get-qaduser with set-mailbox *danger*

This topic contains 6 replies, has 4 voices, and was last updated by  Dan Potter 8 months, 4 weeks ago.

  • Author
    Posts
  • #58358

    Dan Potter
    Participant

    A powershell novice here managed to disable several hundred accounts using this. When testuser1 is not found the get-mailbox ignores the identity and proceeds to modify every account it can before you catch it!

    $user = get-qaduser testuser1 -IncludedProperties msExchRecipientTypeDetails
    Get-Mailbox $user.name | Set-Mailbox -Type Shared

    I accidentally stumbled on this issue in 2007 where I managed to change 30k displaynames to '$_.displayname' and never used the quest cmdlets again.

    Anyone know the reasoning for this?

  • #58370

    Don Jones
    Keymaster

    First, I'd suggest explicitly using a parameter rather than passing $user.name positionally. Just as a good practice.

    Second, you should be testing $user to make sure it contains something before using it. Right now, your code is assuming $user is valid, and that assumption is the problem. It isn't so much "reasoning;" if $user is empty, then it... well, it doesn't exist, so it doesn't need to be attached to a parameter positionally, so Get-Mailbox runs as if it was given no input – and gets all mailboxes.

  • #58378

    Ron
    Participant

    Get-QADUser is different from Get-ADUser. It can return multiple matches (ANR search?) or nothing, with no error. If you have to use it, use the DN as the identity, or use an ldapfilter search. Also, remember your good friend -whatif, when running off the cuff scripts. I assume there was more to the script then you put in your post, you retrieved msExchRecipientTypeDetails and then didn't test it before changing the mailbox.

  • #58382

    Dan Potter
    Participant

    I didn't do this, a coworker did. I know how to protect myself:D

    The question is why does this happen with the exchange cmdlets?

  • #58387

    Dan Potter
    Participant

    Thanks Don. I did verify that using the identity switch still results in getting all mailboxes.

    $user = get-aduser dkjfskdjf; Get-Mailbox -Identity $user

  • #58411

    Max Kozlov
    Participant

    the problem really in exchange cmdlets
    just test Get-Mailbox $null / Get-Mailbox -Identity $null and you get it

    I think Exchange team use ($Identity -eq $null) and should use ($PSCmdletBinding.ContainsKey('Identity')) for retrieving all mailboxes
    I think this artefact from v1.0 days 🙂

  • #58426

    Dan Potter
    Participant

    Thanks Max. Definitely odd why they would write it this way. Even the newest exchangeonline module does it. I have to tell people to be very careful.

You must be logged in to reply to this topic.