While preparing for an Exchange Server 2007 to 2010 migration I needed to work out which users had been granted access to other mailboxes. This applied both to shared mailboxes (e.g. a Help Desk mailbox) and to individual mailbox access (e.g. a personal assistant with access to the CEO's mailbox).
Exchange 2007/2010 provide the Get-MailboxPermission cmdlet, which can be used to query the permissions on a mailbox. For example:
Get-MailboxPermission helpdesk
Identity User AccessRights IsInherited Deny
-------- ---- ------------ ----------- ----
exchangeserverpro... NT AUTHORITY\SELF {FullAccess, Rea... False False
exchangeserverpro... ESPNET\Alex.Heyne {FullAccess} False False
exchangeserverpro... ESPNET\Debbie.Lisa {FullAccess} False False
exchangeserverpro... ESPNET\Kevin.Douglas {FullAccess} False False
To get the same information about all of the mailboxes in the environment we could run this command.
Get-Mailbox | Get-MailboxPermission
Identity User AccessRights IsInherited Deny
-------- ---- ------------ ----------- ----
exchangeserverpro... NT AUTHORITY\SELF {FullAccess, Rea... False False
exchangeserverpro... ESPNET\BR-EX2007-MB$ {ReadPermission} True False
exchangeserverpro... ESPNET\Exchange S... {FullAccess} True True
exchangeserverpro... ESPNET\Domain Admins {FullAccess} True True
exchangeserverpro... ESPNET\Enterprise... {FullAccess} True True
exchangeserverpro... ESPNET\Exchange O... {FullAccess} True True
exchangeserverpro... ESPNET\administrator {FullAccess} True True
exchangeserverpro... ESPNET\Exchange S... {FullAccess} True False
exchangeserverpro... ESPNET\Exchange P... {ReadPermission} True False
exchangeserverpro... NT AUTHORITY\NETW... {ReadPermission} True False
exchangeserverpro... ESPNET\Exchange S... {ReadPermission} True False
exchangeserverpro... ESPNET\Exchange V... {ReadPermission} True False
exchangeserverpro... ESPNET\Exchange O... {FullAccess, Del... True False
exchangeserverpro... ESPNET\administrator {FullAccess, Del... True False
exchangeserverpro... ESPNET\Enterprise... {FullAccess, Del... True False
exchangeserverpro... ESPNET\Domain Admins {FullAccess, Del... True False
.....
The problem with that is it gives us more information than we really need, with a lot of SELF permissions and inherited permissions that aren’t relevant to the task we’re trying to accomplish.
You could export the output to CSV and manipulate it using Excel to get just the permissions information you want, but another method is to filter the PowerShell output.
For example, to filter out all of the SELF permissions and the inherited permissions we can run this command.
Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false}
That gives us a much smaller output that is more useful.
Identity User AccessRights IsInherited Deny
-------- ---- ------------ ----------- ----
exchangeserverpro... ESPNET\Alannah.Shaw {FullAccess} False False
exchangeserverpro... ESPNET\Payroll Team {FullAccess} False False
exchangeserverpro... ESPNET\Alex.Heyne {FullAccess} False False
exchangeserverpro... ESPNET\Debbie.Lisa {FullAccess} False False
exchangeserverpro... ESPNET\Kevin.Douglas {FullAccess} False False
The Identity field contains long strings because it includes the full directory path to the mailbox user, so it may get truncated on your screen. In that case you could export the output to a CSV file.
Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Export-Csv -NoTypeInformation mailboxpermissions.csv
The trouble you may notice with that is that the access rights do not appear correctly in the output CSV file. AccessRights is an array, and Export-Csv writes the array's type name (Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]) rather than the values it contains.
AccessRights,Deny,InheritanceType,User,Identity,IsInherited,IsValid,ObjectState
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[],False,All,ESPNET\Alannah.Shaw,"exchangeserverpro.net/Company/Head Office/Users/Mark.Patel",False,True,Unchanged
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[],False,All,"ESPNET\Payroll Team","exchangeserverpro.net/Company/Head Office/Users/Payroll",False,True,Unchanged
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[],False,All,ESPNET\Alex.Heyne,"exchangeserverpro.net/Users/Help Desk",False,True,Unchanged
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[],False,All,ESPNET\Debbie.Lisa,"exchangeserverpro.net/Users/Help Desk",False,True,Unchanged
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[],False,All,ESPNET\Kevin.Douglas,"exchangeserverpro.net/Users/Help Desk",False,True,Unchanged
So to fix that we need to use a slightly different command that joins the AccessRights array into a single string before the export. This single-line command will export to CSV a list of any mailboxes where other users have permissions to access them, and will also list what level of access those users have.
Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv
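As an added example (not code from the original article), here is the same report written as a short script rather than a one-liner. It keeps the article's filter (no SELF entry, no inherited entries) and the joined Access Rights column, and also passes -ResultSize Unlimited so that environments with more than 1000 mailboxes are fully covered, and keeps the Deny column so that explicit denies are visible in the CSV. It assumes an Exchange Management Shell on PowerShell 2.0 or later; the output path is an assumption.

```powershell
# Added example, not code from the original article.
# Assumes an Exchange Management Shell (PowerShell 2.0 or later).

$OutFile = 'C:\Temp\mailboxpermissions.csv'   # assumed output path

$report = Get-Mailbox -ResultSize Unlimited |          # Get-Mailbox otherwise stops at 1000
    Get-MailboxPermission |
    Where-Object {
        $_.User.ToString() -ne 'NT AUTHORITY\SELF' -and   # skip the mailbox owner's own ACE
        -not $_.IsInherited                                # skip database/server/org-level ACEs
    } |
    Select-Object @{Name = 'Mailbox';       Expression = { $_.Identity.ToString() }},
                  @{Name = 'User';          Expression = { $_.User.ToString() }},
                  # -join turns the MailboxRights[] array into "FullAccess, ReadPermission",
                  # which is what makes Export-Csv write the values instead of the type name
                  @{Name = 'Access Rights'; Expression = { $_.AccessRights -join ', ' }},
                  @{Name = 'Deny';          Expression = { [bool]$_.Deny }}

$report | Export-Csv -Path $OutFile -NoTypeInformation

# Console summary: mailboxes with the most explicit (non-deny) grants first
$report |
    Where-Object { -not $_.Deny } |
    Group-Object Mailbox |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Keeping the Deny column matters for review: a trustee that was removed through the GUI can still appear as an explicit entry with Deny set to True, and that row should be read as "no access", not as a grant.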




paul,
great tip
how can do this on Exchange 2003 SP2 without introducing Exchange 2007 or 2010
is it possible?
thanks
edward
Hi Edward, it isn’t possible with the same powershell technique I demonstrated here. There might be a way to do it with some AD scripting but I’ve never really looked into it.
Hi
you can use ADModify.NET to export the mailbox right for exchange 2000 and 2003.
http://www.msexchange.org/articles-tutorials/exchange-server-2003/tools/ADModify-Change-Exchange-Specific-AD-User-Attributes.html
there is an option to export mailbox right.
Hello,
i need to add in every line of the file also the alias. How i can do this ?
thanks
I don’t understand your question Bodo.
With your powershell command, the result is a csv file with the following columns:
"Identity","User","Access Rights"
i need to add also the samaccountname of the identity. So i will have the following columns:
"Identity","SAMAccountname","User","Access Rights"
i hope it’s clear…
thanks !
Now I see what you mean. Yes you can do it, you’d just need to do a bit of scripting to fetch and join two different bits of data together. I’ll see if I can come up with the exact code and post an article with it.
Any update on this one?
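An added example (not from the article or from Paul's reply) of the join described above: loop over each mailbox object so that attributes of the mailbox itself (SamAccountName and Alias) can be written on every permission row next to the trustee and the access rights. It assumes an Exchange Management Shell on PowerShell 2.0 or later; the output path is an assumption.

```powershell
# Added example, not code from the original article.
# Assumes an Exchange Management Shell (PowerShell 2.0 or later).

$OutFile = 'C:\Temp\mailboxpermissions-with-sam.csv'   # assumed output path

$report = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mailbox = $_    # keep the mailbox object; the inner pipeline overwrites $_

    Get-MailboxPermission -Identity $mailbox.Identity |
        Where-Object { $_.User.ToString() -ne 'NT AUTHORITY\SELF' -and -not $_.IsInherited } |
        ForEach-Object {
            # one row per (mailbox, trustee) pair, carrying the mailbox's own attributes
            New-Object PSObject -Property @{
                Identity        = $mailbox.Identity.ToString()
                SamAccountName  = $mailbox.SamAccountName
                Alias           = $mailbox.Alias
                User            = $_.User.ToString()
                'Access Rights' = $_.AccessRights -join ', '
                Deny            = [bool]$_.Deny
            }
        }
}

# Select-Object fixes the column order; a hashtable does not preserve it
$report |
    Select-Object Identity, SamAccountName, Alias, User, 'Access Rights', Deny |
    Export-Csv -Path $OutFile -NoTypeInformation
```

The outer ForEach-Object is what makes the join possible: the mailbox object is captured in $mailbox before Get-MailboxPermission runs, so each permission entry can be written out with the SamAccountName of the mailbox it belongs to.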
how would you export the permissions for only a specific set of users in a text file?
foreach ($user in $list) {
    Get-Mailbox -Identity $user…
}
Hey Paul, Great article as always, just a tiny question, Deny equals True in the output means the user listed has been deny access to the mailbox by explicitly removing them from Manage Full mailbox access?
Basically, I have previously removed the user that appears listed when running this command and when going to Manage Full mailbox access I don’t see them anymore. So i just wanted to confirm if even after revoking access this script will show return results with Deny True?
Hope this makes sense
Thanks!!!!
I just tested this, removed full mailbox access from a shared mailbox, run the command again and there you go now you see it listed with Deny equals True, even if you cant see this on EMC you can see who has been denied access when using EMS. Interesting stuff
I’m wondering if the FullAccess permission will allow users to delete emails within the shared mailbox. Inherited permissions show FullAccess, DeleteItem, ReadPermission, ChangePermission, etc. I added some users to a shared mailbox and gave them full permissions, but some need not delete emails. Will the full access give them delete rights and what is the minimum permission(s) that a user needs to view and read emails in a shared mailbox? Thanks.
Just ReadPermission should do it.
Hi Paul,
I had similar issue as Daniel Crawford Jr – I needed for some users to be able to see Shared Mailbox, without a right to delete any emails.
I have applied following cmd:
Add-MailboxPermission "shared box name" -User domain\username -AccessRights ReadPermission -InheritanceType all
Right is applied correctly, but then when I add mailbox to some users outlook I cannot expand the added shared box (folder cannot be expanded). It seems it only works with FullAccess right.
Would you have any tips?
Hi Paul.
I have 3 domains with 5k above users. I get the below error and each time i get a different result. Can you advise
WARNING: By default, only the first 1000 items are returned. Use the ResultSize parameter to specify the number of
items returned. To return all items, specify "-ResultSize Unlimited". Be aware that, depending on the actual number of
items, returning all items can take a long time and consume a large amount of memory. Also, we don't recommend storing
the results in a variable. Instead, pipe the results to another task or script to perform batch changes.
So, after "get-mailbox" but before the " | get-mailboxpermission" you put "-ResultSize Unlimited". That lets you get back more than 1000 results at a time.
For example,
get-mailbox -resultsize unlimited | get-mailboxpermission | where {… etc.
Hi Paul,
Do you have a cmdlet for a specific user … for instance I need to know what permissions a particular user has for any mailbox/public folder.
Scenario: user A needs to have the same access and permissions to all mailboxes, public folders and mailgroups as user B. What command could I run that would give me a list of all permissions for user B?
The user may have permissions by dint of membership in some group, but if the individual user is granted permission, the following might help.
Replace " | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} " with "-user USERB" to get the mailboxes' permissions.
get-distributiongroup | get-adpermission -user USERB should get the permissions for distribution groups
Public folders are the harder one. I think you’d have to do get-mailpublicfolder -recurse | get-publicfolderclientpermission -user USERB, but I’m not 100% sure because I don’t have public folders anymore.
Thanks for your response! Would the script be the same on PS version 1 as opposed to version 2.0? We are currently using version 1.0 on Exchange Server 2010
Hello,
I would really appreciate some help with this. I’m not versed in PowerShell to this level. Before SP1 on exchange 2010, the AD attribute was not set to automatically open mailboxes in outlook. I’ve recently moved this exchange server to a new, fully service-packed, virtualised server. Any new users I grant full access to other mailboxes load automatically.
Is there a way to export the current full access permissions for all users (about 500) and then clear them and then import again to set the AD attribute?
This would be a massive time saver.
Many thanks.
I think this is what you’re looking for:
http://technet.microsoft.com/en-us/library/hh529943.aspx
Would this powershell command also display groups (security and distribution) with acces to mailboxes?
It should, yes.
Hi
Would this work in an Exch 2K3 / Exch 2K10 co-existence scenario, and would it give the info for the users that have yet to be migrated to 2K10?
Thanks
I’m not sure, and I don’t have a 2003 environment to check. You could always just give it a try and see if you get the expected result for a user you know has other users with access to their mailbox.
How about MailboxFolderPermission, I know how to get a list of user that have access to a specific folder within a mailbox
Get-MailboxFolderPermission -Identity "PrimarySMTPAdd:\Inbox\AutomatedEmail" | Select User, FolderName, AccessRights | fl User, FolderName, AccessRights
But what should I do if I want to know which folders a user has access to (any kind of access rights aka reviewer, owner, etc)
I need to include all folders within the mailbox and the user in question would be an unresolved SID so would be something like "NT User:S-1-5-21-etc"
Any help would be appreciated!
Thanks
THANK YOU!! Was stuck on -ExpandProperty and could not recall how to get the “readable” Access Rights. Thanks!
Dear Paul
Hi and Thanks
but i have a problem
the script shows an account having full permission on lots and lots of mailboxes but when i go to some of those and right click – manage full permission .. his user is not there !!
he is the previous exchange admin here ! could he have made something hidden (to have permission but not to show in the GUI)
It depends which command you mean when you say “this script”, but it’s possible what you’re seeing is an inherited permission from a higher level object (eg the database, server, or organization level).
Dear Paul, Thanks so much
I did a get-mailbox and then remove his permission but i have two more questions
1- when i get-mailboxpermission i still see him in an entry (although it says full access is denied) – how can i remove him completely
2- how can we do it ? i mean his permission is on newly created mailboxes too. can a full permission be set on a DB, server or organizational level ?? can you teach me how to do that and how to remove it ?
Thanks again
Hello Paul,
This script is awesome and has helped me. I would like to thank you.
I would like to ask you if it’s possible to generate a list the other way around from what this command does.
This command displays the mailboxes one by one, and the users that have access to it.
something like:
mailbox1 user1,user2,user2
mailbox2 user2,user3,user4 etc
Is it possible to make it generate a list like this:
user1 mailbox1, mailbox2, mailbox3
user2 mailbox1,mailbox3, mailbox4
Thank you,
Nonis
Possible? Sure, PowerShell is very flexible. You’re basically collecting the same data, just outputting it in different ways, so you just need to write the PowerShell code to do that.
Well, that’s my problem at the moment, I’ve been trying to do this for the past couple of days, but to no avail.
I understand it’s the same data, but I didn’t find a way to output it the way I needed it.
Could you please help in this regard?
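An added example (not from the article or from either commenter) of the inverted report asked for above: collect the same (mailbox, user) pairs, then regroup them with Group-Object so that each row is one trustee and the list of mailboxes that trustee holds explicit rights on. It assumes an Exchange Management Shell on PowerShell 2.0 or later; the output path is an assumption.

```powershell
# Added example, not code from the original article.
# Assumes an Exchange Management Shell (PowerShell 2.0 or later).

$OutFile = 'C:\Temp\permissions-by-user.csv'   # assumed output path

# Step 1: the same explicit, non-SELF entries the article's filter produces,
# reduced to plain strings so they group cleanly
$pairs = Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object {
        $_.User.ToString() -ne 'NT AUTHORITY\SELF' -and
        -not $_.IsInherited -and
        -not [bool]$_.Deny          # a deny is not access; keep it out of this view
    } |
    Select-Object @{Name = 'User';    Expression = { $_.User.ToString() }},
                  @{Name = 'Mailbox'; Expression = { $_.Identity.ToString() }},
                  @{Name = 'Rights';  Expression = { $_.AccessRights -join '/' }}

# Step 2: one row per trustee, mailboxes joined into a single column
$byUser = $pairs |
    Group-Object User |
    Sort-Object Name |
    Select-Object @{Name = 'User';         Expression = { $_.Name }},
                  @{Name = 'MailboxCount'; Expression = { $_.Count }},
                  @{Name = 'Mailboxes';    Expression = {
                      # e.g. "exchangeserverpro.net/Users/Help Desk (FullAccess), ..."
                      ($_.Group | Sort-Object Mailbox |
                          ForEach-Object { "$($_.Mailbox) ($($_.Rights))" }) -join ', '
                  }}

$byUser | Export-Csv -Path $OutFile -NoTypeInformation

# Accounts holding rights on the most mailboxes are the ones to review first
$byUser | Sort-Object MailboxCount -Descending | Select-Object -First 10 | Format-Table -AutoSize
```

Group-Object does the inversion: the User column becomes the group key and the group's members are the mailbox rows, so no second pass over Exchange is needed. The Mailboxes column is a comma-joined string for readability in Excel; if you want one row per mailbox per user instead, export $pairs sorted by User.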
sorry
i have not got my answer yet
is it possible to make some one have full access to all mailboxes in a database now and the future ?
or even on all organization
i know we can use powershell command to do this (get mailboxdatabase users and set-permission ,,,)
but what about the future users
should it be run on a schedule to do this or is there any better way ?
Paul,
You have provided the below script to pull what level of access for other users/shared mailboxes.
Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv
Is it possible to pull the list of users accessing shared mailboxes in specific storage group. If so please update me the exact script.
Thanks in Advance !!
Sure. Where “Get-Mailbox” is piping into the next cmdlet just modify how you want Get-Mailbox to run, eg “Get-Mailbox -Database YourDatabaseName”.
Just a quick question. I used the following modification of your script.
get-content c:\admin\generic.txt | Get-Mailbox | Get-MailboxPermission | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation c:\admin\permissions.csv
And it worked fine however it is not displaying groups that have access to the mailbox. how would i include this in the script?
Hi Paul,
I just wanted to thank you for this good tip, exactly what I was looking for.
I like the way you explain each step of the Command.
Great Work!
Thanks a lot!
Jan
Thanks, Paul. Very useful information. I have used this as a starting point for some reporting/auditing scripts.
How much more complicated would it be to add a recursive lookup for the groups that have permission to each mailbox too?
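An added example (not from the article or from the commenter) of the recursive group lookup asked about above. Get-MailboxPermission reports a group trustee as DOMAIN\sAMAccountName (for example ESPNET\Payroll Team in the article's output), so the part after the backslash is looked up as a group and, if it is one, expanded with Get-ADGroupMember -Recursive from the ActiveDirectory module. It assumes that module is available in the same session as the Exchange Management Shell; the output path is an assumption.

```powershell
# Added example, not code from the original article.
# Assumes an Exchange Management Shell plus the ActiveDirectory module.

Import-Module ActiveDirectory

function Expand-Trustee {
    # Returns the trustee unchanged if it is a user, a built-in principal or an
    # unresolved SID; returns the (recursively resolved) user members if it is a group.
    param([string]$Trustee)

    if ($Trustee -match '^S-1-5-' -or $Trustee -notmatch '\\') { return $Trustee }
    $sam = $Trustee.Split('\')[1]

    $group = Get-ADGroup -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue
    if (-not $group) { return $Trustee }        # not a group: leave the trustee as is

    # -Recursive flattens nested groups and returns only leaf objects
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $_.SamAccountName }
}

$rows = Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object { $_.User.ToString() -ne 'NT AUTHORITY\SELF' -and -not $_.IsInherited } |
    ForEach-Object {
        $ace = $_
        foreach ($member in (Expand-Trustee $ace.User.ToString())) {
            New-Object PSObject -Property @{
                Mailbox = $ace.Identity.ToString()
                Trustee = $ace.User.ToString()    # what the ACE actually names (user or group)
                Account = $member                 # the user who ends up with the access
                Rights  = $ace.AccessRights -join ', '
                Deny    = [bool]$ace.Deny
            }
        }
    }

$rows |
    Select-Object Mailbox, Trustee, Account, Rights, Deny |
    Export-Csv -Path 'C:\Temp\effective-mailbox-access.csv' -NoTypeInformation   # assumed path
```

Keeping both the Trustee and Account columns is deliberate: the Trustee is what you would remove to revoke the access, while the Account column is what an auditor wants to know (who can actually open the mailbox). Two caveats worth knowing before relying on this in a large environment: Get-ADGroupMember -Recursive stops with an error on groups whose members come from a trusted domain (foreign security principals), and very large groups can exceed its default result limit, so those trustees should be checked by hand.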