Powershell


How to check for (and remove) Global Admins in your O365 subscription

In this post I’m going to describe how you can easily identify your Office 365 administrators and how to remove them.

You now get an overview of your Global Admin users in your O365 subscription.

It’s easy to revoke the Admin rights from a specific user using the Remove-MsolRoleMember command 


Script to check multiple servers which services are using specific accounts

A client wanted to rename a specific account, but they were afraid to change it because it could be used as a service account for several services running on a number of servers. Because I didn’t want to log on to all those servers manually, I decided to create a PowerShell script.

 

Here is the source code:

 

This script uses an input file containing the server names. You can use, for example, RVTools or a WMI query to create this file.

After running the script, the output is as follows:

(Screenshot: services_export)

I imported this file into Excel, and from there it’s easy to check for accounts being used etc.

Make sure to run PowerShell in elevated mode and don’t forget the Set-ExecutionPolicy Unrestricted option.


Exchange & Lync : Find and fix broken inheritance

Many times I’ve run into the following error:

(Screenshot: move mailbox)

(Error: insufficient access rights to perform the operation) while moving Lync users or moving mailboxes in Exchange.

This is due to the following:

(Screenshot: security002)

Include inheritable permissions MUST BE ENABLED. (Also for other tasks)

When this affects one or a couple of users, it is no problem. When you have >100 users, you don’t want to do this manually.

This is how to script it:

First check which users have this problem using the following command:

Get-QADUser -SizeLimit 0 | where {$_.DirectoryEntry.psbase.ObjectSecurity.AreAccessRulesProtected}

Example:

(Screenshot: security001)

You see the accounts which have this problem. Nothing is fixed yet. To fix them, run the following command:

Get-QADUser -SizeLimit 0 | where {$_.DirectoryEntry.psbase.ObjectSecurity.AreAccessRulesProtected} | Set-QADObjectSecurity -UnlockInheritance
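
The same two steps (report first, then fix) as an added example, not the author's script: it swaps the QAD cmdlets above for Microsoft's ActiveDirectory module and skips accounts with adminCount = 1, where AdminSDHolder protection normally disables inheritance on purpose. The function name and report path are hypothetical, and an elevated, domain-joined session with the RSAT ActiveDirectory module is assumed.

```powershell
# Added example: report and repair disabled ACL inheritance on AD user objects.
# Assumes the RSAT ActiveDirectory module and rights to modify user ACLs.
Import-Module ActiveDirectory

function Repair-UserAclInheritance {            # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [string]$ReportPath = '.\broken-inheritance.csv'   # hypothetical path
    )

    # Step 1: find users whose security descriptor blocks inherited ACEs.
    $affected = Get-ADUser -Filter * -SearchBase $SearchBase `
                    -Properties nTSecurityDescriptor, adminCount |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        Select-Object SamAccountName, DistinguishedName,
            @{ n = 'AdminSDHolder'; e = { [bool]($_.adminCount -eq 1) } }

    # Keep a record of the state before anything changes (written even on -WhatIf).
    $affected | Export-Csv -Path $ReportPath -NoTypeInformation -WhatIf:$false

    # Step 2: re-enable inheritance, leaving protected admin accounts alone.
    foreach ($user in $affected) {
        if ($user.AdminSDHolder) {
            Write-Warning "Skipped (adminCount=1): $($user.SamAccountName)"
            continue
        }
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Enable ACL inheritance')) {
            $path = "AD:\$($user.DistinguishedName)"
            $acl  = Get-Acl -Path $path
            # isProtected = $false turns inheritance back on; the second
            # argument is ignored when isProtected is $false.
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path $path -AclObject $acl
        }
    }
    $affected   # return the list so the caller can review or filter it
}

# Dry run: writes the report and shows what would change, modifies nothing.
Repair-UserAclInheritance -WhatIf
```

Review the CSV, then run the function again without -WhatIf to apply the change.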