@apapiccio
Last active September 25, 2017 08:24
Update ManagedBy Attribute for Distribution Groups
<#
.NOTES
===========================================================================
Created on: 22/09/2017 10:58 AM
Created by: papicc0a
Organization: RAC of WA
Filename: Update-DGPermissions.ps1
===========================================================================
.DESCRIPTION
This script updates the ManagedBy attribute (the "Owners" field) on Distribution Groups. Exchange 2007 only allowed a single
value in the ManagedBy attribute, set through ADUC.
Exchange 2013+ allows multiple values, and the attribute is managed through Exchange (under its RBAC model) rather than through ADUC.
Exchange 2013+ expects individual users to be listed as owners rather than a Universal Security Group being granted the right to
manage a Distribution Group, so this script expands any group owners into their member users.
.SYNOPSIS
This script does the following:
- Reads the current values of the ManagedBy attribute into an array
- Loops through the array and checks whether each object has an ObjectClass of "Group"
--> If it is a group, it gets the members of the group (recursively, in case there are nested groups) and places them into an array
--> It then checks that the users from the group have not also been added as explicit owners
--> It then places the Distinguished Names into a new Managers array
--> Lastly it pipes the unique values (a user may be a member of several nested groups) into a final list before setting the new owners
- If the object class is not a group (i.e. a user), it adds the existing user to a separate array which is used to re-add them once the DL has been modified.
The reason for this approach was errors when attempting to remove legacy groups using set-distributiongroup -managedby @{remove="groupname"}
.NOTES
WISHLIST
- Create some parameters to replace the Read-Host
- Add functionality to do all Distribution Groups as well as individual ones
- Add reporting
#>
Import-Module ActiveDirectory
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
[console]::ForegroundColor = "Green"
[console]::BackgroundColor = "black"
# -Anr is ambiguous name resolution: a loose string can match more groups than intended,
# and every match below is rewritten, so check the string against Get-DistributionGroup -Anr first.
$DLExpr = Read-Host "Enter the string of the groups you want updated"
$DLList = Get-DistributionGroup -ResultSize unlimited -Anr $DLExpr
foreach ($DL in $DLList) {
    # Reset both lists for every group. Declared once outside the loop they would carry
    # the owners of each earlier group into every later one.
    $NewOwnersList = New-Object System.Collections.ArrayList
    $ExistingUser = New-Object System.Collections.ArrayList
    $DLName = $DL.Name
    $OwnerList = @($DL.ManagedBy)
    # ManagedBy holds ADObjectId objects, so compare on the DN string rather than the object
    $OwnerDNs = @($OwnerList | ForEach-Object { $_.DistinguishedName })
    # Identify whether each ManagedBy entry is a security group or a user
    foreach ($Owner in $OwnerList) {
        $OwnerDN = $Owner.DistinguishedName
        $OwnerObjInfo = Get-ADObject -Identity $OwnerDN
        if ($OwnerObjInfo.ObjectClass -eq "group") {
            # -Recursive flattens nested groups and returns only leaf objects; keep users only,
            # since computers and contacts are not valid owners. ADWS refuses this call for
            # groups with more than 5000 members unless MaxGroupOrMemberEntries is raised.
            $UserList = Get-ADGroupMember -Identity $OwnerDN -Recursive |
                Where-Object { $_.objectClass -eq "user" }
            foreach ($user in $UserList) {
                # Skip members who are already explicitly named owners
                if ($OwnerDNs -notcontains $user.DistinguishedName) {
                    [void]$NewOwnersList.Add($user.DistinguishedName)
                }
            }
        }
        else {
            [void]$ExistingUser.Add($OwnerDN)
        }
    }
    # A user who is a member of several nested groups appears once
    $FinalList = $NewOwnersList | Select-Object -Unique
    # This replaces the whole owner list, which is what removes the legacy groups. The explicit
    # owners are gone until the loop below re-adds them, so do not interrupt the script here.
    Set-DistributionGroup -BypassSecurityGroupManagerCheck -ManagedBy $FinalList -Identity $DLName
    # Add back the existing explicit owners
    foreach ($Exuser in $ExistingUser) {
        Set-DistributionGroup -Identity $DLName -BypassSecurityGroupManagerCheck -ManagedBy @{Add = $Exuser}
    }
}
Write-Host "##########################################"
Write-Host "## Groups Updated ##"
Write-Host "##########################################"
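A preview/apply variant of the same procedure, added here as an example and not part of the gist: it takes exact group identities instead of an -Anr search string, keeps only user objects from the expanded groups, reports what would change, and writes the complete owner list in a single Set-DistributionGroup call so the explicit owners are never cleared and re-added. It assumes the ActiveDirectory module and the Exchange snap-in are already loaded as in the script above; the function name Expand-DGOwnerGroups and the report's property names are illustrative choices, not anything Exchange or the gist defines.

```powershell
# Added example, not the gist's code. Assumes Import-Module ActiveDirectory and the
# Exchange management snap-in have been loaded. Expand-DGOwnerGroups is a made-up name.
function Expand-DGOwnerGroups {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Exact identities (Name, Alias, DN or GUID) rather than an -Anr string, so a loose
        # search string cannot pull in groups the operator did not mean to change.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [string[]]$Identity
    )
    process {
        foreach ($id in $Identity) {
            $DL = Get-DistributionGroup -Identity $id -ErrorAction Stop
            $currentDNs    = @(@($DL.ManagedBy) | ForEach-Object { $_.DistinguishedName })
            $explicitUsers = New-Object System.Collections.Generic.List[string]
            $fromGroups    = New-Object System.Collections.Generic.List[string]
            $skipped       = New-Object System.Collections.Generic.List[string]

            foreach ($ownerDN in $currentDNs) {
                $ownerObj = Get-ADObject -Identity $ownerDN -ErrorAction Stop
                if ($ownerObj.ObjectClass -eq 'group') {
                    # Flatten nested groups. Only user objects become owners; computers,
                    # contacts and anything else are recorded so the report shows them.
                    foreach ($m in @(Get-ADGroupMember -Identity $ownerDN -Recursive -ErrorAction Stop)) {
                        if ($m.objectClass -eq 'user') { $fromGroups.Add($m.DistinguishedName) }
                        else                           { $skipped.Add($m.DistinguishedName) }
                    }
                }
                else {
                    $explicitUsers.Add($ownerDN)
                }
            }

            # Explicit owners first, then group-derived users, deduplicated once.
            $explicitArr = $explicitUsers.ToArray()
            $final   = @($explicitArr + $fromGroups.ToArray() | Select-Object -Unique)
            $added   = @($final | Where-Object { $explicitArr -notcontains $_ })
            $removed = @($currentDNs | Where-Object { $final -notcontains $_ })

            $report = [pscustomobject]@{
                Group           = $DL.Name
                ExplicitUsers   = $explicitArr
                AddedFromGroups = $added
                RemovedEntries  = $removed
                SkippedNonUsers = $skipped.ToArray()
                FinalOwners     = $final
            }

            if ($removed.Count -eq 0 -and $added.Count -eq 0) {
                Write-Verbose "$($DL.Name): no group owners to expand, left unchanged"
            }
            elseif ($PSCmdlet.ShouldProcess($DL.Name, "Replace ManagedBy with $($final.Count) user(s)")) {
                # One write of the complete list: the legacy groups drop out and the explicit
                # owners stay in place, with no window in which they have been cleared.
                # An empty list is passed as $null, which is how the parameter is cleared.
                $newValue = if ($final.Count -gt 0) { $final } else { $null }
                Set-DistributionGroup -Identity $DL.DistinguishedName -BypassSecurityGroupManagerCheck `
                    -ManagedBy $newValue -ErrorAction Stop
            }
            $report
        }
    }
}

# Preview: prints a "What if:" line per group and emits the report objects without changing anything.
# Get-DistributionGroup -Anr "Finance" | Expand-DGOwnerGroups -WhatIf | Format-List
# Apply with a per-group prompt:
# Expand-DGOwnerGroups -Identity "Finance Team" -Confirm
```

Run the -WhatIf form first and read the RemovedEntries and SkippedNonUsers columns: the first shows exactly which legacy group entries will drop out of ManagedBy, the second shows members that were silently not promoted to owners. Because the function only ever issues one Set-DistributionGroup per group, an interrupted run leaves each group either fully updated or untouched.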