Powershell - Exchange - Remove almost all mailbox rights
My original question was a bit complex. However some cool members did manage to help me.
I got the following piece of code from Vesper:
$mailbox=get-mailbox $username
$perms=get-mailboxpermission $mailbox | where {$_.isinherited -eq $false -and $_.user.toString() -ne "NT AUTHORITY\SELF"}
$perms | remove-mailboxpermission $mailbox -confirm:$false
When I run these commands in an Exchange powershell one by one it works beautifully. However when I try to run my complete script with that snippet in it I receive the following error:
Cannot process argument transformation on parameter 'Identity'. Cannot convert the "USERNAME" value of type
"Deserialized.Microsoft.Exchange.Data.Directory.Management.Mailbox" to type
"Microsoft.Exchange.Configuration.Tasks.MailboxIdParameter".
+ CategoryInfo : InvalidData: (:) [Get-MailboxPermission], ParameterBindin...mationException
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,Get-MailboxPermission
+ PSComputerName : SERVER
Any idea how to solve this?
A quick and dirty solution can be like this:
$mailbox=get-mailbox $user #populate this first
$perms=get-mailboxpermission $mailbox | where {$_.isinherited -eq $false -and $_.user.toString() -ne "NT AUTHORITY\SELF"} #explicit (non-inherited) entries only, SELF stays
$perms | remove-mailboxpermission $mailbox -whatif #preview only; nothing is removed until -whatif is dropped
Be warned, incorrect use of this script can ruin your Exchange organization, probably test that on a single mailbox. The script is NOT tested, although it complies with manuals on both Exchange and Powershell.
Explanation: First line gets the mailbox in question. Second line first gets the full ACL on the Exchange mailbox object, then filters only those entries that are not inherited ($_.IsInherited -eq $false) and filters out NT AUTHORITY\SELF, which is required to be present for someone to ever access the mailbox - this entry is not inherited. Everything else is deemed to be those permissions that you wish to remove (such rights are added on the mailboxes directly, and thus are not inherited). The third line removes the rights determined by calling Remove-MailboxPermission against a pipeline. Note the -whatif switch, which makes the cmdlet display what's about to be done for the administrator to review before launching the script into production.
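The same procedure written out as a standalone script, added here as an example and not code from the thread or from Vesper: it passes the mailbox's DistinguishedName string to -Identity (so the Deserialized mailbox object from the question never reaches the parameter binder when the script runs through a remote session), keeps NT AUTHORITY\SELF, snapshots the explicit entries to CSV before touching anything, and only removes rights when -Apply is given. $Username, $ReportPath and -Apply are this example's own names.

```powershell
# Added example: review and strip explicit (non-inherited) mailbox ACEs on one
# mailbox, keeping NT AUTHORITY\SELF. Identity is always passed as a plain string
# so a Deserialized.* mailbox object is never bound to -Identity over remoting.
# Assumed: Exchange 2010 SP1+ cmdlets loaded; parameter names are this example's own.
param(
    [Parameter(Mandatory=$true)][string]$Username,
    [string]$ReportPath = ".\mailbox-ace-backup.csv",
    [switch]$Apply   # without -Apply the script only reports, like -WhatIf
)

$mailbox = Get-Mailbox -Identity $Username -ErrorAction Stop
$id = $mailbox.DistinguishedName        # string form survives any remoting boundary

# Explicit ACEs only: inherited entries come from the database/organization level
# and are left alone; SELF must stay or the owner loses access to their own mailbox.
$explicit = Get-MailboxPermission -Identity $id |
    Where-Object {
        -not $_.IsInherited -and
        $_.User.ToString() -ne 'NT AUTHORITY\SELF' -and
        -not $_.Deny          # explicit Deny entries are left for manual review
    }

if (-not $explicit) { Write-Host "No explicit ACEs on $id"; return }

# Snapshot first so every removal can be rolled back with Add-MailboxPermission.
$explicit |
    Select-Object @{n='Identity';e={$id}}, User,
                  @{n='AccessRights';e={$_.AccessRights -join ','}}, Deny, IsInherited |
    Export-Csv -Path $ReportPath -NoTypeInformation

foreach ($ace in $explicit) {
    $rights = $ace.AccessRights
    if ($Apply) {
        # Identity/User/AccessRights are given explicitly instead of piping the ACE
        # object, so nothing deserialized has to be re-bound on the server side.
        Remove-MailboxPermission -Identity $id -User $ace.User.ToString() `
            -AccessRights $rights -Confirm:$false
        Write-Host "Removed $($rights -join ',') for $($ace.User) on $id"
    } else {
        Write-Host "[WhatIf] would remove $($rights -join ',') for $($ace.User) on $id"
    }
}
```

Run it once without -Apply and read the CSV and the [WhatIf] lines before running it with -Apply on a single test mailbox.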
John,
I'm running into the exact same problem.
I've made one change and it pushed the problem down but didn't solve it.
$Mailboxes = Get-Mailbox testmailbox
foreach($Mailbox in $Mailboxes) {
    $FixAutoMappings = Get-MailboxPermission $Mailbox.DisplayName |where {$_.AccessRights -eq "FullAccess" -and $_.IsInherited -eq $false}
    Foreach($FixAutoMapping in $FixAutoMappings){
        $FixAutoMapping | Remove-MailboxPermission $Mailbox.DisplayName
        $FixAutoMapping | Add-MailboxPermission -Identity $_.Identity -User $_.User -AccessRights:FullAccess -AutoMapping $false
    }
}
I simply added the .DisplayName after $Mailbox, this solved the getting of permissions, but now I can't remove them. I'm stuck.
For everyone looking at this and asking why.
In Exchange 2010 Service Pack 1 (SP1) Exchange introduced a feature that [forces] allows Outlook 2007 and Outlook 2010 clients to automatically map to any mailbox to which a user has Full Access permissions. If a user is granted Full Access permissions to another user's mailbox or to a shared mailbox, Outlook automatically loads all mailboxes to which the user has full access.
https://technet.microsoft.com/en-us/library/hh529943(v=exchg.141).aspx
This lovely little feature is causing problems when you have mailboxes with permissions to mailboxes in a different forest.
I figured it out
foreach($Mailbox in $Mailboxes){
    $FixAutoMappings = Get-MailboxPermission $Mailbox.DisplayName |where {$_.AccessRights -eq "FullAccess" -and $_.IsInherited -eq $false}
    $FixAutoMappings
    Foreach($FixAutoMapping in $FixAutoMappings){
        Remove-MailboxPermission -Identity $Mailbox.Identity -User $FixAutoMapping.User -AccessRights $FixAutoMapping.AccessRights -confirm:$false
        Add-MailboxPermission -Identity $Mailbox.Identity -User $FixAutoMapping.User -AccessRights:FullAccess -AutoMapping $false
    }
}
This seemed to work for me.
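A way to verify that the remove/re-add above actually switched automapping off, added here as an example and not code from the thread: Exchange records automapped Full Access delegates in the msExchDelegateListLink attribute of the mailbox's AD user object, which is what Autodiscover hands to Outlook, so comparing that attribute with the remaining FullAccess entries shows which delegates would still be auto-opened. Get-AutoMapState is this example's own function name, and the ActiveDirectory module is assumed to be available next to the Exchange cmdlets.

```powershell
# Added example: report FullAccess delegates of a mailbox and whether Outlook will
# still automap the mailbox for them (msExchDelegateListLink lists their DNs).
# Assumed: ActiveDirectory module plus Exchange 2010 SP1+ cmdlets in the session.
Import-Module ActiveDirectory

function Get-AutoMapState {
    param([Parameter(Mandatory=$true)][string]$MailboxIdentity)

    $mbx    = Get-Mailbox -Identity $MailboxIdentity -ErrorAction Stop
    $adUser = Get-ADUser -Identity $mbx.DistinguishedName -Properties msExchDelegateListLink
    # DNs of the users for whom Outlook auto-opens this mailbox
    $autoMapped = @($adUser.msExchDelegateListLink)

    Get-MailboxPermission -Identity $mbx.DistinguishedName |
        Where-Object {
            -not $_.IsInherited -and
            $_.AccessRights -contains 'FullAccess' -and
            $_.User.ToString() -ne 'NT AUTHORITY\SELF'
        } |
        ForEach-Object {
            # Resolve the delegate to a DN so it can be matched against the attribute
            $delegate = Get-User -Identity $_.User.ToString() -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{
                Mailbox    = $mbx.PrimarySmtpAddress.ToString()
                User       = $_.User.ToString()
                AutoMapped = ($delegate -ne $null -and
                              $autoMapped -contains $delegate.DistinguishedName)
            }
        }
}

# Anything listed here still automaps: the delegate was not re-added with -AutoMapping $false
Get-AutoMapState -MailboxIdentity 'testmailbox' | Where-Object { $_.AutoMapped }
```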