Powershell provide SendAs permissions using activedirectory without powershell exchange

filip brinza 26 Reputation points
2021-11-09T12:36:00.367+00:00

Hello, could you please help me to correct the script? For the moment it re-writes the previous access (doesn't update/add new access) that was granted, which results in only the last user from the list getting access.

$MailboxToGivePermissionTo = Read-Host "Enter mailbox where user/s need to have access to (mailbox name, not email address)"
$useraccess = Read-Host "Enter username (username like 'matobez' or full name), or leave blank if you wish to use the users list"
# GUID of the Send-As extended right in Active Directory
[string]$SendAsACLGuid = "ab721a54-1e2f-11d0-9819-00aa0040529b"
$Userlist = Get-Content "\\somepath\usersSA.txt"
if ($useraccess -eq "") {
    # No single user given: grant Send-As to every user listed in the file
    Foreach ($user in $Userlist) {
        $mailbox = Get-ADUser -Filter {Name -eq $MailboxToGivePermissionTo}
        $userwillgetaccess = Get-ADUser -Identity $user -Properties * | Select-Object -ExpandProperty DistinguishedName
        # DACL read from the user object's DN, then the new ACE is added to it
        $TargetACL = Get-Acl "AD:$($userwillgetaccess)"
        $SendAsObjectGuid = New-Object Guid $SendAsACLGuid
        $IdentitySid = [System.Security.Principal.SecurityIdentifier] (($userwillgetaccess | Get-ADUser).Sid)
        $ADRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
        $Type = [System.Security.AccessControl.AccessControlType] "Allow"
        # Allow ACE: ExtendedRight limited to the Send-As object type for this SID
        $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $IdentitySid, $ADRights, $Type, $SendAsObjectGuid
        $TargetACL.AddAccessRule($ACE)
        # Write the resulting DACL onto the mailbox object
        Set-Acl -AclObject $TargetACL -Path "AD:$($mailbox.DistinguishedName)"
        Write-Output "SendAs access to $MailboxToGivePermissionTo provided for $user"
    }
}
if ($useraccess -ne "") {
    # Single user given interactively: same steps for that one account
    $mailbox = Get-ADUser -Filter {Name -eq $MailboxToGivePermissionTo}
    $userwillgetaccess = Get-ADUser -Identity $useraccess -Properties * | Select-Object -ExpandProperty DistinguishedName
    $TargetACL = Get-Acl "AD:$($userwillgetaccess)"
    $SendAsObjectGuid = New-Object Guid $SendAsACLGuid
    $IdentitySid = [System.Security.Principal.SecurityIdentifier] (($userwillgetaccess | Get-ADUser).Sid)
    $ADRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
    $Type = [System.Security.AccessControl.AccessControlType] "Allow"
    $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $IdentitySid, $ADRights, $Type, $SendAsObjectGuid
    $TargetACL.AddAccessRule($ACE)
    Set-Acl -AclObject $TargetACL -Path "AD:$($mailbox.DistinguishedName)"
    Write-Output "SendAs access to $MailboxToGivePermissionTo provided for $useraccess"
}

Accepted answer
  1. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2021-11-09T14:45:36.84+00:00

    Lines 9 and 21: you seem to get the wrong DACL. You get the one of the source instead of the target. Shouldn't it be:

    $TargetACL= get-acl "AD:$($mailbox)"
    

    Also, this code is a bit rustic :) It could use a bit of Function and error management :) But eh, it does the job!

    1 person found this answer helpful.
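The fix in the accepted answer, carried through into a reworked version of the asker's script. This is an added example, not code from the question or the answer: it reads the DACL from the mailbox (target) object, adds one Send-As ACE per grantee, skips ACEs that are already present so re-running it does not pile up duplicates, and writes the DACL back once. It assumes the ActiveDirectory module (which provides the AD: drive); the mailbox and user names in the usage lines are placeholders, and users are looked up by SamAccountName or distinguished name.

```powershell
# Added example (not the asker's or answerer's code). Assumes the ActiveDirectory
# module and its AD: drive; names used in the usage lines are placeholders.
#Requires -Modules ActiveDirectory

function Grant-SendAsViaAD {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]   $MailboxName,   # AD Name of the mailbox user
        [Parameter(Mandatory)] [string[]] $UserName       # SamAccountName(s) or DN(s) of grantees
    )

    # Send-As extended right (same GUID as in the question)
    $SendAsGuid = [guid] 'ab721a54-1e2f-11d0-9819-00aa0040529b'

    $mailbox = @(Get-ADUser -Filter { Name -eq $MailboxName } -ErrorAction Stop)
    if ($mailbox.Count -eq 0) { throw "Mailbox user '$MailboxName' not found in AD." }
    if ($mailbox.Count -gt 1) { throw "Name '$MailboxName' matches more than one user; use a unique name." }

    $path = "AD:$($mailbox[0].DistinguishedName)"
    # Read the DACL of the TARGET (mailbox) object, not of the grantee
    $acl = Get-Acl -Path $path

    $rights = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $allow  = [System.Security.AccessControl.AccessControlType]::Allow
    $changed = $false

    # Existing explicit rules with identities expressed as SIDs, for the duplicate check
    $existingRules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])

    foreach ($name in $UserName) {
        try {
            $grantee = Get-ADUser -Identity $name -ErrorAction Stop
        } catch {
            Write-Warning "User '$name' not found, skipping: $($_.Exception.Message)"
            continue
        }
        $sid = [System.Security.Principal.SecurityIdentifier] $grantee.SID

        # Idempotency: skip if an Allow ExtendedRight(Send-As) ACE for this SID already exists
        $already = $existingRules | Where-Object {
            $_.AccessControlType -eq $allow -and
            $_.ObjectType -eq $SendAsGuid -and
            (($_.ActiveDirectoryRights -band $rights) -eq $rights) -and
            $_.IdentityReference -eq $sid
        }
        if ($already) {
            Write-Verbose "Send-As for '$name' on '$MailboxName' already present, skipping."
            continue
        }

        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights, $allow, $SendAsGuid)
        $acl.AddAccessRule($ace)
        $changed = $true
        Write-Verbose "Queued Send-As ACE for '$name'."
    }

    # -WhatIf previews the write; -Confirm prompts before it
    if ($changed -and $PSCmdlet.ShouldProcess($path, 'Write updated DACL (Send-As)')) {
        Set-Acl -Path $path -AclObject $acl
        Write-Output "Send-As on '$MailboxName' updated for: $($UserName -join ', ')"
    } elseif (-not $changed) {
        Write-Output "No changes needed on '$MailboxName'."
    }
}

# Usage (placeholder names): preview first, then apply from a list file
# Grant-SendAsViaAD -MailboxName 'shared-mailbox' -UserName 'matobez' -WhatIf
# Grant-SendAsViaAD -MailboxName 'shared-mailbox' -UserName (Get-Content '\\somepath\usersSA.txt') -Verbose
```

Two checks worth keeping around such a script: after the write, `(Get-Acl "AD:<mailbox DN>").Access | Where-Object { $_.ObjectType -eq 'ab721a54-1e2f-11d0-9819-00aa0040529b' }` lists exactly who holds Send-As on that object, and with "Audit Directory Service Changes" enabled the DACL write shows up as event ID 5136 on the domain controller, which is how an unexpected Send-As grant on a sensitive mailbox would be spotted.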

1 additional answer

  1. filip brinza 26 Reputation points
    2021-11-09T14:54:09.89+00:00

    Yes indeed, that was the reason, thank you very much. Yes, the code is horrible, but it is in the development phase; it will be changed and beautified :D

    1 person found this answer helpful.