November 21, 2016 at 8:36 pm #58358
A powershell novice here managed to disable several hundred accounts using this. When testuser1 is not found the get-mailbox ignores the identity and proceeds to modify every account it can before you catch it!
$user = get-qaduser testuser1 -IncludedProperties msExchRecipientTypeDetails
Get-Mailbox $user.name | Set-Mailbox -Type Shared
I accidentally stumbled on this issue in 2007 where I managed to change 30k displaynames to '$_.displayname' and never used the quest cmdlets again.
Anyone know the reasoning for this?
November 21, 2016 at 8:48 pm #58370
First, I'd suggest explicitly using a parameter rather than passing $user.name positionally. Just as a good practice.
Second, you should be testing $user to make sure it contains something before using it. Right now, your code is assuming $user is valid, and that assumption is the problem. It isn't so much "reasoning;" if $user is empty, then it... well, it doesn't exist, so it doesn't need to be attached to a parameter positionally, so Get-Mailbox runs as if it was given no input – and gets all mailboxes.
November 21, 2016 at 9:04 pm #58378
Get-QADUser is different from Get-ADUser. It can return multiple matches (ANR search?) or nothing, with no error. If you have to use it, use the DN as the identity, or use an ldapfilter search. Also, remember your good friend -whatif, when running off the cuff scripts. I assume there was more to the script then you put in your post, you retrieved msExchRecipientTypeDetails and then didn't test it before changing the mailbox.
November 21, 2016 at 9:19 pm #58382
I didn't do this, a coworker did. I know how to protect myself:D
The question is why does this happen with the exchange cmdlets?
November 21, 2016 at 9:30 pm #58387
Thanks Don. I did verify that using the identity switch still results in getting all mailboxes.
$user = get-aduser dkjfskdjf; Get-Mailbox -Identity $user
November 22, 2016 at 8:15 am #58411
the problem really in exchange cmdlets
Get-Mailbox $null / Get-Mailbox -Identity $nulland you get it
I think Exchange team use ($Identity -eq $null) and should use ($PSCmdletBinding.ContainsKey('Identity')) for retrieving all mailboxes
I think this artefact from v1.0 days 🙂
November 22, 2016 at 2:19 pm #58426
Thanks Max. Definitely odd why they would write it this way. Even the newest exchangeonline module does it. I have to tell people to be very careful.
You must be logged in to reply to this topic.