Get-onPremSendAs.ps1
<#
.SYNOPSIS
This function queries Exchange on-premises and searches for all Send-As rights across all recipients.
.DESCRIPTION
This function queries Exchange on-premises and searches for all Send-As rights across all recipients.
.PARAMETER originalDLConfiguration
The mail attribute of the group to search.
.PARAMETER collectedData
Optional pre-collected Send-As permission entries (each with a user property). When supplied, the on-premises query is skipped and these entries are filtered instead.
.OUTPUTS
Returns a list of all objects with send-As rights and exports them.
.EXAMPLE
Get-onPremSendAs -originalDLConfiguration $dlConfiguration -collectedData $data
#>
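Function Get-onPremSendAs
{
    [cmdletbinding()]
    Param
    (
        [Parameter(Mandatory = $true)]
        $originalDLConfiguration,
        [Parameter(Mandatory=$false)]
        $collectedData=$NULL
    )

    # Finds every on-premises recipient on which the group (identified by sAMAccountName) holds an
    # explicit, non-inherited Send-As right. With no pre-collected data, Get-Recipient / Get-ADPermission
    # are queried through the remote session; otherwise $collectedData is filtered locally.
    # Returns the matching identities (query path) or the matching permission entries (pre-collected path),
    # and returns nothing when there are no matches.

    #Output all parameters bound or unbound and their associated values.
    write-functionParameters -keyArray $MyInvocation.MyCommand.Parameters.Keys -parameterArray $PSBoundParameters -variableArray (Get-Variable -Scope Local -ErrorAction Ignore)

    #Declare function variables.
    $functionSendAsRights = New-Object System.Collections.Generic.List[object]
    $functionRecipients=$NULL
    [array]$functionSendAsIdentities=@()
    [int]$functionCounter=0
    $functionSamAccountName = [string]$originalDLConfiguration.sAMAccountName
    # The remote prefilter is a -like pattern; escape wildcard metacharacters so a sAMAccountName
    # containing [ ] ? * cannot widen (or break) the match.
    $functionQueryName = "*" + [System.Management.Automation.WildcardPattern]::Escape($functionSamAccountName) + "*"

    # Returns $true when an ACE user value (domain\samAccountName) refers to the group exactly.
    # Both the remote -like prefilter and pre-collected data are only substring/prefix matches,
    # so every candidate is validated here with an exact (case-insensitive) comparison.
    function Test-SendAsUserIsGroup
    {
        param ([string]$user)

        #Need to ignore anything that looks like a SID / orphaned entry.
        if ($user -like "*S-1-5-21*")
        {
            return $false
        }

        #Since each permission is in domain\samAccountName format split the string and compare the
        #samAccountName part (the last element, so a value with no domain prefix still compares correctly).
        $stringTest = $user.split("\")
        return ($stringTest[-1] -eq $functionSamAccountName)
    }

    Out-LogFile -string "********************************************************************************"
    Out-LogFile -string "BEGIN Get-onPremSendAs"
    Out-LogFile -string "********************************************************************************"

    # $null on the left so an array-valued $collectedData is not used as a filter expression.
    if ($null -eq $collectedData)
    {
        #Start function processing.
        try {
            out-logfile -string "Gathering all on premises recipients."
            $functionRecipients = invoke-command {get-recipient -resultsize unlimited}
        }
        catch {
            out-logfile -string "Error attempting to invoke command to gather all recipients."
            out-logfile -string $_ -isError:$TRUE
        }

        # Guard the progress arithmetic: an empty (or failed) recipient query would otherwise
        # divide by zero when computing the progress delta.
        $functionRecipientCount = @($functionRecipients).count
        if ($functionRecipientCount -gt 0)
        {
            try {
                out-logfile -string "Test for send as rights."
                $ProgressDelta = 100 / $functionRecipientCount; $PercentComplete = 0; $MbxNumber = 0
                foreach ($recipient in $functionRecipients)
                {
                    $MbxNumber++
                    write-progress -activity "Processing Recipient" -status $recipient.primarySMTPAddress -PercentComplete $PercentComplete
                    $PercentComplete += $ProgressDelta

                    if ($functionCounter -gt 1000)
                    {
                        #Implement function counter for long running operations - pause for 5 seconds every 1000 queries.
                        start-sleepProgress -sleepString "Throttling for 5 seconds at 1000 operations." -sleepSeconds 5
                        $functionCounter=0
                    }
                    else
                    {
                        $functionCounter++
                    }

                    # Remote prefilter: explicit, non-inherited Send-As entries (excluding SELF) whose user
                    # name contains the group sAMAccountName. Exact validation happens below.
                    $functionAces = invoke-command {$blockName=$args[1];Get-ADPermission -identity $args[0] | where {($_.ExtendedRights -like "*send-as*") -and -not ($_.User -like "nt authority\self") -and ($_.isInherited -eq $false) -and ($_.user -like $blockName)}} -ArgumentList $recipient.identity,$functionQueryName

                    # foreach over $null does not iterate, so recipients with no matching ACE add no entry
                    # (an array += of an empty result would have appended a $null element).
                    foreach ($functionAce in $functionAces)
                    {
                        $functionSendAsRights.Add($functionAce)
                    }
                }
            }
            catch {
                out-logfile -string "Error attempting to invoke command to gather all send as permissions."
                out-logfile -string $_ -isError:$TRUE
            }
        }
        else
        {
            out-logfile -string "No on premises recipients were returned - no send as rights to evaluate."
        }

        #At this point we have a prefiltered list of ACLs.
        #The query above uses a like for the user name - which means we need to validate for sure that we're talking about the same user.
        foreach ($sendAsRight in $functionSendAsRights)
        {
            if (Test-SendAsUserIsGroup -user ([string]$sendAsRight.user))
            {
                out-logfile -string ("Send as permission matching group found - recording."+$sendAsRight.identity)
                $functionSendAsIdentities+=$sendAsRight.identity
            }
        }

        write-progress -activity "Processing Recipient" -completed
    }
    else
    {
        out-logFile -string "The administrator has specified to use pre-collected data."
        out-logfile -string "Test for send as rights."

        # NOTE(review): assumes each pre-collected entry carries a .user in the same domain\samAccountName
        # form as Get-ADPermission output - confirm against the collector. Exact matching replaces the
        # earlier substring test so a group whose name is a prefix of another principal is not a false match.
        # This branch returns the matching permission entries themselves, not just their identities.
        $functionSendAsIdentities = @($collectedData | where { Test-SendAsUserIsGroup -user ([string]$_.user) })
    }

    Out-LogFile -string "********************************************************************************"
    Out-LogFile -string "END Get-onPremSendAs"
    Out-LogFile -string "********************************************************************************"

    if ($functionSendAsIdentities.count -gt 0)
    {
        out-logfile -string $functionSendAsIdentities
        return $functionSendAsIdentities
    }
}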