
Tuesday, February 05, 2008

 

HOW TO: List mailboxes with Full Mailbox Access permission assigned

Posted by Bharat Suneja at 7:29 AM
In "HOW TO: Grant Full Mailbox Access permission", we saw how to assign and view mailbox permissions, including Full Mailbox Access. Here's how you can get a list of mailboxes with explicitly-assigned (i.e. not inherited) Full Mailbox Access permissions.

Instead of running this against all mailboxes in the Organization, it makes sense to run it against a subset of mailboxes.

Filtering mailboxes returned by Get-Mailbox

Mailboxes returned by the Get-Mailbox command can be filtered using the -Server, -Database, -RecipientTypeDetails, and -OrganizationalUnit parameters. Note that the -Filter parameter can also be used; it allows granular filtering of the returned mailboxes based on a number of filterable properties.

In this example, we use the -Server parameter to filter mailboxes on a particular server, and pipe it to the Get-MailboxPermission command:

Get-Mailbox -Server "e12postcard" | Get-MailboxPermission

This produces a long list of permissions, both inherited and explicitly assigned to the mailbox(es).

Let's filter the above to reveal only the explicitly assigned permissions:

Get-Mailbox -Server "e12postcard" | Get-MailboxPermission | where { $_.IsInherited -eq $false }

The output shows all explicitly-assigned permissions, including the permissions assigned to the mailbox owner (NT AUTHORITY\SELF). Not quite what we want! Let's filter that out:

Get-Mailbox -Server "e12postcard" | Get-MailboxPermission | where { ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") }

Now we have a list of all mailboxes with explicitly assigned permissions.

We can filter this further to list only the ones that have Full Mailbox Access permission assigned:

Get-Mailbox -Server "e12postcard" | Get-MailboxPermission | where { ($_.AccessRights -eq "FullAccess") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") }

Similarly, you can filter users that have other mailbox permissions assigned, such as SendAs, DeleteItem, ReadPermission, ChangePermission, ChangeOwner, or ExternalAccount.
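
The filters built up above can be folded into one reusable pipeline function for a delegated-access review. This is an added example, not code from the original post: Select-DelegatedFullAccess is a hypothetical helper name and the sample entries are constructed. It goes slightly beyond the post by also dropping Deny entries and flagging trustees that appear as raw SIDs.

```powershell
# Added example, not from the original post. Select-DelegatedFullAccess is a
# hypothetical helper name. It works on the properties Get-MailboxPermission
# returns: Identity, User, AccessRights, IsInherited and Deny.
function Select-DelegatedFullAccess {
    param([string]$Right = "FullAccess")
    process {
        $ace = $_
        if ($ace.IsInherited) { return }                     # explicit entries only
        if ($ace.Deny) { return }                            # a Deny entry is not a grant
        if ($ace.User -like "NT AUTHORITY\SELF") { return }  # the mailbox owner
        # AccessRights can list several rights: flatten to text, match a whole word
        $pattern = "\b" + [regex]::Escape($Right) + "\b"
        if ([string]$ace.AccessRights -notmatch $pattern) { return }
        # UnresolvedSid: a raw SID in place of a name means the account no longer resolves
        $ace | Select-Object @{Name = "Mailbox"; Expression = { [string]$_.Identity }},
            @{Name = "Trustee"; Expression = { [string]$_.User }},
            @{Name = "AccessRights"; Expression = { [string]$_.AccessRights }},
            @{Name = "UnresolvedSid"; Expression = { [string]$_.User -like "S-1-5-*" }}
    }
}

# Constructed sample entries (not real output) for trying the filter without
# an Exchange server. New-Object -Property needs PowerShell 2.0 or later.
$sample = @(
    @{Identity = "corp.example/Users/Alice"; User = "NT AUTHORITY\SELF"; AccessRights = @("FullAccess", "ReadPermission"); IsInherited = $false; Deny = $false},
    @{Identity = "corp.example/Users/Alice"; User = "CORP\helpdesk"; AccessRights = @("FullAccess"); IsInherited = $false; Deny = $false},
    @{Identity = "corp.example/Users/Alice"; User = "CORP\Exchange Servers"; AccessRights = @("FullAccess"); IsInherited = $true; Deny = $false},
    @{Identity = "corp.example/Users/Bob"; User = "CORP\contractor"; AccessRights = @("FullAccess"); IsInherited = $false; Deny = $true},
    @{Identity = "corp.example/Users/Bob"; User = "S-1-5-21-1111111111-2222222222-3333333333-1105"; AccessRights = @("FullAccess"); IsInherited = $false; Deny = $false},
    @{Identity = "corp.example/Users/Bob"; User = "CORP\assistant"; AccessRights = @("ReadPermission"); IsInherited = $false; Deny = $false}
) | ForEach-Object { New-Object PSObject -Property $_ }

# Format-List keeps long identities readable
$sample | Select-DelegatedFullAccess | Format-List

# Against live data, with the server name used in the post:
# Get-Mailbox -Server "e12postcard" | Get-MailboxPermission |
#     Select-DelegatedFullAccess | Export-Csv fullaccess.csv -NoTypeInformation
```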

Related Posts:
- HOW TO: Grant Full Mailbox Access permission
- HOW TO: Assign SendAs right using Exchange shell


6 Comments:

February 5, 2008 9:08 AM
Anonymous Anonymous said...

Nice job on this report. Keep em coming! The power of the EMS is very cool.

Scott B

 
February 5, 2008 9:38 AM
Anonymous Anonymous said...

Thanks!
FYI - I had to do a | format-list at the end of the command to get anything readable. (I have a long domain name and "almost always" the default format "sucks" for me.)

 
February 14, 2008 2:52 AM
Anonymous Anonymous said...

SendAs is not a permission on the mailbox so you cannot filter it

 
February 14, 2008 6:21 AM
Blogger Bharat Suneja said...

It is a mailbox permission/"AccessRight", that can be assigned using Add-MailboxPermission, and viewed using Get-MailboxPermission.

Also look at HOW TO: Assign SendAs right using Exchange shell.

 
February 14, 2008 8:31 AM
Anonymous Anonymous said...

How would you revoke such rights through the shell?

 
February 14, 2008 8:34 AM
Blogger Bharat Suneja said...

Can be revoked using Remove-MailboxPermission.

 
