PowerShell script for Exchange mailbox item (email, meeting, contacts, etc.) removal.

You might have a situation when someone – it might have even been you – send or receive an email that shouldn’t be sent or received.

It might have been a SPAM sent to your organization or an email that supposed to be send to your colleague but was send to a bunch of other people and had naked ladies in the attachment.

After sending such email reaction chain is as follows:

First you noticed that you have might clicked “Send” button, maybe you clicked CTRL + Enter combination, but you still not sure…

omg-what-have-i-done-jpg

Continue reading “PowerShell script for Exchange mailbox item (email, meeting, contacts, etc.) removal.”

PowerShell script to auto approve WSUS updates for pilot and standard groups.

Recently there has been a need for me to create script that will cover auto approval work for WSUS.

So the idea was tu approve certain patches to pilot group, and after 2 weeks apply these on standard target group and do another pilot group approval for latest time span.

Important! WSUS target groups need to have “Standard” and “Pilot” in their names.

Lines of code that are worth mentioning:

## 64th LINE
## Specify time span between pilot and standard approvals, below is 14 days
$Next_Approval_Date_Raw = (Get-Date).AddDays(14)
...
## 106 - 108 LINE
## Specify the report file name and path
$CSVFileName = $range+"UpdateTimes.csv"
$CSVPath = 'c:\'
$CSVFile = "$CSVPath$CSVFileName"

So after specifying what period we like we just need to specify the file name and path and we are ready to go!

If we would like to show it on diagram it would look like:

przechwytywanie

Of course we may add many things to it’s functionality and this is just the very early version of the script. Worth adding might be – and probably will be added in future – a list of updates that were approved to particular target group – it s already there in “verbose” mode, adding possibility to choose the target groups by name other than “Server” or “Workstation”.

Script can be found on TechNet and GitHub.

SQL long running jobs alert script in PowerShell

databaseHi folks!

Recently there was in a need of monitoring jobs on SQL – if they finish in timely manner. So I was looking for ready solution, found two:

https://devinknightsql.com/2012/07/07/identifying-long-running-sql-agent-jobs-script/ and http://www.sqlchicken.com/2012/07/identify-and-alert-for-long-running-agent-jobs/ however both are SQL jobs that monitor SQL jobs. I feel quite good in TSQL…

1fo1ju

…however that solution didn’t suit me from few reasons:

  1. I wanted to do monitoring of SQL jobs as an independent from SQL jobs failure.
  2. I might need to modify add something in the future and it would be easier for me in PowerShell
  3. Above solutions were giving alerts when a job run time was above average – not over certain time – an I needed that. Didn’t know how to do it in SQL.

So the decision was made:

b9c

To make it running in your environment just modify these lines:

## 10th-12th LINE
## SPECIFYING DATA FOR SENDMAIL FUNCTION
$fromemail = 'Job_Alert@domain_name.com'
$mailserver = 'mail_server.domain_name.com'
$toemail = 'recipient@domain_name.com'
...
## 21st LINE
## SPECIFYING DATABASE CONNECTION STRING
$dataSource = “DATABASE_SERVER_NAME”
...
## 71st LINE
## BELOW SPECIFY HOW MANY MINUTES IS THE TRIGGER - 5 IN THIS EXAMPLE
if ($Date_Diff.TotalMinutes -gt 5){

So in this example a script will send an email in HTLM:

przechwytywanie
If a job runs over 5 minutes.

So there you go 🙂 it is easy, no parameters and really dirty. I like it 🙂

Script can be found on TechNet and GitHub.

HP MSA – PowerShell script to check if disk drives firmware revision is up to date.

Recently I came across updating firmware on some HP MSA appliances.

As there were many different disk drives models on those, I started to wonder – how would I know if any new firmware has been released?

I didn’t want to search firmware for 10 different disk drives models every quarter neither. Firstly because I would forget, secondly – time consuming.

It was no brainer that I needed some automation for that stuff.

I found a HP website providing disk drives firmwares:

http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04315770

http://h20628.www2.hp.com/km-ext/content-webapp/document?docId=emr_na-c04315770

Unfortunately I was not able to find any of these for controller firmwares or enclosures.

Fortunately for controllers and enclosures checkout is easy, also usually we get information in controller firmware documentation which firmware revision is recommended for enclosure.

Script need to have current MSA firmware information in a JSON file – as for now this process is not automated and information need to be put manually in the JSON file.

What script does is it is going though mentioned website creating hash array of objects basing on very hideous HTML parsing (yup, I know it is ugly AF but well… works ^^).

After it got all that shit from the website, it runs array one by one checking looking for particular object by disk model, and comparing it’s current firmware revision from JSON to what it found on the website.

And here is the thing, there are 3 statuses:

Green – disk has the newest firmware

Light Green – disk most probably has the newest firmware.

Red – disk has an old firmware

You might ask – why we need Light Green. Well, sometimes one disk drive model is visible twice as different model, like below:

disk1

disk2

So these two are the same model, but have different firmware.

If script finds such situation, it checks if your firmware revision is among these found on the website – it also lists what firmware revisions have been found for that particular drive model. If your firmware revision is there – drive is reported as light green.

Output should look like:

hp_disk_firmware_hmtl_report

As you probably noticed for controllers there is just list to verify firmware version – I didn’t find any good source to script can run trough it checking if it is up to date, so as a workaround there is a fixed link in JSON file – it is always better just to click it and check current version than to search every quesrter for the correct link.

Script has 4 simple switches:

-File – switch parameter, if ran with that it will generate HTML file

-FilePath – default path is “.\”, so if you want to put HTML file somewhere else – this is the right place

-Email – switch parameter, if ran with that it will generate an email.

-Verbose – you got additional information about what actions have been done

Hope it will be helpful for some of you guys.

Script can be found on TechNet and GitHub.

Exchange mailbox/folders permissions – dependency graph between users.

Following solution uses GraphViz application to visualize mailboxpermissions dependencies in the company.

Some time ago I published a scripts for reading mailbox permissions:

https://paweljarosz.wordpress.com/2016/03/04/script-to-check-mailbox-permissions/

and mailbox folder permissions:

https://paweljarosz.wordpress.com/2016/05/28/powershell-script-to-check-permissions-on-mailbox-folders-also-recursively/

If some of you are wondering what GraphViz is, a quick look on google graphics and phrase “graphviz”, gives us an idea of how gorgeous graphs it can create:

fancy_graphviz.JPG

All the GraphViz needs is to have properly formatted input file – that’s it!

68543429.jpg

The need of having such script showed up as one time I was standing in front of migrating users to Exchange Online. I started to wonder how shall I visualize in a simply way, who need to be migrated together…

vlcsnap-2012-06-20-22h11m40s86.png

It was not an easy task, going though a excel/csv file, or even creating lists were not satisfying for me, so I started to think about it more, even during meals…

hqdefault

And then I found GraphViz:

http://www.graphviz.org/

It was looking really good! So now just a matter of quick reading about it checking if it will apply…

tumblr_m1kpqqLxkj1r8yo2fo1_1280

…reviewing the idea…

eeddcbaa20c45eb5c3e1e4e3c73c330f

…some calculations…

ik53723e34

And after all that research the idea became clear…

homer-simpson-donut-dream

As I mentioned at the beginning, input file can be done with one of the mailbox permissions / mailbox folder permissions reading scripts – links provided on the top (you might need to change delimiters a little bit as I guess in these files are “;” but go for adventure and modify something :))

The proper input should look like:

The_Input_File

So it has columns named “Mailbox”, “User” and “AccessRights”

And now the script. In organization I was building script for – it appeared that we have so many permissions I almost shat brikcs when I saw the actual output (graph)…

Just take a look by yourself, here is just a very small piece of graph when I was checking dependencies of just one mailbox – mine:

giphy.gif

Silly_Permissions

Let’s go closer:

Silly_Permissions

really

Imagine now that whole dependency graph contained like 10 more same chunks/pieces, 10 more, 10 fuck*ng times!

Well, I needed somehow to…

dealwithitdrgrant.gif

So the idea of migrating people together in chunks fell down and broke into pieces :] but at least we have that nice script.

  1. First thing is to get GraphViz application and install it:

Here you can find it:

http://www.graphviz.org/Download_windows.php

After installation all you need to to read your mailbox permissions – you can choose to read it with scripts from links given at the beginning of that article.

     2. Next thing, is to set up 3 variables:

GraphViz_variables.JPG

$GraphImageFile = “GraphImageFile.png” -> this is the name/path of your output file – actual graph

$GraphGraphVizFile = “GraphVizFile.gv” -> this is the name/path of the input file that will be passed to GraphViz to visualize your data, it will look similar to this one:

GraphViz_File

$CSVPermissionsFile = “Permissions.csv” –> and finally this is the input file for the script – so output from your script that reads permissions from mailboxes

    3. Having CSV we can start reading permissions, so here are some examples.

After running below:

.\PermissionMatrixGraphBuilder.ps1 -users “Pawel Jarosz”, “Wladek Ksiegowicz”

Permissions_1_PS

We will get:

Permissions_1

Users mentioned in “Users” array will be marked on blue, nice arrows will show direction of permissions 🙂

After running:

.\PermissionMatrixGraphBuilder.ps1 -users “Pawel Jarosz”, “Wladek Ksiegowicz” -SingleUser $true

Permissions_2_PS

We will get:

Permissions_2

And finally after running same but with “level” set to 1 we will get:

.\PermissionMatrixGraphBuilder.ps1 -users “Pawel Jarosz”, “Wladek Ksiegowicz” -Level 1

Permissions_3_PS.jpg

That will runthough the whole file ONLY ONE TIME, and what we will get would be something like:

Permissions_3.jpg

So summing up – for me script does a good job when it comes to visualize data that would be actually really hard to see from a excel file.

It is just an easy script, please note that you can add here features like:

  • adding description to each “connection” saying to which folder permissions are given
  • reading mailboxes sizes and adding them to the graph so it can ease planing of migration of certain groups of people
  • remember – possibilities are endless:

 

possibilities1possibilities2

 

Script can be found on TechNet and GitHub.

 

PowerShell script to check permissions on mailbox folders (also recursively).

Hey there!

Some time ago I posted script that is checking general permissions of a mailbox like “FullAccess”, “ReadOnly” etc.:

https://paweljarosz.wordpress.com/2016/03/04/script-to-check-mailbox-permissions/

Here is another one that is checking permissions on particular folders 🙂

Worth mentioning is that script is also checking groups recursively, and has – let me call it – anti-loop protection :] so if someone creates “Group_A” and “Group_B” and put A in B and B in A the script will notice that particular group has been already reported in that particular cycle, and won’t go deeper.

Parameters and examples:

.SYNOPSIS
MailboxFolderPermissions.ps1 – Mailbox folder permissions report generation script.

.DESCRIPTION
Generates a report of permissions that have been set on a folder

.OUTPUTS
Single mailbox reports are output to the console, while all other
reports are output to a CSV file.

.PARAMETER all
Generates a report for all mailboxes in the organization.

.PARAMETER server
Generates a report for all mailboxes on the specified server.

.PARAMETER database
Generates a report for all mailboxes on the specified database.

.PARAMETER file
Generates a report for mailbox names listed in the specified text file.

.PARAMETER mailbox
Generates a report only for the specified mailbox.

.PARAMETER filename
(Optional) Specifies the CSV file name to be used for the report.
If no file name specificed then a unique file name is generated by the script.

.EXAMPLE
.\MailboxFolderPermissions.ps1 -database HO-MB-01
Returns a report with the mailbox statistics for all mailbox users in
database HO-MB-01

.EXAMPLE
.\MailboxFolderPermissions.ps1 -file .\users.txt
Returns a report with the mailbox statistics for all mailbox users in
the file users.txt. Text file should contain names in a format that
will work for Get-Mailbox, such as the display name, alias, or primary
SMTP address.

.EXAMPLE
.\MailboxFolderPermissions.ps1 -server ex2010-mb1
Generates a report with the mailbox statisitcs for all mailbox users
on ex2010-mb1

.EXAMPLE
.\MailboxFolderPermissions.ps1 -server ex2010-mb1 -filename ex2010-mb1.csv
Generates a report with the mailbox statisitcs for all mailbox users
on ex2010-mb1, and uses the custom file name of ex2010-mb1.csv

Script can be downloaded from Technet and GitHub.

Remove cancelled Outlook meetings using PowerShell and EWS.

I_am_so_Great

 

Recently there was a business demand for removal of meetings that were canceled in our resource mailboxes. Thought it was some sort of  a bug but then saw that problem was “AutomateProcessing” attribute on these was set to “AutoUpdate” not “AutoAccept” (This can be checked using Get-CalendarProcessing cmdlet).

 

So when someone is scheduling a meeting form his own mailbox and is picking up room – creates a meeting, and later changes his mind and removes it, it still is hanging there visible as “Canceled: Subject of the meeting“. And each time (because of that “AutoUpdate”) someone manually needs to go there and remove it.

https://technet.microsoft.com/en-us/library/bb123495%28v=exchg.141%29.aspx

 

After reading a bit about that topic, I realized that PowerShell script I was about to write needs to use EWS and impersonation in Exchange.

There are few things you need before running the script:

  • AD account used by the script
  • Security Group that will contain people who will have impersonation rights (admns/service accounts)
  • Distribution List that will contain room mailboxes – managed by admins/service accounts from Security Group
  • Management Scope in Exchange – narrowing scope for members of the Distribution List
  • Management Role Assigment – glue all that crap together – permission Security Group to Distribution List with “Application Impersonation” rights.

In commands it can look like:

1. Creating Distibution Group

New-DistributionGroup -Name ‘RoomImpersonationGroup‘ -Type ‘Distribution’ –OrganizationalUnit ‘contoso.com/Distribution Lists’ -SamAccountName ‘RoomImpersonationGroup’ -Alias ‘RoomImpersonationGroup’ –managedBy ‘PawelJarosz’

2. Creation of Exchange Management Scope:

$Grupa = Get-DistributionGroup -Identity “RoomImpersonationGroup”
New-ManagementScope “Room Mailboxes Impersonation” -RecipientRestrictionFilter “MemberOfGroup -eq ‘$($Grupa.DistinguishedName)'”

3. Creation of security group “ExchangeRoomImpersonation” in Active Directory

NEW-ADGroup –name “ExchangeRoomImpersonation” –groupscope Universal –path “OU=Offices,DC=Contoso,DC=local” -GroupCategory Security

4. Creation of new Exchange Assigment Role:

New-ManagementRoleAssignment -Name “Room Mailboxes Impersonation Assigment” -Role “ApplicationImpersonation” -CustomRecipientWriteScope “RoomImpersonationGroup” -SecurityGroup “ExchangeRoomImpersonation”

 

If you have all of that or you do not need to configure it as there are some service accounts you will use that are permissioned to impersonate globally – omit all these steps.

Some details about the script:

.SYNOPSIS
DeleteCanceledMeetings.ps1 - Cancelled meetings removal script.

.PARAMETER SearchStartDay
(OPTIONAL) Specifies START date from which sript should start searching of 
appointments.
If not specified the today's date is used.

.PARAMETER SearchEndDay
(MANDATORY) Specifies END date till which sript should start searching of 
appointments.

.PARAMETER Room
(MANDATORY) Specifies mailboxes from which cancelled meetings should be removed.
As this is an array it accepts many mailboxes given after coma.

.PARAMETER HardDelete
(OPTIONAL) Triggers HardDelete action on cancelled meetings if equal "True". 
Without it it generates a on screen report.

.EXAMPLE
.\Get-MailboxPermissions.ps1 -SearchStartDay 10 -SearchEndDay 30 -Room Room1,Room2
Starts searching of meetings 10 days back and 30 days in front 
for 3 rooms Room1,Room2.
Returns a on screen report.

.EXAMPLE
.\Get-MailboxPermissions.ps1 -SearchEndDay 90 -Room Room1,Room2,Room3 `
 -HardDetele True
Starts searching of meetings starting from current day and 90 days in front 
for 3 rooms Room1,Room2,Room3 and hard deletes them.
Reruns a CSV report and a log file.

You need to modify these lines in order to get logging working:

DeleteCanceledMeetings_script1

And you are ready to go! 🙂

Please remember that when runnig the script:

Calvin12

Script can be found on my Technet and GitHub

Have fun with IT!