When I type the command :
Get-Mailbox "user"
It returns the mailbox of "user" without problem but when I want to access the folders of "user" with :
Get-MailboxFolder "user"
I have this error message : "The specified mailbox doesn't exist".
I specify that I have full access on the "user"'s mailbox.
You can try the following codeļ¼
Get-MailboxFolder -Identity user:\user -Recurse
This code is to get information about all the subfolders under the user folder in the user mailbox.
If the above code doesn't solve the problem, you can see if your user folder is in the root directory, and if not, change the file path,for example:
Get-MailboxFolder -Identity user:\yourfoldername\user -Recurse
Related
I want to create a new SMB Share for every folder in a directory under windows, have the smb share name be the same as the folder name and set the account "Everyone" with "Full Acess" for the share permission (so not the NTFS permissions)
So for example I have the following folders
Folder1
Folder2
Folder3
And the share names should then be named adequately, so Folder1, Folder2, Folder3
I know how to create a single smb share and set a local user with full access with the following:
New-SmbShare -name "Test" -path "D:\Test" -FullAccess "TestServer\TestAccount"
Where I currently fail is to somehow get all the folder names and create a share accordingly. Also, I don't know how to tell PowerShell the account "Everyone".
EDIT:
When I try it as you mentioned, I get the following error
New-SmbShare: The trust relationship between this workstation and the primary domain failed.
At line:2 char:1
+ New-SmbShare -Name $_.Name -Path $._FullName -FullAccess Everyone
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (MSFT_SMBShare:ROOT/Microsoft/Windows/SMB/MSFT_SMBShare) [New-SmbShare], CimException
+ FullyQualifiedErrorId : Windows System Error 1789,New-SmbShare
Since I can set the permission for this group manually, I dont know why I here would need access to the domain.
I know that the Well-Known SID "World" or "Everyone" has the String Value S-1-1-0, maybe you have to replace "-FullAccess Everyone" with "FullAccess S-1-1-0"? But that didn't work for me..
Source:
https://learn.microsoft.com/en-us/windows/win32/secauthz/well-known-sids
EDIT2
OS is in german, so I have to change "Everyone" to the german counterpart (="Jeder")
Use Get-ChildItem -Directory to enumerate all the folders:
Get-ChildItem path\to\root\directory -Directory |ForEach-Object {
New-SmbShare -Name $_.Name -Path $_.FullName -FullAccess Everyone
}
To generate the correct translation of Everyone regardless of OS language, use its well-known SID:
$everyoneSID = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
$everyoneName = $everyoneSID.Translate([System.Security.Principal.NTAccount]).Value
Get-ChildItem path\to\root\directory -Directory |ForEach-Object {
New-SmbShare -Name $_.Name -Path $_.FullName -FullAccess $everyoneName
}
I am trying to change permissions on a file through Powershell, and am having trouble figuring out how to get this to work.
$path1 = "\\somepath1\somefile1"
$path2 = "\\somepath2\somefile2"
$acl = Get-Acl $path1
$access_rule = New-Object System.Security.AccessControl.FileSystemAccessRule("User","Write","ContainerInherit,ObjectInherit","None","Deny")
$acl.SetAccessRule($access_rule)
$acl | Set-Acl $path2
"User" is a specified usergroup, of many users, and is called something different in the actual code. This throws two errors:
Exception calling "SetAccessRule" with "1" argument(s): Some or all identity references could not be translated."
Set-Acl : Some or all identity references could not be translated.
Then, I try to dumb the code down, essentially trying to copy permissions of one file to another:
$path1 = "\\somepath1\somefile1"
$path2 = "\\somepath2\somefile2"
Get-Acl -Path $path1 | Set-Acl -Path $path2
Even this throws an error:
Set-Acl : Some or all identity references could not be translated.
If I understand these errors correctly, then my "User" is not being properly defined. I try to get the "User" info by running the Get-ADUser cmdlet, but the ActiveDirectory module must not be installed, because I receive this error:
Get-ADUser : The term 'Get-AdUser' is not recognized as the name of a cmdlet,.........
My main question now, is how can I get the user SID information to properly change the permissions on the file? Am I missing a step somewhere? Is there a better way to change file permissions? Can I even try to change permissions for a group? I have hit a wall trying to find a solution, lol.
I have looked at the following sources for help:
link
link
link
link
link
link
link
link
I am trying to search Active Directory for deleted users with PowerShell, but am unable to return any results even though I have used the -IncludeDeletedObjects parameter. Here is the command that I used:
get-adobject -filter{Name -like "$user"} -includedeletedobjects -properties *
The answer that worked for me is the command below will list all the users that were deleted from the Active Directory if your AD recycle bin is enabled and if you have sufficient privileges on Active Directory
Get-AdObject -Filter 'ObjectClass -eq "user" -and IsDeleted -eq $True' -IncludeDeletedObjects -Properties * | Ft Name,IsDeleted,WhenCreated
If you don't have the AD Recycle Bin enabled, you won't be able to find deleted objects.
If $user is expected to an exact match, you should also be using the -eq operator, not -like. If you want a fuzzy match, -like is correct but you should surround $user with * like so: *${user}*.
If $user is supposed to be the logon name, and not the friendly name of the user, then Name isn't the correct property to filter on, you will want to check against SamAccountName, not Name:
Get-ADObject -Filter "SamAccountName -eq '$user'"
If you are only interested in user objects, and not other AD object types, consider usingGet-ADUser in lieu of Get-ADObject. The syntax for what you specified above is the same, but will guarantee you only get ADUser objects, not ADComputer, ADGroup, etc.
Also, you should avoid using -Properties * and -Filter { ScriptBlock } arguments when using the AD cmdlets. Only use the Properties you need to process later, and use a string based filter like so:
Get-ADObject -Filter "Name -like '*$user*'"
See my answer here for best practices when using the -Filter parameter with AD cmdlets (also explains why not to use -Properties *), and this answer here for more details on why you should not use ScriptBlock parameters for AD filters.
I have users and groups in the Users folder of a Windows 2012 Server. I want to check if a user is a member of a group and if not, add to the group. To list the members of a group, I've tried everything including:
get-adgroupmember -identity "cs99group"
which produces the error
get-adgroupmember : Cannot find an object with identity: 'cs99group' under: ...
The following works perfectly
get-adgroupmember -identity "Administrators"
Of course the Administrators group is in the Builtin folder and cs99group is in the Users folder. What am I doing wrong?
Can you try with the parameter -recursive added?
Does the command Get-AdGroup work?
If so, try Get-AdGroup "cs99group" | get-adgroupmember
The service (Jenkins) is running on a server as a different user account with additional permissions. It then calls a powershell script during a build to use those permissions (access to some folders on another server) but it doesn't work. In the script i've got the following code:
New-PSDrive -Name Y -PSProvider filesystem -Root '\\XXX\ctv$'
Get-Childitem -Path 'Y:\'
The result is:
Get-ChildItem : Access to the path '\\XXX\ctv$' is denied.
At D:\XXX\copy.ps1:2 char:14
+ get-childitem <<<< -Path 'Y:\'
+ CategoryInfo : PermissionDenied: (\\XXX\ctv$\:String
) [Get-ChildItem], UnauthorizedAccessException
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.
Commands.GetChildItemCommand
Trying to access the folder directly returns a similar error, that the path was not found:
Get-ChildItem -Path '\\XXX\ctv$\X\X'
I've also checked as which user the script is running as with
[Security.Principal.WindowsIdentity]::GetCurrent()
and it returned this
AuthenticationType : Negotiate
ImpersonationLevel : None
IsAuthenticated : True
IsGuest : False
IsSystem : True
IsAnonymous : False
Name : NT AUTHORITY\SYSTEM
Owner : S-1-5-32-544
User : S-1-5-18
Groups : {S-1-5-32-544, S-1-1-0, S-1-5-11}
Token : 1072
which isn't the user Jenkins is running as.
So my question is how do i pass my script the same user that Jenkins is running as? Last resort would be to directly pass the username+password as credentials to the script but i would prefer if there is another way.