microsoft/FastTrack

Issue with parameter ExcludeServiceAcctsCSV in Find-MailboxDelegates

bezibaerchen opened this issue · 16 comments

Dear FastTrack team,

we are currently planning our migration and have a longer list of accounts that should not be analyzed or included into batches.

For that purpose we created a file named "exclude.csv" containing no headers and one primary SMTP per line.

However, after the script finishes running all of those accounts are still included in batches and permission analysis.

Anything we potentially missed?

Addition:

Script is called like this:

\Find-MailboxDelegates.ps1 -SendAs -EnumerateGroups -SendOnBehalfTo -Calendar -ExcludeServiceAcctsCSV "C:\scripts\ps\_ExchangeOnline\exclude.csv"

Hi @bezibaerchen , can you check the log file for any issues when excluding the service accounts? The log file should be located here:

$LogFile = "$scriptPath\Find-MailboxDelegates-$yyyyMMdd.log"

Glad to take a look as well if you're okay with sharing.


Unfortunately nothing obvious. The only occurrence is with "passed script parameters".

In which of the phases should that be referenced?

Unfortunately can't share the file as it contains more or less all of our mail addresses :-)

Completely understand :) It's hard to say what might be going wrong with the current info. One suggestion here, would be to temporarily write out the excluded service accounts:

$ExcludedServiceAccts

within the Get-Permissions() function in Line 251.

If that does dump the list of service accounts, then the issue is likely in the comparison logic (if/else).
Otherwise, there might be an issue with the way we're collecting the list of service accounts.

Maybe I am also misinterpreting the way that this switch works.
How would the script behave if a mail address is found in that CSV? Shall it not be added to any batch or will it end up in no-dependencies?
I would have expected that it doesn't even analyze and not add them to any batch but I might be wrong.

Addition: list of accounts is dumped correctly.

It'll skip the mail address when it's collecting permissions. The batching uses the permissions found, so that service account would not be a part of the analysis.

Assuming the list of accounts is getting dumped correctly within the function, then something might be off with the comparison logic. Line 371 for example:

if(-not ($ExcludedServiceAccts -contains $usrTmpEmail -or $ExcludedServiceAccts -contains $mailbox.primarySMTPAddress.ToString()))

You could add $usrTmpEmail and $mailbox.primarySMTPAddress.ToString() within that "if" statement to see if the condition evaluated to "true" which it shouldn't have if it was in the excluded service accounts list.
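An added illustration of the comparison the thread is discussing (not code from Find-MailboxDelegates.ps1): it loads a header-less exclude.csv, normalizes each entry, and shows why a `-contains` check can silently miss an address that looks identical on screen. The function names, the sample addresses and the temp file path are assumptions for this demo only; `$ExcludedServiceAccts` and `$usrTmpEmail` mirror the variable names quoted above.

```powershell
# Added illustration, not code from Find-MailboxDelegates.ps1.
# Builds a normalized exclusion list from a header-less CSV and shows the
# -contains check the thread refers to, plus the whitespace/BOM pitfalls
# that make a visually identical address fail to match.

function Get-ExcludedAccounts {
    param([Parameter(Mandatory)][string]$Path)
    # Get-Content yields one line per entry; trim spaces and any UTF-8 BOM
    # that a text editor may have prepended to the first line.
    Get-Content -Path $Path |
        ForEach-Object { $_.Trim().TrimStart([char]0xFEFF) } |
        Where-Object { $_ -ne '' } |
        ForEach-Object { $_.ToLowerInvariant() } |
        Select-Object -Unique
}

function Test-IsExcluded {
    param(
        [string[]]$ExcludedServiceAccts,
        [string]$usrTmpEmail,
        [string]$primarySmtp
    )
    # Same shape as the condition quoted in the thread. -contains is
    # case-insensitive by default but still an exact string match, so both
    # sides have to be normalized the same way.
    $ExcludedServiceAccts -contains $usrTmpEmail.Trim().ToLowerInvariant() -or
    $ExcludedServiceAccts -contains $primarySmtp.Trim().ToLowerInvariant()
}

# Constructed sample file (hypothetical addresses), written to a temp path.
$tmp = Join-Path $env:TEMP 'exclude-demo.csv'
"svc-backup@contoso.example`r`n  SVC-Scanner@contoso.example  `r`n" |
    Set-Content -Path $tmp -NoNewline

$excluded = Get-ExcludedAccounts -Path $tmp
Write-Host "Loaded $($excluded.Count) excluded accounts: $($excluded -join ', ')"

# A raw -contains against the unnormalized lines misses the padded entry;
# the normalized check catches it and still rejects a regular user.
$raw = Get-Content -Path $tmp
Write-Host ("Raw -contains match for scanner: " + ($raw -contains 'svc-scanner@contoso.example'))
Write-Host ("Normalized match for scanner:    " + (Test-IsExcluded $excluded 'svc-scanner@contoso.example' 'svc-scanner@contoso.example'))
Write-Host ("Normalized match for user:       " + (Test-IsExcluded $excluded 'alice@contoso.example' 'alice@contoso.example'))
Remove-Item -Path $tmp
```

Dumping the same normalized values from the real log entry (what was read from the CSV next to what the mailbox loop is comparing) makes a hidden whitespace, BOM or alias-versus-primary-address mismatch visible immediately.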

Could you specify what to add where and what to look for?

We added those 2 variables to the write-log entry. Doesn't seem to match so line 371 obviously never turns true.

For whatever reason script always seems to jump into the else in line 377

Could you specify what to add where and what to look for?

Within the if statement that's on Line 371, add both $usrTmpEmail and $mailbox.primarySMTPAddress.ToString() in there to see if it dumps out your service accounts. If it does it means that the condition on Line 371 resulted in "true" even when there's a service account, which is unexpected.

We added those 2 variables to the write-log entry. Doesn't seem to match so line 371 obviously never turns true. For whatever reason script always seems to jump into the else in line 377

Line 371 is a nested if condition which doesn't have a matching else statement. Whenever there's a service account found, it should skip adding the permission, i.e. the if condition should return false and not collect the permission.

[screenshot omitted]

Still kinda lost :-)
Would we expect all accounts from service account csv to show up in no dependencies batch or nowhere?

No worries, let me know where I can guide more and happy to expand.

To answer your question, service accounts should not show up in any of the outputs, including dependencies/batching, permissions.

Hi soya,
we've been playing around in the code but can't come to a conclusion. We still see users in excluded service accounts file being processed and added to batches, namely in nodependencies one.
Can you maybe try to reproduce on your end?
Or maybe we can somehow have joint session.

Hi @bezibaerchen , let me see if I can get a repro internally. What exchange on prem version are you using?

@bezibaerchen - I was able to spin up an Exchange 2016 environment. See below screenshot of what you should expect to see.

  • UserA has permissions to UserB and UserC
  • ServiceAcct1 has permissions to UserB

[screenshot omitted]

Okay, then this is clarified that excluded mailboxes are not being analyzed and put into nodependencies. Thanks for your efforts, highly appreciated!