extension Agent.
To enable the agent, follow these steps:

  • Create an XML file named ScriptingAgentConfig.xml  and save it in your Exchange’s Default Directory on EVERY Exchange Server in your organization
    e.g. C:\Program Files\Microsoft\Exchange Server\V15\Bin\CmdletExtensionAgents

    <?xml version="1.0" encoding="utf-8" ?>
    <Configuration version="1.0">

    <Feature Name="MailboxProvisioning" Cmdlets="New-Mailbox">
    <ApiCall Name="OnComplete">
    if($succeeded)
    {
        # Wait until the new mailbox is available
        Start-Sleep -s 10
        $mbx = (Get-User $provisioningHandler.UserSpecifiedParameters["Name"]).distinguishedName
        Set-MailboxFolderPermission -Identity "$($mbx):\Calendar" -User "Default" -AccessRights LimitedDetails
    }
    </ApiCall>
    </Feature>

    <Feature Name="MailboxProvisioning" Cmdlets="Enable-Mailbox">
    <ApiCall Name="OnComplete">
    if($succeeded)
    {
        # Wait until the mailbox-enabled user is available
        Start-Sleep -s 5
        $user = Get-User -Identity $provisioningHandler.UserSpecifiedParameters["Identity"]
        $mbx = Get-Mailbox -Identity $user.DistinguishedName
        Set-MailboxFolderPermission -Identity "$($mbx):\Calendar" -User "Default" -AccessRights LimitedDetails
    }
    </ApiCall>
    </Feature>

    </Configuration>

 

  • Use the Exchange Management Shell and run the following command on EVERY Exchange server in your organization:
    Enable-CmdletExtensionAgent "Scripting Agent"
  • Create a new user

Cheers,

Chris
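
To check the result of the bulk script and of the Scripting Agent configuration above, the following added example (not part of the original post) reports which calendars still give Default more than the intended right. The function name Get-DefaultCalendarFinding, the $Allowed list and the sample records are assumptions made for this example; the sample records are constructed and are only used when the Exchange cmdlets are not available.

```powershell
# Added example: flag calendars where "Default" has more than the allowed rights.
function Get-DefaultCalendarFinding {
    param(
        [object[]] $Records,   # objects with Mailbox, Folder, AccessRights
        [string[]] $Allowed = @('None', 'AvailabilityOnly', 'LimitedDetails')  # assumption: adjust to policy
    )
    foreach ($r in $Records) {
        $rights = @($r.AccessRights | ForEach-Object { "$_" })
        $extra  = @($rights | Where-Object { $_ -notin $Allowed })
        [pscustomobject]@{
            Mailbox = $r.Mailbox
            Folder  = $r.Folder
            Rights  = $rights -join ','
            Finding = if ($extra.Count) { 'TOO_BROAD' } else { 'OK' }
        }
    }
}

if (Get-Command Get-MailboxFolderPermission -ErrorAction SilentlyContinue) {
    # Live collection in the Exchange Management Shell.
    $records = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        # The folder name is localized, so look it up instead of assuming "Calendar".
        $cal = Get-MailboxFolderStatistics $mbx.Identity -FolderScope Calendar |
               Where-Object { $_.FolderType -eq 'Calendar' }
        if (-not $cal) { continue }
        $folder = "$($mbx.Alias):\$($cal.Name)"
        $perm = Get-MailboxFolderPermission -Identity $folder -User Default -ErrorAction SilentlyContinue
        if ($perm) {
            [pscustomobject]@{ Mailbox = $mbx.Alias; Folder = $cal.Name; AccessRights = $perm.AccessRights }
        }
    }
} else {
    # Constructed sample records, so the check can be tried without Exchange.
    $records = @(
        [pscustomobject]@{ Mailbox = 'anna';  Folder = 'Kalender';   AccessRights = @('LimitedDetails') }
        [pscustomobject]@{ Mailbox = 'room1'; Folder = 'Calendar';   AccessRights = @('AvailabilityOnly') }
        [pscustomobject]@{ Mailbox = 'marc';  Folder = 'Calendrier'; AccessRights = @('Reviewer') }
    )
}

# With the sample records, only "marc" is reported as TOO_BROAD.
Get-DefaultCalendarFinding -Records $records |
    Sort-Object Finding -Descending | Format-Table -AutoSize
```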

Hey Folks,
here is an example of how to easily set ACLs on a Windows fileserver by importing paths and permissions from a CSV file:

$Permissions = Import-Csv e:\permissions.csv -Delimiter '|'
ForEach ($line in $Permissions)
{
 $acl = Get-Acl $line.Path
 # Disable inheritance ($True) and discard the inherited entries ($False)
 $acl.SetAccessRuleProtection($True, $False)
 $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($line.Group,"Modify","ContainerInherit, ObjectInherit","None","Allow")
#-------------------------------------------------------------
# The above line can be edited like the reference at the end.
#-------------------------------------------------------------
 $acl.AddAccessRule($rule)
 Set-Acl $line.Path $acl
}

The CSV has to look like this:

Path|Group
e:\folder1\subfolder1|domain\group1
e:\folder1\subfolder2|domain\group2
e:\folder2\subfolder1|domain\group3
e:\folder2\subfolder2|domain\group4

Reference Table:

Applies to                           Flags
Subfolders and Files only            InheritanceFlags.ContainerInherit, InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly
This Folder, Subfolders and Files    InheritanceFlags.ContainerInherit, InheritanceFlags.ObjectInherit, PropagationFlags.None
This Folder, Subfolders and Files    InheritanceFlags.ContainerInherit, InheritanceFlags.ObjectInherit, PropagationFlags.NoPropagateInherit
This folder and subfolders           InheritanceFlags.ContainerInherit, PropagationFlags.None
Subfolders only                      InheritanceFlags.ContainerInherit, PropagationFlags.InheritOnly
This folder and files                InheritanceFlags.ObjectInherit, PropagationFlags.None
This folder and files                InheritanceFlags.ObjectInherit, PropagationFlags.NoPropagateInherit

Source: http://powershell.nicoh.me/powershell-1/files-and-folders/set-folders-acl-owner-and-ntfs-rights

Cheers, Chris
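
Because the ACL script above switches off inheritance and discards the inherited entries, a dry run over the CSV is worth doing before applying it. The following is an added example, not part of the original post: the function name Test-AclCsvRow and the sample CSV are assumptions made here, and the sample rows are constructed (one of them has a `|` typed where a `\` belongs in the path).

```powershell
# Added example: pre-flight check for the permissions CSV. Nothing is changed on disk.
function Test-AclCsvRow {
    param([object[]] $Rows)
    foreach ($row in $Rows) {
        $issues = @()
        $inherited = $null
        if (Test-Path -LiteralPath $row.Path -PathType Container) {
            # These entries disappear once SetAccessRuleProtection($True, $False) is applied.
            $inherited = @((Get-Acl -LiteralPath $row.Path).Access |
                           Where-Object { $_.IsInherited }).Count
        } else {
            $issues += 'path not found'
        }
        try {
            # A misplaced delimiter shifts a folder name into Group, which then fails to resolve.
            $null = ([System.Security.Principal.NTAccount]$row.Group).Translate(
                [System.Security.Principal.SecurityIdentifier])
        } catch {
            $issues += 'group does not resolve'
        }
        [pscustomobject]@{
            Path                = $row.Path
            Group               = $row.Group
            InheritedAcesToDrop = $inherited
            Status              = if ($issues) { $issues -join '; ' } else { 'ready' }
        }
    }
}

# Constructed sample input; replace with Import-Csv e:\permissions.csv -Delimiter '|'
$csv = @'
Path|Group
C:\Windows|BUILTIN\Users
e:\folder1|subfolder2|domain\group2
e:\folder2\subfolder1|domain\group3
'@
$rows = ($csv -split "`r?`n") | ConvertFrom-Csv -Delimiter '|'

Test-AclCsvRow -Rows $rows | Format-Table -AutoSize
```

Only rows with the status "ready" should be passed on to the script; InheritedAcesToDrop shows how many inherited entries each folder would lose.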

Yesterday I got a problem while migrating a fileserver cluster from Windows 2003 to Windows 2008 R2.

We wanted to migrate a big fileserver cluster with several volumes by mirroring the SAN LUNs, breaking the mirrors and mounting them on the new Windows 2008 R2 fileserver.

After mounting the partitions on the new cluster we set up a new virtual fileserver and created some shares. With one partition/share we ran into the following error:

The shared ressource is not available.

After some investigation we figured out that the SYSTEM group didn't have permissions on the partition at root level, so the cluster service running with the local system account couldn't initialize the share.

After adding SYSTEM at root level with full access, sharing of this partition was possible.

Cheers,

Chris

If you want to discover where a specific user has Full Access you can use this PowerShell command:

Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission -User user@domain.com | where { ($_.AccessRights -eq "FullAccess") }

Cheers,

Chris

A few days ago a customer asked for changing permissions to show only free/busy information for some conferencing rooms. To meet this requirement I used the following PowerShell command:

Set-MailboxFolderPermission -identity ressourcemailbox:\calendar -accessrights availabilityonly -user default

If configured like this, a default user can only see free/busy information for the room resource. Attendees see the full description in their personal calendar.

Cheers,

Chris