Friday, April 29, 2011

PowerShell: Set Mailbox Quota via AD Account Settings

Using only AD to set mailbox quota sizes.

#######################################################################
# Description: Set Mailbox Quota Sizes for Members of an AD Group
# Quota Values Are in KB: Prohibit Send (mDBOverQuotaLimit) and Issue Warning (mDBStorageQuota)
# 2GB Mailbox 2097152 and 1992294
# 1GB Mailbox 1048576 and 996352
#######################################################################

#Retrieve AD Group
$objGroup = [ADSI]"LDAP://CN=BioTech,OU=campusDepts,DC=MYDOMAIN,DC=edu"
#Create Array of Group Members
$objGroupMembers = $objGroup.member

foreach ($user in $objGroupMembers)
{
    #Retrieve AD User Info
    $userPath = "LDAP://" + $user
    $objUser = [ADSI]$userPath

    #Check to See if User Account Has a Mailbox
    if ($objUser.homeMDB)
    {
        #Apply to Only Mailboxes with Default DB Setting or Lower Mailbox Quota Limit
        if (($objUser.mDBUseDefaults -eq $true) -or ($objUser.mDBOverQuotaLimit -lt 2097152))
        {
            #Set Prohibit Send
            $objUser.mDBOverQuotaLimit = 2097152
            $objUser.setInfo()
            #Set Issue Warning
            $objUser.mDBStorageQuota = 1992294
            $objUser.setInfo()
            #Set Use Database Defaults Setting
            $objUser.mDBUseDefaults = $false
            $objUser.setInfo()
            #Write Out Accounts Changed (Quick Logging)
            Write-Host $objUser.sAMAccountName
        }
    }
}

Write-Host "All Done"

PowerShell: Set AD User No Expiration

In the specified OUs, this script sets all user accounts so that neither the account nor its password expires.

#Array for OUs
$arrOUs = "LDAP://OU=campusUsers,DC=MYDOMAIN,DC=EDU",
          "LDAP://OU=campusStudents,DC=MYDOMAIN,DC=EDU"

$i = 0

#Run Against All Users in Specified OU
foreach ($ou in $arrOUs)
{
    $ADsPath = [ADSI]$ou
    $Search = New-Object DirectoryServices.DirectorySearcher($ADsPath)
    #objectCategory=person Keeps Computer Accounts (Which Are Also objectClass=user) Out of the Results
    $Search.filter = "(&(objectCategory=person)(objectClass=user))"
    $Search.PageSize = 900
    $Search.SearchScope = "SubTree"
    $results = $Search.Findall()

    foreach($result in $results)
    {
        #Retrieve User Account
        $objUser = $result.GetDirectoryEntry()

        #Set Account to Not Expire
        $objUser.accountExpires = 0
        $objUser.setInfo()

        #Pull Password Settings and Convert to Int
        $crtUAC = [int]($objUser.userAccountControl.ToString())

        #If Account is a Normal Enabled Account (512), Optionally with Password Not Required (544)
        #Set Password Doesn't Expire (512 + 65536 = 66048)
        if (($crtUAC -eq 512) -or ($crtUAC -eq 544))
        {
            $objUser.userAccountControl = 66048
            $objUser.setInfo()
        }
        #Same Thing for Disabled Account (514); However Leave Disabled
        elseif ($crtUAC -eq 514)
        {
            $objUser.userAccountControl = 66050
            $objUser.setInfo()
        }

        $i = $i + 1

        write-host $i
    }
}

Write-Host 'All Done'
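
The script above compares userAccountControl against exact values (512, 544, 514), so an account carrying any other flag is skipped, and the fixed assignments overwrite whatever flags were set. The following is an added example, not the original author's code, that treats the attribute as a bitmask; the function names are hypothetical, and the sample values are the three from the script plus one constructed value.

```powershell
#Added Example: Treat userAccountControl as a Bitmask Instead of Exact Values
#Function Names Are Hypothetical; Bit Values Are the Documented ADS_UF_* Flags
$UacFlags = @(
    @{ Bit = 0x0002;  Name = 'ACCOUNTDISABLE' },
    @{ Bit = 0x0020;  Name = 'PASSWD_NOTREQD' },
    @{ Bit = 0x0200;  Name = 'NORMAL_ACCOUNT' },
    @{ Bit = 0x10000; Name = 'DONT_EXPIRE_PASSWD' },
    @{ Bit = 0x40000; Name = 'SMARTCARD_REQUIRED' }
)

function Get-UacFlagNames([int]$Uac)
{
    #Return the Name of Every Known Flag That Is Set in the Value
    $UacFlags | Where-Object { ($Uac -band $_.Bit) -ne 0 } | ForEach-Object { $_.Name }
}

function Add-DontExpirePassword([int]$Uac)
{
    #Turn On One Bit and Leave Every Other Flag as It Was
    return ($Uac -bor 0x10000)
}

#512, 544 and 514 Come from the Script Above
#262656 (512 + 262144) Is a Constructed Value That the Exact-Match Test Would Skip
foreach ($crtUAC in 512, 544, 514, 262656)
{
    $newUAC = Add-DontExpirePassword $crtUAC
    $before = (Get-UacFlagNames $crtUAC) -join ','
    $after  = (Get-UacFlagNames $newUAC) -join ','
    "{0,6} [{1}] -> {2,6} [{3}]" -f $crtUAC, $before, $newUAC, $after
}
```

Against a live entry, read the current value as the script does with [int]($objUser.userAccountControl.ToString()), pass it through Add-DontExpirePassword, and write the result back. Unlike the fixed 66048 assignment, this keeps PASSWD_NOTREQD on a 544 account, so that flag stays visible for review.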

PowerShell: AD Account Creation and Password Last Change Dates for Individual User

AD Account Creation and Password Last Change Dates for Individual User

# Variable for User ID
$userID = "myUserID"

#Create AD Searcher
$ADsPath = [ADSI]"LDAP://DC=MYDOMAIN,DC=EDU"
$Search = New-Object DirectoryServices.DirectorySearcher($ADsPath)
$Search.filter = "(&(objectClass=user)(sAMAccountName=" + $userID.ToString() + "))"
$Search.SearchScope = "SubTree"
$result = $Search.FindOne()

#Get AD User Account
$objUser = $result.GetDirectoryEntry()

#Check to See If Password Last Set has been Actually Set and Not Default Windows Time
if(($result.Properties["pwdlastset"][0].ToString() -ne "9223372036854775807") -and ($result.Properties["pwdlastset"][0].ToString() -ne "0"))
{
    $pwdSetDate = [System.DateTime]::FromFileTime($result.Properties["pwdlastset"][0])
}
else
{
    $pwdSetDate = "Not Set"
}

#Write Out User Info
Write-Host "Account Created: " $objUser.whenCreated.ToString()
Write-Host "Last Password Change: " $pwdSetDate
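
The search filter above is built by concatenating $userID straight into the LDAP query string. When the ID comes from input rather than a constant, the characters * ( ) \ and NUL change the meaning of the filter; the added example below (not the original author's code; the function names are hypothetical and the sample IDs are constructed) escapes them per RFC 4515 before the filter is assembled.

```powershell
#Added Example: Escape a Value Before Placing It in an LDAP Search Filter
#Function Names Are Hypothetical
function ConvertTo-LdapFilterValue([string]$Value)
{
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray())
    {
        if (('\*()'.IndexOf($ch) -ge 0) -or ([int]$ch -eq 0))
        {
            #RFC 4515: Backslash Followed by the Two Hex Digits of the Character
            [void]$sb.AppendFormat('\{0:x2}', [int]$ch)
        }
        else
        {
            [void]$sb.Append($ch)
        }
    }
    return $sb.ToString()
}

function New-UserFilter([string]$UserID)
{
    #Same Filter Shape as the Script Above, with the ID Escaped
    return "(&(objectClass=user)(sAMAccountName=" + (ConvertTo-LdapFilterValue $UserID) + "))"
}

#Constructed Sample IDs: One Plain, Two Containing Filter Metacharacters
foreach ($userID in 'myUserID', 'Smith (Temp)*', 'a\b')
{
    New-UserFilter $userID
}
```

In the script above, assigning New-UserFilter $userID to $Search.filter replaces the concatenated string.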

Set Exchange Mailbox ActiveSync Policy for AD Group Members

One unit I support wanted a few AD groups to receive a specific ActiveSync security policy. Below is the script that quickly got it done.

#AD Setting for Multi Domain Forest
Set-ADServerSettings -ViewEntireForest $true

$Depts = "Group1","Group2","Group3"

ForEach ($Dept in $Depts)
{
    (get-group $Dept).members | Set-CASMailbox -ActiveSyncMailboxPolicy "EDU Security for Mobile Devices"
}

PowerShell: Adjusting Configured Minimum Mailbox Quota

My new unit's Exchange environment had configured minimum mailbox quotas. Well, they decided to up the range and we had to make sure all mailboxes were at least set to the new minimum (which in this case was 500 MB).

#AD Setting for Multi Domain Forest
Set-ADServerSettings -ViewEntireForest $true

$mailboxes = get-mailbox -resultsize unlimited | select-object Name,Identity,ProhibitSendQuota,RecipientType,UseDatabaseQuotaDefaults

foreach ($mailbox in $mailboxes)
{
    #Only Query User Mailboxes
    if ($mailbox.RecipientType.ToString() -eq 'UserMailbox')
    {
        #Skip Mailboxes with an Unlimited Quota; They Have No Value to Compare
        if (($mailbox.UseDatabaseQuotaDefaults -eq $false) -and (-not $mailbox.ProhibitSendQuota.IsUnlimited))
        {
            $quota = $mailbox.ProhibitSendQuota.Value.ToMB()

            if($quota -lt 500)
            {
                #Write-Host $mailbox.Name.ToString()
                set-mailbox -identity $mailbox.Identity -ProhibitSendQuota 500MB -IssueWarningQuota 475MB
            }
        }
    }
}

Write-Host "All Done"

PowerShell: Mail Enable Migrated AD Groups

Came up with this script when migrating over a unit that had a few AD Groups that were mail enabled. Required that I set no sender authentication and disable the email address policy because they migrated their MX record as well.

#AD Setting for Multi Domain Forest
Set-ADServerSettings -ViewEntireForest $true

#Import Group Settings
$uGroups = Import-CSV "c:\users\myaccount\desktop\migrated_groups.csv"

foreach ($uGroup in $uGroups)
{
    #Mail Enable the Group
    Enable-DistributionGroup -Identity $uGroup.groupid

    #Add Remote Domain Primary SMTP Address to Group's Email Addresses
    $uGrp = get-DistributionGroup -identity $uGroup.groupid
    $uGrp.EmailAddresses += ("smtp:" + $uGroup.emailaddress)
    set-DistributionGroup -identity $uGroup.groupid -EmailAddresses $uGrp.EmailAddresses
    #Set No Sender Authentication and Disabled Email Address Policy
    set-DistributionGroup -identity $uGroup.groupid -RequireSenderAuthenticationEnabled $false -EmailAddressPolicyEnabled $false
}



==============migrated_groups.csv==========================

groupid,displayname,emailaddress
Sales-Peps,Sales Users,SalesUsers@mydomain.edu
PurchasingUsers,Purchasing Users,PurchasingUsers@mydomain.edu
Marketing,Marketing Users,marketingUsers@mydomain.edu

Report on All ActiveSync Devices Attached to Exchange Mailboxes

Someone wearing a tie decided that we needed a report showing the stats of ActiveSync devices connected to our Exchange environment. Here is my Exchange PowerShell script solution to the request.

#AD Setting for Multi Domain Forest
Set-ADServerSettings -ViewEntireForest $true

#Array for Reporting Objects (Must Exist as an Array Before += Is Used)
$Summary = @()

#Retrieve All Mailboxes...Sort by Display Name
$mailboxes = get-mailbox -resultsize unlimited | sort -property DisplayName |
    select-object DisplayName,Alias,Identity

foreach ($mailbox in $mailboxes)
{
    #Pull ActiveSync Information for the Mailbox
    $devices = get-activesyncdevicestatistics -mailbox $mailbox.identity

    #Check to See if Mailbox has ActiveSync Device(s)
    if ($devices)
    {
        #Report on All Devices for Mailbox
        foreach ($device in $devices)
        {
            #Create New PowerShell Object and Assign Data to It
            $uEntry = new-Object PSObject
            $uEntry | add-Member -memberType noteProperty -name "Display Name" -Value $mailbox.DisplayName
            $uEntry | add-Member -memberType noteProperty -name "Alias" -Value $mailbox.Alias
            $uEntry | add-Member -memberType noteProperty -name "Device Type" -Value $device.DeviceType
            $uEntry | add-Member -memberType noteProperty -name "Device Model" -Value $device.DeviceModel
            $uEntry | add-Member -memberType noteProperty -name "First Sync Time" -Value $device.FirstSyncTime
            $uEntry | add-Member -memberType noteProperty -name "Last Successful Sync" -Value $device.LastSuccessSync
            $uEntry | add-Member -memberType noteProperty -name "Last Sync Attempt" -Value $device.LastSyncAttemptTime
            $uEntry | add-Member -memberType noteProperty -name "Device OS" -Value $device.DeviceOS
            $uEntry | add-Member -memberType noteProperty -name "Device ID" -Value $device.DeviceId
            #Add Entry to Summary Array
            $Summary += $uEntry
        }
    }
}

#Export Summary Info to CSV File
$Summary | Export-CSV ActiveSync_Devices.csv -NoTypeInformation

PowerShell: Get Mailbox Size for Members of Various AD Groups

One task that came up my first month at my current gig was to report on mailbox sizes for each member of various AD groups. Below is the Exchange PowerShell script that I came up with.

#AD Setting for Multi Domain Forest
Set-ADServerSettings -ViewEntireForest $true

#Array for Reporting Objects
$Summary = @()

#Array of Requested Dept Codes Which Should Have AD Groups Named After Them
$ADGroups = "Group1","Group2","Group3","Group4","Group5","Group6","Group7"

foreach ($ADGroup in $ADGroups)
{
    #Pull AD Group Members
    $dPart = (get-group $ADGroup).members

    foreach ($dUser in $dPart)
    {
        #Get Mailbox Stats for Group Member
        $mbstats = get-mailboxstatistics $dUser

        #Only Report on Users with Actual Mailboxes
        if($mbstats.TotalItemSize)
        {
            #Convert Size Into GBs
            $mbsize = ("{0:N2}" -f ($mbstats.TotalItemSize.Value.ToMB()/1024))
            #Create New PowerShell Object and Assign Data to It
            $uEntry = new-Object PSObject
            $uEntry | add-Member -memberType noteProperty -name "Display Name" -Value $mbstats.DisplayName
            $uEntry | add-Member -memberType noteProperty -name "Mailbox Size (GB)" -Value $mbsize
            $uEntry | add-Member -memberType noteProperty -name "Last Logon Time" -Value $mbstats.LastLogonTime
            #Add Entry to Summary Array
            $Summary += $uEntry
        }
    }
}

#Export Summary Info to CSV File
#Sort on [double] So the Fractional GBs Are Not Rounded Away Before Comparing
$Summary | Sort-Object {[double]$_."Mailbox Size (GB)"} -Descending | Export-CSV Mailboxes_By_AD_Group.csv -NoTypeInformation

PowerShell: Create Numerous Test Mailboxes

A developer in one of the departments I support requested 50 test mailboxes. Below is the PowerShell script I ran to quickly take care of the task.

# AD Setting for Multi Domain Forest
Set-ADServerSettings -ViewEntireForest $true

# Same Password for Every Test Account; It Is Stored in Plain Text in This Script
$password = ConvertTo-SecureString -String 'CreativeThoughtGoesHere2011$' -AsPlainText -Force

for ($i=1; $i -le 50; $i++)
{
    $un = "AppTestAccount" + $i
    $upn = $un + "@mydomain.edu"
    New-Mailbox -UserPrincipalName $upn -Alias $un -Database "EX-MDB-001" -Name $un -OrganizationalUnit "OU=RESOURCEACCOUNTS,DC=MYDOMAIN,DC=EDU" -Password $password -DisplayName $un -ResetPasswordOnNextLogon $false
}

Assign Recursive Rights To Public Folder

Day 90 of new job and finally able to take a break to blog some code. Here is a little ditty that I had to use to grant recursive rights on an Exchange public folder to a distribution group.

# AD Setting for Multi Domain Forest
Set-ADServerSettings -ViewEntireForest $true

$pfs = get-publicfolder -identity "\DeptPublicFolder" -recurse

foreach ($pf in $pfs)
{
    # Grant Distribution Group Owner Access to Each Public Folder. Use Groups Exchange Alias
    Add-PublicFolderClientPermission -Identity $pf.identity -AccessRights owner -User "DistGroupAlias"
}