Hello Exchange Scripting Guys!
I'm working on a script for the Exchange 2010 ScriptingAgent, which should activate Mailbox Audit Logging if an administrator applies FullAccess and/or SendAs permissions to himself, and de-activate Mailbox Audit Logging if the admin removes all permissions from a user account.
Activating Mailbox Audit Logging works fine, but de-activating doesn't.
That's my code so far in the ScriptingAgentConfiguration.xml:
<Feature Name="MailboxPermissionsRemove" Cmdlets="Remove-MailboxPermission,Remove-ADPermission">
    <ApiCall Name="OnComplete">
        if ($succeeded) {
            # ToString() is necessary here, the parameter value is not a plain string
            $id = ($provisioningHandler.UserSpecifiedParameters["Identity"]).ToString()
            $cmdlet = $provisioningHandler.TaskName
            $mailbox = Get-Mailbox -Identity $id
            $admin = Get-User -Identity $provisioningHandler.UserScope.UserID

            (Get-Date).ToString('yyyy-MM-dd HH:mm:ss') + "`t" + "Action stations! Action stations!" >> C:\UserAccess.txt
            "Identified cmdlet: " + $cmdlet >> C:\UserAccess.txt
            "Identified admin running cmdlet: " + $admin.SamAccountName >> C:\UserAccess.txt
            "cmdlet running against mailbox: " + $mailbox.Name >> C:\UserAccess.txt
            "Checking permissions: " >> C:\UserAccess.txt

            # Query both permission types once and reuse the results for logging and the decision
            $fullAccess = Get-MailboxPermission -Identity $id -User $admin.SamAccountName
            $sendAs = Get-ADPermission -Identity $id -User $admin.SamAccountName | Where-Object { $_.ExtendedRights -like "*Send-As*" }
            $fullAccess >> C:\UserAccess.txt
            $sendAs >> C:\UserAccess.txt

            # Only stop auditing when neither FullAccess nor Send-As remains for the admin
            if ($null -eq $fullAccess -and $null -eq $sendAs) {
                Set-Mailbox -Identity $id -AuditEnabled $false
            }
            else {
                "Cannot stop auditing, Admin still got permissions" >> C:\UserAccess.txt
            }
            Get-Mailbox -Identity $id | Format-List Audit* >> C:\UserAccess.txt
        }
    </ApiCall>
</Feature>
That's the output in my logfile:
===============================================
2012-07-16 16:08:08 Action stations! Action stations!
Identified cmdlet: Remove-MailboxPermission
Identified admin running cmdlet: Administrator
cmdlet running against mailbox: Alex_C
Checking permissions:
AccessRights : {FullAccess}
Deny : False
InheritanceType : All
User : CHARLY\Administrator
Identity : charly.net/_User/Alex_C
IsInherited : False
IsValid : True
Cannot stop auditing, Admin still got permissions
===============================================
Strange: although the script is called "OnComplete" of the cmdlet, the permission is still present, and it's only removed once the script has also finished running.
And yes, I checked a hundred times.
If you run the cmdlet again, it would say "cannot remove permission because no permission for that user present", and it would stop the audit logging.
Can anyone shed some light on this behaviour of the ScriptingAgent/PowerShell? Why is the permission still present until the whole operation (cmdlet+script) is completed, given that the script is executed "OnComplete" of the cmdlet?
Thanks in advance, any help highly appreciated!
Cheers,
Alex
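An added example, not the poster's code, that pulls the "does the admin still hold access" decision out of the ScriptingAgent XML into two hypothetical functions so it can be tried from an Exchange Management Shell on its own; it also skips inherited and Deny entries, which a plain `-eq $NULL` check treats as live access. It assumes the Exchange 2010 cmdlets are loaded and reuses the `C:\UserAccess.txt` log path from the post; it does not change what the OnComplete hook sees.

```powershell
# Added example (hypothetical function names), not the original poster's script.
# Returns $true when the admin still holds an explicit, non-denied FullAccess or
# Send-As entry on the mailbox; inherited or Deny ACEs do not count as usable access.
function Test-AdminMailboxAccess {
    param(
        [Parameter(Mandatory = $true)][string]$MailboxIdentity,
        [Parameter(Mandatory = $true)][string]$AdminSamAccountName
    )
    $fullAccess = Get-MailboxPermission -Identity $MailboxIdentity -User $AdminSamAccountName |
        Where-Object { (-not $_.IsInherited) -and (-not $_.Deny) -and
                       ($_.AccessRights -contains 'FullAccess') }
    $sendAs = Get-ADPermission -Identity $MailboxIdentity -User $AdminSamAccountName |
        Where-Object { (-not $_.IsInherited) -and (-not $_.Deny) -and
                       ($_.ExtendedRights -like '*Send-As*') }
    # An empty pipeline assigns $null, so either variable being non-null means access remains
    return [bool]($fullAccess -or $sendAs)
}

# Keeps mailbox auditing on while the admin retains access and switches it off only
# when nothing explicit is left. Returns $true if auditing was disabled by this call.
function Update-MailboxAuditState {
    param(
        [Parameter(Mandatory = $true)][string]$MailboxIdentity,
        [Parameter(Mandatory = $true)][string]$AdminSamAccountName,
        [string]$LogPath = 'C:\UserAccess.txt'   # log path taken from the post
    )
    $stamp = (Get-Date).ToString('yyyy-MM-dd HH:mm:ss')
    $stillHasAccess = Test-AdminMailboxAccess -MailboxIdentity $MailboxIdentity `
                                              -AdminSamAccountName $AdminSamAccountName
    if ($stillHasAccess) {
        "$stamp`tAudit kept on: $AdminSamAccountName still holds FullAccess/Send-As on $MailboxIdentity" |
            Out-File -FilePath $LogPath -Append
        return $false
    }
    Set-Mailbox -Identity $MailboxIdentity -AuditEnabled $false
    "$stamp`tAudit disabled: $AdminSamAccountName holds no explicit access on $MailboxIdentity" |
        Out-File -FilePath $LogPath -Append
    return $true
}

# Usage from a plain Exchange Management Shell (values are constructed, taken from the post's log):
# Update-MailboxAuditState -MailboxIdentity 'Alex_C' -AdminSamAccountName 'Administrator'
```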