Archive for April, 2011

Exchange 2007: Add Public folder client permissions recursively

April 14, 2011

By default, public folder client permissions are managed in the Exchange Management Shell with the Add-PublicFolderClientPermission cmdlet. However, this cmdlet only adds permissions on the specified folder, not on the folders or items beneath it. Every Exchange Server 2007 installation has a subfolder called Scripts by default, which contains a script called AddUsersToPFRecursive.ps1. This script can add permissions recursively to all folders and items in a specified folder. If you run this script against the top public folder for a security group or user and make that principal Owner of all folders and subfolders, you can then manage the public folder permissions easily from within the Outlook client.

Retrieve the current permissions of a specific folder:

Get-PublicFolderClientPermission "PublicFolder" -User "Username"

Add permissions to a specific folder:

Add-PublicFolderClientPermission "PublicFolder" -User "Username" -AccessRights <Right>

The Exchange 2007 default scripts are located in C:\Program Files\Microsoft\Exchange Server\Scripts.

Use AddUsersToPFRecursive.ps1 to apply the permissions to all public folders beneath a specified top public folder:

AddUsersToPFRecursive.ps1 -TopPublicFolder "foldername" -User "username" -Permission <Right>

**note** When there are spaces in the folder name, you must place it between double and single quotes: "'folder name'"

Possible access rights:

  • Owner: CreateItems, ReadItems, CreateSubfolders, FolderOwner, FolderContact, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
  • PublishingEditor: CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
  • Editor: CreateItems, ReadItems, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
  • PublishingAuthor: CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, DeleteOwnedItems
  • Author: CreateItems, ReadItems, FolderVisible, EditOwnedItems, DeleteOwnedItems
  • NonEditingAuthor: CreateItems, ReadItems, FolderVisible
  • Reviewer: ReadItems, FolderVisible
  • Contributor: CreateItems, FolderVisible

See also video on Manage Client Permissions on Public Folders using built-in PowerShell scripts

Categories: Exchange 2007 / 2010

Powershell: Get Inactive Computer objects in AD

April 5, 2011

I made a new PowerShell script to retrieve all inactive and “non used” computer accounts for a specific organizational unit in Active Directory. You need to use the “lastLogonTimestamp” attribute from AD, as you can see in the screenshot below. There is also a “lastLogon” attribute, but this is an old attribute that is not replicated among the domain controllers. That attribute is only updated on the domain controller you are currently using, therefore we use “lastLogonTimestamp”, which is replicated. I have also used Quest Active Roles, which is free to download.

The script below first displays the inactive computer objects that have not signed in during the last 3 months; afterwards the “never used” computer accounts are displayed. Modify the $Days and $OU variables to change the number of inactive days and the organizational unit.


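#Display inactive and "non used" workstations of a specific Organizational Unit
#More info:

#Load the Quest ActiveRoles cmdlets (provides Get-QADComputer) if not already loaded
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

$Currentdate = Get-Date
$Days = 90                #number of days without a logon before a computer counts as inactive
$OU = " Computers"        #organizational unit to search

#Computers whose replicated last logon is older than $Days
$inactive = Get-QADComputer -SearchRoot $OU -SizeLimit 0 -IncludedProperties LastLogonTimeStamp | where { $_.LastLogonTimeStamp -ne $null -and ($Currentdate-$_.LastLogonTimeStamp).Days -gt $Days }
#Computers that have never logged on (attribute not set)
$neverused = Get-QADComputer -SearchRoot $OU -SizeLimit 0 -IncludedProperties LastLogonTimeStamp | where { $_.LastLogonTimeStamp -eq $null }

Write-Host "Inactive Workstations:"
$inactive | Format-Table name, lastlogonTimeStamp -AutoSize

Write-Host "Never used Workstations:"
$neverused | Format-Table name -AutoSize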


Note: I have changed the variable $days to 5 to generate some output on my test domain controller.
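The same classification can be done from the raw lastLogonTimestamp value, which the directory stores as a FILETIME integer rather than a date. The block below is an added example, not part of the original post: the function name Get-ComputerActivity and the sample records are constructed for illustration, and the 14-day margin assumes the default lastLogonTimestamp update interval, within which the stored value can lag the real last logon.

```powershell
# Added example. Constructed sample records stand in for directory output; with the
# ActiveDirectory module the same shape comes from:
#   Get-ADComputer -Filter * -SearchBase $OU -Properties lastLogonTimestamp
function Get-ComputerActivity {
    param(
        [Parameter(ValueFromPipeline = $true)] $Computer,
        [datetime] $Now = (Get-Date),
        [int] $Days = 90,        # inactivity threshold, as in the script above
        [int] $SyncSlack = 14    # assumption: default lastLogonTimestamp update interval
    )
    process {
        $raw = $Computer.lastLogonTimestamp
        if ($null -eq $raw -or [int64]$raw -le 0) {
            # Attribute never written: the account has never logged on
            $last = $null; $age = $null; $state = 'NeverUsed'
        } else {
            # Raw value is a FILETIME: 100 ns intervals since 1601-01-01 UTC
            $last = [datetime]::FromFileTimeUtc([int64]$raw)
            $age  = ($Now.ToUniversalTime() - $last).Days
            if ($age -gt ($Days + $SyncSlack)) { $state = 'Inactive' }
            elseif ($age -gt $Days) { $state = 'Review' }   # stored value may lag the real logon
            else { $state = 'Active' }
        }
        New-Object PSObject -Property @{
            Name = $Computer.Name; LastLogonUtc = $last; AgeDays = $age; State = $state
        }
    }
}

$now = Get-Date
$sample = @(   # constructed records, not real hosts
    (New-Object PSObject -Property @{ Name = 'WS-001'; lastLogonTimestamp = $now.AddDays(-3).ToFileTimeUtc() })
    (New-Object PSObject -Property @{ Name = 'WS-002'; lastLogonTimestamp = $now.AddDays(-95).ToFileTimeUtc() })
    (New-Object PSObject -Property @{ Name = 'WS-003'; lastLogonTimestamp = $now.AddDays(-200).ToFileTimeUtc() })
    (New-Object PSObject -Property @{ Name = 'WS-004'; lastLogonTimestamp = $null })
)

$sample | Get-ComputerActivity -Now $now |
    Sort-Object State, Name |
    Format-Table Name, LastLogonUtc, AgeDays, State -AutoSize
```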


Categories: Powershell