List mailboxes with Full Mailbox Access permission assigned

by Bharat Suneja

In “HOW TO: Grant Full Mailbox Access permission”, we saw how to assign and view mailbox permissions, including Full Access. Here’s how you can get a list of mailboxes with explicitly-assigned (i.e. not inherited) Full Access permissions.

You can specify a single mailbox and retrieve the permissions assigned on it by using the Get-MailboxPermission cmdlet. Alternatively, you can use the Get-Mailbox cmdlet to retrieve all or a subset of mailboxes, and then pipe the results to the Get-MailboxPermission cmdlet. Instead of running this against all mailboxes in the organization, it makes sense to filter it against a subset of mailboxes.

Filtering mailboxes returned by Get-Mailbox

Mailboxes returned by the Get-Mailbox command can be filtered using -Server, -Database, -RecipientTypeDetails, and -OrganizationalUnit parameters. You can also use the -Filter parameter and specify an OPATH filter, which allows you to granularly filter the mailboxes that are returned by the Get-Mailbox cmdlet, based on a number of filterable properties.

In this example, we use the -Server parameter to filter mailboxes on a particular server, and pipe it to the Get-MailboxPermission command:

Get-Mailbox -Server "e12postcard" | Get-MailboxPermission

This produces a long list of permissions – inherited and assigned explicitly to the mailbox(es).

Let’s filter the above to reveal only the explicitly assigned permissions:

Get-Mailbox -Server "e12postcard" | Get-MailboxPermission | where { $_.IsInherited -eq $false }

The output shows all explicitly-assigned permissions, including the permissions assigned to the mailbox owner (NT AUTHORITY\SELF). Not quite what we want! Let’s filter out permissions assigned to the mailbox owner:

Get-Mailbox -Server "e12postcard" | Get-MailboxPermission | where { ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") }

Now we have a list of all mailboxes with explicitly assigned permissions.

We can filter this further to list only the ones that have Full Access permission assigned:

Get-Mailbox -Server "e12postcard" | Get-MailboxPermission | where { ($_.AccessRights -eq "FullAccess") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") }

Similarly, you can filter users that have other mailbox permissions assigned:

  • SendAs
  • DeleteItem
  • ReadPermission
  • ChangePermission
  • ChangeOwner
  • ExternalAccount
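Putting the filters above together, here is an added example (not code from the original post) that wraps them in a reusable function for the Exchange Management Shell. It assumes PowerShell 3.0 or later, the Get-Mailbox and Get-MailboxPermission cmdlets described above, and a placeholder trustee name (CONTOSO\jdoe); the function names and parameters are this example's own. It goes a little beyond the one-liners above: the right is tested against each entry's AccessRights collection, so an entry holding several rights (for example FullAccess together with ReadPermission) is still reported, any of the other rights listed above can be requested with the same function, and the result is emitted as objects that pipe cleanly into Export-Csv or Format-Table.

```powershell
# Added example, not code from the original post.
# Assumes: Exchange Management Shell (or a remote Exchange session) providing
# Get-Mailbox and Get-MailboxPermission; PowerShell 3.0 or later.

# AccessRights is a collection. Depending on the session it surfaces either as
# separate elements ({FullAccess, ReadPermission}) or as one comma-separated
# flags string, so normalise both shapes before testing for the right.
function Test-HasRight {
    param($Rights, [string]$Right)
    $names = @($Rights | ForEach-Object { "$_" -split ',\s*' })
    return ($names -contains $Right)
}

function Get-ExplicitMailboxAccessReport {
    [CmdletBinding()]
    param(
        # A mailbox object (from Get-Mailbox) or a mailbox identity string.
        # A CSV row with an Identity column (from Import-Csv) also works.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Mailbox,

        # Right to report on. FullAccess by default; DeleteItem, ReadPermission,
        # ChangePermission, ChangeOwner or ExternalAccount work the same way.
        [string]$AccessRight = 'FullAccess',

        # Wildcard restricting the trustee, e.g. 'CONTOSO\jdoe' (placeholder name),
        # to answer "which mailboxes can this account open?". '*' means any trustee.
        [string]$UserLike = '*'
    )
    process {
        # Mailbox objects and CSV rows carry an Identity property; strings are used as-is.
        $identity = if ($Mailbox -is [string]) { $Mailbox } else { $Mailbox.Identity }

        Get-MailboxPermission -Identity $identity |
            Where-Object {
                # Explicit grants only: drop inherited entries, Deny entries and the
                # owner's own NT AUTHORITY\SELF entry.
                -not $_.IsInherited -and
                -not $_.Deny -and
                $_.User -notlike 'NT AUTHORITY\SELF' -and
                $_.User -like $UserLike -and
                (Test-HasRight -Rights $_.AccessRights -Right $AccessRight)
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Mailbox      = "$($_.Identity)"
                    User         = "$($_.User)"
                    AccessRights = (@($_.AccessRights | ForEach-Object { "$_" }) -join ', ')
                    IsInherited  = $_.IsInherited
                }
            }
    }
}

# Full Access grants on one server, exported to CSV (the path is a placeholder):
Get-Mailbox -Server 'e12postcard' | Get-ExplicitMailboxAccessReport |
    Export-Csv -Path 'C:\temp\FullAccess.csv' -NoTypeInformation

# Every mailbox a single account can open, across the organization:
Get-Mailbox -ResultSize Unlimited |
    Get-ExplicitMailboxAccessReport -UserLike 'CONTOSO\jdoe' | Format-Table -AutoSize

# Driven from a CSV that has an Identity column (placeholder path):
Import-Csv 'C:\temp\MBX.csv' | Get-ExplicitMailboxAccessReport
```

Because the function emits plain objects with short property names, the long Identity strings no longer get truncated by the default table formatter; use Format-List or Export-Csv when the output is still too wide for the console.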

List users with SendAs permission assigned

The following code lists mailboxes with the SendAs permission assigned. Unlike the FullAccess mailbox permission, SendAs is an Active Directory permission. Use the Get-ADPermission cmdlet to retrieve Active Directory permissions.

Get-Mailbox -ResultSize unlimited | Get-ADPermission | Where {$_.ExtendedRights -like "Send-As" -and $_.User -notlike "NT AUTHORITY\SELF" -and $_.Deny -eq $false} | ft Identity,User,IsInherited -AutoSize
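As an added example (not code from the original post), the same approach applied to the Send-As extended right, built on Get-ADPermission as described above. It assumes PowerShell 3.0 or later and the Exchange Management Shell, and uses a placeholder trustee name and output path; the function name is this example's own. Because Send-As is an AD access control entry, the right is found in ExtendedRights rather than in AccessRights, and each element is cast to a string so the test behaves the same in local and remote sessions.

```powershell
# Added example, not code from the original post.
# Assumes the Exchange Management Shell (Get-ADPermission) and PowerShell 3.0+.
function Get-SendAsReport {
    [CmdletBinding()]
    param(
        # Mailbox object from Get-Mailbox, or a mailbox identity string.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Mailbox,

        # Wildcard restricting the trustee, e.g. 'CONTOSO\jdoe' (placeholder name).
        [string]$UserLike = '*'
    )
    process {
        $identity = if ($Mailbox -is [string]) { $Mailbox } else { $Mailbox.Identity }

        Get-ADPermission -Identity $identity |
            Where-Object {
                # Send-As lives in ExtendedRights (an AD ACE), not in AccessRights
                # as FullAccess does. Non-extended ACEs have no ExtendedRights at
                # all, which the @(...) wrapper turns into an empty list.
                -not $_.IsInherited -and
                -not $_.Deny -and
                $_.User -notlike 'NT AUTHORITY\SELF' -and
                $_.User -like $UserLike -and
                (@($_.ExtendedRights | ForEach-Object { "$_" }) -contains 'Send-As')
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Mailbox        = "$($_.Identity)"
                    User           = "$($_.User)"
                    ExtendedRights = (@($_.ExtendedRights | ForEach-Object { "$_" }) -join ', ')
                    IsInherited    = $_.IsInherited
                }
            }
    }
}

# Usage: all explicit Send-As grants in the organization, to CSV (path is a placeholder).
Get-Mailbox -ResultSize Unlimited | Get-SendAsReport |
    Export-Csv -Path 'C:\temp\SendAs.csv' -NoTypeInformation
```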


Anonymous February 5, 2008 at 9:08 am

Nice job on this report. Keep em coming! The power of the EMS is very cool.

Scott B

Anonymous February 5, 2008 at 9:38 am

Thanks!
FYI – I had to do a | format-list at the end of the command to get anything readable. (I have a long domain name and “almost always” the default format “sucks” for me.)

Anonymous February 14, 2008 at 2:52 am

SendAs is not a permission on the mailbox so you cannot filter it

Bharat Suneja February 14, 2008 at 6:21 am

It is a mailbox permission/”AccessRight”, that can be assigned using Add-MailboxPermission, and viewed using Get-MailboxPermission.

Also look at HOW TO: Assign SendAs right using Exchange shell.

Anonymous February 14, 2008 at 8:31 am

How would you revoke such rights through the shell?

Bharat Suneja February 14, 2008 at 8:34 am

Can be revoked using Remove-MailboxPermission.

totalnet32 February 6, 2009 at 1:21 pm

how would you search for a particular user who has full manager rights?

Anonymous February 13, 2009 at 10:07 am

I love this blog! Great info

zee August 13, 2009 at 12:36 pm

Thanks for the tutorial Bharat

Found your post whilst searching on Google

Anonymous August 25, 2009 at 9:34 am

This might sound silly but how do you expand the EMS window? I've used the commands recommended in the tutorial with great success (Thank you, by the way.) But the window is so small that I can't read all the information presented. If I click the maximize button in the corner of the window, it just makes the window taller & I need it to be wider. I've tried to drag the side of the window to make it wider & that didn't work either. I feel pretty stupid even asking but the things that I know to maximize the window aren't working.
Anyone have any thoughts?

Anonymous January 25, 2010 at 7:11 pm

Hi guys, to maximise the window, create a shortcut on your desktop to EMS, then right click it and select properties and layout.

I have a couple of challenges for someone feeling brave…

I need to list all the mailboxes a particular user has full access permissions to and export it to a CSV using export-csv.

I also need to be able to list all the mailboxes showing who has full access to it. Again this will need to be presented in a CSV file.

Any ideas?

john April 14, 2010 at 11:58 am

That last command is wrong. The command is Get-ADPermission. Singular.

Microsoft now July 26, 2010 at 10:50 am

Can we get a list of all the mailboxes that a specific user has access to (like Full Access or Send As)? For example: need to check all mailboxes in the environment and ask “does user X have access on this mailbox” … and then you will get a complete list. Bharat, are you able to find a query for this? Thanks in advance, Jobin

Monica November 3, 2010 at 5:46 am

Hi, Microsoft now.
Did you find a way to get a list of all the mailboxes user X has full access to?
Best regards Monica

Vinh D August 28, 2014 at 12:36 pm

# See what mailboxes user has permissions to
Get-Mailbox -ResultSize unlimited | Get-MailboxPermission | where { ($_.AccessRights -eq "FullAccess") -and ($_.IsInherited -eq $false) -and ($_.User -like "domain\Username") -and -not ($_.User -like "NT AUTHORITY\SELF") } | format-list

Jody Bull January 6, 2011 at 11:19 am

How about mailboxes on Exchange 2003 – how do you find who has access to multiple mailboxes explicitly?

mike x August 26, 2011 at 10:51 am

same question, did you ever figure this out?

Jamei January 20, 2011 at 4:13 am

Can we get a list of all the mailboxes that a specific user has access to (like Full Access or Send As)? For example: need to check all mailboxes in the environment and ask “does user X have access on this mailbox” … and then you will get a complete list.

waykool February 9, 2011 at 11:27 am

Thanks! That’s just what I was looking for.

Vincent May 2, 2011 at 11:35 am

@Microsoft now :
For full access permissions, use the same command but add :
-and ($_.User -like "Domain\Username")

Like this :
Get-Mailbox -Server "e12postcard" | Get-MailboxPermission | where { ($_.AccessRights -eq "FullAccess") -and ($_.IsInherited -eq $false) -and ($_.User -like "Domain\Username") -and -not ($_.User -like "NT AUTHORITY\SELF") } | format-list

This will list all mailboxes that user X (specified in -and ($_.User -like "Domain\Username")) has full access on.

Using : |format-list at the end of the command helps…

Didn’t try for the “send as” rights but my guess is it should be the same ;)

Vincent May 2, 2011 at 11:47 am

typo in last message :
forgot a “\” between AUTHORITY and SELF.

Command should read :
Get-Mailbox -Server "e12postcard" | Get-MailboxPermission | where { ($_.AccessRights -eq "FullAccess") -and ($_.IsInherited -eq $false) -and ($_.User -like "Domain\Username") -and -not ($_.User -like "NT AUTHORITY\SELF") } | format-list

mike x August 26, 2011 at 10:49 am

Does anyone know how to do this on exchange 2003?

James White August 31, 2011 at 3:51 am

Hi Vincent,

I would really like to run this command but when I execute it nothing happens. It does appear to be thinking for a while, but I get no results. All I have changed in your command is the server and domain username. Is this correct? Any idea what might be going wrong?

Ira Khan May 14, 2012 at 12:38 am

The Identity field contains long strings because it includes the full directory path to the mailbox user, so it may get truncated on your screen. In that case you could export the output to CSV file.

aneesh October 15, 2012 at 6:22 pm

Hi Suneja,

Thank you for the tips! Really saved a lot of my time!

Cheers!
-aneesh-

Igor January 24, 2013 at 2:29 am

Hi team,

My company has a lot of Exchange servers. Therefore for my site it is very tricky to get a list of mailboxes with the list of users which have access to them.
I want to import a list of mailboxes, and due to this list it will give me the list of accesses.

Get-MailboxPermission -Import-Csv c:\temp\MBX.csv |where { ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") } |Select Identity, user, AccessRights | Export-Csv c:\temp\test111.csv

I am doing something, somewhere is a mistake, maybe somebody can take a look on it.

Mrugesh April 4, 2013 at 5:10 am

Hello

I have a request where a user has rebuilt the machine and forgot how many mailboxes she had access to. Is there a shell command to find how many mailboxes she has access to? And this is not just full access, I need to find even delegate access rights.

Thanks,
Mrugesh

Bharat Suneja April 4, 2013 at 1:02 pm

Although you can list mailbox permissions as shown in this post and list folder permissions using Get-MailboxFolderPermission cmdlet, you may want to ask the user what she really *needs* access to? If users don’t remember what they have access to, it’s a good indicator that they probably don’t need access. :)

Mrugesh April 5, 2013 at 2:36 am

Thanks Bharat!
I thought the same and tried to bypass her but she is persistent on knowing the answer and that is the reason I came here.
I had tried the Get-MailboxFolderPermission cmdlet but I get this error message:
“There is no existing permission entry found for user: .
+ CategoryInfo : NotSpecified: (1442:Int32) [Get-MailboxFolderPermission], UserNotFoundInPermissionEntryException
+ FullyQualifiedErrorId : 427FC71C,Microsoft.Exchange.Management.StoreTasks.GetMailboxFolderPermission ”

Can you help??

Sukhdev May 21, 2013 at 6:14 am

Hi Bharat,
I’m facing some strange issue. If I granted full access individually on any mailbox it’s working fine for me, but if I granted full access via any group it doesn’t work. However, I tested with lots of scenarios but no luck.
can you help me pls ?
Regards.
Sukhdev

Vala March 13, 2015 at 11:48 am

Really helpful, thanks a lot

Saurabh April 29, 2015 at 1:46 pm

Hi,

One correction in the command. As per command in Writeup :-

Get-Mailbox -Server "e12postcard" | Get-MailboxPermission | where { ($_.AccessRights -eq "FullAccess") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") }

This will list users with FMA which is NOT Inherited and also exclude “NT Authority\Self” accounts.

But, i have seen a behaviour wherein if a mailbox has following permission for example :-

Identity User AccessRights
——– —- ————
Mailbox1 User1 {FullAccess, ReadPermission}
Mailbox1 User2 {FullAccess, DeleteItem, ReadPermission, ChangePermission}
Mailbox1 User3 {Fullaccess}

The command will only list “User3” in the output and NOT User1 and User2, All the 3 mailbox permissions are NOT inherited.

To Rectify this, we have to use -LIKE parameter with a * while filtering Accessrights, changed below

Get-Mailbox -Server "e12postcard" | Get-MailboxPermission | where { ($_.AccessRights -LIKE "FullAccess*") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") }

Cheers,

Saurabh April 29, 2015 at 1:48 pm

After this you will be able to list all 3 users from the example

Tom Sam June 28, 2015 at 2:31 am

Greetings,

I like your site and will always go back to it on a daily basis. I am an IT manager and looking for help. I was cleaning up our Exchange server and found one of my engineers having full access to a manager’s email. Is there a way that I can find:
1- who assigned full access to the engineer?
2- When was the full access assigned?
I really appreciate your help.

Tom Sam
[email protected]

Bharat Suneja June 29, 2015 at 12:16 pm

Hello! You can find out who assigned full mailbox access permission to a mailbox if you have Admin Audit Logging enabled (it’s enabled by default) and the audit logs are still available. By default, admin audit logs are retained for 90 days.

See Administrator audit logging in Exchange 2013 documentation.

You can email me (bharat at suneja dot com) if you need assistance with this.


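To illustrate the audit-log approach described in the reply above, here is an added example (not code from the original post or its author). It assumes the Search-AdminAuditLog cmdlet (Exchange 2010 SP1 or later) with admin audit logging enabled and the relevant entries still within the retention window, PowerShell 3.0 or later, and a placeholder mailbox address; the function name and its parameters are this example's own. It pulls every logged Add-MailboxPermission call within the window, narrows it to the mailbox in question, and reports who ran it, when, for which trustee and with which rights.

```powershell
# Added example, not code from the original post.
# Assumes: Search-AdminAuditLog is available (Exchange 2010 SP1+), admin audit
# logging is enabled, and the entries are still within retention (90 days by default).
function Find-MailboxPermissionGrant {
    [CmdletBinding()]
    param(
        # Identity of the mailbox that received the grant; a placeholder value.
        [Parameter(Mandatory = $true)]
        [string]$MailboxIdentity,

        # How far back to search; default matches the retention period described above.
        [int]$DaysBack = 90
    )

    $end   = Get-Date
    $start = $end.AddDays(-$DaysBack)

    # Only Add-MailboxPermission is of interest here; -Cmdlets filters on the
    # server so the client does not have to sift through the whole log.
    Search-AdminAuditLog -Cmdlets Add-MailboxPermission -StartDate $start -EndDate $end |
        # ObjectModified holds the identity of the mailbox that was changed, as the
        # log recorded it, so a wildcard match is used rather than an exact compare.
        Where-Object { "$($_.ObjectModified)" -like "*$MailboxIdentity*" } |
        ForEach-Object {
            # CmdletParameters is a collection of Name/Value pairs for the call.
            $params  = $_.CmdletParameters
            $trustee = ($params | Where-Object { $_.Name -eq 'User' }).Value
            $rights  = ($params | Where-Object { $_.Name -eq 'AccessRights' }).Value

            [pscustomobject]@{
                When         = $_.RunDate
                Caller       = "$($_.Caller)"          # who ran the cmdlet
                Mailbox      = "$($_.ObjectModified)"
                Trustee      = "$trustee"
                AccessRights = "$rights"
                Succeeded    = $_.Succeeded
            }
        }
}

# Usage (placeholder address): who granted rights on this mailbox in the last 90 days?
Find-MailboxPermissionGrant -MailboxIdentity 'manager@contoso.example' |
    Sort-Object When | Format-Table -AutoSize
```

Grants made with Add-ADPermission (Send-As) can be found the same way by changing the value passed to -Cmdlets; once the log entries have aged out of retention, the assignment itself is still visible with Get-MailboxPermission but the who and when are gone, which is the reason for keeping the audit log retention longer than the review cycle.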
Ben December 17, 2015 at 11:48 pm

Hi,
I’m interested in using something like this for a cross-forest migration.

The migration itself seems to be all good – and I can use the script above to get out a CSV of all the permissions – but post migration I would be really keen to update the paths and use this as an import in the new forest.

Is that possible ?

Bharat Suneja December 18, 2015 at 6:06 pm

You mean replicate the same permissions in the new forest? Sure.

Ben December 21, 2015 at 11:03 pm

Ok – would you be able to give me some advice on how to do this ?
I’m having trouble working out how to get the information back in once it has been exported.

Bharat Suneja January 6, 2016 at 11:27 am

Can you provide more details?

JC Jensen June 28, 2016 at 6:55 am

So basically I am looking to do the same thing. I need to find all the mail files 3 users have access to. I want to export it to a CSV. This is the script I found on another site.

Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | ?{($_.AccessRights -eq "FullAccess") -and ($_.User -like 'prod\SVC_ITSM') -and ($_.IsInherited -eq $false)} | Export-Csv e:\temp\test.csv

Once I run it, it takes a long time to run, then I get this error back. Please help. Thanks!

Sending data to a remote command failed with the following error message: The total data received from the remote client exceeded allowed maximum. Allowed maximum is 524288000. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OperationStopped: (System.Manageme…pressionSyncJob:PSInvokeExpressionSyncJob) [], PSRemotingTransportException
+ FullyQualifiedErrorId : JobFailure

Invoke-Command : Cannot write input as there are no more running pipelines
At C:\Users\jensej07\AppData\Roaming\Microsoft\Exchange\RemotePowerShell\maexca30.prod.ishealth.net\maexca30.prod.ishealth.net.psm1:14681 char:29
+ $scriptCmd = { & <<<< $script:InvokeCommand `
+ CategoryInfo : InvalidOperation: (:) [Invoke-Command], PSInvalidOperationException
+ FullyQualifiedErrorId : NoMoreInputWrite,Microsoft.PowerShell.Commands.InvokeCommandCommand

Bharat Suneja June 30, 2016 at 10:01 am

You’re hitting Remote PowerShell quotas. See “HOW TO SET AND CHANGE QUOTAS” in about_Remote_Troubleshooting (https://technet.microsoft.com/en-us/library/hh847850.aspx?f=255&MSPPError=-2147217396).

Derek November 5, 2016 at 3:20 am

Does this work in Exchange 2013? I have run

Get-Mailbox -ResultSize unlimited | Get-MailboxPermission | where { ($_.AccessRights -eq "FullAccess") -and ($_.IsInherited -eq $false) -and ($_.User -like "Username") -and -not ($_.User -like "NT AUTHORITY\SELF") } | format-list

However, it appears to just be returning every mailbox on the platform. The user I have tested this with only has permissions to 1 or 2 additional mailboxes, but after running this for 5 mins the list returned was just growing and growing.
