In “HOW TO: Grant Full Mailbox Access permission“, we saw how to assign and view mailbox permissions, including Full Access. Here’s how you can get a list of mailboxes with explicitly-assigned (i.e. not inherited) Full Access permissions.
You can specify a single mailbox and retrieve the permissions assigned on it by using the Get-MailboxPermission cmdlet. Alternatively, you can use the Get-Mailbox cmdlet to retrieve all or a subset of mailboxes, and then pipe the results to the Get-MailboxPermission cmdlet. Instead of running this against all mailboxes in the Organization, it makes sense to filter it against a sub-set of mailboxes.
Filtering mailboxes returned by Get-Mailbox
Mailboxes returned by the Get-Mailbox command can be filtered using -Server, -Database, -RecipientTypeDetails, and -OrganizationalUnit parameters. You can also use the -Filter parameter and specify an OPATH filter, which allows you to granularly filter the mailboxes that are returned by the Get-Mailbox cmdlet, based on a number of filterable properties.
In this example, we use the -Server parameter to filter mailboxes on a particular server, and pipe it to the Get-MailboxPermission command:
Get-Mailbox -Server “e12postcard” | Get-MailboxPermission
This produces a long list of permissions – inherited and assigned explicitly to the mailbox(es).
Let’s filter the above to reveal only the explicitly assigned permissions:
Get-Mailbox -Server “e12postcard” | Get-MailboxPermission | where { $_.IsInherited -eq $false }
The output shows all explicitly-assigned permissions, including the permissions assigned to the mailbox owner (NT AUTHORITY\SELF). Not quite what we want! Let’s filter out permissions assigned to the mailbox owner:
Get-Mailbox -Server “e12postcard” | Get-MailboxPermission | where { ($_.IsInherited -eq $false) -and -not ($_.User -like “NT AUTHORITY\SELF”) }
Now we have a list of all mailboxes with explicitly assigned permissions.
We can filter this further to list only the ones that have Full Access permission assigned:
Get-Mailbox -Server “e12postcard” | Get-MailboxPermission | where { ($_.AccessRights -eq “FullAccess”) -and ($_.IsInherited -eq $false) -and -not ($_.User -like “NT AUTHORITY\SELF”) }
Similarly, you can filter users that have other mailbox permissions assigned:
- SendAs
- DeleteItem
- ReadPermission
- ChangePermission
- ChangeOwner
- ExternalAccount
List users with SendAs permission assigned
The following code lists mailboxes with the SendAs permission assigned. Unlike the mailbox permission, is an Active Directory permission. Use the Get-ADPermssion cmdlet to retrieve Active Directory Permisions.
Get-Mailbox -ResultSize unlimited | Get-ADPermission | Where {$_.ExtendedRights -like “Send-As” -and $_.User -notlike “NT AUTHORIT\SELF” -and $_.Deny -eq $false} | ft Identity,User,IsInherited -AutoSize
{ 29 comments… read them below or add one }
Nice job on this report. Keep em coming! The power of the EMS is very cool.
Scott B
Thanks!
FYI – I had to do a | format-list at the end of the command to get anyting readable. (I have a long domain name any “almost always” the default format “sucks” for me.
SendAs is not a permission on the mailbox so you cannot filter it
It is a mailbox permission/”AccessRight”, that can be assigned using Add-MailboxPermission, and viewed using Get-MailboxPermission.
Also look at HOW TO: Assign SendAs right using Exchange shell.
How would you revoke such rights through the shell?
Can be revoked using Remove-MailboxPermission.
how would you search for a particular user who has full manager rights?
I love this blog! Great info
Thanks for the tutorial Bharat
Found your post whilst searching on Google
This might sound silly but how do you expand the EMS window? I've used the commands recommended in the tutorial with great success (Thank you, by the way.) But the window is so small that I can't read all the information presented. If I click the maximize button in the corner of the window, it just makes the window taller & I need it to be wider. I've tried to drag the side of the window to make it wider & that didn't work either. I feel pretty stupid even asking but the things that I know to maximize the window aren't working.
Anyone have any thoughts?
Hi guys, to maximise the window, create a shortcut on your desktop to EMS, then right click it and select properties and layout.
I have a couple of challenges for someone feeling brave…
I need to list all the mailboxes a particular user has full access permissions to and export it to a CSV using export-csv.
I also need to be able to list all the mailboxes showing who has full access to it. Again this will need to be presented in a CSV file.
Any ideas?
That last command is wrong. The command is Get-ADPermission. Singular.
Can we geta list of all the mailboxes that a specific user has access to( Like Full Access or Send as). for example : need to check all mailboxes in the environment and ask “does user X have access on this mailbox” … and then you will get a complete list.. Bharat can you able to find a query for this. Thanks in Advance Jobin
Hi, Microsoft now.
Did you find a way to get a list of all the mailboxes user X has full access to?
Best regards Monica
How about mailboxes on Exchange 2003 – how do you find who has access to multiple mailboxes explicitly?
same question, did you ever figure this out?
Can we get a list of all the mailboxes that a specific user has access to( Like Full Access or Send as). for example : need to check all mailboxes in the environment and ask “does user X have access on this mailbox” … and then you will get a complete list..
Thanks! That’s just what I was looking for.
@Microsoft now :
For full access permissions, use the same command but add :
-and ($_.User -like “DomainUsername”)
Like this :
Get-Mailbox -Server “e12postcard” | Get-MailboxPermission | where { ($_.AccessRights -eq “FullAccess”) -and ($_.IsInherited -eq $false) -and ($_.User -like “DomainUsername”) -and -not ($_.User -like “NT AUTHORITYSELF”) } |format-list
This will list all mailboxe that user X ( specified in -and ($_.User -like “DomainUsername”) ) as full access on.
Using : |format-list at the end of the command helps…
Didn’t try for the “send as” rights but my guess is it should be the same ;)
typo in last message :
forgot a “” between AUTHOROTY and SELF.
Command should read :
Get-Mailbox -Server “e12postcard” | Get-MailboxPermission | where { ($_.AccessRights -eq “FullAccess”) -and ($_.IsInherited -eq $false) -and ($_.User -like “DomainUsername”) -and -not ($_.User -like “NT AUTHORITYSELF”) } |format-list
Does anyone know how to do this on exchange 2003?
Hi Vincent,
I would realy like to run jthis command but when I execute it nothing happens. It does appear to be thinking for a while, but I get no results. All I have changed in your command is the server and domain username. Is this correct? Any idea what might be going wrong?
The Identity field contains long strings because it includes the full directory path to the mailbox user, so it may get truncated on your screen. In that case you could export the output to CSV file.
Hi Suneja,
Thank you for the tips! Really saved a lot of my time!
Cheers!
-aneesh-
Hi team,
My company has a lot of exchange servers. Therefore for my site it is very tricky to get list of list of mailboxes with the list of users which have access to them.
I want to import a list of mailboxes, and due to this list it will give me the list of accesses.
Get-MailboxPermission -Import-Csv c:\temp\MBX.csv |where { ($_.IsInherited -eq $false) -and -not ($_.User -like “NT AUTHORITY\SELF”) } |Select Identity, user, AccessRights | Export-Csv c:\temp\test111.csv
I am doing something, somewhere is a mistake, maybe somebody can take a look on it.
Hello
I have a request where a user has rebuild the machine and forgot how many mailboxes she had access to. Is there a shell command to find how many mailboxes she has access to. And this not just full access, I need to find even delegate access rights.
Thanks,
Mrugesh
Although you can list mailbox permissions as shown in this post and list folder permissions using Get-MailboxFolderPermission cmdlet, you may want to ask the user what she really *needs* access to? If users don’t remember what they have access to, it’s a good indicator that they probably don’t need access. :)
Thanks Bharat!
I thought the same and tried to bypass her but she is persistent on knowing the answer and that is the reason I came here.
I had tried the Get-MailboxFolderPermission cmdlet but I get this error message:
“There is no existing permission entry found for user: .
+ CategoryInfo : NotSpecified: (1442:Int32) [Get-MailboxFolderPermission], UserNotFoundInPermissionEntryE
xception
+ FullyQualifiedErrorId : 427FC71C,Microsoft.Exchange.Management.StoreTasks.GetMailboxFolderPermission ”
Can you help??
Hi Bharat,
I’m facing some strange issue, If I granted induvidully full access on any mailbox its working fine for me but if I granted full access via any group its doesn’t work. However I tested with lots of scenerio but no Luck.
can you help me pls ?
Regards.
Sukhdev