In “HOW TO: Grant Full Mailbox Access permission”, we saw how to assign and view mailbox permissions, including Full Access. Here’s how you can get a list of mailboxes with explicitly-assigned (i.e. not inherited) Full Access permissions.
You can specify a single mailbox and retrieve the permissions assigned on it by using the Get-MailboxPermission cmdlet. Alternatively, you can use the Get-Mailbox cmdlet to retrieve all or a subset of mailboxes, and then pipe the results to the Get-MailboxPermission cmdlet. Instead of running this against all mailboxes in the Organization, it makes sense to filter it against a sub-set of mailboxes.
Filtering mailboxes returned by Get-Mailbox
Mailboxes returned by the Get-Mailbox command can be filtered using -Server, -Database, -RecipientTypeDetails, and -OrganizationalUnit parameters. You can also use the -Filter parameter and specify an OPATH filter, which allows you to granularly filter the mailboxes that are returned by the Get-Mailbox cmdlet, based on a number of filterable properties.
In this example, we use the -Server parameter to filter mailboxes on a particular server, and pipe it to the Get-MailboxPermission command:
Get-Mailbox -Server "e12postcard" | Get-MailboxPermission
This produces a long list of permissions – inherited and assigned explicitly to the mailbox(es).
Let’s filter the above to reveal only the explicitly assigned permissions:
Get-Mailbox -Server "e12postcard" | Get-MailboxPermission | where { $_.IsInherited -eq $false }
The output shows all explicitly-assigned permissions, including the permissions assigned to the mailbox owner (NT AUTHORITY\SELF). Not quite what we want! Let’s filter out permissions assigned to the mailbox owner:
Get-Mailbox -Server "e12postcard" | Get-MailboxPermission | where { ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") }
Now we have a list of all mailboxes with explicitly assigned permissions.
We can filter this further to list only the ones that have Full Access permission assigned:
Get-Mailbox -Server "e12postcard" | Get-MailboxPermission | where { ($_.AccessRights -eq "FullAccess") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") }
Similarly, you can filter users that have other mailbox permissions assigned:
- SendAs
- DeleteItem
- ReadPermission
- ChangePermission
- ChangeOwner
- ExternalAccount
List users with SendAs permission assigned
The following code lists mailboxes with the SendAs permission assigned. Unlike the mailbox permission, SendAs is an Active Directory permission. Use the Get-ADPermission cmdlet to retrieve Active Directory permissions.
Get-Mailbox -ResultSize unlimited | Get-ADPermission | Where {$_.ExtendedRights -like "Send-As" -and $_.User -notlike "NT AUTHORITY\SELF" -and $_.Deny -eq $false} | ft Identity,User,IsInherited -AutoSize
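An added example, not code from the original post: the Full Access and Send-As queries above combined into one report of explicit grants, exported to CSV and summarised per trustee so that accounts holding rights on many mailboxes stand out. It assumes the Exchange Management Shell; the $Trustee pattern, the EXAMPLE\jdoe account and the output path are placeholders.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# $Server, $Trustee and $OutFile are assumed values; change them for your environment.
$Server  = "e12postcard"                 # server name used in the article
$Trustee = "*"                           # "*" = every trustee, or e.g. "EXAMPLE\jdoe" (constructed)
$OutFile = "C:\Temp\MailboxGrants.csv"   # assumed output path

$mailboxes = Get-Mailbox -Server $Server -ResultSize Unlimited

# Mailbox permission: explicit, allow-type FullAccess entries, mailbox owner excluded.
# @( ... ) guarantees an array even when nothing matches.
$fullAccess = @( $mailboxes | Get-MailboxPermission | Where-Object {
    ($_.AccessRights -eq "FullAccess") -and
    ($_.IsInherited -eq $false) -and
    ($_.Deny -eq $false) -and
    ($_.User -notlike "NT AUTHORITY\SELF") -and
    ($_.User -like $Trustee)
} | Select-Object @{Name = "Mailbox"; Expression = { $_.Identity.ToString() }},
                  @{Name = "Trustee"; Expression = { $_.User.ToString() }},
                  @{Name = "Right";   Expression = { "FullAccess" }} )

# Active Directory permission: explicit Send-As extended right, same exclusions.
$sendAs = @( $mailboxes | Get-ADPermission | Where-Object {
    ($_.ExtendedRights -like "Send-As") -and
    ($_.IsInherited -eq $false) -and
    ($_.Deny -eq $false) -and
    ($_.User -notlike "NT AUTHORITY\SELF") -and
    ($_.User -like $Trustee)
} | Select-Object @{Name = "Mailbox"; Expression = { $_.Identity.ToString() }},
                  @{Name = "Trustee"; Expression = { $_.User.ToString() }},
                  @{Name = "Right";   Expression = { "Send-As" }} )

# One row per grant, written to CSV for review or comparison with an earlier run.
$report = $fullAccess + $sendAs
$report | Sort-Object Trustee, Mailbox | Export-Csv -Path $OutFile -NoTypeInformation

# Trustees with grants on the most mailboxes first.
$report | Group-Object Trustee | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Setting $Trustee to a single account limits both queries to the mailboxes that account has been granted rights on.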

{ 22 comments }
Nice job on this report. Keep em coming! The power of the EMS is very cool.
Scott B
Thanks!
FYI – I had to do a | format-list at the end of the command to get anything readable. (I have a long domain name and “almost always” the default format “sucks” for me.)
SendAs is not a permission on the mailbox so you cannot filter it
It is a mailbox permission/“AccessRight” that can be assigned using Add-MailboxPermission, and viewed using Get-MailboxPermission.
Also look at HOW TO: Assign SendAs right using Exchange shell.
How would you revoke such rights through the shell?
Can be revoked using Remove-MailboxPermission.
How would you search for a particular user who has full manager rights?
I love this blog! Great info
Thanks for the tutorial Bharat
Found your post whilst searching on Google
This might sound silly but how do you expand the EMS window? I've used the commands recommended in the tutorial with great success (Thank you, by the way.) But the window is so small that I can't read all the information presented. If I click the maximize button in the corner of the window, it just makes the window taller & I need it to be wider. I've tried to drag the side of the window to make it wider & that didn't work either. I feel pretty stupid even asking but the things that I know to maximize the window aren't working.
Anyone have any thoughts?
Hi guys, to maximise the window, create a shortcut on your desktop to EMS, then right click it and select properties and layout.
I have a couple of challenges for someone feeling brave…
I need to list all the mailboxes a particular user has full access permissions to and export it to a CSV using export-csv.
I also need to be able to list all the mailboxes showing who has full access to it. Again this will need to be presented in a CSV file.
Any ideas?
That last command is wrong. The command is Get-ADPermission. Singular.
Can we get a list of all the mailboxes that a specific user has access to (like Full Access or Send As)? For example: need to check all mailboxes in the environment and ask “does user X have access on this mailbox” … and then you will get a complete list. Bharat, are you able to find a query for this? Thanks in advance, Jobin
Hi, Microsoft now.
Did you find a way to get a list of all the mailboxes user X has full access to?
Best regards Monica
How about mailboxes on Exchange 2003 – how do you find who has access to multiple mailboxes explicitly?
Same question, did you ever figure this out?
Can we get a list of all the mailboxes that a specific user has access to (like Full Access or Send As)? For example: need to check all mailboxes in the environment and ask “does user X have access on this mailbox” … and then you will get a complete list.
Thanks! That’s just what I was looking for.
@Microsoft now :
For full access permissions, use the same command but add :
-and ($_.User -like "DomainUsername")
Like this :
Get-Mailbox -Server "e12postcard" | Get-MailboxPermission | where { ($_.AccessRights -eq "FullAccess") -and ($_.IsInherited -eq $false) -and ($_.User -like "DomainUsername") -and -not ($_.User -like "NT AUTHORITYSELF") } | format-list
This will list all mailboxes that user X (specified in -and ($_.User -like "DomainUsername")) has full access on.
Using : |format-list at the end of the command helps…
Didn’t try for the “send as” rights but my guess is it should be the same ;)
Typo in last message:
forgot a “\” between AUTHORITY and SELF.
Command should read:
Get-Mailbox -Server "e12postcard" | Get-MailboxPermission | where { ($_.AccessRights -eq "FullAccess") -and ($_.IsInherited -eq $false) -and ($_.User -like "DomainUsername") -and -not ($_.User -like "NT AUTHORITY\SELF") } | format-list
Does anyone know how to do this on exchange 2003?
Hi Vincent,
I would really like to run this command but when I execute it nothing happens. It does appear to be thinking for a while, but I get no results. All I have changed in your command is the server and domain username. Is this correct? Any idea what might be going wrong?