PowerShell: provide SendAs permissions using ActiveDirectory without PowerShell Exchange

filipbrinza-8179 asked (0 Votes):

Hello, could you please help me to correct the script? For the moment it re-writes the previous access (it doesn't update/add new access) that was granted, with the result that only the last user from the list gets access.

 Import-Module ActiveDirectory
 
 $MailboxToGivePermissionTo = Read-Host "Enter mailbox where user/s need to have access to (mailbox name, not email address)"
 $useraccess = Read-Host "Enter username (username like 'matobez' or full name), or leave blank if you wish to use the users list"
 # Well-known GUID of the Send-As extended right
 [string]$SendAsACLGuid = "ab721a54-1e2f-11d0-9819-00aa0040529b"
 $Userlist = Get-Content "\\somepath\usersSA.txt"
 if ($useraccess -eq "") {
     Foreach ($user in $Userlist) {
         # Target mailbox object and the user who should receive Send-As
         $mailbox = Get-ADUser -Filter {Name -eq $MailboxToGivePermissionTo}
         $userwillgetaccess = Get-ADUser -Identity $user -Properties * | Select-Object -ExpandProperty DistinguishedName
         # DACL read from the grantee's own object...
         $TargetACL = Get-Acl "AD:$($userwillgetaccess)"
         $SendAsObjectGuid = New-Object Guid $SendAsACLGuid
         $IdentitySid = [System.Security.Principal.SecurityIdentifier] (($userwillgetaccess | Get-ADUser).Sid)
         $ADRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
         $Type = [System.Security.AccessControl.AccessControlType] "Allow"
         # Allow ACE for the Send-As extended right, identified by its object GUID
         $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $IdentitySid, $ADRights, $Type, $SendAsObjectGuid
         $TargetACL.AddAccessRule($ACE)
         # ...and written to the mailbox object
         Set-Acl -AclObject $TargetACL -Path "AD:$($mailbox.DistinguishedName)"
         Write-Output "SendAs access to $MailboxToGivePermissionTo provided for $user"
     }
 }
 if ($useraccess -ne "") {
     $mailbox = Get-ADUser -Filter {Name -eq $MailboxToGivePermissionTo}
     $userwillgetaccess = Get-ADUser -Identity $useraccess -Properties * | Select-Object -ExpandProperty DistinguishedName
     # DACL read from the grantee's own object...
     $TargetACL = Get-Acl "AD:$($userwillgetaccess)"
     $SendAsObjectGuid = New-Object Guid $SendAsACLGuid
     $IdentitySid = [System.Security.Principal.SecurityIdentifier] (($userwillgetaccess | Get-ADUser).Sid)
     $ADRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
     $Type = [System.Security.AccessControl.AccessControlType] "Allow"
     $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $IdentitySid, $ADRights, $Type, $SendAsObjectGuid
     $TargetACL.AddAccessRule($ACE)
     # ...and written to the mailbox object
     Set-Acl -AclObject $TargetACL -Path "AD:$($mailbox.DistinguishedName)"
     Write-Output "SendAs access to $MailboxToGivePermissionTo provided for $useraccess"
 }
Tags: windows-server-powershell, office-exchange-server-administration, windows-active-directory

piaudonn answered (1 Vote):

Line 9 and line 21, you seem to get the wrong DACL. You get the one of the source instead of the target. Shouldn't it be:

 $TargetACL = Get-Acl "AD:$($mailbox)"

Also, this code is a bit rustic :) It could use a bit of functions and error management :) But eh, it does the job!

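The fix piaudonn describes, carried through as an added example that is not part of the original post or of the asker's script: read the DACL of the target mailbox object once, append one Allow ACE for the Send-As extended right per user, write the DACL back once, and then list who holds Send-As so the result can be verified. The function names `Grant-ADSendAs` and `Get-ADSendAs`, the mailbox name in the usage lines and the skip-if-already-granted check are my additions; the Send-As GUID and the `ActiveDirectoryAccessRule` construction are those used on this page. It assumes the ActiveDirectory module and that the caller holds WriteDacl on the mailbox object.

```powershell
# Added example (not the asker's script): grant and verify Send-As on a
# mailbox user object through the AD DACL, without the Exchange module.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

# Well-known GUID of the Send-As extended right (same value as in the post).
$SendAsRightGuid = [Guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'

function Resolve-MailboxObject {
    # Resolve a mailbox by its AD Name attribute; Name is only unique per
    # container, so refuse to continue if the filter matches zero or many.
    param([Parameter(Mandatory)][string]$Mailbox)
    $hits = @(Get-ADUser -Filter { Name -eq $Mailbox })
    if ($hits.Count -ne 1) {
        throw "Expected exactly one AD user named '$Mailbox', found $($hits.Count)"
    }
    return $hits[0]
}

function Get-ADSendAs {
    # List the explicit and inherited ACEs that carry Send-As on $Mailbox.
    param([Parameter(Mandatory)][string]$Mailbox)
    $mbx = Resolve-MailboxObject -Mailbox $Mailbox
    $acl = Get-Acl -Path "AD:$($mbx.DistinguishedName)"
    $acl.Access | Where-Object {
        $_.ObjectType -eq $SendAsRightGuid -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
    } | Select-Object IdentityReference, AccessControlType, IsInherited
}

function Grant-ADSendAs {
    # Add one Allow Send-As ACE per user to the mailbox DACL, then write it back once.
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [Parameter(Mandatory)][string[]]$User
    )
    $mbx  = Resolve-MailboxObject -Mailbox $Mailbox
    $path = "AD:$($mbx.DistinguishedName)"

    # Read the DACL of the TARGET (the mailbox), not of the grantee.
    $acl    = Get-Acl -Path $path
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $allow  = [System.Security.AccessControl.AccessControlType]::Allow

    foreach ($u in $User) {
        try {
            $grantee = Get-ADUser -Identity $u -ErrorAction Stop
        } catch {
            Write-Warning "Skipping '$u': $($_.Exception.Message)"
            continue
        }
        $sid = [System.Security.Principal.SecurityIdentifier]$grantee.SID

        # Idempotency: skip when an explicit Allow Send-As ACE for this SID already exists.
        $already = $acl.Access | Where-Object {
            $aceSid = try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null }
            -not $_.IsInherited -and
            $_.ObjectType -eq $SendAsRightGuid -and
            $_.AccessControlType -eq $allow -and
            $aceSid -eq $sid.Value
        }
        if ($already) { Write-Verbose "$u already holds Send-As on $Mailbox"; continue }

        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights, $allow, $SendAsRightGuid)
        $acl.AddAccessRule($ace)
        Write-Output "Send-As on $Mailbox granted to $u"
    }

    # One write for the whole batch; this is where WriteDacl on the mailbox object is needed.
    Set-Acl -Path $path -AclObject $acl
}

# Usage (hypothetical mailbox name; the list file path is the one from the post).
# Grant-ADSendAs -Mailbox 'Shared Sales' -User (Get-Content '\\somepath\usersSA.txt' | Where-Object { $_.Trim() })
# Get-ADSendAs -Mailbox 'Shared Sales'
```

Two caveats a practitioner will want. First, this ACE is exactly what on-premises Exchange reads for Send-As (it is what `Add-ADPermission -ExtendedRights 'Send-As'` writes), so the Exchange module is not required, but Exchange Online does not read AD DACLs directly and will only see it where a hybrid sync carries it across. Second, Send-As is a sensitive right, and a script that grants it to every name in a file on a share turns that file into an access-control decision: whoever can edit `usersSA.txt` decides who can send as the mailbox, so restrict write access to it and review the output of `Get-ADSendAs` after each run.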

filipbrinza-8179 answered (1 Vote):

Yes indeed, that was the reason, thank you very much. Yes, the code is horrible, but it is in the development phase; it will be changed and beautified :D
