Reputation: 2683
On occasion I get asked to produce a list of users who have Full Access rights to a particular Exchange 2007 mailbox. At the moment I am doing this manually, and I'd ideally like to do it with PowerShell.
Is there any way to produce a list of Full Access permissions (Send On Behalf rights would also be useful)?
Thanks, Jonny
Upvotes: 1
Views: 14906
Reputation: 11
get-mailbox -identity MailBoxName | %{$foo = $_; Get-MailboxPermission $foo | ?{$_.AccessRights -eq "FullAccess" -and $_.IsInherited -eq $false}} | ft {$foo},User,AccessRights
If you're looking for permissions for users on a specific mailbox, replace the MailBoxName with the exact name of the mailbox you're attempting to run the report on. It is KeySensitive with regard to the name of the mailbox and alias.
Upvotes: 1
Reputation: 1
I know this is old, but just in case anyone else comes across this thread looking for help, to answer the OP's last question, $foo represents a variable that you have to define before running the command, so as an example:
$foo = 'Example User'
get-mailbox | %{$foo = $_; Get-MailboxPermission $foo | ?{$_.AccessRights -eq "FullAccess" -and $_.IsInherited -eq $false}} | ft {$foo},User,AccessRights
Upvotes: 0
Reputation: 219
get-mailbox | %{$foo = $_; Get-MailboxPermission $foo | ?{$_.AccessRights -eq "FullAccess" -and $_.IsInherited -eq $false}} | ft {$foo},User,AccessRights
In the above command, do I replace foo with the mailbox or the username? I tried the command and it says cannot bind as object is null - I will be grateful for your assistance.
Upvotes: 0
Reputation: 2683
In addition to Slipsec's answer, there is an alternative to the Send-As permissions audit.
$(Get-Mailbox -Identity mailboxName).GrantSendOnBehalfTo | ft Name
This returns only manually added users and no auto generated ones.
Thanks again Slipsec with your help on this!
Upvotes: 2
Reputation: 3062
Send-As permissions are stored in Active Directory, so it's a bit tricky to get at them. You could use Add-Member if you like to combine the properties you care about from the two results.
Full Access:
get-mailbox | %{$foo = $_; Get-MailboxPermission $foo | ?{$_.AccessRights -eq "FullAccess" -and $_.IsInherited -eq $false}} | ft {$foo},User,AccessRights
Send-As:
get-mailbox | %{$mailbox = $_; Get-ADPermission $mailbox.DistinguishedName | ?{$_.ExtendedRights -like "Send-As" -and $_.User -notlike "NT AUTHORITY\SELF"}} | ft {$mailbox},user,{"Send-As"}
Upvotes: 2
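The three queries from this thread (Full Access, Send-As, Send On Behalf) combined into one report with Add-Member, as an added example that is not part of any poster's answer. Get-MailboxAccessReport and New-Row are hypothetical helper names; the exclusion of Deny entries and of NT AUTHORITY\SELF from the Full Access rows is an assumption about what an access review wants to see.

```powershell
# Added example: run in the Exchange Management Shell.
# Get-MailboxAccessReport and New-Row are hypothetical names, not Exchange cmdlets.
function Get-MailboxAccessReport {
    param([string]$Identity)   # omit to report on every mailbox

    # One uniform row shape so all three permission types share the same columns.
    function New-Row($Mailbox, $Trustee, $Right) {
        New-Object PSObject |
            Add-Member NoteProperty Mailbox $Mailbox.Name -PassThru |
            Add-Member NoteProperty Trustee "$Trustee"    -PassThru |
            Add-Member NoteProperty Right   $Right        -PassThru
    }

    if ($Identity) { $mailboxes = Get-Mailbox -Identity $Identity }
    else           { $mailboxes = Get-Mailbox -ResultSize Unlimited }

    foreach ($mbx in $mailboxes) {
        # Full Access: explicitly granted allow entries only (assumption: skip Deny and SELF).
        Get-MailboxPermission -Identity $mbx.Identity |
            Where-Object { ($_.AccessRights -eq "FullAccess") -and
                           ($_.IsInherited -eq $false) -and (-not $_.Deny) -and
                           ($_.User -notlike "NT AUTHORITY\SELF") } |
            ForEach-Object { New-Row $mbx $_.User "FullAccess" }

        # Send-As: an extended right stored on the mailbox's Active Directory object.
        Get-ADPermission -Identity $mbx.DistinguishedName |
            Where-Object { ($_.ExtendedRights -like "Send-As") -and (-not $_.Deny) -and
                           ($_.User -notlike "NT AUTHORITY\SELF") } |
            ForEach-Object { New-Row $mbx $_.User "Send-As" }

        # Send On Behalf: a property of the mailbox itself.
        foreach ($delegate in $mbx.GrantSendOnBehalfTo) {
            New-Row $mbx $delegate.Name "SendOnBehalf"
        }
    }
}

# One mailbox to the screen; MailBoxName is the placeholder used earlier in the thread.
Get-MailboxAccessReport -Identity "MailBoxName" |
    Sort-Object Mailbox, Right, Trustee | Format-Table -AutoSize
```

Because the function emits objects rather than formatted text, the same call can be piped to Export-Csv to keep a dated record of who held access at review time.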