Add 12 AI-generated PowerShell scripts with documentation

⚠️ IMPORTANT: These scripts are AI-GENERATED and UNTESTED

Exchange Scripts (5):
- Get-MailboxPermissions.ps1: Audit delegate access permissions
- Get-InactiveMailboxes.ps1: Identify stale mailboxes
- Compare-MailboxDatabases.ps1: Database health comparison
- Export-DistributionGroups.ps1: Distribution group inventory
- Get-MailflowStats.ps1: Transport log analysis

Active Directory Scripts (3):
- Get-ADUserLastLogon.ps1: True LastLogon across all DCs
- Export-OUStructure.ps1: OU hierarchy with GPO links
- Compare-ADGroupMemberships.ps1: Compare user group memberships

System Maintenance Scripts (4):
- Get-ServerInventory.ps1: Hardware/software inventory report
- Monitor-DiskSpace.ps1: Disk space monitoring with alerts
- Backup-ExchangeCertificates.ps1: Certificate backup to PFX
- Test-ExchangeHealth.ps1: Aggregated Exchange health checks

Documentation:
- Updated CLAUDE.md with AI-generated scripts section
- Added AI-GENERATED-SCRIPTS.md with warnings and testing guide

All scripts include prominent warnings and follow established patterns
from existing scripts. Require thorough testing before production use.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Exchange/Get-MailboxPermissions.ps1

@@ -0,0 +1,173 @@
+<#
+.SYNOPSIS
+  Audit mailbox delegate access permissions across Exchange environment
+
+.DESCRIPTION
+  Reports on SendAs, SendOnBehalf, and FullAccess permissions for all mailboxes.
+  Useful for security audits, compliance reviews, and migration planning.
+
+.PARAMETER OutputFolder
+  Destination folder for CSV reports. Default: .\MailboxPermissions-<date>
+
+.PARAMETER MailboxFilter
+  Optional filter for specific mailboxes. Default: all on-premises mailboxes
+
+.PARAMETER IncludeInherited
+  Include inherited permissions in the report (default: $false)
+
+.NOTES
+  ⚠️  AI-GENERATED SCRIPT - UNTESTED
+  This script was generated by Claude AI and has not been tested in production.
+  Review and test thoroughly in a non-production environment before use.
+
+  - Run in Exchange Management Shell with appropriate RBAC permissions
+  - Can take significant time with large mailbox counts
+  - Tested compatibility: Exchange 2013/2016/2019 (not validated)
+
+.EXAMPLE
+  .\Get-MailboxPermissions.ps1
+
+.EXAMPLE
+  .\Get-MailboxPermissions.ps1 -OutputFolder "D:\Reports\Permissions" -IncludeInherited $true
+#>
+
+[CmdletBinding()]
+param(
+    [string]$OutputFolder = (Join-Path -Path (Get-Location) -ChildPath ("MailboxPermissions-" + (Get-Date -Format "yyyyMMdd-HHmm"))),
+    [string]$MailboxFilter = "*",
+    [bool]$IncludeInherited = $false
+)
+
+function NowTag { (Get-Date).ToString("yyyy-MM-dd HH:mm:ss") }
+
+Write-Host "[$(NowTag)] ⚠️  AI-GENERATED SCRIPT - UNTESTED" -ForegroundColor Yellow
+Write-Host "[$(NowTag)] Starting mailbox permissions audit..." -ForegroundColor Green
+
+# Create output folder
+New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null
+
+# Get all on-premises mailboxes
+Write-Host "[$(NowTag)] Retrieving mailboxes..."
+$mailboxes = Get-Mailbox -Filter $MailboxFilter -ResultSize Unlimited -ErrorAction SilentlyContinue |
+    Where-Object { $_.RecipientTypeDetails -notmatch "^Remote" -and $_.Database }
+
+$mbCount = ($mailboxes | Measure-Object).Count
+Write-Host "[$(NowTag)] Found $mbCount mailboxes to audit"
+
+# Collections
+$fullAccessPerms = @()
+$sendAsPerms = @()
+$sendOnBehalfPerms = @()
+
+$current = 0
+foreach ($mb in $mailboxes) {
+    $current++
+    $pct = [int](($current / $mbCount) * 100)
+    Write-Progress -Activity "Auditing Mailbox Permissions" -Status "Processing $($mb.DisplayName) ($current/$mbCount)" -PercentComplete $pct
+
+    # FullAccess permissions
+    try {
+        $fullAccess = Get-MailboxPermission -Identity $mb.Identity -ErrorAction SilentlyContinue |
+            Where-Object {
+                $_.User -notlike "NT AUTHORITY\*" -and
+                $_.User -notlike "S-1-5-*" -and
+                $_.AccessRights -like "*FullAccess*" -and
+                ($IncludeInherited -or -not $_.IsInherited)
+            }
+
+        foreach ($perm in $fullAccess) {
+            $fullAccessPerms += [PSCustomObject]@{
+                Mailbox           = $mb.DisplayName
+                PrimarySmtpAddress = $mb.PrimarySmtpAddress
+                User              = $perm.User
+                AccessRights      = ($perm.AccessRights -join ", ")
+                IsInherited       = $perm.IsInherited
+                Deny              = $perm.Deny
+            }
+        }
+    } catch {
+        Write-Host "[$(NowTag)] ERROR getting FullAccess for $($mb.DisplayName): $_" -ForegroundColor Red
+    }
+
+    # SendAs permissions
+    try {
+        $sendAs = Get-ADPermission -Identity $mb.DistinguishedName -ErrorAction SilentlyContinue |
+            Where-Object {
+                $_.ExtendedRights -like "*Send-As*" -and
+                $_.User -notlike "NT AUTHORITY\*" -and
+                $_.User -notlike "S-1-5-*" -and
+                ($IncludeInherited -or -not $_.IsInherited)
+            }
+
+        foreach ($perm in $sendAs) {
+            $sendAsPerms += [PSCustomObject]@{
+                Mailbox           = $mb.DisplayName
+                PrimarySmtpAddress = $mb.PrimarySmtpAddress
+                User              = $perm.User
+                IsInherited       = $perm.IsInherited
+                Deny              = $perm.Deny
+            }
+        }
+    } catch {
+        Write-Host "[$(NowTag)] ERROR getting SendAs for $($mb.DisplayName): $_" -ForegroundColor Red
+    }
+
+    # SendOnBehalf permissions
+    if ($mb.GrantSendOnBehalfTo -and $mb.GrantSendOnBehalfTo.Count -gt 0) {
+        foreach ($user in $mb.GrantSendOnBehalfTo) {
+            $sendOnBehalfPerms += [PSCustomObject]@{
+                Mailbox           = $mb.DisplayName
+                PrimarySmtpAddress = $mb.PrimarySmtpAddress
+                User              = $user
+            }
+        }
+    }
+}
+
+Write-Progress -Activity "Auditing Mailbox Permissions" -Completed
+
+# Export results
+Write-Host "[$(NowTag)] Exporting results..."
+
+$fullAccessFile = Join-Path $OutputFolder "FullAccess-Permissions.csv"
+$sendAsFile = Join-Path $OutputFolder "SendAs-Permissions.csv"
+$sendOnBehalfFile = Join-Path $OutputFolder "SendOnBehalf-Permissions.csv"
+$summaryFile = Join-Path $OutputFolder "Permissions-Summary.txt"
+
+if ($fullAccessPerms.Count -gt 0) {
+    $fullAccessPerms | Export-Csv -NoTypeInformation -Encoding UTF8 -Path $fullAccessFile
+    Write-Host "[$(NowTag)] FullAccess permissions: $fullAccessFile"
+} else {
+    Write-Host "[$(NowTag)] No FullAccess permissions found"
+}
+
+if ($sendAsPerms.Count -gt 0) {
+    $sendAsPerms | Export-Csv -NoTypeInformation -Encoding UTF8 -Path $sendAsFile
+    Write-Host "[$(NowTag)] SendAs permissions: $sendAsFile"
+} else {
+    Write-Host "[$(NowTag)] No SendAs permissions found"
+}
+
+if ($sendOnBehalfPerms.Count -gt 0) {
+    $sendOnBehalfPerms | Export-Csv -NoTypeInformation -Encoding UTF8 -Path $sendOnBehalfFile
+    Write-Host "[$(NowTag)] SendOnBehalf permissions: $sendOnBehalfFile"
+} else {
+    Write-Host "[$(NowTag)] No SendOnBehalf permissions found"
+}
+
+# Summary
+$summary = @"
+Mailbox Permissions Audit Summary
+Generated: $(Get-Date)
+
+Mailboxes Audited: $mbCount
+FullAccess Permissions: $($fullAccessPerms.Count)
+SendAs Permissions: $($sendAsPerms.Count)
+SendOnBehalf Permissions: $($sendOnBehalfPerms.Count)
+
+Output Folder: $OutputFolder
+"@
+
+$summary | Out-File -FilePath $summaryFile -Encoding UTF8
+Write-Host "`n$summary"
+Write-Host "[$(NowTag)] Audit complete!" -ForegroundColor Green