Exchangepedia Blog is read by visitors from all 50 US States and 150 countries world-wide
HOW TO: List mailboxes with Full Mailbox Access permission assigned
Posted by Bharat Suneja at 7:29 AM
Instead of running this against all mailboxes in the Organization, it makes sense to filter it against a sub-set of mailboxes.
Filtering mailboxes returned by Get-Mailbox
Mailboxes returned by the Get-Mailbox command can be filtered using -Server, -Database, -RecipientTypeDetails, and -OrganizationalUnit parameters. Note, the -Filter parameter can also be used and allows granular filtering of mailboxes that are returned, based on a number of filterable properties.
Get-Mailbox -Server "e12postcard" | Get-MailboxPermission
This produces a long list of permissions - inherited and assigned explicitly to the mailbox(es).Let's filter the above to reveal only the explicitly assigned permissions:
Get-Mailbox -Server "e12postcard" | Get-MailboxPermission | where { $_.IsInherited -eq $false }
The output shows all explicitly-assigned permissions, including the permissions assigned to the mailbox owner (NT AUTHORITY\SELF). Not quite what we want! Let's filter that out:Get-Mailbox -Server "e12postcard" | Get-MailboxPermission | where { ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") }
Now we have a list of all mailboxes with explicitly assigned permissions.We can filter this further to list only the ones that have Full Mailbox Access permission assigned:
Get-Mailbox -Server "e12postcard" | Get-MailboxPermission | where { ($_.AccessRights -eq "FullAccess") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") }
Similarly, you can filter users that have other mailbox permissions assigned, such as SendAs, DeleteItem, ReadPermission, ChangePermission, ChangeOwner, or ExternalAccount.List users with SendAs permission assigned
The following code lists mailboxes with the SendAs permission assigned. Unlike mailbox permission, is an Active Directory permission.
Get-Mailbox -ResultSize unlimited | Get-ADPermissions | Where {$_.ExtendedRights -like "Send-As" -and $_.User -notlike "NT AUTHORIT\SELF" -and $_.Deny -eq $false} | ft Identity,User,IsInherited -AutoSize
Related Posts:
- HOW TO: Grant Full Mailbox Access permission
- HOW TO: Assign SendAs right using Exchange shell
Labels: Exchange Server 2007, Exchange Shell, Mailbox, Security
11 Comments:
Nice job on this report. Keep em coming! The power of the EMS is very cool.
Scott B
Thanks!
FYI - I had to do a | format-list at the end of the command to get anyting readable. (I have a long domain name any "almost always" the default format "sucks" for me.
SendAs is not a permission on the mailbox so you cannot filter it
It is a mailbox permission/"AccessRight", that can be assigned using Add-MailboxPermission, and viewed using Get-MailboxPermission.
Also look at HOW TO: Assign SendAs right using Exchange shell.
How would you revoke such rights through the shell?
Can be revoked using Remove-MailboxPermission.
how would you search for a particular user who has full manager rights?
I love this blog! Great info
Thanks for the tutorial Bharat
Found your post whilst searching on Google
This might sound silly but how do you expand the EMS window? I've used the commands recommended in the tutorial with great success (Thank you, by the way.) But the window is so small that I can't read all the information presented. If I click the maximize button in the corner of the window, it just makes the window taller & I need it to be wider. I've tried to drag the side of the window to make it wider & that didn't work either. I feel pretty stupid even asking but the things that I know to maximize the window aren't working.
Anyone have any thoughts?
Hi guys, to maximise the window, create a shortcut on your desktop to EMS, then right click it and select properties and layout.
I have a couple of challenges for someone feeling brave...
I need to list all the mailboxes a particular user has full access permissions to and export it to a CSV using export-csv.
I also need to be able to list all the mailboxes showing who has full access to it. Again this will need to be presented in a CSV file.
Any ideas?
Post a Comment
Links to this post:
Create a Link
<< Home