Active Directory
A set of directory-based technologies included in Windows Server.
Hello, could you please help me to correct the script? For the moment it re-writes the previous access that was granted (it doesn't update/add new access), with the result that only the last user from the list gets access.
$MailboxToGivePermissionTo = Read-Host "Enter mailbox where user/s need to have access to (mailbox name, not email address)"
$useraccess = Read-Host "Enter username (username like 'matobez' or full name), or leave blank if you wish to use the users list"
# Extended-right GUID for Send-As
[string]$SendAsACLGuid = "ab721a54-1e2f-11d0-9819-00aa0040529b"
$Userlist = Get-Content "\\somepath\usersSA.txt"

if ($useraccess -eq "") {
    # No single user entered: process every name in the list file
    foreach ($user in $Userlist) {
        $mailbox = Get-ADUser -Filter { Name -eq $MailboxToGivePermissionTo }
        $userwillgetaccess = Get-ADUser -Identity $user | Select-Object -ExpandProperty DistinguishedName
        # Reads the DACL from the grantee's own object, not from the mailbox (the answer below points at this line)
        $TargetACL = Get-Acl "AD:$($userwillgetaccess)"
        $SendAsObjectGuid = New-Object Guid $SendAsACLGuid
        $IdentitySid = [System.Security.Principal.SecurityIdentifier] (($userwillgetaccess | Get-ADUser).SID)
        $ADRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
        $Type = [System.Security.AccessControl.AccessControlType] "Allow"
        $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $IdentitySid, $ADRights, $Type, $SendAsObjectGuid
        $TargetACL.AddAccessRule($ACE)
        # Writes that DACL (plus the one new ACE) over the mailbox's DACL
        Set-Acl -AclObject $TargetACL -Path "AD:$($mailbox.DistinguishedName)"
        Write-Output "SendAs access to $MailboxToGivePermissionTo provided for $user"
    }
}

if ($useraccess -ne "") {
    # A single user was entered: grant to that user only
    $mailbox = Get-ADUser -Filter { Name -eq $MailboxToGivePermissionTo }
    $userwillgetaccess = Get-ADUser -Identity $useraccess | Select-Object -ExpandProperty DistinguishedName
    # Same pattern as above: the DACL is read from the grantee's object
    $TargetACL = Get-Acl "AD:$($userwillgetaccess)"
    $SendAsObjectGuid = New-Object Guid $SendAsACLGuid
    $IdentitySid = [System.Security.Principal.SecurityIdentifier] (($userwillgetaccess | Get-ADUser).SID)
    $ADRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
    $Type = [System.Security.AccessControl.AccessControlType] "Allow"
    $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $IdentitySid, $ADRights, $Type, $SendAsObjectGuid
    $TargetACL.AddAccessRule($ACE)
    Set-Acl -AclObject $TargetACL -Path "AD:$($mailbox.DistinguishedName)"
}
Line 9 and line 21, you seem to get the wrong DACL. You get the one of the source instead of the target. Shouldn't it be:
$TargetACL = Get-Acl "AD:$($mailbox.DistinguishedName)"
Also, this code is a bit rustic :) It could use a bit of Function and error management :) But eh, it does the job!
Yes indeed, that was the reason, thank you very much. Yes, the code is horrible, but it is in the development phase; it will be changed and beautified :D
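The fix the answer describes, written as the function with error handling it asks for: read the mailbox's own DACL once, add one Send-As ACE per grantee, write the DACL back once, then read it back so the change can be verified. This is an added example, not the asker's script or the answerer's code. The function name Grant-SendAsRight, its parameters and the idempotency check are my assumptions; the extended-right GUID and the list-file path are the ones the question uses.

```powershell
#Requires -Modules ActiveDirectory
function Grant-SendAsRight {
    <#
    .SYNOPSIS
    Adds the Send-As extended right for one or more users on a mailbox user object.
    Hypothetical helper written for this thread, not part of the original script.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # sAMAccountName of the user object that represents the mailbox
        [Parameter(Mandatory)] [string]$Mailbox,
        # sAMAccountNames of the users who should be able to send as the mailbox
        [Parameter(Mandatory)] [string[]]$Grantee
    )

    # Extended-right GUID for Send-As (the same value the question uses)
    $sendAsGuid = [Guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'

    # Resolve the target once. The DACL we edit is the mailbox's, never the grantee's.
    try {
        $target = Get-ADUser -Identity $Mailbox -ErrorAction Stop
    } catch {
        throw "Mailbox object '$Mailbox' not found: $($_.Exception.Message)"
    }
    $targetPath = "AD:\$($target.DistinguishedName)"
    $acl = Get-Acl -Path $targetPath
    $added = 0

    foreach ($name in $Grantee) {
        try {
            $user = Get-ADUser -Identity $name -ErrorAction Stop
        } catch {
            Write-Warning "Skipping '$name': $($_.Exception.Message)"
            continue
        }
        $sid = [System.Security.Principal.SecurityIdentifier]$user.SID

        # Skip grantees that already hold an explicit Allow Send-As ACE, so reruns are idempotent
        $existing = $acl.Access | Where-Object {
            $_.ObjectType -eq $sendAsGuid -and
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $sid.Value
        }
        if ($existing) {
            Write-Verbose "'$name' already has Send-As on '$Mailbox'"
            continue
        }

        $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $sendAsGuid)
        $acl.AddAccessRule($ace)
        $added++
    }

    # One write for the whole list, so every ACE accumulates instead of the last grantee overwriting the rest
    if ($added -gt 0 -and $PSCmdlet.ShouldProcess($target.DistinguishedName, "Add $added Send-As ACE(s)")) {
        Set-Acl -Path $targetPath -AclObject $acl
    }

    # Read back and return the Send-As ACEs now on the object, so the caller can verify the result
    (Get-Acl -Path $targetPath).Access |
        Where-Object { $_.ObjectType -eq $sendAsGuid } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited
}

# Usage: the list-file path is the one from the question; -WhatIf shows the change without applying it
Grant-SendAsRight -Mailbox 'shared-mailbox' -Grantee (Get-Content '\\somepath\usersSA.txt') -WhatIf
```

Run it with -WhatIf first and compare the returned ACE list with the grantee file; Send-As lets a principal send mail that appears to come from the mailbox, so the list of holders is worth reviewing each time the script is run, and the read-back at the end gives a record of who holds it after the change.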