get-adobject in ForeachLoop with Variable usage


This topic contains 6 replies, has 3 voices, and was last updated by

 
Participant
1 month, 2 weeks ago.

  • #116466

    Participant
    Points: 2
    Rank: Member

    Hello PS Board,
    I'm trying to get a list of all AD groups which are used for setting rights on Exchange resources. For that I'm using

    $mbxperm=Get-MailboxPermission *| select user| Out-String
    

    Now I have a list with usernames and Groupnames and \Domainname in $mbxperm like "domain\ImGroup"
    I split them using

    $mbxperm.User
    $mbxperm| gm
    $domain,$username = $mbxperm.split('\')
    

    $username looks like

    "baschi
    tesuser
    ..."
    

    After that I'm trying only to get the groups, not all users and groups mixed.

    foreach ($i in $username) {
    get-adgroup -filter {name -eq $i -and ObjectClass -eq "group"}
    }
    

    I simply get no results from the command. If I use a one-liner like
    get-adgroup -filter {name -eq $i -and ObjectClass -eq "group"} I get the proper result.

    These are the var types:

    PS C:\Users\xy\Desktop> $i.gettype() 
    IsPublic IsSerial Name                                     BaseType                                                            
    -------- -------- ----                                     --------                                                            
    True     True     String                                   System.Object                                                       
    
    PS C:\Users\xy\Desktop> $LHash.gettype()
    IsPublic IsSerial Name                                     BaseType                                                            
    -------- -------- ----                                     --------                                                            
    True     True     Object[]                                 System.Array                                                        
    
    PS C:\Users\xy\Desktop> $username.gettype() 
    IsPublic IsSerial Name                                     BaseType                                                            
    -------- -------- ----                                     --------                                                            
    True     True     Object[]                                 System.Array                                                        
    

    Also, when I convert the string to a custom object and try to use it with "$i.name" in the foreach it doesn't work; it only works when I use the one-liner as well. I can even see the proper output of $i when I add write-output $i. But not in the foreach.
    Seems like the problem is with using the variable in the foreach loop, but I can't figure out how to manipulate the command so that I get the wished result. I would be more than happy if there is any smarter solution for getting a result of all permission groups of Exchange. We are in an enterprise and the output of "Get-MailboxPermission *" is super heavy.

    Hope you can help.
    Best Regards,
    baschi

  • #117591

    Participant
    Points: 87
    Helping Hand
    Rank: Member

    If I ever run into this problem, I always peel things back.

    Run

    foreach ($i in $username) {
        #get-adgroup -filter {name -eq $i -and ObjectClass -eq "group"}
        Write-Output $i
    }
    

    And see what is in $i

    • #117843

      Participant
      Points: 2
      Rank: Member

      With foreach output $i, I saw a list which was looking like $mbxperm,
      there I was expecting everything was right because I saw rows between Domainname\ and username

      Thanks Alex, using $mbxperm[1] I found out that the split not really worked. I got
      "domainname\
      username"
      as a result which showed me that the split didn't work properly so I used -replace now instead.

      Thanks for your input, your thoughts are really insightful.

  • #117736

    Participant
    Points: 316
    Helping Hand
    Rank: Contributor

    Why are you doing this on an Exchange server, using the Exchange cmdlet for user group info that is on the DC?
    Now, I am not saying you can't do this from an Exchange server, especially if you have RSAT ADDS enabled.

    There are better ways to more completely get user / group membership info.

    You could just do this...

    Get-ADPrincipalGroupMembership  -Identity $env:username
    

    Also, of note, the default cmdlets do not get nested or indirect group memberships.

    Try something like this....

    function Get-NestedGroupMember
    {
        [cmdletbinding()]
    
        [Alias('gngm')]
    
        param
        (
            [Parameter(Mandatory,ValueFromPipeline)]
            [string]
            $Identity
        )
    
        process
        {
            $user = Get-ADUser -Identity $Identity
            $userdn = $user.DistinguishedName
            $strFilter = "(member:1.2.840.113556.1.4.1941:=$userdn)"
            Get-ADGroup -LDAPFilter $strFilter -ResultPageSize 1000
        }
    }
    
    
    # Example
    Get-NestedGroupMember -Identity $env:username |
    Select-Object -Property Name, DistinguishedName
    
    

    Of course I am passing in only one username here, but just make a list and loop through that.

    • #117844

      Participant
      Points: 2
      Rank: Member

      This confirms my feeling that Exchange is not the right place for it BUT,
      so far I don't have a working alternative. If I get your function, your command gives me where the user has rights, but I need only all security groups which are used for setting permissions on Exchange resources. Your input is really great, thanks for these insights.

      Best Regards,
      baschi

  • #118344

    Participant
    Points: 316
    Helping Hand
    Rank: Contributor

    When you say...

    Exchange resources

    … does this mean, member of Exchange groups only?

    If that is the case, the script is still usable as is, just apply a filter to the Exchange groups.

    (Get-NestedGroupMember -Identity $env:username |
    Select-Object -Property Name, DistinguishedName) -match 'Exchange'
    
  • #118513

    Participant
    Points: 2
    Rank: Member

    When you say...

    Exchange resources

    … does this mean, member of Exchange groups only?

    If that is the case, the script is still usable as is, just apply a filter to the Exchange groups.

    (Get-NestedGroupMember -Identity $env:username |
    Select-Object -Property Name, DistinguishedName) -match 'Exchange'

    No this would mean Security Groups which are used for granting SendAs or FullAccess rights to Mailboxes and resources.

    f.e.

    Group1 with member xyz, yax
    is used on Mailbox asdf@domain.com to grant SendAs rights to Group1. And from my understanding these security groups don't necessarily have "Exchange" in their DN.

    BR baschi
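
An added example, not code from any poster in the thread: one way to list the security groups that appear in mailbox permissions by working on the permission objects themselves instead of splitting `Out-String` text. It assumes `User` renders as `DOMAIN\name` with `name` being the group's sAMAccountName; the sample rows and the function names `Get-TrusteeName`, `ConvertTo-LdapFilterValue` and `Get-PermissionGroup` are hypothetical.

```powershell
# Constructed sample rows shaped like Get-MailboxPermission output (not real data).
$sample = @(
    [pscustomobject]@{ Identity='asdf';  User='DOMAIN\Group1';     AccessRights='FullAccess'; IsInherited=$false }
    [pscustomobject]@{ Identity='asdf';  User='DOMAIN\baschi';     AccessRights='FullAccess'; IsInherited=$false }
    [pscustomobject]@{ Identity='room1'; User='DOMAIN\Group1';     AccessRights='FullAccess'; IsInherited=$false }
    [pscustomobject]@{ Identity='room1'; User='NT AUTHORITY\SELF'; AccessRights='FullAccess'; IsInherited=$false }
    [pscustomobject]@{ Identity='room1'; User='DOMAIN\Org Admins'; AccessRights='FullAccess'; IsInherited=$true }
)

function Get-TrusteeName {
    # Emits the distinct account names (text after "DOMAIN\") of explicit entries.
    # Each row is handled as an object, so no header or line break ends up in a name.
    param([Parameter(Mandatory)][object[]]$Permission)
    $Permission |
        Where-Object { -not $_.IsInherited -and "$($_.User)" -notlike 'NT AUTHORITY\*' } |
        ForEach-Object { ("$($_.User)" -split '\\', 2)[-1].Trim() } |
        Sort-Object -Unique
}

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping, so a name containing * ( ) or \ cannot alter the filter.
    param([Parameter(Mandatory)][string]$Value)
    [regex]::Replace($Value, '[\\*()\x00]', { param($m) '\{0:x2}' -f [int][char]$m.Value })
}

function Get-PermissionGroup {
    # Looks each name up in AD and keeps security groups; user names return nothing.
    param([Parameter(Mandatory)][string[]]$Name)
    foreach ($n in $Name) {
        $filter = '(&(objectCategory=group)(sAMAccountName={0}))' -f (ConvertTo-LdapFilterValue $n)
        Get-ADGroup -LDAPFilter $filter | Where-Object GroupCategory -eq 'Security'
    }
}

# Runs offline against the constructed rows:
$names = Get-TrusteeName -Permission $sample
$names

# Live use (assumes the Exchange shell and the ActiveDirectory module are loaded):
#   $perms = Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission
#   Get-PermissionGroup -Name (Get-TrusteeName -Permission $perms) |
#       Select-Object Name, DistinguishedName
```

Only entries that `Get-MailboxPermission` returns are covered by this sketch.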
