James Marcum

Network Engineer / Administrator


Network and Account Security

Grant calendar rights to O365 user script

Posted on 2024-04-03 by Jim

So I found the commands in Exchange PowerShell to add a user to have rights to a shared mailbox. Then I wrote it out as a script.

Import-Module ExchangeOnlineManagement
$AdminAddress = Read-Host -Prompt "Enter your admin e-mail address"
Connect-ExchangeOnline -UserPrincipalName $AdminAddress -ShowProgress $true
$SharedCalendar = Read-Host -Prompt "E-mail address of shared mailbox"
$RightsRecipient = Read-Host -Prompt "E-mail address of person getting rights to calendar"
$RightsLevel = Read-Host -Prompt "Enter either Editor or Reviewer"
# ${} delimits the variable name so the ':' is not read as part of the variable reference
Add-MailboxFolderPermission -Identity "${SharedCalendar}:\calendar" -User $RightsRecipient -AccessRights $RightsLevel



Now, this works… assuming you don’t have any typos and you have all your ducks in a row. HOWEVER, I wanted to cover most of my bases, and demonstrate to my team how to write a more ‘robust’, error-checking script with documentation, to be used as a reference for future PS scripting. So I came up with this-

# JMarcum - 2024-Jan-05  // Always sign and date your code, and
#            add revision notes below the 'Purpose' section.
# PURPOSE:
# Grant requested access level to shared calendar in O365 to specified user

###  FUNCTIONS
# Validate text choices for granting calendar rights
Function ValidateOption {
  Param (
    [Parameter(Mandatory=$true)]
    [ValidateNotNullOrEmpty()]
    [ValidateSet('E','R')][string]$RightsLevel
  )
}

# Validate e-mail address as actual mailbox
function Test-ADUser {
  param(
    [Parameter(Mandatory=$true)]
    [ValidateNotNullOrEmpty()]$mail
  )
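  try {
    # Cast address as mailaddress to check the format; an invalid address throws and lands in catch.
    # Discard the result so the function returns a single value.
    $null = [mailaddress]$mail
    # If e-mail address format is valid, see if user in forest (or the scope of account you are running this as)
    # The address goes into the LDAP filter as typed; LDAP special characters such as * ( ) are not escaped
    return ($null -ne ([ADSISearcher]"(mail=$mail)").FindOne())
  }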
  catch {
    return $false
  }
  finally {
    $Error.Clear()
  }
}

###  CODE
# Break if error
$ErrorActionPreference = 'Stop'

# Connect to O365 using admin credentials
try {
  Import-Module ExchangeOnlineManagement
  $AdminAddress = Read-Host -Prompt "Enter your admin e-mail address"
  Connect-ExchangeOnline -UserPrincipalName $AdminAddress -ShowProgress $true
}
catch {
  Write-Host "Run the following commands in PowerShell before running this script:"
  Write-Host "Install-Module -Name ExchangeOnlineManagement"
  Write-Host "Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser"
  Exit
}

# Get addresses of calendar to share and user to give rights to
# Shared Calendar e-mail address
$SharedCalendar = ''
do {
  try {
    $SharedCalendar = Read-Host -Prompt "E-mail address of shared mailbox"
    if (($SharedCalendar -eq '') -or ((Test-ADUser $SharedCalendar) -eq $false)) {
      throw
    }
  }
  catch {
    Write-Host "Please check address and re-enter"
    $SharedCalendar = 'invalid'
  }
  finally {
    $Error.Clear()
  }
} until (Test-ADUser $SharedCalendar)

# E-mail address of person being granted rights to shared mailbox
$RightsRecipient = ''
do {
  try {
    $RightsRecipient = Read-Host -Prompt "E-mail address of person getting rights to calendar"
    if (($RightsRecipient -eq '') -or ((Test-ADUser $RightsRecipient) -eq $false)) {
      throw
    }
  }
  catch {
    Write-Host "Please check address and re-enter"
    $RightsRecipient = 'invalid'
  }
  finally {
    $Error.Clear()
  }
} until (Test-ADUser $RightsRecipient)

# Get requested calendar rights for user
$RightsLevelTest = ''
do {
  try {
    $RightsLevelTest = Read-Host -Prompt "(E)ditor/(R)eviewer"
    ValidateOption $RightsLevelTest
  }
  catch {
    Write-Host "Please type either E for Editor or R for Reviewer"
    $RightsLevelTest = ''
  }
  finally {
    $Error.Clear()
  }
} until ($RightsLevelTest -ne '')

# Assign correct value to rights level
if ($RightsLevelTest -eq 'R') {
  $RightsLevel = "Reviewer"
} else {
  $RightsLevel = "Editor"
}

# Grant requested rights to calendar
try {
  # ${} delimits the variable name so the ':' is not read as part of the variable reference
  Add-MailboxFolderPermission -Identity "${SharedCalendar}:\calendar" -User $RightsRecipient -AccessRights $RightsLevel
}
catch {
  Write-Host "Please re-run as account with O365 Admin rights"
}

With this code, I have accounted for a majority of the ‘oops’ that can occur in a script that calls various services. Yes, I could have gotten more involved in certain checks (like confirming Exchange Admin rights at the beginning), but this was more a “proof of concept”.

Hopefully it helps some people out there!
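
An added example, not part of the original script: the final grant step made repeatable and verifiable. Add-MailboxFolderPermission fails when the recipient already has an entry on the folder, so this checks first, adds or updates, then reads the entry back. It assumes an existing Connect-ExchangeOnline session; the function name Grant-CalendarAccess is hypothetical.

```powershell
# Added example, not the author's code.
# Assumes Connect-ExchangeOnline has already succeeded in this session.
# Grant-CalendarAccess is a hypothetical helper name.
function Grant-CalendarAccess {
  param(
    [Parameter(Mandatory = $true)][string]$SharedCalendar,
    [Parameter(Mandatory = $true)][string]$RightsRecipient,
    [Parameter(Mandatory = $true)][ValidateSet('Editor', 'Reviewer')][string]$RightsLevel
  )

  # ${} keeps the ':' from being parsed as part of the variable name
  $folder = "${SharedCalendar}:\calendar"

  # Look up any existing entry for this user; the cmdlet errors when there is none
  $existing = Get-MailboxFolderPermission -Identity $folder -User $RightsRecipient -ErrorAction SilentlyContinue

  if ($existing -and ("$($existing.AccessRights)" -eq $RightsLevel)) {
    Write-Host "$RightsRecipient already has $RightsLevel on $folder; nothing changed"
    return $existing
  }

  if ($existing) {
    # An entry exists with a different level: replace it instead of adding a second one
    Write-Host "Changing $RightsRecipient from $($existing.AccessRights) to $RightsLevel on $folder"
    Set-MailboxFolderPermission -Identity $folder -User $RightsRecipient -AccessRights $RightsLevel -ErrorAction Stop
  } else {
    Add-MailboxFolderPermission -Identity $folder -User $RightsRecipient -AccessRights $RightsLevel -ErrorAction Stop
  }

  # Read the entry back so the operator sees what is actually in effect
  Get-MailboxFolderPermission -Identity $folder -User $RightsRecipient -ErrorAction Stop
}
```

Because the function lets the real error propagate, a failure shows its actual cause instead of a fixed "re-run as admin" message.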

Posted in Network and Account Security Scripting

Is this user in ‘Group X’?

Posted on 2016-06-09 by Jim

OK, so here is the scenario – I was tasked with scripting an action based on group membership. The environment in question does not use nested groups, so I didn’t need to compensate for that (as Hey, Scripting Guy! already addressed). I also didn’t want to introduce the possibility of infinite recursion if group A had group B nested in it, which in turn contained group A. This is a real problem I have encountered at a different location that relied on group nesting up to 6 or 7 levels deep… kinda hard to keep track that way. Plus, I wanted to see if I could do it myself.

Now, I could do this in PowerShell, but I’m old fashioned. And so are some of the environments I have to support in my off hours. So, without further ado, here is the code I wrote to make this happen.


' 2016-06-06 JMarcum
' Pass the group to be tested in quotes
' Ex: cscript //nologo test-group.vbs "Domain Users"
' Returns 1 if user is a member of the group, 0 if not

' Variable Declarations
Dim WSHNetwork
Dim strUserName    ' Current user
Dim strUserDomain  ' Current users domain name
Dim strTestGroup   ' Group we are testing for - from command line
Dim strArg
Dim objGroupList
Dim objUser
Dim objArgs
Dim intExists
Dim intCount

' Load strTestGroup with the group passed from command line
intCount = 1
Set objArgs = WScript.Arguments
For Each strArg in objArgs
    If intCount = 1 Then
        strTestGroup = strArg
    Else
        strTestGroup = strTestGroup & Space(1) & strArg
    End If
    intCount = intCount + 1
Next
Set objArgs = Nothing

' Wait until the user is really logged in...
Set WSHNetwork = WScript.CreateObject("WScript.Network")
strUserName = ""
While strUserName = ""
    WScript.Sleep 100 ' 1/10 th of a second
    strUserName = WSHNetwork.UserName
Wend

' Get the users group memberships
Set objGroupList = CreateObject("Scripting.Dictionary")
objGroupList.CompareMode = vbTextCompare
Set objUser = GetObject("WinNT://" _
    & WSHNetwork.UserDomain & "/" _
    & strUserName & ",user")
For Each objGroup In objUser.Groups
    objGroupList.Add objGroup.Name, " , "
Next
Set objUser = Nothing

' Test group memberships
intExists = 0  ' Default to Not Found
' Group names are stored in the dictionary without quotes, so test the name
' exactly as assembled from the command line, whether it arrived as one
' quoted argument or as several space-separated words
If objGroupList.Exists(strTestGroup) Then
    intExists = 1
End If
Set objGroupList = Nothing

' intExists = 1 if user is a member of the group, 0 if not.  Return that value as %ERRORLEVEL%
WScript.quit intExists
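
An added example, not the author's code: the nested-group case the post deliberately avoids, written so that circular nesting (group A in group B in group A) cannot cause infinite recursion. It walks the membership graph iteratively and records each group it has seen. The group names and the `$MemberOf` table are constructed sample data, and Test-NestedMembership is a hypothetical function name; a real script would fill the table from directory lookups.

```powershell
# Added example, not part of the original post.
# Constructed sample data: key = user or group, value = groups it is a DIRECT member of.
# GroupA and GroupB deliberately contain each other (circular nesting).
$MemberOf = @{
  'jdoe'     = @('Helpdesk')
  'Helpdesk' = @('GroupA')
  'GroupA'   = @('GroupB', 'Printers')
  'GroupB'   = @('GroupA')
  'Printers' = @()
}

function Test-NestedMembership {
  param(
    [Parameter(Mandatory = $true)][string]$Principal,
    [Parameter(Mandatory = $true)][string]$TargetGroup,
    [Parameter(Mandatory = $true)][hashtable]$Graph
  )
  # Groups already expanded; case-insensitive like directory group names
  $visited = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
  $queue = [System.Collections.Generic.Queue[string]]::new()
  $queue.Enqueue($Principal)

  while ($queue.Count -gt 0) {
    $current = $queue.Dequeue()
    # A name missing from the table yields $null, which foreach skips
    foreach ($parent in $Graph[$current]) {
      if ($parent -eq $TargetGroup) { return $true }
      # Add() returns $false for a group seen before, so a cycle is never re-queued
      if ($visited.Add($parent)) { $queue.Enqueue($parent) }
    }
  }
  return $false
}

# Both calls finish even though GroupA and GroupB contain each other
Test-NestedMembership -Principal 'jdoe' -TargetGroup 'Printers' -Graph $MemberOf
Test-NestedMembership -Principal 'jdoe' -TargetGroup 'Domain Admins' -Graph $MemberOf
```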

Posted in AD Structure Network and Account Security Scripting

The argument for Passphrases

Posted on 2015-02-11 by Jim

I see so many instances where people’s accounts are hacked, or phished, and I just wanted to put out a few pointers that I give to the users on my own network. PLEASE read this all and FOLLOW THESE DIRECTIONS!!! It will make it WAY HARDER for hackers/phishers to get into your account!!! Also, remember- these are guidelines for EVERY site/account you use!

Your password should not be a name of a person, place or thing (i.e., try not to put your child’s name in there, or your pet’s name). Also, your password should not contain your e-mail name or any part of your full name.

Remember that passwords are CASE SeNsITiVe on most sites, so pay attention to your ‘CAPS LOCK’ and ‘SHIFT’ keys.

As a suggestion, try using a small phrase as your password, with punctuation in place –

Examples –

  • Wow, this is gr8!
  • this1is4u
  • hi, howru2day?
  • Get that cat OUT of my hat!

These are called passphrases, and are (currently) far more secure than passwords. Also, it is easier to remember a passphrase than it is to remember a random password of equal length. Substituting numbers for letters where they match phonetically (ex.: gr8 replacing great) also confuses some password cracking software. The longer your password/phrase, the longer it takes to break it, and the more likely it is that the hacker will just move on to the next account!

Now that we’ve covered picking a password/phrase, let’s move on to ‘phishing’. Many of you (maybe all?) have been ‘phished’ at one point or another. It happened to me once, so I know how easy it is to fall into it.

‘Phishing’ is usually done in one of two ways-

  1. An e-mail that looks official and asks you to provide your username and/or password (or Social Security number, bank account info, whatever). These are NEVER (repeat- NEVER!) legitimate! Mark them as spam and move on. Save yourself the heartache, please!
  2. A logon screen. Looks just like the one for the site you are on, right? But you’re already logged on. Now, look up at the address… not the one for that site, is it? Hit the ‘Back’ button a couple of times and don’t go back to the profile/message/bulletin that took you to the fake logon. Report it to the site administrators if possible.

Now, if you follow these simple rules on EVERY site and EVERY computer/network you get on, you will be FAR less likely to get your account hacked by someone. Of course, a truly determined hacker can bypass these precautions, but it will at least make them work for it.

If you do get hacked, they can send messages as you, they can delete your e-mails, change your profile, even delete your account or friends list. So please, please follow this advice and share a link to it with others!

Jim

Posted in Network and Account Security

All code and other advice is provided as is with no warranty, express or implied. Test in a safe environment before using it live, as in all cases!
