get-qaduser with set-mailbox *danger*

This topic contains 6 replies, has 4 voices, and was last updated by Profile photo of Dan Potter Dan Potter 2 weeks ago.

  • Author
    Posts
  • #58358
    Profile photo of Dan Potter
    Dan Potter
    Participant

    A powershell novice here managed to disable several hundred accounts using this. When testuser1 is not found the get-mailbox ignores the identity and proceeds to modify every account it can before you catch it!

    $user = get-qaduser testuser1 -IncludedProperties msExchRecipientTypeDetails
    Get-Mailbox $user.name | Set-Mailbox -Type Shared

    I accidentally stumbled on this issue in 2007 where I managed to change 30k displaynames to '$_.displayname' and never used the quest cmdlets again.

    Anyone know the reasoning for this?

  • #58370
    Profile photo of Don Jones
    Don Jones
    Keymaster

    First, I'd suggest explicitly using a parameter rather than passing $user.name positionally. Just as a good practice.

    Second, you should be testing $user to make sure it contains something before using it. Right now, your code is assuming $user is valid, and that assumption is the problem. It isn't so much "reasoning;" if $user is empty, then it... well, it doesn't exist, so it doesn't need to be attached to a parameter positionally, so Get-Mailbox runs as if it was given no input – and gets all mailboxes.

  • #58378
    Profile photo of Ron
    Ron
    Participant

    Get-QADUser is different from Get-ADUser. It can return multiple matches (ANR search?) or nothing, with no error. If you have to use it, use the DN as the identity, or use an ldapfilter search. Also, remember your good friend -whatif, when running off the cuff scripts. I assume there was more to the script then you put in your post, you retrieved msExchRecipientTypeDetails and then didn't test it before changing the mailbox.

  • #58382
    Profile photo of Dan Potter
    Dan Potter
    Participant

    I didn't do this, a coworker did. I know how to protect myself:D

    The question is why does this happen with the exchange cmdlets?

  • #58387
    Profile photo of Dan Potter
    Dan Potter
    Participant

    Thanks Don. I did verify that using the identity switch still results in getting all mailboxes.

    $user = get-aduser dkjfskdjf; Get-Mailbox -Identity $user

  • #58411
    Profile photo of Max Kozlov
    Max Kozlov
    Participant

    the problem really in exchange cmdlets
    just test Get-Mailbox $null / Get-Mailbox -Identity $null and you get it

    I think Exchange team use ($Identity -eq $null) and should use ($PSCmdletBinding.ContainsKey('Identity')) for retrieving all mailboxes
    I think this artefact from v1.0 days 🙂

  • #58426
    Profile photo of Dan Potter
    Dan Potter
    Participant

    Thanks Max. Definitely odd why they would write it this way. Even the newest exchangeonline module does it. I have to tell people to be very careful.

You must be logged in to reply to this topic.