get-qaduser with set-mailbox *danger*

  • #58358

    Participant
    Points: 21
    Rank: Member

    A PowerShell novice here managed to disable several hundred accounts using this. When testuser1 is not found, Get-Mailbox ignores the identity and proceeds to modify every account it can before you catch it!

    $user = get-qaduser testuser1 -IncludedProperties msExchRecipientTypeDetails
    Get-Mailbox $user.name | Set-Mailbox -Type Shared

    I accidentally stumbled on this issue in 2007, when I managed to change 30k displaynames to '$_.displayname', and never used the Quest cmdlets again.

    Anyone know the reasoning for this?

  • #58370

    Keymaster
    Points: 1,644
    Helping Hand, Team Member
    Rank: Community Hero

    First, I'd suggest explicitly using a parameter rather than passing $user.name positionally. Just as a good practice.

    Second, you should be testing $user to make sure it contains something before using it. Right now, your code is assuming $user is valid, and that assumption is the problem. It isn't so much "reasoning;" if $user is empty, then it... well, it doesn't exist, so it doesn't need to be attached to a parameter positionally, so Get-Mailbox runs as if it was given no input – and gets all mailboxes.

  • #58378
    Ron

    Participant
    Points: 0
    Rank: Member

    Get-QADUser is different from Get-ADUser. It can return multiple matches (ANR search?) or nothing, with no error. If you have to use it, use the DN as the identity, or use an ldapfilter search. Also, remember your good friend -whatif when running off-the-cuff scripts. I assume there was more to the script than you put in your post; you retrieved msExchRecipientTypeDetails and then didn't test it before changing the mailbox.

  • #58382

    Participant
    Points: 21
    Rank: Member

    I didn't do this; a coworker did. I know how to protect myself :D

    The question is: why does this happen with the Exchange cmdlets?

  • #58387

    Participant
    Points: 21
    Rank: Member

    Thanks Don. I did verify that using the identity switch still results in getting all mailboxes.

    $user = get-aduser dkjfskdjf; Get-Mailbox -Identity $user

  • #58411

    Participant
    Points: 0
    Rank: Member

    The problem is really in the Exchange cmdlets.
    Just test Get-Mailbox $null / Get-Mailbox -Identity $null and you'll get it.

    I think the Exchange team uses ($Identity -eq $null) and should use ($PSCmdletBinding.ContainsKey('Identity')) for retrieving all mailboxes.
    I think this is an artefact from the v1.0 days 🙂

  • #58426

    Participant
    Points: 21
    Rank: Member

    Thanks Max. Definitely odd why they would write it this way. Even the newest exchangeonline module does it. I have to tell people to be very careful.
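
Added example (not part of the thread, and not Exchange's actual code): a self-contained sketch of the failure discussed above and two guards against it, runnable without Exchange. `Get-DemoMailboxLoose`, `Get-DemoMailboxStrict`, `Resolve-SingleIdentity` and the sample data are hypothetical stand-ins; the strict variant uses PowerShell's automatic variable `$PSBoundParameters` to tell "parameter omitted" apart from "parameter bound to `$null`".

```powershell
# Constructed sample data standing in for a mailbox store.
$DemoMailboxes = 'alice', 'bob', 'carol' | ForEach-Object { [pscustomobject]@{ Name = $_ } }

# Stand-in for the behaviour described in the thread: a null -Identity is
# treated the same as "no -Identity given", so every mailbox is returned.
function Get-DemoMailboxLoose {
    param([object]$Identity)
    if ($null -eq $Identity) { return $DemoMailboxes }
    $DemoMailboxes | Where-Object Name -eq "$Identity"
}

# Variant that separates "parameter omitted" from "parameter bound to $null".
function Get-DemoMailboxStrict {
    [CmdletBinding()]
    param([object]$Identity)
    if (-not $PSBoundParameters.ContainsKey('Identity')) { return $DemoMailboxes }
    if ($null -eq $Identity -or "$Identity" -eq '') {
        throw 'Identity was supplied but is empty; refusing to return all mailboxes.'
    }
    $DemoMailboxes | Where-Object Name -eq "$Identity"
}

# Caller-side guard: require exactly one lookup result before it reaches a pipeline.
function Resolve-SingleIdentity {
    param([object[]]$Candidate)
    $found = @($Candidate | Where-Object { $null -ne $_ })
    if ($found.Count -ne 1) {
        throw "Expected exactly 1 match, got $($found.Count); nothing was changed."
    }
    $found[0]
}

$user = $null   # what a lookup that finds nothing leaves behind

"Loose,  null identity : $(@(Get-DemoMailboxLoose -Identity $user.Name).Count) mailboxes"
try { Get-DemoMailboxStrict -Identity $user.Name } catch { "Strict, null identity : $($_.Exception.Message)" }
try { Resolve-SingleIdentity $user } catch { "Guard, no match       : $($_.Exception.Message)" }
"Guard, one match      : $((Resolve-SingleIdentity $DemoMailboxes[0]).Name)"
```

In a real script the same guard goes between the directory lookup and `Get-Mailbox`, and the first run of the modifying cmdlet gets `-WhatIf`, as suggested earlier in the thread.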
