Update fix to moving PST files

I wanted to automate the process of pushing this checkbox for all users who have an “OutlookArchive” folder.

The unforeseen error on my part was this: I had the Quest tool create all the archives in the \\server\home\myadmin folder, then I used a PowerShell move command to move the files to each user's home folder.

Because I moved the file, it was really fast, but it retained the original permissions from the source folder (hence, exadmin had rights to it, but not the user).

If I had copied the file rather than moving it, everything would have been OK, because copying the file makes a new file and the new file inherits the permissions of the parent folder (OutlookArchive), but it would have taken much longer to copy than to move.

That is why that person could not access their migrated.pst file: a permissions issue.

So, I want to automate this red box for all users with an OutlookArchive Folder and a Migrated.pst file in it.

To fix this, I made a batch file and used the free tool SETACL to reset the above inherited permissions.

The batch file code:

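@Echo off
rem allusers.txt holds one home folder name per line
Set _InputFile=allusers.txt
rem For every home folder that contains a migrated archive: turn inheritance
rem back on, set the owner to S-1-5-32-544 and clear the non-inherited entries
For /F "tokens=*" %%I IN (%_InputFile%) DO (
    IF EXIST "\\server\home\%%I\OutlookArchive\Migrated.pst" (
        SetACL.exe -silent -on "\\server\home\%%I\OutlookArchive*" -ot file -actn setprot -op "dacl:np;sacl:np" -rec cont_obj -actn setowner -ownr "n:S-1-5-32-544;s:y" -actn clear -clr "dacl,sacl"
    )
)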

In English:

I created the allusers.txt by doing a dir at the \\server\home folder and piping it to a text file, then I used Excel to clean up the file, so I had a listing of all the users' home folders.

The line “IF EXIST” checks to see if the file migrated.pst exists in each home folder. If it does, it runs the next line, which is the SetACL command to do the same thing as the red box in the graphic. (Thank you Google)
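The check and reset described above, as an added PowerShell example that is not part of the original post: it reports each Migrated.pst whose ACL has no Allow entry naming the user and, with -Fix, drops the explicit entries so the file inherits from OutlookArchive again. The AD\ domain prefix, the parameter and function names, and the assumption that home folders grant the user by name are hypothetical.

```powershell
# Added example, not the author's script. Assumptions: domain prefix AD\,
# home folders that grant the user by name, run from an admin account.
param(
    [string]$InputFile = '.\allusers.txt',   # one home folder name per line
    [string]$HomeRoot  = '\\server\home',
    [string]$Domain    = 'AD',
    [switch]$Fix                             # without -Fix the script only reports
)

function Test-UserHasAllowAce($Acl, $Account) {
    # True when an Allow entry names the account directly (group grants are not resolved)
    foreach ($rule in $Acl.Access) {
        if ($rule.AccessControlType -eq 'Allow' -and
            $rule.IdentityReference.Value -ieq $Account) { return $true }
    }
    return $false
}

function Reset-ToInherited($Path) {
    $acl = Get-Acl -Path $Path
    # Allow inheritance from the new parent folder
    $acl.SetAccessRuleProtection($false, $false)
    # Drop explicit entries carried over from the source folder
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    # Writing the DACL back makes NTFS recompute the inherited entries
    Set-Acl -Path $Path -AclObject $acl
}

Get-Content $InputFile | Where-Object { $_.Trim() } | ForEach-Object {
    $user = $_.Trim()
    $pst  = "$HomeRoot\$user\OutlookArchive\Migrated.pst"
    if (-not (Test-Path -Path $pst)) { return }      # no migrated archive, skip

    $before = Test-UserHasAllowAce (Get-Acl -Path $pst) "$Domain\$user"
    if (-not $before -and $Fix) { Reset-ToInherited $pst }
    $after  = Test-UserHasAllowAce (Get-Acl -Path $pst) "$Domain\$user"

    # One row per archive: who, where, and whether the user is named before/after
    $pst | Select-Object @{Name='User'; Expression={$user}},
                         @{Name='Path'; Expression={$_}},
                         @{Name='NamedBefore'; Expression={$before}},
                         @{Name='NamedAfter'; Expression={$after}}
}
```

Unlike the SetACL command above, this does not change the file owner or touch the SACL.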


Scripts to grant FullAccess, SendAs, and SendOnBehalf Permissions

I have been getting requests to grant FullAccess (and other) permissions to a list of users to a Shared Mailbox, so I came up with some scripts.

This is FullAccess.ps1
# Grant FullAccess on the shared mailbox to every account listed in people.csv
import-csv .\people.csv | foreach {
    $user = "ad\" + $_.people
    Add-MailboxPermission -Identity "NAME OF RESOURCE" -User $user -AccessRights 'FullAccess'
}

This is SendAs.ps1

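# Build the account list once from people.csv
$users = @(import-csv .\people.csv | foreach { "ad\" + $_.people })
foreach ($user in $users) {
    Add-ADPermission "NAME OF RESOURCE" -User $user -ExtendedRights "send as"
}
# -GrantSendOnBehalfTo replaces the existing list, so pass all users in one call
# (setting it once per user leaves only the last user in the list)
set-mailbox "NAME OF RESOURCE" -GrantSendOnBehalfTo $users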

And my people.csv looks like this

people
USER1
USER2
USER3
USER4
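To review the result of a bulk grant like the ones above, this added example (not one of the original scripts) lists the accounts that hold explicit FullAccess and Send As rights on the shared mailbox and marks any that are not in people.csv. It assumes the Exchange Management Shell, the same "ad\" prefix and people.csv as above; the variable names and the InPeopleCsv column are made up for the example.

```powershell
# Added example: audit FullAccess / Send As grants against people.csv
$resource = "NAME OF RESOURCE"
$expected = @(Import-Csv .\people.csv | ForEach-Object { "ad\" + $_.people })
$self     = "NT AUTHORITY\SELF"    # the mailbox's own entry, always present

# Explicit (non-inherited, non-deny) FullAccess entries
$fullAccess = Get-MailboxPermission -Identity $resource |
    Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                   ($_.AccessRights -like "*FullAccess*") -and
                   ($_.User.ToString() -ne $self) } |
    Select-Object @{Name="Right"; Expression={"FullAccess"}},
                  @{Name="User";  Expression={$_.User.ToString()}}

# Explicit Send As entries on the AD object
$sendAs = Get-ADPermission -Identity $resource |
    Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                   ($_.ExtendedRights -like "*Send-As*") -and
                   ($_.User.ToString() -ne $self) } |
    Select-Object @{Name="Right"; Expression={"SendAs"}},
                  @{Name="User";  Expression={$_.User.ToString()}}

# Mark each grant as expected or not (-contains is case-insensitive)
$report = @($fullAccess) + @($sendAs) |
    Select-Object Right, User,
                  @{Name="InPeopleCsv"; Expression={ $expected -contains $_.User }}

$report | Sort-Object Right, User | Format-Table -AutoSize

# Grants held by accounts that were not in the input list
$report | Where-Object { -not $_.InPeopleCsv }

# Send on behalf is stored on the mailbox as directory object ids, not
# DOMAIN\user strings, so it is listed by name for manual comparison
(Get-Mailbox -Identity $resource).GrantSendOnBehalfTo | ForEach-Object { $_.Name }
```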

Powershell to move pst files

I have been using a tool from Quest (GroupWise Migrator for Exchange) to migrate 7,500+ users/resources into Exchange 2007.

Part of the migration takes all of the offline archives in Groupwise (stored in the home folder of users) and converts them to PST files.

The result is a bunch of pst files that are named userid.pst; by that I mean if the user was jsmith, the pst would be called jsmith.pst.

In addition, the Quest tool drops all the files into folders that reflect the GroupWise domain name and GroupWise post office. So if the GroupWise domain was called DOM and the post office was called POST, and I told the Quest tool to start shoving things in the c:\archivedump folder, then the pst file for jsmith would be c:\archivedump\DOM\POST\jsmith.pst

Ultimately, I need to get this file to jsmith’s home network share under \OutlookArchive and name it Migrated.pst

Time for PowerShell

First I found out that in order to get jsmith out of reading jsmith.pst, I needed a PowerShell extension.

I called this file My.Types.ps1xml and the contents look like this

<Types>
<Type>
<Name>System.IO.FileInfo</Name>
<Members>
<ScriptProperty>
<Name>Basename</Name>
<GetScriptBlock>
$this.Name.Remove($this.Name.Length - $this.Extension.Length);
</GetScriptBlock>
</ScriptProperty>
</Members>
</Type>
</Types>

Then I needed to run from the PowerShell command:

Update-TypeData My.Types.ps1xml

I also added this to my script seen below, in case I forget to add it upon starting PowerShell later on.

To suppress errors I added

$ErrorActionPreference = "SilentlyContinue"

The PowerShell script to move the pst files, as described above, is this:

$ErrorActionPreference = "SilentlyContinue"
# My.Types.ps1xml is an extension to recognize $_.basename, the filename w/o extension
Update-TypeData My.Types.ps1xml
$Path = "c:\Archives\"

# Walk the dump folder recursively and handle every .pst file found
foreach ($file in Get-ChildItem $Path -recurse -force)
{
    if ($file.extension -eq ".pst")
    {
        # The file name without its extension is the user id
        $user = $file.basename
        # Create the target folder (the error when it already exists is suppressed above)
        New-Item \\server1\home\$user\OutlookArchive -type directory
        # Move the archive into place under its final name
        Move-Item $file.fullname \\server1\home\$user\OutlookArchive\Migrated.pst
    }
}

Set Inheritable Permissions on user accounts

This script (I put it in a pdf format, click here set-inheritance )
I put in a temp folder on an admin machine, and ran it. I called it set-inheritance.vbs
Note the line: strOU = “OU=TestOU,”
All the users in this OU have the below inheritance checkbox turned on.
This fixes the issue with users not being able to use ActiveSync on Exchange.

See the permission issue image below:

Powershell Exchange Commands

I am doing a migration from GroupWise to Exchange; here are some helper PowerShell commands I used to modify mail enabled and mailbox enabled users.

1. RemoveBADAddressesOnMBXusers.ps1 code:

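foreach($mbx in Get-Mailbox -Resultsize unlimited){
    # Keep every address except gwise:UHD* entries and the bare "smtp:<alias>" entry
    $newaddrs = $mbx.EmailAddresses |? {$_ -notlike "gwise:UHD*"} |? {$_ -notlike ("smtp:" + $mbx.alias)}
    # Write the filtered list back to the mailbox
    set-mailbox $mbx -emailaddresses $newaddrs
}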

Why we need it:

After we Mailbox enable a user (convert them from a mail enabled user in AD to a mailbox user) using the quest tool, we need to remove the old GroupWise address that points back to the GroupWise address. In addition, the Quest tool has a bug that stamps an invalid SMTP address on the user of just the username. (This invalid SMTP address occurs when we use the Quest tool to make the user mail enabled or mailbox enabled)

What it does:

It reads ALL mailbox users and removes any GroupWise email address that starts with UHD and the invalid SMTP address that is just the userid.

2. MailusersRemoveBadSMTPaddress.ps1

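foreach($mu in Get-Mailuser -Resultsize unlimited){
    # Keep every address except the bare "smtp:<alias>" entry
    $newaddrs = $mu.EmailAddresses |? {$_ -notlike ("smtp:" + $mu.alias)}
    # Write the filtered list back to the mail user
    set-mailuser $mu -emailaddresses $newaddrs
}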

Why we need it:

After we Mail enable a user using the quest tool, we need to remove the old invalid smtp address that it makes.

What it does:

It reads ALL mail enabled users and removes any invalid SMTP address that is just the userid.

3. gwise-mailbox-apply.ps1 (fix users that don’t have a gwise entry)

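foreach($mbox in Get-Mailbox -Resultsize unlimited){
    # Append the GroupWise address built from the display name
    $mbox.EmailAddresses += ("gwise:Exchange.expo." + $mbox.DisplayName)
    # Write the extended list back to the mailbox
    Set-Mailbox $mbox -EmailAddresses $mbox.EmailAddresses
}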

Why we need it:

After we Mailbox enable a user using the quest tool, we need to set the new GroupWise address that allows the Exchange mailbox user to be seen as a user in the GroupWise address book. The address is of the format Exchange.expo.display name. The “Exchange” is the External domain, the “expo” is the external post office, and the “display name” is the first name last name as it appears in Active Directory.

We had a Email address policy applying this address up until just recently, but it was inconsistent. So this PowerShell script does it for us.

What it does:

It reads all mailbox users and adds the address gwise:Exchange.expo.DisplayName.

PowerShell set the manager on users

I came up with the idea that if we set the “manager” on a user in AD, the users can look at resources, and see who the owner is.

The manager seems like a natural attribute to look at…..

In outlook when I look at the user (resource) in the Global Address list I see this.

The Manager of extest5 is quest migrator (and it displays the full name, not the user id)

This will be my “input file”

So we want to set the resource Manager in AD,

Let’s learn!

So I set it manually in ADUC (on the left) and look at the attribute on the right in ADSIEDIT.MSC

So I do some googling, I search for set manager attribute PowerShell

and I find that Quest makes some extensions for Active Directory that are FREE and make my life easy. Oh, like Free beer, it’s free and it makes my life easy…. Or a little more relaxing… LOL.

You can look at this later, but this is it. http://www.quest.com/powershell/activeroles-server.aspx

So I download and install on a workstation that already has the PowerShell and Exchange 2007 management tools installed…. So this download adds this tool.

This gives me this shell prompt, nice blue…

So, I ran this command (I got to know this from googling)

Sure enough, Manager is the attribute, cool.

So let’s set one…. See if that works. I know extest4 is empty (I ran the above command and the Manager field was blank…. Or in the world of PowerShell we call that $null)

Sure enough, that was easy…. Oh boy, am I glad I don’t have to put in the Distinguished Name (DN) and I just can call out the userid (SamAccountName)

So I took one of my other PowerShell commands and built this:

NOTE that it says Resource-OwnerTest.csv, I took the big file and made one small entry to test it (I would hate to mess things up on 600 plus resources)

SPECIAL NOTE: I MADE SURE THERE WERE NO EMPTY LINES, OR THE COMMAND WILL GRAB ALL USERS AND SET LOTS OF ERRORS WILL OCCUR.

It worked!

Now I do it on all the users, this is the output

There were a few errors, for example, the one you see, is really Blahblha_SR (note the underscore)

I’ll find the errors, fix the list and re-run.

The only errors I can’t fix at this point is this: