v2.3.1 (#22)

## <a href="https://github.com/GruberMarkus/Export-RecipientPermissions/releases/tag/v2.3.1" target="_blank">v2.3.1</a> - 2022-11-28 ### Added - New FAQ in '`README`': 'How to export permissions for specific public folders?' ### Fixed - Sample code '`compare.ps1`' now additionally outputs the original identity of a trustee and not only the primary SMTP address. This helps with permissions granted to 'Anonymous' and 'Default', as well as with recipients which have been deleted in the time between the old and the new export. - Always include trustee groups in '`GrantorFilter`' when '`ExportDistributionGroups`' is set to '`OnlyTrustees`'
GruberMarkus · Nov 28, 2022 · 2b92fa3 · 2b92fa3
1 parent 2c8284c
commit 2b92fa3
Show file tree

Hide file tree

Showing 6 changed files with 105 additions and 11 deletions.
diff --git a/.github/workflows/build, draft release.yml b/.github/workflows/build, draft release.yml
@@ -15,12 +15,12 @@ jobs:
           fetch-depth: 0
 
       - name: Install GitVersion
-        uses: gittools/actions/gitversion/[email protected].14
+        uses: gittools/actions/gitversion/[email protected].15
         with:
           versionSpec: "5.x"
 
       - name: Determine SemVer
-        uses: gittools/actions/gitversion/[email protected].14
+        uses: gittools/actions/gitversion/[email protected].15
         with:
           additionalArguments: '/overrideconfig major-version-bump-message="^(build|chore|ci|docs|feat|fix|perf|refactor|revert|style|test)(\\([\\w\\s]*\\))?(!:|:.*\\n\\n((.+\\n)+\\n)?BREAKING CHANGE:\\s.+)" /overrideconfig minor-version-bump-message="^(feat)(\\([\\w\\s]*\\))?:" /overrideconfig patch-version-bump-message="^(build|chore|ci|docs|fix|perf|refactor|revert|style|test)(\\([\\w\\s]*\\))?:"'
 

diff --git a/build/build.ps1 b/build/build.ps1
@@ -58,7 +58,7 @@ function main {
         $tempFileContent = $tempFileContent -replace 'XXXRemoveWhenBuildingXXX-->', ''
         $tempFileContent | Set-Content $($_[0])
         # convert to HTML
-        & pandoc.exe $($_[0]) --resource-path=".;docs" -f gfm -t html --self-contained -H .\build\pandoc_header.html --css .\build\pandoc_css_empty.css --metadata pagetitle="$(([System.IO.FileInfo]"$($_[0])").basename) - $(($env:GITHUB_REPOSITORY -split '/')[1])" -o $($_[1])
+        & pandoc.exe $($_[0]) --resource-path=".;docs" -f gfm -t html --embed-resources --standalone -H .\build\pandoc_header.html --css .\build\pandoc_css_empty.css --metadata pagetitle="$(([System.IO.FileInfo]"$($_[0])").basename) - $(($env:GITHUB_REPOSITORY -split '/')[1])" -o $($_[1])
     }
 
 

diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
@@ -15,6 +15,13 @@
   ### Fixed
 -->
 
+## <a href="https://github.com/GruberMarkus/Export-RecipientPermissions/releases/tag/v2.3.1" target="_blank">v2.3.1</a> - 2022-11-28
+### Added
+- New FAQ in '`README`': 'How to export permissions for specific public folders?'
+### Fixed
+- Sample code '`compare.ps1`' now additionally outputs the original identity of a trustee and not only the primary SMTP address. This helps with permissions granted to 'Anonymous' and 'Default', as well as with recipients which have been deleted in the time between the old and the new export.
+- Always include trustee groups in '`GrantorFilter`' when '`ExportDistributionGroups`' is set to '`OnlyTrustees`'
+
 ## <a href="https://github.com/GruberMarkus/Export-RecipientPermissions/releases/tag/v2.3.0" target="_blank">v2.3.0</a> - 2022-10-25
 ### Added
 - When '`ExportFromOnPrem`' is set to '`$true`' and '`ExchangeConnectionUriList`' is not specified, '`ExchangeConnectionUriList`' defaults to '`http://<server>/powershell`' for each Exchange server with the mailbox server role

diff --git a/docs/README.md b/docs/README.md
@@ -76,6 +76,7 @@ Compare exports from different times to detect permission changes (sample code i
   - [2.9. Is there a GUI available?](#29-is-there-a-gui-available)
   - [2.10. Which resources does a particular user or group have access to?](#210-which-resources-does-a-particular-user-or-group-have-access-to)
   - [2.11. How to find distribution lists without members?](#211-how-to-find-distribution-lists-without-members)
+    - [2.11.1. How to export permissions for specific public folders?](#2111-how-to-export-permissions-for-specific-public-folders)
 - [3. Sample code](#3-sample-code)
   - [3.1. Get-DependentRecipients.ps1](#31-get-dependentrecipientsps1)
   - [3.2. Compare-RecipientPermissions.ps1](#32-compare-recipientpermissionsps1)
@@ -705,6 +706,76 @@ $params = @{
 }
 
 
+& .\Export-RecipientPermissions\Export-RecipientPermissions.ps1 @params
+```
+### 2.11.1. How to export permissions for specific public folders?
+You need three things for this:
+- GrantorFilter should only include Public Folder Mailboxes
+- ExportFileFilter needs to remove everything not of interest
+
+The following example shows how to export permissions granted on the public folder '/X', '/Y' and their subfolders, plus all members of groups granted permissions:
+```
+$params = @{
+    ExportFromOnPrem                            = $true
+    UseDefaultCredential                        = $true
+
+    ExportMailboxAccessRights                   = $false
+    ExportMailboxAccessRightsSelf               = $false
+    ExportMailboxAccessRightsInherited          = $false
+    ExportMailboxFolderPermissions              = $false
+    ExportMailboxFolderPermissionsAnonymous     = $true
+    ExportMailboxFolderPermissionsDefault       = $true
+    ExportMailboxFolderPermissionsOwnerAtLocal  = $true
+    ExportMailboxFolderPermissionsMemberAtLocal = $true
+    ExportSendAs                                = $false
+    ExportSendAsSelf                            = $false
+    ExportSendOnBehalf                          = $true
+    ExportManagedBy                             = $false
+    ExportLinkedMasterAccount                   = $false
+    ExportPublicFolderPermissions               = $true
+    ExportPublicFolderPermissionsAnonymous      = $true
+    ExportPublicFolderPermissionsDefault        = $true
+    ExportForwarders                            = $false
+    ExportManagementRoleGroupMembers            = $false
+    ExportDistributionGroupMembers              = 'OnlyTrustees'
+    ExportGroupMembersRecurse                   = $true
+    ExpandGroups                                = $false
+    ExportGuids                                 = $true
+    ExportGrantorsWithNoPermissions             = $true
+    ExportTrustees                              = 'All'
+
+    RecipientProperties                         = @()
+    GrantorFilter                               = "if ( (`$Grantor.RecipientTypeDetails.Value -ieq 'PublicFolderMailbox') ) { `$true } else { `$false }"
+    TrusteeFilter                               = $null
+    ExportFileFilter                            = "
+                                                    if (
+                                                        (
+                                                            (`$ExportFileLine.'Grantor Recipient Type' -ieq 'UserMailbox/PublicFolderMailbox') -and
+                                                            (
+                                                                (`$ExportFileLine.'Folder' -ieq '/X') -or
+                                                                (`$ExportFileLine.'Folder' -ilike '/X/*') -or
+                                                                (`$ExportFileLine.'Folder' -ieq '/Y') -or
+                                                                (`$ExportFileLine.'Folder' -ilike '/Y/*')
+                                                            )
+                                                        ) -or
+                                                        (
+                                                            `$ExportFileLine.'Grantor Recipient Type' -ine 'UserMailbox/PublicFolderMailbox'
+                                                        )
+                                                    ) {
+                                                        `$true
+                                                    } else {
+                                                        `$false 
+                                                    }
+                                                 "
+
+    ExportFile                                  = '..\export\Export-RecipientPermissions_Result.csv'
+    ErrorFile                                   = '..\export\Export-RecipientPermissions_Error.csv'
+    DebugFile                                   = ''
+
+    verbose                                     = $true
+}
+
+
 & .\Export-RecipientPermissions\Export-RecipientPermissions.ps1 @params
 ```
 # 3. Sample code

diff --git a/src/Export-RecipientPermissions.ps1 b/src/Export-RecipientPermissions.ps1
@@ -6423,6 +6423,10 @@ try {
                     if ($AllGroupMembers.ContainsKey($AllRecipients[$x].Identity.ObjectGuid.Guid)) {
                         $tempQueue.enqueue($x)
                     }
+
+                    if (($ExportDistributionGroupMembers -ieq 'OnlyTrustees') -and (($x -notin $GrantorsToConsider))) {
+                        $null = $GrantorsToConsider.add($x) # makes $ExportGrantorsWithNoPermissions work for these groups
+                    }
                 }
             }
         }
@@ -7085,8 +7089,21 @@ try {
             $tempQueue = [System.Collections.Queue]::Synchronized([System.Collections.Queue]::new($AllRecipients.count))
 
             foreach ($x in $GrantorsToConsider) {
-                $tempQueue.enqueue($x)
+                if (($AllRecipients[$x].RecipientTypeDetails.Value -ilike 'Group*') -or ($AllRecipients[$x].RecipientTypeDetails.Value -ilike '*Group')) {
+                    if ($ExportDistributionGroupMembers -ieq 'None') {
+                        # do nothing
+                    } elseif ($ExportDistributionGroupMembers -ieq 'OnlyTrustees') {
+                        if ($AllRecipients[$x].IsTrustee -eq $true) {
+                            $tempQueue.enqueue($x)
+                        }
+                    } else {
+                        $tempQueue.enqueue($x)
+                    }
+                } else {
+                    $tempQueue.enqueue($x)
+                }
             }
+
             $tempQueueCount = $tempQueue.count
 
             $ParallelJobsNeeded = [math]::min($tempQueueCount, $ParallelJobsLocal)

diff --git a/src/sample code/Compare-RecipientPermissions/Compare-RecipientPermissions.ps1 b/src/sample code/Compare-RecipientPermissions/Compare-RecipientPermissions.ps1
@@ -21,12 +21,11 @@ Param(
     $newCsv = '.\Export-RecipientPermissions_Output_new.csv',
 
     # Display results on screen before creating file showing changes
-    $DisplayResults = $false,
-
+    $DisplayResults = $true,
 
     # Path for export file showing changes
     # Set to '' or $null to not create this file
-    $ChangeFile = '.\changes.csv'
+    $ChangeFile = '.\comparison.csv'
 )
 
 
@@ -91,11 +90,11 @@ if ($DisplayResults) {
         Write-Host "  $($GrantorPrimarySmtp)"
         foreach ($DatasetObject in $Dataset[$($GrantorPrimarySmtpOrder.IndexOf($GrantorPrimarySmtp))..$($GrantorPrimarySmtpReverseOrder.count - 1 - $GrantorPrimarySmtpReverseOrder.IndexOf($GrantorPrimarySmtp))]) {
             if ($DatasetObject.Change -eq 'Deleted') {
-                Write-Host ("    Deleted: $($DatasetObject.'Trustee Primary SMTP') no longer has the '$($DatasetObject.'Permission')' right" + $(if ($DatasetObject.'Folder') { " on folder '$($DatasetObject.'Folder')'" }))
+                Write-Host ("    Deleted: '$($DatasetObject.'Trustee Original Identity')' (E-Mail '$($DatasetObject.'Trustee Primary SMTP')') no longer has the '$($DatasetObject.'Permission')' right" + $(if ($DatasetObject.'Folder') { " on folder '$($DatasetObject.'Folder')'" }))
             } elseif ($DatasetObject.change -eq 'New') {
-                Write-Host ("    New: $($DatasetObject.'Trustee Primary SMTP') now has the '$($DatasetObject.'Permission')' right" + $(if ($DatasetObject.'Folder') { " on folder '$($DatasetObject.'Folder')'" }))
+                Write-Host ("    New: '$($DatasetObject.'Trustee Original Identity')' (E-Mail '$($DatasetObject.'Trustee Primary SMTP')) now has the '$($DatasetObject.'Permission')' right" + $(if ($DatasetObject.'Folder') { " on folder '$($DatasetObject.'Folder')'" }))
             } else {
-                Write-Host ("    Unchanged: $($DatasetObject.'Trustee Primary SMTP') still has the '$($DatasetObject.'Permission')' right" + $(if ($DatasetObject.'Folder') { " on folder '$($DatasetObject.'Folder')'" }))
+                Write-Host ("    Unchanged: '$($DatasetObject.'Trustee Original Identity')' (E-Mail '$($DatasetObject.'Trustee Primary SMTP')') still has the '$($DatasetObject.'Permission')' right" + $(if ($DatasetObject.'Folder') { " on folder '$($DatasetObject.'Folder')'" }))
             }
         }
     }
@@ -115,4 +114,4 @@ if ($ChangeFile) {
 
 
 Write-Host
-Write-Host "End script @$(Get-Date -Format 'yyyy-MM-ddTHH:mm:sszzz')@"
+Write-Host "End script @$(Get-Date -Format 'yyyy-MM-ddTHH:mm:sszzz')@"