Exchange mailbox/folders permissions – dependency graph between users.

The following solution uses the GraphViz application to visualize mailbox permission dependencies in the company.

Some time ago I published scripts for reading mailbox permissions:

https://paweljarosz.wordpress.com/2016/03/04/script-to-check-mailbox-permissions/

and mailbox folder permissions:

https://paweljarosz.wordpress.com/2016/05/28/powershell-script-to-check-permissions-on-mailbox-folders-also-recursively/

If some of you are wondering what GraphViz is, a quick Google image search for the phrase “graphviz” gives an idea of how gorgeous its graphs can be:

fancy_graphviz.JPG

All GraphViz needs is a properly formatted input file – that’s it!

The need for such a script showed up when I was facing a migration of users to Exchange Online. I started to wonder how I could visualize, in a simple way, who needs to be migrated together…

It was not an easy task. Going through an Excel/CSV file, or even creating lists, was not satisfying for me, so I started to think about it more, even during meals…

And then I found GraphViz:

http://www.graphviz.org/

It was looking really good! So now it was just a matter of quickly reading about it and checking whether it would apply…

…reviewing the idea…

…some calculations…

And after all that research the idea became clear…

As I mentioned at the beginning, the input file can be produced with one of the mailbox permissions / mailbox folder permissions reading scripts – links are provided at the top (you might need to change the delimiters a little bit, as I guess these files use “;”, but go for adventure and modify something :))

The proper input should look like:

The_Input_File

So it has columns named “Mailbox”, “User” and “AccessRights”.

And now the script. In the organization I was building the script for, it turned out that we had so many permissions that I almost shat bricks when I saw the actual output (graph)…

Just take a look for yourself; here is a very small piece of the graph from when I was checking the dependencies of just one mailbox – mine:

Silly_Permissions

Let’s go closer:

Silly_Permissions

Imagine now that the whole dependency graph contained like 10 more of the same chunks/pieces, 10 more, 10 fuck*ng times!

Well, I needed somehow to…

So the idea of migrating people together in chunks fell down and broke into pieces :] but at least we have that nice script.

  1. The first thing is to get the GraphViz application and install it:

Here you can find it:

http://www.graphviz.org/Download_windows.php

After installation, all you need to do is read your mailbox permissions – you can read them with the scripts from the links given at the beginning of this article.

  2. The next thing is to set up 3 variables:

$GraphImageFile = "GraphImageFile.png" -> this is the name/path of your output file – the actual graph

$GraphGraphVizFile = "GraphVizFile.gv" -> this is the name/path of the input file that will be passed to GraphViz to visualize your data; it will look similar to this one:

GraphViz_File

$CSVPermissionsFile = "Permissions.csv" -> and finally this is the input file for the script – the output from your script that reads permissions from mailboxes

  3. Having the CSV, we can start reading permissions, so here are some examples.

After running the command below:

.\PermissionMatrixGraphBuilder.ps1 -users "Pawel Jarosz", "Wladek Ksiegowicz"

Permissions_1_PS

We will get:

Permissions_1

Users listed in the “Users” array will be marked in blue, and nice arrows will show the direction of permissions 🙂

After running:

.\PermissionMatrixGraphBuilder.ps1 -users "Pawel Jarosz", "Wladek Ksiegowicz" -SingleUser $true

Permissions_2_PS

We will get:

Permissions_2

And finally, running the same but with “Level” set to 1:

.\PermissionMatrixGraphBuilder.ps1 -users "Pawel Jarosz", "Wladek Ksiegowicz" -Level 1

Permissions_3_PS.jpg

That will run through the whole file ONLY ONE TIME, and what we will get would be something like:

Permissions_3.jpg

So, summing up – for me the script does a good job of visualizing data that would be really hard to see in an Excel file.

It is just a simple script; please note that you can add features like:

  • adding a description to each “connection” saying which folder the permissions are given to
  • reading mailbox sizes and adding them to the graph, so it can ease planning the migration of certain groups of people
  • remember – possibilities are endless:

 

Script can be found on TechNet and GitHub.
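
The CSV-to-GraphViz step this post describes, as an added example; it is not the author's PermissionMatrixGraphBuilder.ps1. The function name, the sample rows, the arrow direction and the reading of -Level as a number of passes over the rows are assumptions; it needs PowerShell 5 or later.

```powershell
# Added example. Sample rows are constructed; columns match the post's input file.
$csvText = @'
Mailbox,User,AccessRights
Pawel Jarosz,Wladek Ksiegowicz,FullAccess
Shared Finance,Wladek Ksiegowicz,FullAccess
Shared Finance,CONTOSO\anowak,ReadPermission
Anna Nowak,Jan Kowalski,FullAccess
'@

function ConvertTo-PermissionGraph {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,   # objects with Mailbox, User, AccessRights
        [Parameter(Mandatory)] [string[]] $Users,  # starting names, drawn in blue
        [int] $Level = 2                           # assumed meaning: passes over the rows
    )
    # DOT quoted strings: escape " so a name cannot end the string early, and
    # double \ (DOMAIN\user) so label rendering does not treat it as an escape.
    $esc = { param($s) ([string]$s).Replace('\', '\\').Replace('"', '\"') }

    $seen  = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    $edges = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($u in $Users) { [void]$seen.Add($u) }

    for ($pass = 0; $pass -lt $Level; $pass++) {
        $frontier = @($seen)   # snapshot: one pass only follows names known before it
        foreach ($r in $Rows) {
            if ($frontier -contains $r.Mailbox -or $frontier -contains $r.User) {
                # Assumed direction: from the account holding the right to the mailbox
                $edge = '  "{0}" -> "{1}" [label="{2}"];' -f (& $esc $r.User), (& $esc $r.Mailbox), (& $esc $r.AccessRights)
                [void]$edges.Add($edge)
                [void]$seen.Add($r.Mailbox)
                [void]$seen.Add($r.User)
            }
        }
    }

    $lines = @('digraph permissions {', '  rankdir=LR;', '  node [shape=box];')
    foreach ($u in $Users) {
        $lines += '  "{0}" [style=filled, fillcolor=lightblue];' -f (& $esc $u)
    }
    $lines += @($edges)
    $lines += '}'
    $lines -join "`n"
}

$rows = $csvText | ConvertFrom-Csv
$dot  = ConvertTo-PermissionGraph -Rows $rows -Users 'Pawel Jarosz' -Level 1
[System.IO.File]::WriteAllText((Join-Path $PWD 'GraphVizFile.gv'), $dot)   # UTF-8, no BOM
dot -Tpng GraphVizFile.gv -o GraphImageFile.png   # requires GraphViz's dot on PATH
```

With -Level 1 only the row that names Pawel Jarosz directly becomes an edge; raising it to 2 also pulls in the Shared Finance rows reached through Wladek Ksiegowicz, which is how the graph grows when delegated access is chained.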

 

Script to check mailbox permissions

Recently I have written a script for getting mailbox permissions.

The script reads permissions and puts them in a CSV. I have used a lot from the Get-MailboxReport.ps1 script written by Paul Cunningham.

Data can be read from individual mailboxes, for a specific mailbox server, or for all mailboxes:

get_mailboxpermissions2

get_mailboxpermissions1

At the end it gives CSV output like:

get_mailboxpermissions3

Script can be found on Technet – link >> TECHNET

 

ZABBIX – listing permissions

Today one of our security officers asked me to retrieve a list of users and permissions from our Zabbix systems.

The problem occurred while I was trying to associate users’ groups with hosts’ groups. There is in fact a “Permissions” subpage under “Administration” -> “Users”, shown after clicking on a particular group link. But you cannot copy any information from there. Additionally, if you have many groups, that would be a tedious task.

Instead, I decided to retrieve the permissions from the database. Here is the working SQL command:


SELECT r.permission AS "Permissions", g.name AS "User Group", z.name AS "Host Group"
FROM zabbix.rights AS r
JOIN zabbix.usrgrp AS g ON r.groupid = g.usrgrpid
JOIN zabbix.groups AS z ON z.groupid = r.id;

2 in the “permission” column means “read” access, 3 means “read/write” permissions.

Listing permissions for Sharepoint 2010 – including information about inheritable permissions lists/libraries and files

I am about to describe my struggles with the SCCM 2007 to 2012 upgrade, but just before that I would like to share with you guys a script I had been dreaming of having the time to write.

I am talking about a script that lists permissions for SharePoint and for all libraries and files that don’t inherit permissions.

It was a bit of a horrible nightmare for me to list permissions for the web application – there was a time when users had the power to grant permissions on folders and files. After a couple of years there was an idea from the management – let’s take back those permissions and put everything in the User Rights Management system…

First thought:

fear

Second – pretty much the same:

lost

Finally I had some time and wrote a script that lets me see precisely who the hell has permissions on what file in what library 😀

Here it is:


# Load the SharePoint cmdlets (Get-SPWeb) when not running in the SharePoint Management Shell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$url = "http://<WEB_APPLICATION_NAME>"
$site = Get-SPWeb ($url)
$pliki = @()   # files with unique permissions, collected per list

foreach ($web in $site.Site.AllWebs)
{
    # if ($web.Url.StartsWith($url)) {   # Use this line instead to list the whole web application
    if ($web.Url -match "http://<WEB_APPLICATION_NAME>/<SOME_FOLDER>") {   # Lists just one particular site

        $host.ui.RawUI.ForegroundColor = "Green"
        Write-Host ("Permissions for website " + $web.Name + " ,Url: " + $web.Url)
        $lists = $web.Lists
        Write-Host "Website contains the content libraries:"
        $host.ui.RawUI.ForegroundColor = "White"

        foreach ($list in $lists) {

            #-----------
            # (START) Getting the files with unique (non-inherited) permissions
            #-----------
            foreach ($ll in $list.items) {
                if ($ll.HasUniqueRoleAssignments -match "True") {
                    $e = $ll.url
                    foreach ($upr_f in $ll.RoleAssignments) {
                        $f = $upr_f.member.name                                     # user or group
                        $g = $upr_f.RoleDefinitionBindings | foreach { $_.name }    # permission levels
                        $paczka = "$e,$f,$g"
                        $pliki += $paczka
                    }
                }
            }
            #-----------
            # (END) Getting the files with unique (non-inherited) permissions
            #-----------

            #-----------
            # (START) Getting the permissions of the folders in each list/library
            #-----------
            $l = $list.folders
            foreach ($upr in $l) {

                #-----------
                #   if ($upr.name -match "Systemy - admini") {   # Uncomment to list one particular list/library;
                #   do not forget to uncomment the closing bracket below
                #-----------
                $a = $upr.Url
                $b = $upr.HasUniqueRoleAssignments

                if ($b -eq "True") {
                    $host.ui.RawUI.ForegroundColor = "Green"
                    Write-Host "The list/library with unique permissions:"
                    $host.ui.RawUI.ForegroundColor = "Yellow"
                }

                foreach ($u in $upr.RoleAssignments) {
                    $c = $u.member.name
                    $d = $u.RoleDefinitionBindings | foreach { $_.name }
                    Write-Host "$a, $c, $d"
                }

                # Print the files collected above, then reset the collection
                if ($pliki) {
                    $host.ui.RawUI.ForegroundColor = "Green"
                    Write-Host "Files with unique permissions"
                    $host.ui.RawUI.ForegroundColor = "Yellow"
                    $pliki
                }

                $pliki = @()
                $host.ui.RawUI.ForegroundColor = "Green"
                Write-Host "#-------------"
                $host.ui.RawUI.ForegroundColor = "White"
                #----------
                #   }   # Closing bracket for the "if" selecting one list/library
                #----------
            }
            #-----------
            # (END) Getting the permissions of the folders in each list/library
            #-----------
        }
    }
}