Determine if user can send to DL

Recently we've had a rash of SPAM email messages going to distribution lists. This has led to limiting the permissions on who can send to these lists. For the largest lists, we are assigning mail-enabled security groups permissions to send to these lists.

Problem: Some of these mail-enabled groups are very large, containing nested lists inside of other lists. Trying to determine if a specific user has permissions to send to a list can be difficult.

That's the purpose of this script. It recurses each group until it returns a raw list of all the mailboxes allowed to send to the specified distribution list. A simple match against that list then tells you quickly whether a specific person is allowed to send to it.

function Get-DLMembers ([string]$item, [array]$done) {
# Recurse a distribution list and emit all its members. Nested groups are
# expanded; $done holds the chain of parents currently being expanded, so a
# group that contains itself (directly or indirectly) is not followed again.
        $x += 1        # depth counter, used only to indent the Write-Host output
        $members = @()
        if ((($done -match $item).Count -eq 0) -or ($done.Count -eq 0)) {
                $done += $item
                $mems = Get-DistributionGroupMember $item | Sort-Object RecipientType, DisplayName
                foreach ($m in $mems) {
                        $members += $m
                        if ($m.RecipientType -eq "UserMailbox" -or $m.RecipientType -eq "MailContact") {
                                Write-Host ("-"*$x) $m.DisplayName
                        } elseif ($item -eq $m.DisplayName) {
                                Write-Host "loop:" $item " is a member of " $m.DisplayName
                        } else {
                                # Nested group: recurse. The nested call's return object is
                                # not assigned, so it flows to the caller's output alongside
                                # this group's own object and is flattened by the caller.
                                Write-Host ("-"*$x) $m.DisplayName
                                Get-DLMembers $m.DistinguishedName $done
                        }
                }
                $arr = New-Object System.Object
                $arr | Add-Member -MemberType NoteProperty -Name Name -Value $item
                $arr | Add-Member -MemberType NoteProperty -Name Members -Value $members
                return $arr
        } else {
                Write-Host "nested list:" $item
        }
}

function Get-DLPerms ([string]$item, [array]$done) {
# Pull out all accounts and groups that have permissions to send to a specific
# list (AcceptMessagesOnlyFrom plus AcceptMessagesOnlyFromDLMembers), expanding
# each group with Get-DLMembers.
        $x += 1        # depth counter, used only to indent the Write-Host output
        $members = @()
        if ((($done -match $item).Count -eq 0) -or ($done.Count -eq 0)) {
                $done += $item
                $tempDL = Get-DistributionGroup $item
                # Both properties are multi-valued properties, not arrays; wrap them
                # in @() so they concatenate cleanly, and drop any empty values.
                $mems = @(@($tempDL.AcceptMessagesOnlyFrom) + @($tempDL.AcceptMessagesOnlyFromDLMembers) | Where-Object { $_ -ne $null })
                if ($mems.Count -ne 0) {
                        foreach ($m in $mems) {
                                $members += $m
                                # Get-QADObject is from the Quest AD cmdlets; it is used here
                                # only to tell groups apart from users and contacts.
                                $t = Get-QADObject $m.DistinguishedName
                                if ($t.Type -ne "group") {
                                        Write-Host ("-"*$x) $t.DisplayName
                                } else {
                                        Write-Host ("-"*$x) $t.DisplayName "(group)"
                                        Get-DLMembers $m.DistinguishedName $done
                                }
                        }
                        $arr = New-Object System.Object
                        $arr | Add-Member -MemberType NoteProperty -Name Name -Value $item
                        $arr | Add-Member -MemberType NoteProperty -Name Members -Value $members
                        return $arr
                } else {
                        # No sender restriction is configured on this list
                        Write-Host $item
                }
        } else {
                Write-Host "nested list:" $item
        }
}

$x = 0
$done = @()
# Display name of the mailbox that I am looking for:
$findMbx = "Woodford, Eric"

# DL that I want to verify permissions on
$findDL = "All Eric's Family and Friends"

$find = Get-Mailbox -Identity $findMbx
if ($find -eq $null) {
        cls
        Throw ("could not find " + $findMbx)
}

# Get-DLPerms emits one object per list/group it visits; flatten their Members
# and look for the mailbox by distinguished name.
$mems = Get-DLPerms $findDL $done
$Objects = $mems | %{ $_.Members }
$found = $Objects | ?{ $_.DistinguishedName -eq $find.DistinguishedName }
Write-Host " ----------------------------- "
if ($found -ne $null) {
        Write-Host " " $findMbx " has permissions to send to " $findDL
} else {
        Write-Host " " $findMbx " does not have permissions to send to " $findDL
}
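As an added example (not the original post's code), the same check packaged as a single function that returns $true or $false. It shares one visited set across the whole recursion, so a group nested under several parents is expanded only once and a membership cycle cannot loop, and it uses only Exchange cmdlets (Get-DistributionGroup, Get-DistributionGroupMember, Get-Recipient), so the Quest cmdlets are not needed. The function name Test-DLSender and the sample identities in the usage line are assumptions.

```powershell
# Added example, not the post's script: answers "can this mailbox send to this DL?"
# with a visited set shared across the recursion, using Exchange cmdlets only.
function Test-DLSender {
    param(
        [Parameter(Mandatory=$true)][string]$DistributionList,
        [Parameter(Mandatory=$true)][string]$Mailbox
    )
    $target = Get-Recipient -Identity $Mailbox
    if (-not $target) { throw "could not find mailbox '$Mailbox'" }

    $visited = New-Object 'System.Collections.Generic.HashSet[string]'
    $allowed = New-Object 'System.Collections.Generic.HashSet[string]'

    # Flatten one group into $allowed, following nested groups depth-first.
    # HashSet.Add returns $false when the DN is already present, which covers
    # both "already expanded under another parent" and "cycle back to an ancestor".
    function Expand-Group ([string]$Identity) {
        if (-not $visited.Add($Identity)) { return }
        foreach ($m in @(Get-DistributionGroupMember -Identity $Identity -ResultSize Unlimited)) {
            if ($m.RecipientType -eq 'DynamicDistributionGroup') { continue }  # query-based; not expanded here
            if ($m.RecipientType -like '*Group') {
                Expand-Group $m.DistinguishedName
            } else {
                [void]$allowed.Add($m.DistinguishedName)
            }
        }
    }

    $dl = Get-DistributionGroup -Identity $DistributionList
    if (-not $dl) { throw "could not find distribution list '$DistributionList'" }
    # No AcceptMessagesOnlyFrom restriction at all: any internal sender can post
    # (RejectMessagesFrom lists are not checked here).
    if (-not $dl.AcceptMessagesOnlyFrom -and -not $dl.AcceptMessagesOnlyFromDLMembers) {
        return $true
    }
    foreach ($id in @($dl.AcceptMessagesOnlyFrom)) {
        if ($id) { [void]$allowed.Add($id.DistinguishedName) }
    }
    foreach ($g in @($dl.AcceptMessagesOnlyFromDLMembers)) {
        if ($g) { Expand-Group $g.DistinguishedName }
    }
    return $allowed.Contains($target.DistinguishedName)
}

# Usage (sample identities are assumed):
# Test-DLSender -DistributionList "All Eric's Family and Friends" -Mailbox "Woodford, Eric"
```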
