Error 80180008 when joining a Windows 10 device to Azure AD
I’ve been messing about with Azure AD join in Windows 10 recently, and made what was ultimately a stupid mistake, but the error message and behaviour didn’t make realising my mistake terribly easy.
In my scenario, I had configured Azure AD for domain join, configured which users were allowed to join, and set up auto-enrollment for Intune. I jumped on to a new machine, and it worked sweet. Wicked, I thought.
Then I got someone else to try.. and it didn’t work.
They got through the authentication step, multi-factor auth, and confirmed the org details presented back were correct. Then it failed with a super unhelpful “something has gone wrong” message, with an error code of 80180008.
I asked the internet. The internet didn’t know.
So I applied brain.. and realised I’m an idiot.
The back-of-a-napkin steps that occur during the join process are as follows:
- Authenticate against Azure AD (or proxy auth via ADFS if that’s your bag).
- Azure confirms if you’re allowed to domain join and processes the join.
- Azure hands off to Intune to manage the device enrollment.
What was happening in my case was that steps 1 and 2 were working fine, but when it came time to enroll in Intune, it checked the license assignment for the user and, lo and behold, the user didn’t have one, so it rejected the enrollment.
Duh! Like I said, idiot.
It would be super awesome if perhaps Microsoft could improve the feedback to the user with a useful ‘you are not licensed for device enrollment’ type message, but I guess you can’t have everything.
So if like me you forget to sort your user licensing, expect to hit error 80180008. Luckily you just need to assign the user an Intune license (either direct or via EMS) and you’re sorted.
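Added example, not part of the original post: the check the 80180008 error is hiding. Before a user tries to join and auto-enrol, confirm they actually hold an Intune service plan. It assumes the MSOnline module with Connect-MsolService already run, and that the Intune plan reports its ServiceName as INTUNE_A; that plan name is an assumption to verify against your own SKUs.

```powershell
# Added example (not from the original post). Assumes MSOnline is loaded and
# Connect-MsolService has been run; the INTUNE_A plan name is an assumption.
function Test-IntuneEnrollmentLicense {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    $result = [ordered]@{
        User       = $UserPrincipalName
        IsLicensed = $user.IsLicensed
        IntuneSku  = $null
        PlanStatus = 'Not assigned'
        CanEnroll  = $false
    }
    # Walk every licence on the user and look for the Intune service plan inside it
    # (it arrives via a direct Intune licence or bundled in EMS).
    foreach ($lic in $user.Licenses) {
        $plan = $lic.ServiceStatus | Where-Object { $_.ServicePlan.ServiceName -eq 'INTUNE_A' }
        if ($plan) {
            $result.IntuneSku  = $lic.AccountSkuId              # e.g. tenant:EMS or tenant:INTUNE_A
            $result.PlanStatus = [string]$plan.ProvisioningStatus
            $result.CanEnroll  = ($plan.ProvisioningStatus -eq 'Success')
            break
        }
    }
    [pscustomobject]$result
}

# Check the user who hit the error, then list everyone who would hit it
Test-IntuneEnrollmentLicense -UserPrincipalName 'user@contoso.com'
Get-MsolUser -All |
    ForEach-Object { Test-IntuneEnrollmentLicense -UserPrincipalName $_.UserPrincipalName } |
    Where-Object { -not $_.CanEnroll }
```

A plan that shows up as PendingInput or Disabled rather than Success will fail enrollment just as surely as no licence at all, which is why the function reports the provisioning status rather than only whether the SKU is present.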
JB
How to delete those annoying duplicate Lync contacts
If you’ve been using Lync (now Skype for Business) for a while, you’ll likely find that you have a number of duplicate contacts in your mailbox, due to a legacy behavior of the client auto-creating contacts every time the client version changed. If you’ve been running Lync for quite a while, these duplicates may run north of 10,000 objects, which will start to mess with your Outlook performance and do horrible things to your mobile phone address book.
The underlying cause of these duplicates being created has long been fixed via CUs, but the contacts remain. The trouble with removing these if you’re on Exchange Online is the contacts have special permissions and can’t be deleted by the end user.
I needed to solve this problem recently, and found plenty of suggested fixes but they were either way too manual (fine for a few duplicates but not thousands) or they just didn’t work at all.
Being a fan of all things PowerShell, I dug out some cmdlets and figured out how to do it via PowerShell, which I’ll spell out below. I’ve included a full copy of the script at the end of this post if you just want to steal the whole thing. Go for it.
To do this you’ll need a PowerShell window (no special modules required) and an account with the global admin role. (To be honest I’ve been lazy here: global admin is overkill. Search-Mailbox needs the Mailbox Search role, and the -DeleteContent switch additionally needs the Mailbox Import Export role, neither of which is assigned to admins by default.)
First up, the basics. Get yourself connected to Exchange Online via PowerShell.
$cred = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://ps.outlook.com/powershell/" -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session -AllowClobber
(Caveat for anyone reading this later: Basic authentication to ps.outlook.com has since been retired, so on a current tenant you connect with Connect-ExchangeOnline from the ExchangeOnlineManagement module instead, and Search-Mailbox itself is deprecated in Exchange Online in favour of the compliance search cmdlets. The approach below is otherwise unchanged.)
Next create a mailbox to store the log output. I’d recommend using a shared mailbox so it doesn’t consume a license. Be sure to grant yourself access to the mailbox so you can review outputs.
New-Mailbox -Name LyncContactRemoval -Shared
Get-Mailbox LyncContactRemoval | Add-MailboxPermission -User <your-mailbox-upn> -AccessRights FullAccess -InheritanceType All
Now to find the offending contacts. We use a mailbox search query to iterate over all mailbox items that contains the unique string that each duplicate contains. The output of the search is saved to the shared mailbox you created above to allow you to verify the query returns only those items you want.
I’ve included a few sample queries to get you started.
1. Query against a single mailbox
2. Query multiple mailboxes
3. Query all mailboxes
Note that these commands will include the dumpster by default. If you want to exclude the mailbox dumpster from the query, add “-SearchDumpster:$false” to the end of the command. There is also a return item limit of 10,000 items per mailbox.
# Example 1 - For a single mailbox
Get-Mailbox <mailbox-identity> | Search-Mailbox -SearchQuery 'all:"This contact was updated from Microsoft Lync" OR all:"This contact was added from Microsoft Lync"' -TargetMailbox LyncContactRemoval -TargetFolder Cleanup -LogLevel Full -LogOnly

# Example 2 - For a couple of mailboxes
Get-Mailbox -ResultSize Unlimited | ?{$_.alias -eq '<alias1>' -or $_.alias -eq '<alias2>' -or $_.alias -eq '<alias3>'} | Search-Mailbox -SearchQuery 'all:"This contact was updated from Microsoft Lync" OR all:"This contact was added from Microsoft Lync"' -TargetMailbox LyncContactRemoval -TargetFolder Cleanup -LogLevel Full -LogOnly

# Example 3 - For all mailboxes (-ResultSize Unlimited lifts Get-Mailbox's default cap of 1000 results)
Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery 'all:"This contact was updated from Microsoft Lync" OR all:"This contact was added from Microsoft Lync"' -TargetMailbox LyncContactRemoval -TargetFolder Cleanup -LogLevel Full -LogOnly
Open the shared mailbox via Outlook and locate the TargetFolder path you used. This will include a mail object with the results of the query you ran, and a CSV file attachment containing the precise results down to a per-contact level. Validate your results are as you expect, and then either proceed with deletion, or refine your query and re-run the search.
Once you’re happy with your query and the output you’re getting, time to hit delete. This is basically just a case of using the -DeleteContent flag on the same query command you used above.
If you use the ‘all mailboxes’ query this may take a very long time. In my case I had about 150 mailboxes with 350,000 duplicate contacts. The deletion process took 7 hours to complete.
Due to the query return item limit, this will only delete 10,000 items from each mailbox at a time. Depending on how many duplicates your users have you may need to run this more than once (I did).
# For a single mailbox
Get-Mailbox <mailbox-identity> | Search-Mailbox -SearchQuery 'all:"This contact was updated from Microsoft Lync" OR all:"This contact was added from Microsoft Lync"' -DeleteContent

# For a couple of mailboxes (this filter uses the mailbox alias value, but you could filter on any field that makes sense to you)
Get-Mailbox -ResultSize Unlimited | ?{$_.alias -eq '<alias1>' -or $_.alias -eq '<alias2>' -or $_.alias -eq '<alias3>'} | Search-Mailbox -SearchQuery 'all:"This contact was updated from Microsoft Lync" OR all:"This contact was added from Microsoft Lync"' -DeleteContent

# For all mailboxes - note this could take a loooong time.
Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery 'all:"This contact was updated from Microsoft Lync" OR all:"This contact was added from Microsoft Lync"' -DeleteContent -SearchDumpster:$false
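Added example, not the post’s own script: a wrapper around the deletion command above that re-runs Search-Mailbox against each mailbox until a pass removes nothing, so the 10,000-items-per-mailbox limit is handled without coming back to re-run the command by hand. It assumes an Exchange Online remote session is already imported, that Search-Mailbox returns an object with a ResultItemsCount property, and that you have already validated the query with -LogOnly.

```powershell
# Added example (not from the original post). Assumes an imported Exchange
# Online session and that Search-Mailbox returns a ResultItemsCount property.
$query = 'all:"This contact was updated from Microsoft Lync" OR all:"This contact was added from Microsoft Lync"'

function Remove-LyncDuplicateContacts {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Mailbox,  # a Get-Mailbox object
        [int]$MaxPasses = 50                                # safety cap: 50 x 10,000 items
    )
    process {
        $pass = 0
        do {
            $pass++
            # -Force suppresses the per-mailbox confirmation prompt, which would
            # otherwise stall an unattended run across hundreds of mailboxes.
            $result = Search-Mailbox -Identity $Mailbox.Identity -SearchQuery $query `
                -SearchDumpster:$false -DeleteContent -Force
            Write-Host ("{0}: pass {1} removed {2} item(s)" -f $Mailbox.Alias, $pass, $result.ResultItemsCount)
        } while ($result.ResultItemsCount -gt 0 -and $pass -lt $MaxPasses)

        [pscustomobject]@{
            Mailbox = $Mailbox.Alias
            Passes  = $pass
            Capped  = ($result.ResultItemsCount -gt 0)   # true if MaxPasses stopped us early
        }
    }
}

# All user mailboxes (shared/resource mailboxes never ran a Lync client).
# -ResultSize Unlimited matters: Get-Mailbox stops at 1000 mailboxes by default.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Remove-LyncDuplicateContacts |
    Format-Table -AutoSize
```

The loop exits on the first pass that finds nothing, so a mailbox with 35,000 duplicates costs four passes and one with none costs a single cheap search. The Capped column tells you which mailboxes still have leftovers if the safety cap ever kicks in.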
That’s it – job done.
Technically you should remove the shared mailbox you created at the beginning to clean this up. I left mine in place for a while as a lazy log of what was removed, but deleted it once I was happy nobody was upset by the sudden removal of 350,000 completely useless contact objects. That and of course close your session like a good ‘sheller should.
Get-Mailbox LyncContactRemoval | Remove-Mailbox
Remove-PSSession $session
If you’re looking for the entire script, you’ll find it below. Hope it’s useful.
JB
# Get yourself connected to Exchange Online
$cred = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://ps.outlook.com/powershell/" -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session -AllowClobber

# First create a destination mailbox for query reports. Use a shared mailbox so it doesn't consume a license
New-Mailbox -Name LyncContactRemoval -Shared

# Grant yourself access to the mailbox so you can open via Outlook
Get-Mailbox LyncContactRemoval | Add-MailboxPermission -User <your-mailbox-upn> -AccessRights FullAccess -InheritanceType All

# Query for candidates and log results (no other action taken)
# Example 1 - For a single mailbox
Get-Mailbox <mailbox-identity> | Search-Mailbox -SearchQuery 'all:"This contact was updated from Microsoft Lync" OR all:"This contact was added from Microsoft Lync"' -TargetMailbox LyncContactRemoval -TargetFolder Cleanup -LogLevel Full -LogOnly

# Example 2 - For a couple of mailboxes (this filter uses the mailbox alias value, but you could filter on any field that makes sense to you)
Get-Mailbox -ResultSize Unlimited | ?{$_.alias -eq '<alias1>' -or $_.alias -eq '<alias2>' -or $_.alias -eq '<alias3>'} | Search-Mailbox -SearchQuery 'all:"This contact was updated from Microsoft Lync" OR all:"This contact was added from Microsoft Lync"' -TargetMailbox LyncContactRemoval -TargetFolder Cleanup -LogLevel Full -LogOnly

# Example 3 - For all mailboxes (-ResultSize Unlimited lifts Get-Mailbox's default cap of 1000 results)
Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery 'all:"This contact was updated from Microsoft Lync" OR all:"This contact was added from Microsoft Lync"' -TargetMailbox LyncContactRemoval -TargetFolder Cleanup -LogLevel Full -LogOnly

# Note - these commands will include the dumpster by default. If you want to exclude the mailbox dumpster from the query, add "-SearchDumpster:$false" to the end of the command

# Open the mailbox in Outlook and locate the TargetFolder path you used.
# This will include a mail object with the results of the query, and a CSV file attached containing the precise results down to a per-contact level.
# Validate your results are as you expect, and then either proceed with deletion, or refine your query and re-run the search.

# To actually delete the objects.. do this
# For a single mailbox
Get-Mailbox <mailbox-identity> | Search-Mailbox -SearchQuery 'all:"This contact was updated from Microsoft Lync" OR all:"This contact was added from Microsoft Lync"' -DeleteContent

# For a couple of mailboxes (this filter uses the mailbox alias value, but you could filter on any field that makes sense to you)
Get-Mailbox -ResultSize Unlimited | ?{$_.alias -eq '<alias1>' -or $_.alias -eq '<alias2>' -or $_.alias -eq '<alias3>'} | Search-Mailbox -SearchQuery 'all:"This contact was updated from Microsoft Lync" OR all:"This contact was added from Microsoft Lync"' -DeleteContent

# For all mailboxes - note this will take a loooong time. For 232 mailboxes with 350,000 duplicate contacts, this process took 7 hours to complete.
Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery 'all:"This contact was updated from Microsoft Lync" OR all:"This contact was added from Microsoft Lync"' -DeleteContent -SearchDumpster:$false
Windows 10 – First Impressions (End-User Edition)
With the release of the Windows 10 Technical Preview last week, I (like so many other IT Pros around the world) have installed it onto my primary device and am using it in anger for the first time. What follows is my first impressions of the new and the shiny. Note that I haven’t gone hunting for new features – these really only relate to features I’ve encountered in everyday use as an end-user. I’ll post another update soon with my impressions from an Enterprise Admin perspective.
New Start Menu
Personally, I liked the Windows 8 Start experience, so wasn’t looking for a change here. That said, the new one is a nice blend of the old and the new. It’s nice having the ability to pin a list of common stuff to your left-hand menu (the old style Windows 7 menu), but also maintain the live-tile experience with the right-hand side Win8 elements. My only complaint is the ‘all programs’ list view is too old school. The ability to see all your apps in the Win8 Start screen was great, especially when combined with view filters (eg. sort by date installed).
It’s worth pointing out for those that like the Windows 8 Start Screen experience, you can change your Start Menu to use the Windows 8 version.
Improved Search Experience
This is probably my favourite change in Windows 10 – it’s brilliant. I loved the unified search functionality of Windows 8 – search for ‘everything’ from one place – your Start screen. Simple, fast, brilliant. Windows 10 turns that up to 11. When searching from the Start Menu, you get the same Windows 8 experience you’ve got used to – local apps, files, and web suggestions – nothing new there apart from the layout. Where things get exciting is when you click through to one of those web suggestions. This takes you to the Search interface proper, where you get an expanded view of web/files/apps, but also images, videos, settings, and thumbnails/previews everywhere. Now we really are searching ‘everything’ from one place.
I wonder whether a future enhancement might be to search across your other connected Windows devices (Windows Phone, Xbox, etc). Given the talk about ‘one platform everywhere’, I wouldn’t be surprised if that’s the case.
Copy/Paste in Command Prompt / PowerShell
I spend a lot of time in PowerShell (less so in cmd), and have been wanting proper copy/paste (Ctrl-C/Ctrl-V) functionality here since forever. Finally, it’s here. And it works. There’s not much to say on this really – it’s a basic feature that just does what it should. At last. Win.
Multiple Desktops
I’ve seen several posts about how this is such a great (and long desired) feature – but truth be told – I don’t really get it. This feature effectively gives you independent desktops to create workspaces that suit your user behaviour. In principle, I like the sound of that. I often work on documents or platforms that require a level of discretion/privacy, so being able to group those tasks on a separate desktop that I can quickly hide away has some appeal. In practice however, the separate desktops are, for want of a better phrase, too close together. By this I mean that if you have apps open in one desktop (let’s call it Desktop “A”), then switch to another desktop (let’s call this one Desktop “B”), you’d expect a level of isolation between the two. But regardless of which one you’re in, as soon as you Alt-Tab (and who doesn’t?), you’ll see all apps in all desktops, and will be automatically swapped between them. So where is the isolation? All we’ve achieved is a little bit of de-clutter.
Install Process
The upgrade process for Windows just keeps getting easier and faster. In-place upgrade from Windows 8.1 to 10 took less than 30 minutes (on an SSD based laptop from USB media), required less than half a dozen clicks, and kept most of my Windows apps intact. Couple this with how so much of your user profile is synced to the cloud these days, and the time it takes to get your OS back to a familiar state is nothing. Super simple.
Overall Impression
There are some nice enhancements in Windows 10 over Windows 8/8.1, and I certainly like where the platform is heading – the usability changes in Windows 10 will certainly ease the transition from Windows 7 and prior – but overall, I’m left feeling a little let down. Moving from Windows 8.1 to Windows 10 felt like a big deal – it sounded so monumental. But on the surface, it’s a lot of the same. However, I think it’s obvious that there is a lot more to come, and most of the exciting stuff in Windows 10 won’t really start to shine until we see all the other platforms (Phone, Xbox, the Internet of Things) take their own step towards Windows 10 – that’s where the real gold lies. Once everything in your life is running the same OS, shit is going to get crazy.
User not in service error
I encountered this issue recently when attempting to Lync call an internal user (P2P, not via PSTN), and was initially a little surprised to see this error message return almost instantly.
Fair enough if I’d dialed a number that wasn’t valid, but I wasn’t dialing a phone number, and this was a user that I could see was online and available. What the….
In reality the cause is fairly obvious, but to an end-user this could be fairly confusing, so I thought I’d go through the debug process to be thorough. A quick pick through my local trace logs returned this:
history-info: <sip:[email protected]?Reason=SIP%3Bcause%3D302%3Btext%3D%22Moved%20Temporarily%22>;index=1;ms-retarget-reason=forwarding
ms-diagnostics: 13006;reason=”Request forwarded, any previous branches cancelled.”;source=”front-end-servername”;appName=”InboundRouting”
which ultimately resulted in:
SIP/2.0 404 No matching rule has been found in the dial plan for the called number
All this talk of numbers when you’re not dialing a number seems a little odd, until you consider the user-controlled call forwarding feature. Then it all makes sense again.
If a user has elected to forward their calls (not sim-ring) to another number, but has entered a number that cannot be normalised for some reason (could be their fault or yours), then Lync will quite legitimately return the out of service error. The question then becomes, who needs to fix it? The user, or the Lync Admin? How do you know?
To find out, you can consult either the server logs or the SSRS QoE reports. I tend to jump into the QoE reports first in situations like this as it is often quicker. On the QoE report server, run the User Activity Report, bring up calls from the offending user, and open the detail of the call that failed. You will find a number of 404 response codes, and if you drill into the one with a diagnostic ID of 14010, you’ll see the following:
To user URI: sip:00001234567;phone-context=dialplanname@sipdomain.com
Diagnostic header: 14010; reason=”Unable to find an exact match in the rules set”; source=”lyncfe”; CalledNumber=”00001234567“; ProfileName=”dialplanname“; appName=”TranslationService
So in this case, the user is attempting to forward to 00001234567, and Lync is trying to normalise this based on the rules associated with the dial plan listed under ProfileName. It can’t find a rule to match this number format, so fails and essentially rejects the number. From this error detail you can then evaluate the number and determine if the user has fat-fingered an impossible number, or whether perhaps you need to tweak your normalisation rules so this one matches.
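Added example, not from the original post: take the CalledNumber and ProfileName out of the 14010 diagnostic header and replay the number through that dial plan’s normalisation rules from the Lync Server Management Shell, so you can tell a fat-fingered number from a missing rule without waiting for the user to try again. It assumes Test-CsDialPlan returns TranslatedNumber and MatchingRule properties (verify on your build) and that the dial plan can be fetched by the ProfileName exactly as logged.

```powershell
# Added example (not from the original post). Run in the Lync Server Management
# Shell; the result property names are assumptions to verify on your build.
function Test-ForwardTarget {
    param(
        [Parameter(Mandatory)][string]$CalledNumber,   # CalledNumber= from the diagnostic header
        [Parameter(Mandatory)][string]$ProfileName     # ProfileName= from the diagnostic header
    )
    $plan = Get-CsDialPlan -Identity $ProfileName -ErrorAction Stop
    $test = Test-CsDialPlan -DialedNumber $CalledNumber -Dialplan $plan

    if ($test.MatchingRule) {
        [pscustomobject]@{
            Called     = $CalledNumber
            Normalised = $test.TranslatedNumber
            Rule       = $test.MatchingRule.Name
            Verdict    = "Matches: forwarding target is valid in dial plan '$ProfileName'"
        }
    } else {
        # Nothing matched. Dump the patterns so you can see what shape the number
        # would need, then decide whether the user or the dial plan is at fault.
        $plan.NormalizationRules | Select-Object Name, Pattern, Translation | Format-Table -AutoSize
        [pscustomobject]@{
            Called     = $CalledNumber
            Normalised = $null
            Rule       = $null
            Verdict    = "No normalisation rule in '$ProfileName' matches: fix the number or add a rule"
        }
    }
}

# Values lifted from the 14010 diagnostic header above
Test-ForwardTarget -CalledNumber '00001234567' -ProfileName 'dialplanname'
```

If Get-CsDialPlan cannot find the plan by the bare name, try it with the scope prefix (Site:name for a site plan, Tag:name for a per-user plan); the header logs the name without it.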
Snooper install returns vcredist error
Chances are if you’re trying to install the Lync 2013 Debugging Tools, you may find you receive the following error message:
The obvious requirement here is to ensure you have the Visual C++ 2012 x64 Redistributable package installed, and that it be version 11.0.50727.
The trouble comes when you try and download that version. It’s next to impossible to find as the only versions listed on the official Microsoft sites are either a higher increment of version 11, which doesn’t work, or version 12.x, which also doesn’t work. Frustrating much?
The simple solution is to go dig up your Lync Server 2013 install media, and you’ll find this version in the \Setup\amd64 folder. Install that, and you’re gold.
Alternatively you can download a copy from here, however please be aware this is not an official Microsoft source – its just the copy from my Lync media that I’ve uploaded. It was free of viruses when I uploaded it, in original form, but the internet is a scary place – so make sure you take the necessary precautions if you choose to download it.
Publishing Lync via Web App Proxy with multiple SIP domains
With the recent release of Server 2012 R2, and with it ADFS 3.0 and the Web Application Proxy (WAP) role, word on the street was we now had a replacement product from Microsoft to publish Lync, rather than using the now retired TMG or ISA products.
It’s an exciting time.
So naturally, the minute we upgraded our ADFS farm to 3.0 (as it’s a hard requirement for deploying WAP), I was straight into test publishing our Lync 2013 platform behind WAP.
Doug Deitterick over on the Microsoft UC Blog has done a great job of documenting how to setup and publish Lync via WAP, and Marc Terblanche has a great post that goes into a bit more detail around scripting the rules, along with some excellent information about the SNI challenge and how to assign a default cert for clients that don’t support SNI (very important to understand this one).
But in both cases, they’re publishing a straight-forward Lync lab, with a single SIP domain. What happens in a real world scenario where you have multiple SIP domains associated with your Lync platform, and you need to publish them all – specifically, if you support mobility?
Unfortunately, the answer is slightly disappointing. You can’t do this via WAP. Yet.
When you have multiple SIP domains, there is a gotcha when it comes to publishing the Lync Discover URL that mobile clients rely on to auto-discover their sign-in server details. In a single SIP domain environment, you’d just have a URL and publishing rule for lyncdiscover.sipdomain.com:443 that points to lyncweb.sipdomain.com:4443. In a multiple SIP domain environment however, you can’t as the mobile clients for users on SIP domain #2 will fail to correctly redirect to the primary SIP domain. The reason for this is outlined below:
Mobile device clients do not support multiple Secure Sockets Layer (SSL) certificates from different domains. Therefore, CNAME redirection to different domains is not supported over HTTPS. For example, a DNS CNAME record for lyncdiscover.sipdomain2.com that redirects to an address of lyncdiscover.sipdomain1.com is not supported over HTTPS. In such a topology, a mobile device client needs to use HTTP for the first request, so that the CNAME redirection is resolved over HTTP. Subsequent requests then use HTTPS. To support this scenario, you need to configure your reverse proxy with a web publishing rule for port 80 (HTTP). For details, see “To create a web publishing rule for port 80” in Configuring the Reverse Proxy for Mobility.
(quoted from ‘Technical Requirements for Mobility’ at http://technet.microsoft.com/en-us/library/hh690030.aspx)
Under TMG, this isn’t a problem, as you can simply create an additional publishing rule for each additional SIP domain on HTTP, which redirects clients to the Lync webservices on 8080. This allows the initial request to come in on HTTP, perform the redirection to the webservices endpoint, then perform subsequent requests directly, via HTTPS.
Why doesn’t this work with WAP? Because as at RTM, the WAP feature only allows you to publish HTTPS URLs. If you attempt to publish anything via HTTP, WAP will return an error and come to a hard stop.
From what I’ve heard, this is something Microsoft are working hard to bring to the product as they recognise it is a barrier to entry for Lync publishing, though whether that will be via an update or a future version I’m unsure at this time.
In the meantime, it looks like your TMG platform might need to stick around a fraction longer if you have multiple SIP domains in your environment. Fingers crossed you won’t have to wait too long though.
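Added example, not from the original post: the Lync Discover publishing rules expressed as WAP cmdlets. The first is the normal HTTPS pass-through rule for the primary SIP domain; the second is the port-80 rule a second SIP domain needs so the CNAME redirect is resolved before TLS, which is exactly the rule RTM WAP refuses. The host names, the certificate thumbprint and the 4443/8080 listeners are assumptions taken from the topology described in the post.

```powershell
# Added example (not from the original post). Host names, thumbprint and
# listener ports are assumptions; run on the WAP server as an administrator.
$thumb = '<thumbprint-of-external-cert-covering-lyncdiscover.sipdomain1.com>'

# Primary SIP domain: HTTPS in, HTTPS to the external web services on 4443. Works.
Add-WebApplicationProxyApplication -Name 'Lync Discover sipdomain1' `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl 'https://lyncdiscover.sipdomain1.com/' `
    -BackendServerUrl 'https://lyncweb.sipdomain1.com:4443/' `
    -ExternalCertificateThumbprint $thumb

# Second SIP domain: lyncdiscover.sipdomain2.com is a CNAME to sipdomain1, so the
# mobile client's first request must be plain HTTP and land on the Lync web
# services HTTP listener (8080). RTM WAP only accepts HTTPS external URLs, so this
# call fails; the try/catch just surfaces that failure instead of aborting the script.
try {
    Add-WebApplicationProxyApplication -Name 'Lync Discover sipdomain2 (HTTP)' `
        -ExternalPreauthentication PassThrough `
        -ExternalUrl 'http://lyncdiscover.sipdomain2.com/' `
        -BackendServerUrl 'http://lyncweb.sipdomain1.com:8080/' `
        -ExternalCertificateThumbprint $thumb `
        -ErrorAction Stop
    Write-Host 'HTTP rule accepted: this WAP build supports HTTP publishing.'
} catch {
    Write-Warning "HTTP publishing rejected by WAP: $($_.Exception.Message)"
}

# Confirm what actually got published
Get-WebApplicationProxyApplication | Select-Object Name, ExternalUrl, BackendServerUrl
```

Keeping the rules in a script like this means that when HTTP publishing does arrive, the only thing that changes is the catch block stops firing; the rest of your Lync publishing is already codified and repeatable.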
JB
Lync 2013 Monitoring and Mirroring Gotcha
If you don’t configure your 2013 platform for SQL mirroring from the outset (or at least, prior to deploying the Lync Reports), then add mirroring later, you’ll find your Lync Monitoring Reports stop working when you failover the SQL servers.
The reason is that the report deployment configures its datasources for the SQL instance(s) it is aware of at deployment time, and subsequent changes to the SQL topology won’t be reflected in the datasources later.
Not a major job to fix, you’ll just need to change your datasource connection strings.
1. Open your SSRS front end http://<server>/reports
2. Open the Reports_Content Folder
3. Edit the properties of both CDRDB and QMSDB datasources
4. Change the connection strings to use the following syntax:
Data Source=SQLServer1\SQLInstance;Failover Partner=SQLServer2\SQLInstance;Initial Catalog=<DBName>
5. Re-enter your report user password and hit Test Connection to ensure it works, then Apply and you’re done.
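Added example, not from the original post: the same change made through the SSRS web service rather than the Report Manager UI, so it can be re-run after every topology change. It assumes the default /ReportServer virtual directory, the /Reports_Content folder the Lync report deployment creates, and the LcsCDR and QoEMetrics database names the monitoring role uses. The report-user password has to be supplied again because the web service never returns stored passwords, which is the same reason step 5 above makes you re-enter it.

```powershell
# Added example (not from the original post). Paths, instance names and
# database names are assumptions; run from a box that can reach the report server.
param(
    [string]$ReportServer = 'http://<server>/ReportServer',
    [string]$Primary      = 'SQLServer1\SQLInstance',
    [string]$Partner      = 'SQLServer2\SQLInstance',
    [Parameter(Mandatory)][pscredential]$ReportUser   # the account the datasources run as
)

# ReportService2010 is the management endpoint; it exposes the shared datasource items.
$svc = New-WebServiceProxy -Uri "$ReportServer/ReportService2010.asmx" -UseDefaultCredential

function Set-FailoverPartner {
    param(
        [Parameter(Mandatory)][string]$Path,       # e.g. '/Reports_Content/CDRDB'
        [Parameter(Mandatory)][string]$Database    # e.g. 'LcsCDR'
    )
    $def = $svc.GetDataSourceContents($Path)
    $def.ConnectString = "Data Source=$Primary;Failover Partner=$Partner;Initial Catalog=$Database"

    # Stored credentials come back with a blank password, so re-supply them or the
    # save will leave the datasource unusable.
    $def.UserName = $ReportUser.UserName
    $def.Password = $ReportUser.GetNetworkCredential().Password
    $svc.SetDataSourceContents($Path, $def)

    # Read it back so the script shows what the report server now holds.
    $svc.GetDataSourceContents($Path) |
        Select-Object @{ n = 'Path'; e = { $Path } }, ConnectString, CredentialRetrieval
}

Set-FailoverPartner -Path '/Reports_Content/CDRDB' -Database 'LcsCDR'
Set-FailoverPartner -Path '/Reports_Content/QMSDB' -Database 'QoEMetrics'
```

The read-back is the equivalent of hitting Test Connection: if the ConnectString printed does not carry the Failover Partner, the save did not take.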
Wellington IUG | Lync 2013 Migration Pro-Tips | April 9th @ 5pm
I’ll be presenting a usergroup session on Lync 2013 in early April down in Wellington at Microsoft’s recently refurbished office (Level 12, 157 Lambton Quay) – you should come – it’ll be great.
Lync 2013 is here – planned your upgrade yet?
Lync 2013 is here, and it’s action-packed full of fantastic new features that will quite honestly change your life. If, like many organisations, you drank the kool-aid a while back and deployed OCS or Lync 2010, you’ll be asking yourself whether you should be upgrading, and how you go about it.
We’ll do a whistle-stop tour through the pick of the new features – hopefully helping you build your business case to upgrade – and run step-by-step through a Lync 2010-2013 upgrade, including a few lessons from the field to save you some pain.
Registration is required for this event – please do so here if you’d like to attend. (did I mention there’s free beer and pizza?)
Hyper-V USB Storage Limitation and Workaround
As many before me have experienced, I struck an error recently when creating or starting a Hyper-V VM on Windows 8 (with USB 3.0 external storage) where I encountered the following error message:
Failed to create external configuration store at <path>: General access denied error (Virtual machine ID 0x80070005)
User "domain\user" failed to create external configuration store at <path>: General access denied error (virtual machine ID 0x80070005)"
There’s no shortage of suggested workarounds on the web, but most relate to permissions or disk format (NTFS/FAT32), and none worked for me. After exploring a bunch of the suggested fixes, I stumbled on this superbly technical post that raised the excellent point that not all USB devices mount in the same way, and therefore don’t all present to Hyper-V in a way that is compatible.
So on a hunch, I tried an alternative mounting method in Disk Management. Rather than the normal approach of creating a volume and assigning it a drive letter, I mounted it as an NTFS volume under an existing drive – my existing HDD was partitioned with C: and D: partitions, so I mounted the SSD volume as D:\SSD.
And just like that, everything worked perfectly. I had no further issues using this storage media with Hyper-V. Problem solved.
Now, there’s a distinct likelihood this has a performance impact (I’m genuinely unsure if there is a tradeoff involved in using the NTFS mount method) – though in my ad-hoc testing I saw no discernible difference in performance of the SSD-based data. If anything, the only performance hit seemed to be when accessing other data on the rest of the D: partition – but I haven’t managed to quantify that (and may well be imagining it).
Bear in mind also that because the drive is mounted under your local file system, your drive is no longer strictly portable, in as much as there is no file system reference data on the USB drive itself, so if you plug the drive into a different computer, that computer won’t be able to see what’s on the external disk (and will report it as empty).
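Added example, not from the original post: the same folder mount done with the Storage module cmdlets instead of clicking through Disk Management, which makes it easy to redo after the drive has been unplugged and re-lettered. It assumes the external SSD shows up as disk 2 with a single partition, that D: is an NTFS volume, and that the mount folder D:\SSD is empty (a mount point must be an empty directory).

```powershell
# Added example (not from the original post). Disk/partition numbers and the
# mount folder are assumptions; run in an elevated PowerShell window.
function Mount-VolumeUnderFolder {
    param(
        [Parameter(Mandatory)][int]$DiskNumber,
        [int]$PartitionNumber = 1,
        [Parameter(Mandatory)][string]$AccessPath   # e.g. 'D:\SSD', must be on an NTFS volume
    )
    if (-not (Test-Path $AccessPath)) {
        New-Item -ItemType Directory -Path $AccessPath | Out-Null
    } elseif (Get-ChildItem -Path $AccessPath -Force | Select-Object -First 1) {
        throw "$AccessPath is not empty; a mount point must be an empty folder"
    }

    $part = Get-Partition -DiskNumber $DiskNumber -PartitionNumber $PartitionNumber -ErrorAction Stop

    # Drop the auto-assigned drive letter first so the volume is reachable only via
    # the folder; leaving both in place defeats the point of the workaround.
    if ($part.DriveLetter) {
        Remove-PartitionAccessPath -InputObject $part -AccessPath "$($part.DriveLetter):\"
    }
    Add-PartitionAccessPath -InputObject $part -AccessPath $AccessPath

    # Show the resulting access paths: the folder plus the \\?\Volume{...} GUID path
    Get-Partition -DiskNumber $DiskNumber -PartitionNumber $PartitionNumber |
        Select-Object DiskNumber, PartitionNumber, DriveLetter, AccessPaths
}

# Find the external disk first (look for the USB bus type), then mount it
Get-Disk | Select-Object Number, FriendlyName, BusType, Size
Mount-VolumeUnderFolder -DiskNumber 2 -AccessPath 'D:\SSD'
```

Point the Hyper-V VM's configuration and VHDX paths at D:\SSD\... after this; the Remove-PartitionAccessPath step is what stops Windows from quietly handing the drive a letter again on the next reconnect.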
Apply default calendar permissions in Office 365
April 5, 2016
Exchange Online, Office 365, PowerShell
gingerninjanz
Something that’s often frustrated me as an O365 Administrator is the lack of ability to craft and apply default calendar sharing permissions in Office 365. Sure you can create sharing policy for external organisations, but what about all your internal users? This is pretty standard stuff for internal collaboration, so why can’t we do it via the Admin Portal?
Like most things though, if you can’t do it via the UI, you can probably do it via PowerShell. Guess what.. you can do this too..
I love PowerShell so I’m ok with this, but on the off-chance you’re less excited by the ‘shell approach, feel free to steal this and claim it as your own (I don’t care – own it).
So first up, get your ‘Shell sessions sorted – if you’re already sorted here, skip to the next bit. If you’re not, check this out (I don’t tend to do this bit quite like other folks – mostly cos I’m lazy and don’t like typing in my username).
If you’re wondering why I’m calling an Outlook session and the MSOLService, that’s cos we’re going to cross both the Office 365 and Azure AD environments. Madness.
There are a bunch of blog posts out there that talk about how to apply permissions for a given user, but frankly that’s what the GUI is for, so why bother doing that via PowerShell. I’m more interested in bulk application of permissions, so that’s what you’ll find below.
Let’s assume you have (like I do) a security group that includes all your users (or at least a big chunk of the ones you care about). And lets assume you want to apply the same set of standard calendar sharing permissions to all your users – so all staff can see the same properties of all other staff. That’s what this bit does…
Now, like many a lazy (pragmatic?) admin, my ‘all staff’ group is actually a set of nested groups – in my case, one for each of our global offices. Not an unusual scenario I suspect. So first thing I need to do is expand those out to their actual members. Let’s do that first. Note that if you are not using nested groups, you can skip this step.
<Group DisplayName> is the name of your ‘all staff’ group. This step will find all the groups that exist within your ‘all staff’ group.
Now that we have the list of actual groups in your main group, we’re going to iterate through each one, find the members, and set a given set of permissions for each mailbox. The syntax here is Set-/Add-MailboxFolderPermission -Identity <calendar being impacted> -User <user being granted permission> -AccessRights <specific access control>.
This will step through each nested group, expand the members, and assign the permissions defined above to each member. In addition it will set basic permissions for the system roles ‘Default’ and ‘Anonymous’. Feel free to adjust these to suit your purposes.
I confess, I’m being a little lazy here. What I probably should do here is apply some if/then/else logic to determine what the current sharing permissions are, to ensure only actual changes are processed, which would (massively) speed up the script, but I ran out of time to get the logic working (it’s more complicated than just a simple ‘where equals’ unfortunately). It’s on my backlog – I’ll update this post if (when?) I get it working.
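Added example, not the post’s own script: a version of the bulk assignment that expands the nested ‘all staff’ group, grants every member the same right on every other member’s calendar, sets the Default and Anonymous roles, and reads the existing permissions first so a rerun only touches entries that actually differ (the if/then/else logic mentioned above). It assumes an Exchange Online session is already imported, that the groups are mail-enabled so Get-DistributionGroupMember can expand them, that mailboxes are English-language (the folder is literally named Calendar), and that the User.DisplayName on an existing permission entry matches the grantee’s mailbox DisplayName, which is the comparison that makes the check fiddly.

```powershell
# Added example (not from the original post). Group name, rights and the
# DisplayName-based comparison are assumptions; see the lead-in.
function Get-NestedGroupMembers {
    param([Parameter(Mandatory)][string]$Group)
    foreach ($m in Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited) {
        if ($m.RecipientTypeDetails -like '*Group*') {
            Get-NestedGroupMembers -Group $m.Identity          # recurse into nested groups
        } elseif ($m.RecipientTypeDetails -eq 'UserMailbox') {
            $m
        }
    }
}

function Set-StaffCalendarPermissions {
    param(
        [Parameter(Mandatory)][string]$Group,           # your 'all staff' group
        [string]$StaffRights     = 'LimitedDetails',    # what staff see on each other's calendars
        [string]$DefaultRights   = 'AvailabilityOnly',
        [string]$AnonymousRights = 'None'
    )
    $members = Get-NestedGroupMembers -Group $Group | Sort-Object PrimarySmtpAddress -Unique

    foreach ($owner in $members) {
        $calendar = "$($owner.PrimarySmtpAddress):\Calendar"

        # Snapshot what is already there so unchanged entries cost no write cmdlets.
        $existing = @{}
        Get-MailboxFolderPermission -Identity $calendar |
            ForEach-Object { $existing[$_.User.DisplayName] = ($_.AccessRights -join ',') }

        foreach ($role in @{ Default = $DefaultRights; Anonymous = $AnonymousRights }.GetEnumerator()) {
            if ($existing[$role.Key] -ne $role.Value) {
                Set-MailboxFolderPermission -Identity $calendar -User $role.Key -AccessRights $role.Value
            }
        }

        foreach ($viewer in $members) {
            if ($viewer.PrimarySmtpAddress -eq $owner.PrimarySmtpAddress) { continue }
            $have = $existing[$viewer.DisplayName]
            if ($null -eq $have) {
                Add-MailboxFolderPermission -Identity $calendar -User $viewer.PrimarySmtpAddress -AccessRights $StaffRights
            } elseif ($have -ne $StaffRights) {
                Set-MailboxFolderPermission -Identity $calendar -User $viewer.PrimarySmtpAddress -AccessRights $StaffRights
            }
        }
        Write-Host "Processed $($owner.PrimarySmtpAddress)"
    }
}

Set-StaffCalendarPermissions -Group '<Group DisplayName>'
```

This is still n² grants across the staff list, so the first run over a large tenant is slow no matter what; the snapshot of existing permissions is what turns every subsequent run into n reads plus only the writes that are genuinely needed.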
Hope this is useful.
JB / TheGingerOne