Grant full access object in database

Similar Messages

• Unable to grant full access permission

  I am trying to grant full access permissions for one user to another users mailbox  when I right click on the user the command does not appear to allow this.  I have tried using the Add-MailboxPermission CMdlet but this is not recognised either.
  My exchange knowledge is relatively limited so it may be something simple, but I would appreciate any assistance.
  best regards
  James

  Turns out someone had saved the wrong credentials in the RDP  connection and I was logging in as the wrong user.

• Granting full access and Mailbox Caching

  Hi!
  We have a Microsoft Server 2008 R2 (terminal server) with Office 2013. The mailboxes are hosted by Microsoft Online. If a user creates a Outlook profile everything goes well. I
  even have a policy set up that forces to Cache one month to speed things up.
  Now when I give this person 'full access to a colleges mailbox it appears (magically) on its own which is perfect yes? However it starts caching the entire mailbox from that college
  and not just a month. What Group Policy should I set? Or should I do this differently.
  The only Group Policies which I have set (for Outlook that is) are:
  Cached Exchange Mode Sync Settings (1 month)
  Use Cached Exchange mode for new and existing Outlook profiles. (enable)

  Thank you for sharing your solution and experience here. Have a good time.
  Tony Chen
  TechNet Community Support

• Script Grant Full Access Permission on Multiple Folders and Sub-Folders

  Hi, I'm having a issue trying to run this script. 
  1.)It provides each folder with "Special" Permission over them. (Read, Write, Modify, Full control). Is there a way of making it "Full Control" Permission instead of special permission?
  or
  2.) Is there a way to make the Object Apply to "This Folder,sub folders and files" (when i change it manually this it changes to Full Control Access)?
  What I tried doing in the following script is removing the inheritance of the folder then applying its level of authentication. I do get some errors and I'm pretty sure it's has to do with some files being password protected.
  $domainG = "Domain\Group"
  $dir = "X:\Folder\Folder\*\SameName"
  $subfolder = Join-Path $dir "\*"
  $subsubfolder = Join-Path $subfolder "\*"
  $subsubsubfolder = Join-Path $subsubfolder "\*"
  $subsubsubsubfolder = Join-Path $subsubsubfolder "\*"
  $acl = Get-Item $dir |get-acl
  #This removes inheritance
  $acl.SetAccessRuleProtection($true,$true)
  $acl |Set-Acl
  # Gives full control
  $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @($domainG,"FullControl","Allow")
  $acl.SetAccessRule($rule)
  $acl |Set-Acl
  $acl = Get-Item $subfolder |Get-Acl
  # This adds full control to the subfolder
  $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @($domainG,"FullControl","Allow")
  $acl.SetAccessRule($rule)
  $acl |Set-Acl
  $acl = Get-Item $subsubfolder |Get-Acl
  # This adds full control to the sub sub folder
  $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @($domainG,"FullControl","Allow")
  $acl.SetAccessRule($rule)
  $acl |Set-Acl
  $acl = Get-Item $subsubsubfolder |Get-Acl
  # This adds full control to the sub sub subfolder
  $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @($domainG,"FullControl","Allow")
  $acl.SetAccessRule($rule)
  $acl |Set-Acl
  $acl = Get-Item $subsubsubsubfolder |Get-Acl
  # This adds full control to the sub sub sub subfolder
  $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @($domainG,"FullControl","Allow")
  $acl.SetAccessRule($rule)
  $acl |Set-Acl

  The constructor you are using for the FileSystemAccessRule will only apply to the object the ACE belongs to. To have it apply to anything else, you'll have to use the constructor with the following arguments:
  <Principal>, <Rights>, <InheritanceFlags>, <PropagationFlags>, <Type>
  The one you're using doesn't have the flags. Those two flags enumerations control two things that you'll see in the GUI: 'Applies To' and 'Only Applies to this Object'. To have the ACE apply to the folder, subfolders and files (and have it not show as 'Special'
  in the GUI), you'll want the InheritanceFlags as 'ContainerInherit, ObjectInherit' and the PropagationFlags as 'None'. Try this:
  $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @($domainG,"FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
  On a side note, check
  this module out. It greatly simplifies access control. If you're interested in it and have any questions, let me know.

• Granting full access rights to archiving reports

  Hi,
  During Monitoring Reports deployment, I've unintentionally granted ReadOnly permission to user administrator. Now I access to https://servername/reports and only view directories. I don't have any buttons, such as "new folder" or "new data
  source". I tried to rerun Monitoring Reports deployment - no result. In SQL management console for administrator user I unchecked ReportsReadOnlyRole for databases where this role exists. And also granted administrator user dbowner for all databases -
  no result.

  Hi,
  Is there any update on the issue?
  If the issue persists, you can also post the issue on SQL Reporting Services forum as the issue is also related to SQL Report Server permission issue. Thank you for your understanding.
  http://social.technet.microsoft.com/Forums/sqlserver/en-US/home?category=sqlserver
  Kent Huang
  TechNet Community Support

• I'm unable to grant full access to 2nd user account. What am I missing

  While our MacBook Pro is out for repairs, I need a way to process my wife's emails and other business. So I'm trying to set up a 2nd user account for my wife on our iMac (running 10.7.5 Lion). Unfortunately, every step I've tried has failed to grant permission for her account to access the iMac desktop or launch applications other than Safari.
  Here's what I've tried:
  1. I created an account with my wife's name and password under Users & Groups in System Preferences.
  2. In her Users & Groups account, I granted her Adminstrator privileges.
  3. In the Sharing folder in System Preferences, I selected all the folders except those labeled "remote" and "xgrid" (whatever that is). I granted Read & Write privileges for each one. These included two Desktop folders, and I added the folder for Applications.
  4. I made sure File Sharing was turned on, along with Printer Sharing, Web Sharing, Screen Sharing, Internet Sharing, etc.
  5. Under Sharing Options, I noted a checkmark in the box labeled "Share files and folders using AFP", although the "number of users connected" was 0. I left that alone.
  6. Because several sharing choices were listed as "blocked by firewall," I turned the Firewall setting off.
  Despite all this, when I log in as my wife, I cannot launch any major applications except Safari, whether from the Dock or Applications folder. In fact, most of the apps in the folder are grayed out. And when I try to access the Desktop, Other Files, and various other folders, I receive a message that her account "does not have permission to see the contents." Why not? What have I overlooked?
  This is becoming an urgent problem, because there's business that must be conducted. I have had similar problems with the iMac from the start, when it refused to accept me as the rightful owner of files that were transferred from our older Mac Pro dwesktop. Yikes!
  Any help on this will be very much appreciated. Thanks.
  Message was edited by: David Henderson7

  Hey thomashfrompa,
  Thanks for the question. I understand that you are experiencing issues with iTunes for Windows. The following article outlines the error message you are receiving and a potential resolution:
  iTunes 11.1.4 for Windows: Unable to install or open
  http://support.apple.com/kb/TS5376
  Some Windows customers may experience installation issues while trying to install or open iTunes 11.1.4.
  Symptoms may include:
  "The program can't start because MSVCR80.dll is missing from your computer"
  "iTunes was not installed correctly. Please reinstall iTunes. Error 7 (Windows Error 126)”
  "Runtime Error: R6034 - An application has made an attempt to load the C runtime library incorrectly"
  "Entry point not found: videoTracks@QTMovie@@QBE?AV?$Vector@V?$RefPtr@VQTTrack@@@***@@$0A@VCrashOnOverf low@@***@@XZ could not be located in the dynamic link library C:\Program Files(x86)\Common Files\Apple\Apple Application Support\WebKit.dll”
  Resolution
  Follow these steps to resolve the issue:
  Check for .dll files
  1. Go to C:\Program Files (x86)\iTunes and C:\Program Files\iTunes and look for .dll files.
  2. If you find QTMovie.DLL, or any other .dll files, move them to the desktop.
  3. Reboot your computer.
  Note: Depending on your operating system, you may only have one of the listed paths.
  Uninstall and reinstall iTunes
  1. Uninstall iTunes and all of its related components.
  2. Reboot your computer. If you can't uninstall a piece of Apple software, try using the Microsoft Program Install and Uninstall Utility.
  3. Re-download and reinstall iTunes 11.1.4.
  Thanks,
  Matt M.

• Using security groups to grant Full Mailbox Permissions

  Hi, I've of course found several articles discussing granting full mailbox permissions to universal security groups in Exchange 2010, however, most of them are outdated and provide contradicting information.
  So I figured I'd ask here to generate a more 'current' discussion of this and get the real answers.
  If I do the following:
  1. Create a shared mailbox
  2. Create a Universal Security group (USG)
  3. Add User X to the USG
  4. Grant the USG Full Access Permissions to the shared mailbox
  Q1: Will the shared mailbox automatically show up in User X's mailbox? I've read posts/articles claiming both NO and YES to this question. Some say you have to still go through the 'open additional mailboxes' setting in Outlook.
  Q2: According to the below thread, this is actually still a bug in Exchange 2010 in that when you assign Full Access to a Universal Group, it is supposed to auto-populate, but doesn't. Further, there are claims that USG replication takes a good 12-24 hours
  before showing up in the user's Outlook. Some say you actually need to restart the Information Store before it will take affect. This is in stark contrast to granting full access to an individual user account, which takes affect immediately.
  So what is the real truth here when using USGs to grant Full Access?
  https://social.technet.microsoft.com/Forums/exchange/en-US/9840fd13-daf8-45aa-ab35-4a827f1ba1e0/exchange-2010-unable-to-assign-full-access-permissions-using-a-security-group?forum=exchangesvrgenerallegacy
  Thanks,

  Hi squishmike,
  Thank you for your question.
  Q1: Will the shared mailbox automatically show up in User X's mailbox? I've read posts/articles claiming both NO and YES to this question. Some say you have to still go through the 'open additional mailboxes' setting in Outlook.
  A: By my testing, we still go through the ‘open addition mailbox’ setting in outlook when we open outlook with new profile.
  Q2: According to the below thread, this is actually still a bug in Exchange 2010 in that when you assign Full Access to a Universal Group, it is supposed to auto-populate, but doesn't. Further, there are claims that USG replication takes a good 12-24
  hours before showing up in the user's Outlook. Some say you actually need to restart the Information Store before it will take affect. This is in stark contrast to granting full access to an individual user account, which takes affect immediately. 
  So what is the real truth here when using USGs to grant Full Access?
  A: Question 1 has been answered it. It will show share mailbox by ‘open additional mailbox’, we will add shared mailbox manually.
  If there are any questions regarding this issue, please be free to let me know. 
  Best Regard,
  Jim

• Full access permissions and calendars

  Quick question...in Exchange 2007 if you grant full access permissions on a mailbox, does it also give full owner rights to the calendar as well?
  So if User A has full access permissions to User B's mailbox, do they also get Owner permissions on the calendar of User B?

  Hi,
  When you grant the Full Access permission to another user for a mailbox, that user becomes able to log on to the mailbox and access its entire contents. This includes calendar as well.
  Grant Full Access permission is different from applying the Owner role to a folder. For more details, you can refer to the following articles.
  Add-MailboxPermission:http://technet.microsoft.com/en-us/library/bb124097(v=exchg.150).aspx
  Add-MailboxFolderPermission:http://technet.microsoft.com/en-us/library/dd298062(EXCHG.140).aspx
  Best regards,
  Belinda
  Belinda Ma
  TechNet Community Support

• Exchange 2010 Full Access to mailbox not working.

  Hi Guys
  Few changes were made to exchange so users can only have "send on behalf of" when using shared mailboxes.
  for example : Sent from Bob Smith on behalf of [EmailAddress1]
  need to grant full access, then use the client delegate (outlook 2010) and add them to that also.
  even if you set permissions to none in Delegate the full access kicks in.
  if you remove the users name from delegate (set with no permissions) full access is gone.
  has anyone else come across this ?
  ive been trolling the net the last 2 days and havernt found a thing . .
  any help would be great.

  Hi ITWizchch,
  Try these methods to check what's happening and set the required access (i.e. SendOnBehalfOf without Full Access)
  Check for individual user or all users having access on John's mailbox:
  Get-MailboxPermission -Identity [email protected] | Format-List
  Get-MailboxPermission -Identity [email protected] -User "Ayla"
  Once permission is set you can use below to remove it:
  Remove-MailboxPermission -Identity John -User 'Ayla' -AccessRights FullAccess -InheritanceType All
  Set SendOnBehalf Permission:
  Set-mailbox John -GrantSendOnBehalfto @{Add="Ayla"}
  Set SendOnBehalf Permission:
  Set-mailbox John -GrantSendOnBehalfto @{Remove="Ayla"}
  NOTE:- When you modify a multivalued property, you must ensure that you append / remove the values accordingly , without Overwriting the existing list.
  Regards,
  Satyajit
  Please “Vote As Helpful”
  if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

• Previous Exchange Admin has somehow granted himself inherited Full access rights to All Exchange Mailboxes -AccessRights -InheritanceType

  Good Day,
  There is a previous employee that was a Systems Admin and somehow he granted himself access to Every Mailbox item at one point in time and the cleanup has been a bit messy.
  When this user is listed as "Full Access Granted" in the Manage Full Access Permissions function, and I delete him, I get a confirmation that he was removed, but then an additional item below it.  (This is depicted in the attached photo)
  How do I remove the hierarchical inheritance of this user?
  the commands in the photo show:
  Remove-Mailboxpermission -identity %OU String% -user %user% -inheritancetype 'All' -Accessrights 'FullAccess'
  Add-Mailboxpermission -identity %OU String% -user %user% -Deny -Accessrights 'FullAccess'

  Hello,
  I have removed permission to this user in ADSI Edit Microsoft Exchange Configuration CN and ensured that his name was no where to be found in the ADSI permissions for Exchange.  I was running the following command:
  Get-Mailbox | Remove-MailboxPermission -User %USER% -AccessRights FullAccess,SendAs,Exter
  nalAccount,DeleteItem,ReadPermission,ChangePermission,ChangeOwner -InheritanceType All
  and I get a return warning:
  WARNING: An inherited access control entry has been specified: [Rights: CreateChild, Delete, ReadControl, WriteDacl,
  WriteOwner, ControlType: Allow] 
  and was ignored on object "CN=%FullAccessUser%"
  How can I ensure that this user had NO permissions at all to the exchange mailboxes?

• Granting priviledge to objects in different databases

  hey all,
  I wanted to know if there is a way to grant an insert priviledge to a user in a different database. I have one user in environment A(so his connection information is johndoe@A). In A, there is a table that I need to give insert priviledge to to janedoe@B. Is there a way to do this? If so then do let me know how to go about it.
  Thanks.

  I assume that you are talking about different databases here, and not different schemas in the same database (if you're a SQL Server developer, you may well mean different schemas rather than different databases).
  In order for Jane to be able to operate on objects in another database, you would need to have created a database link between the systems. If Jane has access to that database link, she will connect to database A as either a particular user of database B, in which case she would have whatever privileges are granted to the that user in database B, or as herself, in which case there would need to be a Jane account on database A.
  Justin

• How to get list of users who all are having full access in sharepoint site using client object model c#

  Hi,
  I want to fetch the list of users who all are having full access to the sharepoint list using client object model with .Net
  Please let me know if any property for the user object or any other way to get it.
  Thanks in advance.

  Here you are complete code i created from some years it lists all groups and users, you can just add a check in the permissions loop to see if it is equal to Full Control.
  Private void GetData(object obj)
  MyArgs args = obj as MyArgs;
  try
  if (args == null)
  return; // called without parameters or invalid type
  using (ClientContext clientContext = new ClientContext(args.URL))
  // clientContext.AuthenticationMode = ClientAuthenticationMode.;
  NetworkCredential credentials = new NetworkCredential(args.UserName, args.Password, args.Domain);
  clientContext.Credentials = credentials;
  RoleAssignmentCollection roles = clientContext.Web.RoleAssignments;
  ListViewItem lvi;
  ListViewItem.ListViewSubItem lvsi;
  ListViewItem lvigroup;
  ListViewItem.ListViewSubItem lvsigroup;
  clientContext.Load(roles);
  clientContext.ExecuteQuery();
  foreach (RoleAssignment orole in roles)
  clientContext.Load(orole.Member);
  clientContext.ExecuteQuery();
  //name
  //MessageBox.Show(orole.Member.LoginName);
  lvi = new ListViewItem();
  lvi.Text = orole.Member.LoginName;
  lvsi = new ListViewItem.ListViewSubItem();
  lvsi.Text = orole.Member.PrincipalType.ToString();
  lvi.SubItems.Add(lvsi);
  //get the type group or user
  // MessageBox.Show(orole.Member.PrincipalType.ToString());
  if (orole.Member.PrincipalType.ToString() == "SharePointGroup")
  lvigroup = new ListViewItem();
  lvigroup.Text = orole.Member.LoginName;
  // args.GroupsList.Items.Add(lvigroup);
  DoUpdate1(lvigroup);
  Group group = clientContext.Web.SiteGroups.GetById(orole.Member.Id);
  UserCollection collUser = group.Users;
  clientContext.Load(collUser);
  clientContext.ExecuteQuery();
  foreach (User oUser in collUser)
  lvigroup = new ListViewItem();
  lvigroup.Text = "";
  lvsigroup = new ListViewItem.ListViewSubItem();
  lvsigroup.Text = oUser.LoginName;
  lvigroup.SubItems.Add(lvsigroup);
  //args.GroupsList.Items.Add(lvigroup);
  DoUpdate1(lvigroup);
  // MessageBox.Show(oUser.LoginName);
  RoleDefinitionBindingCollection roleDefsbindings = null;
  roleDefsbindings = orole.RoleDefinitionBindings;
  clientContext.Load(roleDefsbindings);
  clientContext.ExecuteQuery();
  //permission level
  lvsi = new ListViewItem.ListViewSubItem();
  string permissionsstr = string.Empty;
  for (int i = 0; i < roleDefsbindings.Count; i++)
  if (i == roleDefsbindings.Count - 1)
  permissionsstr = permissionsstr += roleDefsbindings[i].Name;
  else
  permissionsstr = permissionsstr += roleDefsbindings[i].Name + ", ";
  lvsi.Text = permissionsstr;
  lvi.SubItems.Add(lvsi);
  // args.PermissionsList.Items.Add(lvi);
  DoUpdate2(lvi);
  catch (Exception ex)
  MessageBox.Show(ex.Message);
  finally
  DoUpdate3();
  Kind Regards, John Naguib Technical Consultant/Architect MCITP, MCPD, MCTS, MCT, TOGAF 9 Foundation

• Database access code in objects constructor, or in data access object

  Given an object that is stored in a database, is it better to have the database access code in a constructor method, or a data access layer object? E.g. I have a Person class
  public class Person{
  int Id;
  String name;
  int age;
  }When I want to read a person's details from the database, I could use a constructor something like this:
  public Person(int id){
  Connection con = getDatabaseConnection();
  ResultSet rs = con.createStatement().executeQuery("Select name, age from person where person_id = " + id);
  rs.next();
  this.name = rs.getString(1);
  this.age=rs.getInt(2);
  }Or I could use a method in a data access object :
  public Person getPerson(int id){
  Person p = new Person();
  Connection con = getDatabaseConnection();
  ResultSet rs = con.createStatement().executeQuery("Select name, age from person where person_id = " + id);
  rs.next();
  p.setName(rs.getString(1));
  p.setAge(rs.getInt(2));
  return p;
  }It seems to me that the constructor approach has two advantages
  (1) the SQL code is kept in the relevant class (so if I want to add a field to Person, I only have to make changes to the Person class)
  (2) I don't have to have a setter method for each field
  Is one or other of these ways generally recognized as 'best practise'?

  malcolmmc wrote:
  But then, on the other hand, everytime a Person gains a new field that's two places you have to change it. if the persistence interface is written in terms of the object and uses ORM, I don't have to touch the implementation. all i have to do is update the object, the database, and the mapping - just like you and your home brew ORM.
  besides, so what? i'd fear the resource leak, bad layering, more difficult testing more.
  Actually lately I've used annotations to label setters with database field names and run a simple home brew ORM to convert rows into objects even when not using a more complex persistence manager.home brew ORM? why is that necessary when you can choose from hibernate, ibatis, jdo, jpa, etc.? that's just nuts.
  %

• How to access the LOB objects through database links??????????????

  How to access the LOB objects through database links??????????????

  Hi
  See:
  http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:52297289480186
  http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:5322964030684
  And you also might want to get a new keyboard, your '?' seems to be stucked....

• Exchange 2010 Unable to Assign Full Access Permissions using a Security Group

  I've been running into this issue lately.  I cannot seem to use groups to allow full access to mailboxes.  When I add them from the EMC, it will show up when you go to "Manage Full Access Permission...".  After waiting a day and even restarting
  the Information Store service, the permissions do not take effect.  When I view the msExchDelegateListLink attribute of the mailbox account, the group is not listed.
  When I grant a user full permission, it works and updates the attribute.  However, on occasion when I revoke the full access permission for a user is doesn't always remove that user from the msExchDelegateListLink attribute.  So the mailbox
  will still appear in Outlook, but the user isn't able to see new emails.
  Any ideas on what may be going wrong?
  Environment:
  Exchange Server 2010 SP1 Standard
  Windows Server 2008 R2 Standard
  Outlook 2010 SP1 (tried without SP1 as well)
  I was looking over Add-MailboxPermission on Technet (http://technet.microsoft.com/en-us/library/bb124097.aspx) and I noticed that it doesn't mention adding groups.  Is this not possible?

  I never got a proper fix.
  I worked around it by creating a script which gets the members of an AD Mail Enabled security group, and updates the full access based on the groups members.
  Here's a script I'm running every hour which updates permissions. It's probably not the most efficient script ever, but it works. It has several benefits
  1. Managers of the distribution group can add/remove mailbox members using OWA or through the address list
  2. New members of groups are added to FULL Access Permissions
  3. Members removed from the groups are removed from FULL access permissions
  4. Automapping works :)
  5. Maintains a log of access added / removed / time taken etc.
  Obviously I have had to remove domain related information, replace with whatever your domain requirements are, and PLEASE debug it properly in your environent first, don't complain to me if it wipes out a load of access for you or something like that!
  It takes about 5 minutes to run in my environement. Some formatting seems to have got messed up on here, sorry. I hope it is of use!
  # Mailbox Permissions Setter for Exchange #
  # v1.1 #
  # This script will loop through all mailboxes in Exchange and find any where #
  # the type is 'SHARED'. These should be determined to be a GROUP/SHARED mailbox #
  # and access to these mailboxes are controlled by a single ACL, e.g. 'ACL_Shared_Mailbox'. #
  # This script will add any members of these ACLs directly to the Full Access Permissions #
  # of the mailbox and also remove them if they no longer need the access. #
  # Script created by Jon Read, Technical Administration
  # Recent Changes
  # 15/11/2012
  # 1.1 Added exclusions for ACLs that we don't want automapping to happen for
  # 12/11/2012
  # 1.0 Initial script
  #Do not change these values
  Add-PSSnapin *Ex*
  $starttime = Get-Date
  $logfile = "C:\accesslog.txt"
  $logfile2 = "C:\accesslog2.txt"
  $totaladditionstomailboxes = 0
  $totalremovalsfrommailboxes = 0
  $totalmailboxesprocessed = 0
  $totalmailboxesskipped = 0
  # Exclude any ACLs that shouldn't be processed here if they are used for a non-standard purpose and
  # we don't want FULL access mapping to happen. Seperate array values with commas
  $ExcludedACLArray = "DOMAIN\ACL_ExcludedExample"
  Write-Output " " >> $logfile
  Write-Output " " >> $logfile
  Write-Output "#----------------------------------------------------------------#" >> $logfile
  Write-Output "# Mailbox Permissions Setter for Exchange #" >> $logfile
  Write-Output "# v1.1 #" >> $logfile
  Write-Output "#----------------------------------------------------------------#" >> $logfile
  Write-Output " " >> $logfile
  Write-Output " " >> $logfile
  Write-output "Start time $starttime ">> $logfile
  Write-Output " " >> $logfile
  Write-Output " " >> $logfile
  # Set preferred DCs and GCs
  $preferredDC = "preferredDC.domain"
  $preferredGC = "preferredGC.domain"
  Write-Output " PreferredDC = $preferredDC ">> $logfile
  Write-Output " PreferredGC = $preferredGC " >> $logfile
  Set-ADServerSettings -PreferredGlobalCatalog $preferredGC -SetPreferredDomainControllers $preferredDC
  # The first part of this will ADD permissions to the mailbox, reading from an associated ACL.
  # Check for all mailboxes where the type is SHARED. These are the only ones we would
  # want to apply group mailbox permissions to.
  foreach ($mailbox in get-mailbox -resultsize "unlimited" | where-object {$_.RecipientTypeDetails -eq "SharedMailbox"})
  $totalmailboxesprocessed = $totalmailboxesprocessed + 1
  Write-Output " " >> $logfile
  Write-Output " " >> $logfile
  Write-Output "|-------------------------------------------------------" >> $logfile
  Write-Output "| MAILBOX ADDITIONS: $mailbox " >> $logfile
  Write-Output "|-------------------------------------------------------" >> $logfile
  $mailbox=$mailbox.ExchangeGuid.ToString()
  # For each of them, get the distribution list applied to the mailbox (Starting DOMAIN\ACL_)
  # We then need it to be turned into a string to use later.
  #Declared $changes as 0. if this is set to 0 at the end of the mailbox job, we know no changes were made.
  $changes = 0
  foreach ($distributiongroup in get-mailbox $mailbox | Get-MailboxPermission | Where-Object {$_.User -like "DOMAIN\ACL_*" })
  $skipACL = 0
  #Get the distribution group and put the name in a useable format
  $distributiongroup=$distributiongroup.user.tostring()
  Write-Output "Found ACL $distributiongroup" >> $logfile
  # Check if this distribution group needs to be excluded and if it shouldn't be processed
  # then move onto the next ACL. This will stop FULL access being granted if the mailbox is
  # used for a non-standard purpose. See the start of this script
  # for where these are excluded (ExcludedACLArray)
  foreach ($ACL in $ExcludedACLArray )
  if ($distributiongroup -eq $ACL)
  $skipACL = 1
  Write-Output "ACL $distributiongroup is excluded so skipping mailbox " >> $logfile
  $totalmailboxesskipped = $totalmailboxesskipped + 1
  if ($skipACL -eq 0)
  # Get each user in this group and for each of them, add try to add them to full access permissions.
  foreach ($user in Get-DistributionGroupMember -identity $distributiongroup)
  # Get the user to try, convert to DOMAIN\USER to use shortly
  $user="DOMAIN\" + $user.alias.ToString()
  # Check to see if the user we have chosen from the ACL group already exists in the full access
  # permissions. If they do, set $userexists to 1, if they do not, leave $userexists set to 0.
  # Set $userexists to 0 as the default
  $userexists = 0
  foreach ($fullaccessuser in get-mailbox $mailbox | Get-MailboxPermission)
  # See if the user exists in the mailbox access list.
  # Change $fullaccessuser to a useable string (matching $user)
  $fullaccessuser=$fullaccessuser.user.tostring()
  if ($fullaccessuser -eq $user)
  $userexists=1
  # Break out of foreach if the user exists so we don't unnecessarily loop
  break
  # Now we know if the user needs to be added or not, so run code (if needed) to add
  # the user to full access permissions
  if ($userexists -eq 0)
  Add-MailboxPermission $mailbox –user $user –accessrights "FullAccess"
  Write-Output "Added $user " >> $logfile
  $changes = 1
  $totaladditionstomailboxes = $totaladditionstomailboxes + 1
  #Now repeat for other users in the ACL
  #if changes were 0, then log that no changes were made
  if ($changes -eq 0)
  Write-Output "No changes were made." >> $logfile
  Write-Output " " >> $logfile
  Write-Output " " >> $logfile
  Write-Output "---------------------------------------------------------------------------------" >> $logfile
  Write-Output " FINISHED ADDING PERMISSIONS" >> $logfile
  Write-Output "---------------------------------------------------------------------------------" >> $logfile
  Write-Output " " >> $logfile
  # The second part of this will REMOVE permissions from the mailbox, reading from an associated ACL.
  ## Check for all mailboxes where the type is SHARED. These are the only ones we would
  ## want to apply group mailbox permissions to.
  foreach ($mailbox in get-mailbox -resultsize "unlimited" | where-object {$_.RecipientTypeDetails -eq "SharedMailbox"})
  Write-Output " " >> $logfile
  Write-Output " " >> $logfile
  Write-Output "|-------------------------------------------------------" >> $logfile
  Write-Output "| MAILBOX REMOVALS : $mailbox " >> $logfile
  Write-Output "|-------------------------------------------------------" >> $logfile
  $mailbox=$mailbox.ExchangeGuid.ToString()
  #Declared $changes as 0. if this is set to 0 at the end of the mailbox job, we know no changes were made.
  $changes = 0
  # For the current mailbox, get a list of all users with FULLACCESS, and then for each of them
  # check if they exist in the ACL
  foreach ($fullaccessuser in get-mailbox $mailbox | Get-MailboxPermission | Where-Object {$_.Accessrights -like "FullAccess" })
  # Get the security identifier (SSID) of the FULLACCESS user to store for later.
  $fullaccessuserSSID=$fullaccessuser.user.SecurityIdentifier.ToString()
  $fullaccessuser=$fullaccessuser.User.ToString()
  #If user needs to be excluded then skip this bit
  #Users added or removed will only start with 07 (07$, 07T, so only run if the user starts with this.
  #This stops it trying to remove NT AUTHORITY\SELF and other System entries
  if ($fullaccessuser -like "DOMAIN\07*")
  # Set $userexists to be 0. if we find the use user needs to remain, then change it to 1.
  $userexists=0
  # Check if this user exists in the ACL, if not, remove.
  foreach ($distributiongroup in get-mailbox $mailbox | Get-MailboxPermission | Where-Object {$_.User -like "DOMAIN\ACL_*" })
  $distributiongroup=$distributiongroup.user.tostring()
  #Write-Output "Found associated distribution group $distributiongroup" >> $logfile
  # Get each user in this group and for each of them, See if it matches the user in the mailbox.
  foreach ($user in Get-DistributionGroupMember -identity $distributiongroup)
  # Get the user to try, convert to DOMAIN\USER to use shortly
  $userguid = $user.Guid.ToString()
  $user="DOMAIN\" + $user.alias.ToString()
  if ($fullaccessuser -eq $user)
  $userexists=1
  #we have found the user exists so no need to continue
  break
  # If userexists = 0, then they are NOT in the ACL, and should be removed from
  # the full access permissions. Run the code to remove them from full access.
  #CONVERT FULLACCESSUSER TO GUID AND REMOVE $FULLACCESSUSERGUID NOT $USERGUID
  if ($userexists -eq 0)
  Remove-MailboxPermission -Identity $mailbox –user $fullaccessuserSSID –accessrights "FullAccess" -Confirm:$false
  Write-Output "Removed $fullaccessuser " >> $logfile
  $changes = 1
  $totalremovalsfrommailboxes = $totalremovalsfrommailboxes + 1
  # if changes = 0, no changes were made to this mailbox, so log this fact.
  if ($changes -eq 0)
  Write-Output "No changes were made." >> $logfile
  #Put the time in a displayable format
  $endtime = Get-Date
  $runtime = $endtime - $starttime
  $runtime = $runtime.ToString()
  $runtime1 = $runtime.split(".")
  $totaltime = $runtime1[0]
  Write-Output " " >> $logfile
  Write-Output " " >> $logfile
  Write-Output "|-------------------------------------------------------------------------------------- " >> $logfile
  Write-Output "| SCRIPT COMPLETE : STATS " >> $logfile
  Write-Output "|-------------------------------------------------------------------------------------- " >> $logfile
  Write-Output "| Total Mailboxes Processed : $totalmailboxesprocessed " >> $logfile
  Write-Output "| Total Additions : $totaladditionstomailboxes " >> $logfile
  Write-Output "| Total Removals : $totalremovalsfrommailboxes " >> $logfile
  Write-Output "| Total Mailboxes Skipped due to ACL : $totalmailboxesskipped " >> $logfile
  Write-output "| Start time : $starttime ">> $logfile
  Write-output "| End time : $endtime ">> $logfile
  Write-Output "| **END OF RUN** - Elapsed time : $totaltime " >> $logfile
  Write-Output "|---------------------------------------------------------------------------------------" >> $logfile
  Write-Output " " >> $logfile