get-adobject in ForeachLoop with Variable usage

Hello PS Board,
I'm trying to get a list of all AD groups which are used for setting rights on Exchange resources. For that I'm using

$mbxperm=Get-MailboxPermission *| select user| Out-String

Now I have a list with usernames and Groupnames and \Domainname in $mbxperm like “domain\ImGroup”
I split them using

$mbxperm.User
$mbxperm| gm
$domain,$username = $mbxperm.split('\')

$username looks like

"baschi
tesuser
..."

After that I'm trying to get only the groups, not all users and groups mixed.

foreach ($i in $username) {
get-adgroup -filter {name -eq $i -and ObjectClass -eq "group"}
}

I simply get no results from the command. If I use a one-liner like
get-adgroup -filter {name -eq $i -and ObjectClass -eq "group"} I get the proper result.

These are the var types:

PS C:\Users\xy\Desktop> $i.gettype() 
IsPublic IsSerial Name                                     BaseType                                                            
-------- -------- ----                                     --------                                                            
True     True     String                                   System.Object                                                       

PS C:\Users\xy\Desktop> $LHash.gettype()
IsPublic IsSerial Name                                     BaseType                                                            
-------- -------- ----                                     --------                                                            
True     True     Object[]                                 System.Array                                                        

PS C:\Users\xy\Desktop> $username.gettype() 
IsPublic IsSerial Name                                     BaseType                                                            
-------- -------- ----                                     --------                                                            
True     True     Object[]                                 System.Array                                                        

Also, when I convert the string to a custom object and try to use it with "$i.name" in the foreach it doesn't work; it only works when I use the one-liner as well. I can even see the proper output of $i when I add write-output $i, but not in the foreach.
It seems like the problem is with using the variable in the foreach loop, but I can't figure out how to change the command so that I get the wished result. I would be more than happy if there is any smarter solution for getting all permission groups of Exchange. We are in an enterprise and the output of "Get-MailboxPermission *" is super heavy.

Hope you can help.
Best Regards,
baschi

If I ever run into this problem I always peel things back.

Run

foreach ($i in $username) {
    #get-adgroup -filter {name -eq $i -and ObjectClass -eq "group"}
    Write-Output $i
}

And see what is in $i

Why are you doing this on an Exchange server, using the Exchange cmdlet for user group info that is on the DC?
Now, I am not saying you can’t do this from an Exchange server, especially if you have RSAT ADDS enabled.

There are better ways to more completely get user / group membership info.

You could just do this…

Get-ADPrincipalGroupMembership  -Identity $env:username

Also, of note, the default cmdlets do not get nested or indirect group memberships.

Try something like this…

function Get-NestedGroupMember
{
    [cmdletbinding()]

    [Alias('gngm')]

    param
    (
        [Parameter(Mandatory,ValueFromPipeline)]
        [string]
        $Identity
    )

    process
    {
        $user = Get-ADUser -Identity $Identity
        # Escape characters that are special in an LDAP filter (\ ( ) *) so a DN
        # such as "CN=Smith\, John,..." does not break or widen the query
        $userdn = $user.DistinguishedName -replace '\\','\5c' -replace '\(','\28' -replace '\)','\29' -replace '\*','\2a'
        # LDAP_MATCHING_RULE_IN_CHAIN: returns groups that contain the user
        # directly or through any level of nesting
        $strFilter = "(member:1.2.840.113556.1.4.1941:=$userdn)"
        Get-ADGroup -LDAPFilter $strFilter -ResultPageSize 1000
    }
}


# Example
Get-NestedGroupMember -Identity $env:username |
Select-Object -Property Name, DistinguishedName

Of course I am passing in only one username here, but just make a list and loop through that.

With foreach output $i, I saw a list which looked like $mbxperm,
so I was expecting everything was right because I saw rows between Domainname\ and username.

Thanks Alex, using $mbxperm[1] I found out that the split didn't really work. I got
"domainname
username"
as a result, which showed me that the split didn't work properly, so I am using -replace now instead.

Thanks for your input, your thoughts are really insightful.

This confirms my feeling that Exchange is not the right place for it, BUT
so far I don't have a working alternative. If I understand your function correctly, your command gives me where the user has rights, but I need only all security groups which are used for setting permissions on Exchange resources. Your input is really great, thanks for these insights.

Best Regards,
baschi

When you say…

Exchange resources
… does this mean, member of Exchange groups only?

If that is the case, the script is still usable as is, just apply a filter to the Exchange groups.

(Get-NestedGroupMember -Identity $env:username |
Select-Object -Property Name, DistinguishedName) -match 'Exchange'

[quote quote=118344]When you say…

Exchange resources
… does this mean, member of Exchange groups only?

If that is the case, the script is still usable as is, just apply a filter to the Exchange groups.

(Get-NestedGroupMember -Identity $env:username |
Select-Object -Property Name, DistinguishedName) -match 'Exchange'
[/quote]

No, this would mean security groups which are used for granting SendAs or FullAccess rights to mailboxes and resources.

e.g.

Group1 with members xyz, yax
is used on mailbox asdf@domain.com to grant SendAs rights to Group1. And from my understanding these security groups don't necessarily have "Exchange" in their DN.

BR baschi
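An added example, not code posted by anyone in this thread, that covers both the split problem in the first post and the requirement stated in the last one (security groups that hold FullAccess or Send-As on mailboxes). It assumes an on-premises Exchange Management Shell with the ActiveDirectory RSAT module available and a single AD domain (Get-ADGroup -Identity is queried without -Server). The $samplePerms objects, the mailbox and group names in them, and the function names ConvertTo-Trustee, Get-MailboxPermissionGroup and Get-LiveMailboxPermission are all invented for the example; the sample objects are shaped like Get-MailboxPermission / Get-ADPermission output so the parsing can be tried without Exchange.

```powershell
# Added example (not from the thread). Assumes Exchange Management Shell + RSAT AD,
# single domain. Sample input below is constructed; names are invented.
Import-Module ActiveDirectory -ErrorAction SilentlyContinue

# Constructed sample: trustees as Exchange renders them (DOMAIN\name, a well-known
# principal, an inherited ACE, an orphaned SID). Right is FullAccess or Send-As.
$samplePerms = @(
    [pscustomobject]@{ Identity = 'asdf@domain.com';   User = 'CONTOSO\Group1';        Right = 'FullAccess'; IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'asdf@domain.com';   User = 'CONTOSO\Group1';        Right = 'Send-As';    IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'asdf@domain.com';   User = 'NT AUTHORITY\SELF';     Right = 'FullAccess'; IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'asdf@domain.com';   User = 'CONTOSO\Domain Admins'; Right = 'FullAccess'; IsInherited = $true;  Deny = $false }
    [pscustomobject]@{ Identity = 'baschi@domain.com'; User = 'CONTOSO\tesuser';       Right = 'FullAccess'; IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'baschi@domain.com'; User = 'S-1-5-21-1111-2222-3333-1105'; Right = 'Send-As'; IsInherited = $false; Deny = $false }
)

function ConvertTo-Trustee {
    # Splits ONE permission entry into Domain / SamAccountName. This is the step the
    # question did on a single Out-String blob: there .split('\') returns chunks
    # like "domainname`r`nusername", which is why the later lookups found nothing.
    param([Parameter(Mandatory, ValueFromPipeline)] $Permission)
    process {
        if ($Permission.IsInherited -or $Permission.Deny) { return }      # explicit grants only
        $user = ([string]$Permission.User).Trim()
        if ($user -match '^(NT AUTHORITY|BUILTIN)\\' -or $user -match '^S-1-\d') { return }  # well-known / orphaned SID
        $domain, $sam = $user -split '\\', 2                                # -split is regex: '\\' is one backslash
        if (-not $sam) { return }
        [pscustomobject]@{ Mailbox = $Permission.Identity; Right = $Permission.Right; Domain = $domain; SamAccountName = $sam }
    }
}

function Get-MailboxPermissionGroup {
    # Resolves each distinct trustee name in AD and keeps only security groups.
    # Get-ADGroup -Identity accepts a sAMAccountName; a user's name is simply not
    # found, so no "name -eq $i" filter is needed and no quoting pitfalls arise.
    param([Parameter(Mandatory)] [object[]] $Permission)
    $Permission | ConvertTo-Trustee | Group-Object SamAccountName | ForEach-Object {
        $group = Get-ADGroup -Identity $_.Name -ErrorAction SilentlyContinue
        if ($group -and $group.GroupCategory -eq 'Security') {
            [pscustomobject]@{
                Group  = $group.SamAccountName
                DN     = $group.DistinguishedName
                UsedOn = ($_.Group | ForEach-Object { "$($_.Mailbox):$($_.Right)" } | Sort-Object -Unique) -join ', '
            }
        }
    }
}

function Get-LiveMailboxPermission {
    # Live collection for on-prem Exchange. Streaming mailbox by mailbox avoids
    # buffering the whole "Get-MailboxPermission *" result set in memory.
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $mbx = $_
        $mbx | Get-MailboxPermission | Where-Object { $_.AccessRights -like '*FullAccess*' } | ForEach-Object {
            [pscustomobject]@{ Identity = $mbx.PrimarySmtpAddress; User = $_.User; Right = 'FullAccess'; IsInherited = $_.IsInherited; Deny = $_.Deny }
        }
        # Send-As is an AD extended right on the recipient object, not a mailbox permission
        $mbx | Get-ADPermission | Where-Object { $_.ExtendedRights -like '*Send-As*' } | ForEach-Object {
            [pscustomobject]@{ Identity = $mbx.PrimarySmtpAddress; User = $_.User; Right = 'Send-As'; IsInherited = $_.IsInherited; Deny = $_.Deny }
        }
    }
}

# Offline dry run on the constructed sample: only CONTOSO\Group1 survives the
# trustee filter and, if it exists as a security group in AD, is reported with
# "asdf@domain.com:FullAccess, asdf@domain.com:Send-As".
Get-MailboxPermissionGroup -Permission $samplePerms | Format-Table -AutoSize

# Real run against Exchange:
# Get-MailboxPermissionGroup -Permission (Get-LiveMailboxPermission) | Export-Csv .\exchange-permission-groups.csv -NoTypeInformation
```

Two things worth checking before trusting the output: an orphaned SID in a mailbox ACL (a deleted group that still grants access) is dropped by ConvertTo-Trustee rather than reported, so add a branch there if those are of interest, and in a multi-domain forest the DOMAIN prefix has to be mapped to a -Server value for Get-ADGroup, which this single-domain example does not do.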