v2.3.1 (#22)

GruberMarkus · web-flow · commit 2b92fa39c990 · 2022-11-28T12:53:47.000+01:00
## <a href="https://github.com/GruberMarkus/Export-RecipientPermissions/releases/tag/v2.3.1" target="_blank">v2.3.1</a> - 2022-11-28 ### Added - New FAQ in '`README`': 'How to export permissions for specific public folders?' ### Fixed - Sample code '`compare.ps1`' now additionally outputs the original identity of a trustee and not only the primary SMTP address. This helps with permissions granted to 'Anonymous' and 'Default', as well as with recipients which have been deleted in the time between the old and the new export. - Always include trustee groups in '`GrantorFilter`' when '`ExportDistributionGroups`' is set to '`OnlyTrustees`'
diff --git a/.github/workflows/build, draft release.yml b/.github/workflows/build, draft release.yml
@@ -15,12 +15,12 @@ jobs:
           fetch-depth: 0
 
       - name: Install GitVersion
-        uses: gittools/actions/gitversion/setup@v0.9.14
+        uses: gittools/actions/gitversion/setup@v0.9.15
         with:
           versionSpec: "5.x"
 
       - name: Determine SemVer
-        uses: gittools/actions/gitversion/execute@v0.9.14
+        uses: gittools/actions/gitversion/execute@v0.9.15
         with:
           additionalArguments: '/overrideconfig major-version-bump-message="^(build|chore|ci|docs|feat|fix|perf|refactor|revert|style|test)(\\([\\w\\s]*\\))?(!:|:.*\\n\\n((.+\\n)+\\n)?BREAKING CHANGE:\\s.+)" /overrideconfig minor-version-bump-message="^(feat)(\\([\\w\\s]*\\))?:" /overrideconfig patch-version-bump-message="^(build|chore|ci|docs|fix|perf|refactor|revert|style|test)(\\([\\w\\s]*\\))?:"'
 
diff --git a/build/build.ps1 b/build/build.ps1
@@ -58,7 +58,7 @@ function main {
         $tempFileContent = $tempFileContent -replace 'XXXRemoveWhenBuildingXXX-->', ''
         $tempFileContent | Set-Content $($_[0])
         # convert to HTML
-        & pandoc.exe $($_[0]) --resource-path=".;docs" -f gfm -t html --self-contained -H .\build\pandoc_header.html --css .\build\pandoc_css_empty.css --metadata pagetitle="$(([System.IO.FileInfo]"$($_[0])").basename) - $(($env:GITHUB_REPOSITORY -split '/')[1])" -o $($_[1])
+        & pandoc.exe $($_[0]) --resource-path=".;docs" -f gfm -t html --embed-resources --standalone -H .\build\pandoc_header.html --css .\build\pandoc_css_empty.css --metadata pagetitle="$(([System.IO.FileInfo]"$($_[0])").basename) - $(($env:GITHUB_REPOSITORY -split '/')[1])" -o $($_[1])
     }
 
 
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
@@ -15,6 +15,13 @@
   ### Fixed
 -->
 
+## <a href="https://github.com/GruberMarkus/Export-RecipientPermissions/releases/tag/v2.3.1" target="_blank">v2.3.1</a> - 2022-11-28
+### Added
+- New FAQ in '`README`': 'How to export permissions for specific public folders?'
+### Fixed
+- Sample code '`compare.ps1`' now additionally outputs the original identity of a trustee and not only the primary SMTP address. This helps with permissions granted to 'Anonymous' and 'Default', as well as with recipients which have been deleted in the time between the old and the new export.
+- Always include trustee groups in '`GrantorFilter`' when '`ExportDistributionGroups`' is set to '`OnlyTrustees`'
+
 ## <a href="https://github.com/GruberMarkus/Export-RecipientPermissions/releases/tag/v2.3.0" target="_blank">v2.3.0</a> - 2022-10-25
 ### Added
 - When '`ExportFromOnPrem`' is set to '`$true`' and '`ExchangeConnectionUriList`' is not specified, '`ExchangeConnectionUriList`' defaults to '`http://<server>/powershell`' for each Exchange server with the mailbox server role
diff --git a/docs/README.md b/docs/README.md
@@ -76,6 +76,7 @@ Compare exports from different times to detect permission changes (sample code i
   - [2.9. Is there a GUI available?](#29-is-there-a-gui-available)
   - [2.10. Which resources does a particular user or group have access to?](#210-which-resources-does-a-particular-user-or-group-have-access-to)
   - [2.11. How to find distribution lists without members?](#211-how-to-find-distribution-lists-without-members)
+    - [2.11.1. How to export permissions for specific public folders?](#2111-how-to-export-permissions-for-specific-public-folders)
 - [3. Sample code](#3-sample-code)
   - [3.1. Get-DependentRecipients.ps1](#31-get-dependentrecipientsps1)
   - [3.2. Compare-RecipientPermissions.ps1](#32-compare-recipientpermissionsps1)
@@ -705,6 +706,76 @@ $params = @{
 }
 
 
+& .\Export-RecipientPermissions\Export-RecipientPermissions.ps1 @params
+```
+### 2.11.1. How to export permissions for specific public folders?
+You need three things for this:
+- GrantorFilter should only include Public Folder Mailboxes
+- ExportFileFilter needs to remove everything not of interest
+
+The following example shows how to export permissions granted on the public folder '/X', '/Y' and their subfolders, plus all members of groups granted permissions:
+```
+$params = @{
+    ExportFromOnPrem                            = $true
+    UseDefaultCredential                        = $true
+
+    ExportMailboxAccessRights                   = $false
+    ExportMailboxAccessRightsSelf               = $false
+    ExportMailboxAccessRightsInherited          = $false
+    ExportMailboxFolderPermissions              = $false
+    ExportMailboxFolderPermissionsAnonymous     = $true
+    ExportMailboxFolderPermissionsDefault       = $true
+    ExportMailboxFolderPermissionsOwnerAtLocal  = $true
+    ExportMailboxFolderPermissionsMemberAtLocal = $true
+    ExportSendAs                                = $false
+    ExportSendAsSelf                            = $false
+    ExportSendOnBehalf                          = $true
+    ExportManagedBy                             = $false
+    ExportLinkedMasterAccount                   = $false
+    ExportPublicFolderPermissions               = $true
+    ExportPublicFolderPermissionsAnonymous      = $true
+    ExportPublicFolderPermissionsDefault        = $true
+    ExportForwarders                            = $false
+    ExportManagementRoleGroupMembers            = $false
+    ExportDistributionGroupMembers              = 'OnlyTrustees'
+    ExportGroupMembersRecurse                   = $true
+    ExpandGroups                                = $false
+    ExportGuids                                 = $true
+    ExportGrantorsWithNoPermissions             = $true
+    ExportTrustees                              = 'All'
+
+    RecipientProperties                         = @()
+    GrantorFilter                               = "if ( (`$Grantor.RecipientTypeDetails.Value -ieq 'PublicFolderMailbox') ) { `$true } else { `$false }"
+    TrusteeFilter                               = $null
+    ExportFileFilter                            = "
+                                                    if (
+                                                        (
+                                                            (`$ExportFileLine.'Grantor Recipient Type' -ieq 'UserMailbox/PublicFolderMailbox') -and
+                                                            (
+                                                                (`$ExportFileLine.'Folder' -ieq '/X') -or
+                                                                (`$ExportFileLine.'Folder' -ilike '/X/*') -or
+                                                                (`$ExportFileLine.'Folder' -ieq '/Y') -or
+                                                                (`$ExportFileLine.'Folder' -ilike '/Y/*')
+                                                            )
+                                                        ) -or
+                                                        (
+                                                            `$ExportFileLine.'Grantor Recipient Type' -ine 'UserMailbox/PublicFolderMailbox'
+                                                        )
+                                                    ) {
+                                                        `$true
+                                                    } else {
+                                                        `$false 
+                                                    }
+                                                 "
+
+    ExportFile                                  = '..\export\Export-RecipientPermissions_Result.csv'
+    ErrorFile                                   = '..\export\Export-RecipientPermissions_Error.csv'
+    DebugFile                                   = ''
+
+    verbose                                     = $true
+}
+
+
 & .\Export-RecipientPermissions\Export-RecipientPermissions.ps1 @params
 ```
 # 3. Sample code
diff --git a/src/Export-RecipientPermissions.ps1 b/src/Export-RecipientPermissions.ps1
@@ -6423,6 +6423,10 @@ try {
                     if ($AllGroupMembers.ContainsKey($AllRecipients[$x].Identity.ObjectGuid.Guid)) {
                         $tempQueue.enqueue($x)
                     }
+
+                    if (($ExportDistributionGroupMembers -ieq 'OnlyTrustees') -and (($x -notin $GrantorsToConsider))) {
+                        $null = $GrantorsToConsider.add($x) # makes $ExportGrantorsWithNoPermissions work for these groups
+                    }
                 }
             }
         }
@@ -7085,8 +7089,21 @@ try {
             $tempQueue = [System.Collections.Queue]::Synchronized([System.Collections.Queue]::new($AllRecipients.count))
 
             foreach ($x in $GrantorsToConsider) {
-                $tempQueue.enqueue($x)
+                if (($AllRecipients[$x].RecipientTypeDetails.Value -ilike 'Group*') -or ($AllRecipients[$x].RecipientTypeDetails.Value -ilike '*Group')) {
+                    if ($ExportDistributionGroupMembers -ieq 'None') {
+                        # do nothing
+                    } elseif ($ExportDistributionGroupMembers -ieq 'OnlyTrustees') {
+                        if ($AllRecipients[$x].IsTrustee -eq $true) {
+                            $tempQueue.enqueue($x)
+                        }
+                    } else {
+                        $tempQueue.enqueue($x)
+                    }
+                } else {
+                    $tempQueue.enqueue($x)
+                }
             }
+
             $tempQueueCount = $tempQueue.count
 
             $ParallelJobsNeeded = [math]::min($tempQueueCount, $ParallelJobsLocal)
diff --git a/src/sample code/Compare-RecipientPermissions/Compare-RecipientPermissions.ps1 b/src/sample code/Compare-RecipientPermissions/Compare-RecipientPermissions.ps1
@@ -21,12 +21,11 @@ Param(
     $newCsv = '.\Export-RecipientPermissions_Output_new.csv',
 
     # Display results on screen before creating file showing changes
-    $DisplayResults = $false,
-
+    $DisplayResults = $true,
 
     # Path for export file showing changes
     # Set to '' or $null to not create this file
-    $ChangeFile = '.\changes.csv'
+    $ChangeFile = '.\comparison.csv'
 )
 
 
@@ -91,11 +90,11 @@ if ($DisplayResults) {
         Write-Host "  $($GrantorPrimarySmtp)"
         foreach ($DatasetObject in $Dataset[$($GrantorPrimarySmtpOrder.IndexOf($GrantorPrimarySmtp))..$($GrantorPrimarySmtpReverseOrder.count - 1 - $GrantorPrimarySmtpReverseOrder.IndexOf($GrantorPrimarySmtp))]) {
             if ($DatasetObject.Change -eq 'Deleted') {
-                Write-Host ("    Deleted: $($DatasetObject.'Trustee Primary SMTP') no longer has the '$($DatasetObject.'Permission')' right" + $(if ($DatasetObject.'Folder') { " on folder '$($DatasetObject.'Folder')'" }))
+                Write-Host ("    Deleted: '$($DatasetObject.'Trustee Original Identity')' (E-Mail '$($DatasetObject.'Trustee Primary SMTP')') no longer has the '$($DatasetObject.'Permission')' right" + $(if ($DatasetObject.'Folder') { " on folder '$($DatasetObject.'Folder')'" }))
             } elseif ($DatasetObject.change -eq 'New') {
-                Write-Host ("    New: $($DatasetObject.'Trustee Primary SMTP') now has the '$($DatasetObject.'Permission')' right" + $(if ($DatasetObject.'Folder') { " on folder '$($DatasetObject.'Folder')'" }))
+                Write-Host ("    New: '$($DatasetObject.'Trustee Original Identity')' (E-Mail '$($DatasetObject.'Trustee Primary SMTP')) now has the '$($DatasetObject.'Permission')' right" + $(if ($DatasetObject.'Folder') { " on folder '$($DatasetObject.'Folder')'" }))
             } else {
-                Write-Host ("    Unchanged: $($DatasetObject.'Trustee Primary SMTP') still has the '$($DatasetObject.'Permission')' right" + $(if ($DatasetObject.'Folder') { " on folder '$($DatasetObject.'Folder')'" }))
+                Write-Host ("    Unchanged: '$($DatasetObject.'Trustee Original Identity')' (E-Mail '$($DatasetObject.'Trustee Primary SMTP')') still has the '$($DatasetObject.'Permission')' right" + $(if ($DatasetObject.'Folder') { " on folder '$($DatasetObject.'Folder')'" }))
             }
         }
     }
@@ -115,4 +114,4 @@ if ($ChangeFile) {
 
 
 Write-Host
-Write-Host "End script @$(Get-Date -Format 'yyyy-MM-ddTHH:mm:sszzz')@"
+Write-Host "End script @$(Get-Date -Format 'yyyy-MM-ddTHH:mm:sszzz')@"

-Original file line number
+Diff line change
           fetch-depth: 0
       - name: Install GitVersion
 -        uses: gittools/actions/gitversion/[email protected].14
 +        uses: gittools/actions/gitversion/[email protected].15
         with:
           versionSpec: "5.x"
       - name: Determine SemVer
 -        uses: gittools/actions/gitversion/[email protected].14
 +        uses: gittools/actions/gitversion/[email protected].15
         with:
           additionalArguments: '/overrideconfig major-version-bump-message="^(build|chore|ci|docs|feat|fix|perf|refactor|revert|style|test)(\\([\\w\\s]*\\))?(!:|:.*\\n\\n((.+\\n)+\\n)?BREAKING CHANGE:\\s.+)" /overrideconfig minor-version-bump-message="^(feat)(\\([\\w\\s]*\\))?:" /overrideconfig patch-version-bump-message="^(build|chore|ci|docs|fix|perf|refactor|revert|style|test)(\\([\\w\\s]*\\))?:"'
Original file line number	Diff line number	Diff line change
`@@ -58,7 +58,7 @@ function main {`
`58`	`58`	`$tempFileContent = $tempFileContent -replace 'XXXRemoveWhenBuildingXXX-->', ''`
`59`	`59`	`$tempFileContent \| Set-Content $($_[0])`
`60`	`60`	`# convert to HTML`
`61`		`- & pandoc.exe $($_[0]) --resource-path=".;docs" -f gfm -t html --self-contained -H .\build\pandoc_header.html --css .\build\pandoc_css_empty.css --metadata pagetitle="$(([System.IO.FileInfo]"$($_[0])").basename) - $(($env:GITHUB_REPOSITORY -split '/')[1])" -o $($_[1])`
	`61`	`+ & pandoc.exe $($_[0]) --resource-path=".;docs" -f gfm -t html --embed-resources --standalone -H .\build\pandoc_header.html --css .\build\pandoc_css_empty.css --metadata pagetitle="$(([System.IO.FileInfo]"$($_[0])").basename) - $(($env:GITHUB_REPOSITORY -split '/')[1])" -o $($_[1])`
`62`	`62`	`}`
`63`	`63`
`64`	`64`