Get-onPremSendAs.ps1
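<#
    .SYNOPSIS

    Finds the on-premises recipients on which the supplied group holds Send-As rights.

    .DESCRIPTION

    Without pre-collected data the function enumerates every on-premises recipient with
    Get-Recipient, reads each recipient's AD permissions with Get-ADPermission, and keeps the
    explicit (non-inherited) Send-As entries whose trustee is the supplied group.
    With pre-collected data it filters that data for the same trustee instead of querying.

    In both paths the trustee is matched on the exact account name that follows the domain
    prefix. Send-As lets the trustee send mail as the recipient, so a loose name match would
    attribute another principal's rights to this group.

    .PARAMETER originalDLConfiguration

    The group object to search for. Its sAMAccountName property is the value that is matched.

    .PARAMETER collectedData

    Optional pre-collected permission entries. Each entry is expected to expose a "user"
    property in domain\sAMAccountName form. When omitted, permissions are queried live.

    .OUTPUTS

    Live query: the identity of each recipient on which the group holds Send-As.
    Pre-collected data: the matching entries from collectedData.
    Nothing is returned when no match is found.

    .EXAMPLE

    Get-onPremSendAs -originalDLConfiguration $dlConfiguration -collectedData $sendAsData
#>
Function Get-onPremSendAs
{
    [cmdletbinding()]

    Param
    (
        [Parameter(Mandatory = $true)]
        $originalDLConfiguration,
        [Parameter(Mandatory=$false)]
        $collectedData=$NULL
    )

    #Output all parameters bound or unbound and their associated values.

    write-functionParameters -keyArray $MyInvocation.MyCommand.Parameters.Keys -parameterArray $PSBoundParameters -variableArray (Get-Variable -Scope Local -ErrorAction Ignore)

    #Declare function variables.

    [array]$functionSendAsRights=@()
    $functionRecipients=$NULL
    $functionQueryName=("*"+$originalDLConfiguration.sAMAccountName+"*")
    [array]$functionSendAsIdentities=@()
    [int]$functionCounter=0

    Out-LogFile -string "********************************************************************************"
    Out-LogFile -string "BEGIN Get-onPremSendAs"
    Out-LogFile -string "********************************************************************************"

    #$null goes on the left: with a collection on the left, -eq / -ne filter its elements
    #instead of testing the variable itself, which made an empty collection skip both paths.

    if ($null -eq $collectedData)
    {
        #Start function processing.

        try
        {
            out-logfile -string "Gathering all on premises recipients."

            $functionRecipients = invoke-command {get-recipient -resultsize unlimited}
        }
        catch
        {
            out-logfile -string "Error attempting to invoke command to gather all recipients."
            out-logfile -string $_ -isError:$TRUE
        }

        try
        {
            out-logfile -string "Test for send as rights."

            #Guard the progress step: an empty or failed recipient query has a count of 0 and
            #would otherwise raise a divide-by-zero that is logged as a permission query failure.

            $recipientCount = $functionRecipients.count
            $ProgressDelta = 0

            if ($recipientCount -gt 0)
            {
                $ProgressDelta = 100/$recipientCount
            }

            $PercentComplete = 0

            foreach ($recipient in $functionRecipients)
            {
                write-progress -activity "Processing Recipient" -status $recipient.primarySMTPAddress -PercentComplete $PercentComplete

                $PercentComplete += $ProgressDelta

                if ($functionCounter -gt 1000)
                {
                    #Implement function counter for long running operations - pause for 5 seconds every 1000 queries.

                    start-sleepProgress -sleepString "Throttling for 5 seconds at 1000 operations." -sleepSeconds 5

                    $functionCounter=0
                }
                else
                {
                    $functionCounter++
                }

                #Coarse filter inside the query: explicit send-as entries, excluding self, whose
                #trustee name contains the group's sAMAccountName. The exact match is applied below.

                $functionSendAsRights+= invoke-command {$blockName=$args[1];Get-ADPermission -identity $args[0] | where {($_.ExtendedRights -like "*send-as*") -and -not ($_.User -like "nt authority\self") -and ($_.isInherited -eq $false) -and ($_.user -like $blockName)}}-ArgumentList $recipient.identity,$functionQueryName

                #$functionSendAsRights+= invoke-command {Get-ADPermission -identity $args[0] | where {($_.ExtendedRights -like "*send-as*") -and -not ($_.User -like "nt authority\self") -and ($_.isInherited -eq $false)}}-ArgumentList $recipient.identity,$functionQueryName
            }
        }
        catch
        {
            out-logfile -string "Error attempting to invoke command to gather all send as permissions."
            out-logfile -string $_ -isError:$TRUE
        }

        #At this point we have a filtered list of ACLs.
        #The query above uses a like for the user name - which means we need to validate for sure that we're talking about the same user.

        foreach ($sendAsRight in $functionSendAsRights)
        {
            #Need to ignore anything that looks like a SID / orphaned entry.

            if ($sendAsRight.user -notlike "*S-1-5-21*")
            {
                #Since each permission is in domain\samAccountName format split the string.

                $stringTest = $sendAsRight.user.split("\")

                #Test the second half of the string for a direct eq to samAccountName.

                if ($stringTest[1] -eq $originalDLConfiguration.samAccountName)
                {
                    out-logfile -string ("Send as permission matching group found - recording."+$sendAsRight.identity)

                    $functionSendAsIdentities+=$sendAsRight.identity
                }
            }
        }

        write-progress -activity "Processing Recipient" -completed
    }
    else
    {
        out-logFile -string "The administrator has specified to use pre-collected data."
        out-logfile -string "Test for send as rights."

        #Apply the same rule as the live path: skip SID / orphaned entries and require the
        #account name after the domain prefix to equal the group's sAMAccountName.
        #The previous case-sensitive substring test (.contains) also matched any principal
        #whose name merely contained this group's name, and missed case differences.
        #NOTE(review): this path returns the collected entries, the live path returns identities - confirm callers expect both.

        $functionSendAsIdentities = $collectedData | Where-Object {
            ($_.user -notlike "*S-1-5-21*") -and
            (([string]$_.user).Split("\")[1] -eq $originalDLConfiguration.samAccountName)
        }
    }

    Out-LogFile -string "********************************************************************************"
    Out-LogFile -string "END Get-onPremSendAs"
    Out-LogFile -string "********************************************************************************"

    if ($functionSendAsIdentities.count -gt 0)
    {
        out-logfile -string $functionSendAsIdentities

        return $functionSendAsIdentities
    }
}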