SendAs Permission in a Workflow with Add-ADPermission

Hello

I have a strange problem with a workflow.

The idea behind the workflow is:

  • We have shared mailboxes
  • For each shared mailbox we built a FullAccess and a SendAs group
  • If a user is added to the group, the workflow starts and we add the SendAs permission for the user via a PowerShell script

 

The problem is that the Add-Permission command is executed according to the debug log, but the SendAs command is not set on the mailbox in the end. If I run the code outside of AR, with the Admin user for AR, by hardcoding a test object, setting the SendAs permission on the mailbox works fine.

Is there any reason why an Exchange PowerShell command would not run within a workflow?

function SendAsAdd ($Request)
{
	#Var
	$ExchangeURL = "https://mail/PowerShell"
	$domainDN = "DC=XX,DC=CCC,DC=EEE"
	$Group = $workflow.SavedObjectProperties("Group").get("samAccountName")
	$Mail = $Group.Replace("_SENDAS", "")

	# Exchange Connection
	$SkipCertificate = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
	$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ExchangeURL -Authentication Basic -SessionOption $SkipCertificate -credential $DomainOverrideCredentials.get($domainDN)
	Import-PSSession -Session $Session -AllowClobber
	
	# Get Member of SendAs Group
	$SendASGroup = @()
	Get-ADGroupMember $Group | foreach {
		$SendASGroup += $_.SamAccountName
	}
	
	# Get Users that have send as permission on Mailbox
	$SendAS = @()
	Get-Mailbox -Identity $Mail | Get-ADPermission | ? { ($_.ExtendedRights -like "*send*") -and ($_.User -like "*ADDOMAIN*") } | foreach {
		$user = $_.User.split("\")[1]
		$SendAS += $user
	}
	
	# Compare the members of the group with the users that already have the permission and add it where it is missing
	foreach ($MBXMember in $SendASGroup)
	{
		# -notcontains compares whole names; -match treats the name as a regex and also hits substrings
		if ($SendAS -notcontains $MBXMember)
		{
			$UserToAdd = Get-ADUser -Identity $MBXMember -Properties distinguishedName
			$MailboxUser = Get-ADUser -Identity $Mail -Properties distinguishedName
			Add-ADPermission -Identity $MailboxUser -User $UserToAdd -AccessRights ExtendedRight -ExtendedRights "Send As"
		}
	}
	Remove-PSSession -Session $Session
}

  • I did some more testing; the remote PowerShell is behaving strangely. According to debug the code runs, but it is simply not executed, especially if you execute too much code. Especially as the code works in a normal PowerShell console, it makes little sense.

    I have outsourced some logic to the workflow and this seems to be executed.

    function SendAsAdd ($Request)
    {
    	#Var
    	$ExchangeURL = "https://mail/PowerShell"
    	$domainDN = "DC=XX,DC=CCC,DC=EEE"
    	$Group = $workflow.SavedObjectProperties("Group").get("samAccountName")
    	$User = $workflow.SavedObjectProperties("Users").get("distinguishedName")
    	$MailboxUser = $Group.Replace("_SENDAS", "")
    
    	# Exchange Connection
    	$SkipCertificate = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
    	$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ExchangeURL -Authentication Basic -SessionOption $SkipCertificate -credential $DomainOverrideCredentials.get($domainDN)
    	Import-PSSession -Session $Session -AllowClobber
    	
    
    	Add-ADPermission -Identity $MailboxUser -User $User -AccessRights ExtendedRight -ExtendedRights "Send As"
    
    	Remove-PSSession -Session $Session
    }
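
When a script reports that `Add-ADPermission` ran but the permission never appears, it helps to make the call fail loudly and read the ACE back before the session is closed. The following is an added example, not code from the thread: the function name `Set-SendAsVerified` and its parameters are hypothetical, and it assumes the Exchange session has already been imported with `Import-PSSession` as in the scripts above.

```powershell
# Added example (not from the original thread). Assumes the Exchange cmdlets
# are already available through Import-PSSession, as in the posted scripts.
# Set-SendAsVerified and its parameter names are hypothetical.
function Set-SendAsVerified {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Mailbox,    # mailbox identity (name, alias or DN)
        [Parameter(Mandatory)] [string] $User,       # trustee (DN or DOMAIN\samAccountName)
        [string] $DomainController                   # optional: pin write and read-back to one DC
    )

    # ErrorAction Stop turns remote non-terminating errors into exceptions,
    # so a failed call cannot pass silently in a non-interactive host.
    $common = @{ Identity = $Mailbox; User = $User; ErrorAction = 'Stop' }
    if ($DomainController) { $common.DomainController = $DomainController }

    try {
        # -Confirm:$false so a confirmation prompt can never block the workflow host
        Add-ADPermission @common -AccessRights ExtendedRight `
            -ExtendedRights 'Send As' -Confirm:$false | Out-Null
    }
    catch {
        throw "Add-ADPermission failed for '$User' on '$Mailbox': $($_.Exception.Message)"
    }

    # Read the ACL back and look for an allow ACE that carries the Send As right.
    $ace = Get-ADPermission @common |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -match '^Send.As$') }

    if (-not $ace) {
        throw "Add-ADPermission returned without error, but no Send As ACE for '$User' was found on '$Mailbox'."
    }
    return $ace
}

# Usage inside the workflow function, before Remove-PSSession:
# Set-SendAsVerified -Mailbox $MailboxUser -User $User
```

If the read-back fails only when `-DomainController` is omitted, the write and the read are probably landing on different domain controllers.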