Remove GrantSendOnBehalfTo disabled user accounts - A novice at scripting

Hello.  Can anyone help please
In our exchange 2010 environment we have users who are granted send on behalf to access.  Obviously some users leave and I m finding that there are ghosts left behind which are causing issues with our team who add users into the grantsendonbehalfto
option using the EMC.  Using the log view we coy out the command and then remove the disabled user from the command and then paste this into an Exchange Powershell command line.  This wrks because it is doing what Exchange EMC does which is rewrites
the -GrantSendOnBehalfTo option in it new entirety.  
The problem occurs because I need to remove these en-mass from approx 700 plus accounts.  
I have tried to modify one user in order to get the script to work but it doesn't.
This is the error message that happens when I run the script below against a known account with at least 2 disabled users in:-
Couldn't find object "xxxxxxxx.xx.xxxxxxx.xxx.xx/DisabledUsers/2013-08/Gaynor Collins-Punter". Please make sure that i
 was spelled correctly or specify a different object. Reason: The recipient xxxxxxxx.xx.xxxxxxx.xxx.xx/DisabledUsers/2
13-08/Gaynor Collins-Punter isn't the expected type.
    + CategoryInfo          : NotSpecified: (:) [], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : F6498844
    + PSComputerName        : ex02-0029.xx.xxxxxxx.xxx.xx
Am running the script from my local PC
This is the script I have used.
# Gather info use get-mailbox -resultsize unlimited$mailboxes = Get-Mailbox zplew1
Foreach($mailbox in $mailboxes)
for($i = ($mailbox.GrantSendOnBehalfTo.count)-1; $i -ge 0; $i--)
$address=$mailbox.GrantSendOnBehalfTo[$i]
$addressString=$address.addressString
If($addressString -like "*disabled*")
$mailbox.GrantSendOnBehalfTo.removeat($i)
$info >> "C:\Scripts\grantsendonbehalfto.csv"
$mailbox |set-mailbox -GrantSendOnBehalfTo $mailbox.grantsendonbehalfto
}If you requiere any more info please let me know.

#1 - I recommend posting in xchange forum fo rhow to do this
#2 - Wen an account is disabled most on the information in the object is hidden.  YOu would need to undelete to use the object.
#3 - Get list as text and validaye al values are not deleted accounts.  Remove deleted and save back.
¯\_(ツ)_/¯

Similar Messages

  • Disabling User Account Control - CUBAC

    Installing Cisco Unified Business Attendant Console.  Documentation says that on server 2003 / sever 2008 installations, disabling of the user account control is required.  It gives a procedure to do this on Server 2008.
    The install I'm working on is on Server 2003.  I cannot find anything like this.  Googling on the subject has led me to believe that this is likely a documentation bug, as I can find no reference to Server 2003 having this feature.
    Has anyone else run into this?  The documentation appears to have been written by someone who speaks english as a second language, and not thoroughly vetted for correctness.

    Hi Clifford,
    This would just be for Windows server 2008
    CSCtc77367            Bug Details
    CUBAC 3.1.1.5 docs need to say "disable User Account  Contol" in win2008w.
    It appears UAC (user account Control) a new feature found in   Windows Server 2008 will block license files from being properly applied  in CUBAC 3.1.1.5.
    The installation and requirement docs should  reflect that UAC needs to be disabled before installing CUBAC on Windows  Server 2008.
    Observations:
    Go to webadmin, licensing
    When  you look at that page, you will not see any licensing info; no eval.
    It  says, no licensing info.
    When we turned off UAC, the licensing  page showed the eval info for 5 days.
    At which point we were able  to add the license
    Status
    Fixed             
    Severity
    2 - severe
    Last Modified
    In Last Year        
    Product
    Cisco Unified Attendant Consoles         
    Technology
    1st Found-In
    3.1(1.5)       
    Fixed-In
    Release-Pending
    Cheers!
    Rob

  • Disable user accounts on Unix, Linux resorces

    Hi Everyone
    I try to understand disable user account action on Unix, Linux systems
    In Resource reference doc. I see the next:
    Linux does not natively support Waveset enable and disable actions.
    Waveset simulates enabling and disabling accounts by changing the
    user password. The changed password is exposed on enable actions,
    but it is not exposed on disable actions.
    As a result, enable and disable actions are processed as update actions.
    Any before or after actions that have been configured to operate on
    updates will execute.
    So what kind of commands waveset using for this action:
    passwd -l <Username>
    or just change password?
    Thanks

    Hi,
    The out of the box adapter changes the user's Linux password on disable action.
    To Implement locking of account by running "passwd -l username", you need to write a resource action and call it explicitly. Hope it helps
    Regards
    Arjun

  • Disable user account on Active Directory??

    I sync user account from iPlanet DS to Active Directory through Meta Directory. If I disable user account on iPlanet DS, can meta directory disable the user account on Active Directory Server?

    AD has an attribute called userAccountControl. This attribute has a value of 512 when an AD account is active and 546 when it has been disabled. I flow a constructed attribute called userAccountControl with two rules, one for enable and one for disable. The selection criteria for the enable/disable rule is based upon a change in employee status. For example, (%mv.employeestatus%==T). Another way to do this would be a single attribute constructrion rule that calls an external script (written in Perl) that accounts for multiple conditions and then enables/disables the AD account accordingly. In the attribute flow rule, you flow the constructed attribute userAccountControl to mdsAdUserAccountControl (assuming an AD-Specific schema setting in the AD connector).

  • How to disable user account

    Hi,
    How to disable user account after few failed login attempt.
    We have the password policy settings.  But we also like to disable account after 5 failed login attempt.
    thanks

    This function is not available in Connect.

  • No Start Menu, removed and added User Account then no "Built In" Apps - Build 1049

    So quick history, was having problem with start menu not working under build 1044 for the second user I'd added to the machine (Microsoft account). Rebuilt using "Remove everything and reinstall windows". Seemed to resolve the problem for the newly
    added user and was still working under the original user (also Microsoft Account).  Then along came build 1049 and now the same start menu issue occurred for the original user account.  So, as both were setup as admins, removed the original
    user account, restarted, checked all data removed and added the account again. 
    First attempt added the account as a local account then added the Microsoft account after login, result = start menu working but no "built in" apps (store beta, insider app etc).
    So removed account again and added again, this time using Microsoft account immediately, logged in and exactly the same result.
    Any ideas how to resolve?

    You cannot use the Start Menu logging in as anything that would be in the BUILTIN\administrator group on the computer.  I had the same problem when I added the machine to a domain, thus domain admins is in the BUILTIN\Administrator group.
    The reason being that the Windows 10 Start Menu is an appxpackage, and you can't run appxpackages using the built-in administrator account.  As is the case for example with Windows Store.  It doesn't however give you a warning message, you
    just click on the windows button and nothing happens.
    This is just total madness imv.  It kind of made sense when all the appxpackages where apps, but now they include parts of the OS, the OS is essentially non-functional when you log in using anything in the BUILTIN\ administrator group.
    If you really want to blow your mind, go into PowerShell and run the command: get-appxpackage|remove-appxpackage
    If you run that on Windows 8.1 it will remove all the bloatware apps for the logged on user.  Run it in Windows 10 and it removes various parts of the OS for that user as well, such as the Start Menu!

  • OIM 9.1.0.2 Group Membership Removal for Disabled Users

    Hello
    In OIM 9.1.0.2, when a user is disabled, they are removed from the groups they are a member of within 24 hours. i was wondering if this is a set time and if so, can this be extended to a specified time so membership can be left for a week before it is removed from the user. If you can let me know on this I would appreciate it.
    Thanks
    Nick

    Today, when accounts are disabled, within 24 hours all the group memberships are removed on the OIM side. I would like to change the interval for the cleanup so that when an account is disabled, all the existing group (role) memberships stay assinged to the account then after 30 days of the account being disabled, the group (role) memberships are removed. Not sure if this would be an ORM thing or OIM, but I think it would be OIM since ORM still has the role mappings for users when they are disabled.
    Thanks
    Nick

  • Disabling User account

    Hi all,
    We have an attribute *"nsaccountlock"* in LDAP.
    We have a requirement that if "*nsaccountlock*" is set to "*true*" then the user account must be disabled or locked in SIM as well.
    If anyone has any pointers regarding the same, please post how this can be achieved.
    Any pointers may be helpful.
    Thanks

    To do this you need to use activesync so that the changes on LDAP are detected in SIM. We are using that process today however version 6.1 seems to have an issue when nsaccountlock is not present in LDAP.
    Here are some notes from version 7 document:
    Set the nsAccountLock attribute
    To use the nsAccountLock attribute to disable and enable accounts, configure the LDAP resource as follows:
    On the Resource Parameters page, set the LDAP Activation Method field to nsaccountlock.
    Set the LDAP Activation Parameter field to IDMAttribute=true. (IDMAttribute will be specified on the schema in the next step.) For example, accountLockAttr=true.
    On the Account Attributes page, add the value specified in the LDAP Activation Parameter field as an Identity System User attribute. Set the Resource User attribute to nsaccountlock. The attribute must be of type string.
    Set the nsAccountLock LDAP attribute on the resource to true.
    Identity Manager sets nsaccountlock to true when disabling an account. It also assumes that pre-existing LDAP users that have nsaccountlock set to true are disabled. If the nsaccountlock has any value other than true (including null), the system concludes the user is enabled.

  • Disabling user accounts programmactically

    Hello,
    I have an application that one of its functions is user management. I’m trying to find a way to disable and enable user accounts programmatically with the Sun Directory Server 6.3. From what I have found, using the nsAccountLock attribute seems the easiest but I can’t seem to set it using ldapmodify from the command line.
    I’ve seen some posts about setting the activation method to nsaccountlock but I can’t find where to do that, no feature oid, or server attribute by that name is listed in the schema that I can find. The pages that I have found sound like the option is set from some management console/page, but I’d like to do it using LDIF if possible.
    Anyone know where this configuration option is hiding?
    Thanks!

    nsAccountLock is an operational attribute so you need to specify it explicitly (in ldapsearch list of attributes) to see its value. You can use ldapmodify to set it to true or false. Not setting it, equals to "false".

  • Disabling user account after 24hrs

    Hi all.
    We have a requirement to disable new user accounts if they are not logged into within 24hrs of creation, I suspect this can be done with some Powershell however I can't really think how.... Any ideas?
    Cheers :)

    Hi there,
    This should get you started.
    $when = (get-date) - (new-timespan -days 5)
    Get-ADUser -properties created,lastlogondate -filter { created -gt $when } | ? { $_.lastlogondate -eq $null }
    It's not a perfect answer to your question but it should get you in the right direction.

  • Automatically disable user accounts after specific number days Oracle Apps

    Hi All,
    Is there a way, using group policy or any other method to automatically disable a user account if it hasnt been used (ie,, no has logged on using that account) after a certain amount of days??
    This is something I would like to apply enterprise wide, so setting expiry dates on each users object is out, and obviously I only want to apply this to inactive accounts.
    Thanks in advance
    Saquib

    Saquib,
    There is no such profile option. However, you can write a code to check LAST_LOGON_DATE in FND_USER table and based on this you can disable/lock the account.

  • OIM 11g - Approval workflows for disabled user accounts

    Hi,
    We have a scenario wherein a user will be created in OIM with a future start date resulting in a Disabled Untill Start Date user status. Once the user is created, we should let anyone submit a New Hire form for the user and the submitted form needs to be approved by the Manager. Once the Manager approves the form, the target accounts should get created with disabled status. These accounts should get enabled on the start date.
    As submission of New Hire Form is not a straightforward process, we came up with the following design.
    A dummy resource object corresponding to the New Hire Form will be created and can be requested for a newly hired person by anyone who has OIM access. An approval workflow will be configured for the New Hire Form Resource object and provisioning of target accounts will be based on Manager's approval for this resource object.
    However the challenge that we see with this design is, it wasn't possible to place a request for New Hire Form dummy resource object for a disabled user. But the requirement is to complete the New Hire Form submission process befor the user becomes active.
    How can these workflows be invoked for a disbaled user? Is there any other way to implement this requirement?
    Any kind of help/guidance is greatly appreciated.
    Thanks and Regards
    Deepa

    911709 wrote:
    If I create a dummy resource, called "Group Membership" for example, and use this to show the groups that are available in AD, how can I have the request be routed to different approvers? For example, group cn=HR Users,cn=Users,dc=company,dc=com needs to be routed to HR for approval. Group cn=IT,cn=Users,dc=company,dc=com needs to be routed to IT for approval. How can I change the approvers dynamically?
    Re: Spawning multiple approval tasks in parallel in OIM11g SOA Composite
    You can have dynamic task assignment in BPEL; where you defne a variable in the task assignment and update the variable with the approver group name before triggering the task assignment task. Check BPEL docs for same.
    If every group needs a different approver, and there are 5000 groups, can I make 5000 resources and use the built-in routing of approvals? Or, use the dummy resource approach and handle the management of the approvals in some other way.Just make one resource with one field attached to it which takes in the group name and handle approval in SOA by reading a lookup which has AD group to Approval Group mapping.
    >
    Thank you.-Bikash
    Edited by: Bikash Bagaria on Feb 18, 2012 1:00 AM

  • Disable User Account Icon

    I want to disable the user account icon (circled yellow in the attached image) which is visible on pressing windows key after user log on.
    Let me know how to disable this for a single user using registry.
    Thank You,
    Sagar

    Hi,
    I don't think this is possible. As this is by design.
    Besides, if you want to disable the user account picture, we might follow the below steps:
    Go here: C:\ProgramData\Microsoft\User Account Pictures
    Rename user.bmp and guest.bmp to user.ren and guest.ren respectively. (The suffix actually doesn't matter -  Just chose ren (stands for 'renamed')
    Reboot
    Best regards
    Michael Shao
    TechNet Community Support

  • Randomly Disabled User Accounts in Server 10.3.9

    For various political reasons, we've chosen to skip 10.4 server and wait for 10.5.
    So, the problem is that users will be unable to log in, and once I go to Workgroup manager, they're "log in" checkbox is unchecked, but their user icon isn't crossed out (which would happen in someone had manually disabled them). Once I re-check the box, they're able to log in again normally. Most of them have aliases created on their docks, so I know they're not just typing their passwords in wrong enough to be disabled.
    So, two questions:
    1) Would upgrading to 10.4.8 fix this?
    2) Is there any way to fix this in 10.3.9?

    I've had a lot of trouble even in 10.4 with users being automatically disabled while the "wrong password protection" is enabled. Try disabling it for a few days and see if any accounts are disabled. If that's the problem, it will probably be difficult to track down the source of the bad login attempts. Are you authenticating Windows clients or just Macs?

  • Archive disabled user accounts

    We would like to archive off our disabled accounts based on certain aging criteria. Does sunidm have any out of the box feature that does this. Otherwise what are the other options

    First of all, what do you mean exactly by archiving ?
    Secondly, your question should better be asked on the Sun IDM forum. Anyway, I would say there's nothing out of the box, but you could
    develop a workflow to do such a task.
    Some customers just disable the users without moving or archiving them. Others move them to a new DIT (directory branch) or a new directory.
    As you understand, there're many options to accomplish this.
    Basically, why just disabling the users isn't enough for you ? (assuming you already have a backup an archive and backup strategy for your regular
    users at least)

Maybe you are looking for

  • Assign Type conflict with field symbols

    I have two tables tab1 & tab2, want to assign field values from tab1 to tab2 suing field symbols. Deatils are : TYPES: BEGIN OF ty_tab1,     item1   TYPE char20,     item2   TYPE char20,     val1 type i,     val2 type i, END OF ty_tab1, BEGIN OF ty_t

  • Trying to restore a TM backup to a 3-month old clone

    The HD was getting errors back in December, so I cloned it on a new, larger drive. Now it's 2+ months later, and I had a hard failure of the original drive. DIskWarrior brought it back, but I've now swapped to the new drive that was cloned in Decembe

  • My apple tv says no signal on tv.i check all the connections but still says no signal

    apple tv not connecting to tv...i tried all the possible solutions but still tv says no signal

  • Ideapad U110 Linux drivers

    I managed to install ubuntu on ideapad u110. Only big problem is the resolution , i can't manage to get higher then 800*600  using Vesa I would like to make the intel driver work , for acceleration on 1368*768 Seems to be an issue with chipset  00:02

  • Error in Loading New York Times Reader 2.0 and other AIR apps

    I downloaded Adobe AIR successfully on my Windows 7 laptop running Mozilla Firefox. When I install the Times Reader 2.0 I get the message: Sorry, an error has occured. The application could not be installed because the AIR file is damaged. Try obtain