Powershell

How to check for (and remove) Global Admins in your O365 subscription

10 Dec, 2018 in Office365 tagged Powershell by Xander

In this post I’m going to describe how you can easily identify your Office 365 administrators and how to remove them.

connect-msolservice
$role = Get-MsolRole -RoleName "Company Administrator"
Get-MsolRoleMember -roleobjectid $role.objectid

connect-msolservice

$role = Get-MsolRole -RoleName "Company Administrator"

Get-MsolRoleMember -roleobjectid $role.objectid

You now get a overview of your Global Admin users in your O365 subscription.

It’s easy to revoke the Admin rights from a specific user using the Remove-MsolRoleMember command

Remove-MsolRoleMember -RoleName "Company Administrator"-RoleMemberType User -RoleMemberEmailAddress "emailaddress@ofuser.com"

1	Remove-MsolRoleMember -RoleName "Company Administrator"-RoleMemberType User -RoleMemberEmailAddress "emailaddress@ofuser.com"

Script to check multiple servers which services are using specific accounts

2 Jul, 2014 in IT / Powershell / Uncategorized tagged Powershell by Xander

A client wanted to rename a specific account, but they were afraid to change this specific account because it could be used as a service account for several services running on a number of servers. Because I didn’t want to logon to all those servers manually I decided to create a powershell script.

Hereby the source code :

$DefineSaveLocation=&quot;f:\powershell&quot;
$SaveLocaPath=Test-Path $DefineSaveLocation
if ($SaveLocaPath -eq $False)
    {New-Item -ItemType directory -Path $DefineSaveLocation}
cd $DefineSaveLocation

Foreach ($Server in Get-Content &quot;F:\powershell\inputfile.txt&quot; )
 {
  Write-Host &quot;Retrieving Servers for $Server &quot;    
  Get-WmiObject win32_service -ComputerName $Server  | select Name,
  @{N=&quot;Startup Type&quot;;E={$_.StartMode}},
  @{N=&quot;Service Account&quot;;E={$_.StartName}},
  @{N=&quot;System Name&quot;;E={$_.Systemname}} | Sort-Object &quot;Name&quot; &gt; &quot;.\$Server -Services.txt&quot;
 }

$DefineSaveLocation="f:\powershell"

$SaveLocaPath=Test-Path $DefineSaveLocation

if ($SaveLocaPath -eq $False)

{New-Item -ItemType directory -Path $DefineSaveLocation}

cd $DefineSaveLocation

Foreach ($Server in Get-Content "F:\powershell\inputfile.txt" )

{

Write-Host "Retrieving Servers for $Server "

Get-WmiObject win32_service -ComputerName $Server | select Name,

@{N="Startup Type";E={$_.StartMode}},

@{N="Service Account";E={$_.StartName}},

@{N="System Name";E={$_.Systemname}} | Sort-Object "Name" > ".\$Server -Services.txt"

}

This script uses a inputfile containing the servernames. You can use for example use rvtools or an WMI query to create this file.

After running the script the output is as follows :

(Click the picture for a full view)

I imported this file into excel and from now it’s easy to check for accounts being used etc.

Make sure to run powershell in elevated mode and don’t forget the set-executionpolicy unrestricted option.

Exchange & Lync : Find and fix broken inheritance

23 Feb, 2013 in Exchange / IT / Lync / Uncategorized tagged Exchange / Lync / Powershell by Xander

Many times I’ve ran into the following error :

(Error : unsufficient access rights to perform the operation) while moving Lync users of moving mailboxes in Exchange.

This is due to the following :

Include inheritable permissions MUST BE ENABLED. (Also for other tasks)

When this is one or a couple of users this is no problem. When you have >100 users then you don’t want to do this manually.

This is how to script this :

First check witch users are having this problem using the following command :

Get-QADUser -SizeLimit 0 | where {$_.DirectoryEntry.psbase.ObjectSecurity.AreAccessRulesProtected}

Example :

You see the accounts which are having this problem. Nothing is fixed yet. Therefore you need to run the following command :

Get-QADUser -SizeLimit 0 | where {$_.DirectoryEntry.psbase.ObjectSecurity.AreAccessRulesProtected} | Set-QADObjectSecurity -UnlockInheritance

M	T	W	T	F	S	S
		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30

Because IT's a virtual World!

Because IT's a virtual World!

Powershell

How to check for (and remove) Global Admins in your O365 subscription

Script to check multiple servers which services are using specific accounts

Exchange & Lync : Find and fix broken inheritance