Get-MailboxPermission

    Question

  • Get-Mailbox | Get-MailboxPermission | Where-Object { ($_.AccessRights -eq "*fullaccess*") -and ($_.User -like "*THEUSER*") }

    Hi All,

    I used the above command to find out which mailboxes "THEUSER" has full access to. There was no output from the command, so does that mean they don't have full access to any mailbox?

    Now, what I cannot understand is that "THEUSER" actually can open all mailboxes via Outlook / OWA, but the above command doesn't output anything?

    Any thoughts on the above? "THEUSER" and myself have exactly the same permissions and groups assigned in AD Users and Computers.

    Also, when I change eq to like in the following command: Get-Mailbox | Get-MailboxPermission | Where-Object { ($_.AccessRights -Like "*fullaccess*") -and ($_.User -like "*THEUSER*") } it shows me some mailboxes, which are generic ones, but "THEUSER" can open all mailboxes in Outlook / OWA.

    Will be grateful for your expert clarification!
    Kind Regards

    Wednesday, November 24, 2010 12:51 PM

All replies

  • Hi,

    I tested the PS you wrote, but mine came up empty as well. I then changed a little so it looks like this:

    [PS] C:\Get-Mailbox | Get-MailboxPermission  | where-object {$_.user -like "*USER*" -and $_.accessrights -eq "FullAccess"}

    That showed me the correct list of permissions.

    /Martin


    Exchange is a passion not just a collaboration software.
    Wednesday, November 24, 2010 2:50 PM
  • Hi Martin


    Once again thanks for the prompt response. Yes, your command shows the output for "THEUSER" and lists the 4 mailboxes they have full access to, BUT :-) it isn't showing all the other mailboxes "THEUSER" has full access to, as they can open any mailbox in Outlook / OWA.

    I am lost here and trying to figure out why, when both I and THEUSER have the same permissions, I can't open any mailbox and they can?

    Does one need to be a member of Exchange Organization Administrators? The funny thing is that I was actually a member of all the Exchange admin groups in ADUC but still wasn't able to open mailboxes, whereas "THEUSER" wasn't a member of any Exchange admin group apart from the Public Folder group and yet they were able to open all mailboxes.

    Any thoughts?


    Wednesday, November 24, 2010 3:36 PM
  • You've filtered your results down to just the permissions explicitly granted to that user.  From the symptoms, it sounds like the user is a member of a group that's been granted full access to the mailboxes, that you are not a member of.


    [PS] C:\Get-Mailbox | Get-MailboxPermission  | where-object { $_.accessrights -like "*FullAccess*"}

    and investigate the membership of the groups that have full access.


    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
    Wednesday, November 24, 2010 3:59 PM
  • Hi,

    Could you please try and run this command to see what mailbox permissions are on the mailbox?

    get-mailbox user@domain.com | Get-MailboxPermission |ft

    It sounds a bit like some rights are messed up.

    When I ran the first command I got the complete list of mailboxes that the user has full access to.

    /Martin


    Exchange is a passion not just a collaboration software.
    Wednesday, November 24, 2010 4:03 PM
  • Sorry, I missed the fact that there's no filtering on get-mailbox.  The return is going to be really busy.  If the user in question has access to all the mailboxes, just pick one, and figure out where that access is being granted.  Chances are that's where all the rest are getting it, too.


    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
    Wednesday, November 24, 2010 4:12 PM
  • I am actually more worried about the fact that a user that shouldn't have access to the mailboxes actually has it, and that is why I wanted a list of permissions on a specific mailbox. I am guessing that a certain security group is listed in a place that it shouldn't be.

    /Martin


    Exchange is a passion not just a collaboration software.
    Wednesday, November 24, 2010 4:15 PM
  • Identity                         User                                              AccessRights                                                             IsInherited Deny
    --------                         ----                                              ------------                                                             ----------- ----
    domainname.internal/Users/virus  NT AUTHORITY\SELF                                 {FullAccess, ReadPermission}                                             False       False
    domainname.internal/Users/virus  domainname\Administrator                          {FullAccess}                                                             True        False
    domainname.internal/Users/virus  domainname\EXCHSRV1$                              {ReadPermission}                                                         True        False
    domainname.internal/Users/virus  domainname\Exchange Servers                       {FullAccess}                                                             True        True
    domainname.internal/Users/virus  domainname\Administrator                          {FullAccess}                                                             True        True
    domainname.internal/Users/virus  domainname\Domain Admins                          {FullAccess}                                                             True        True
    domainname.internal/Users/virus  domainname\Enterprise Admins                      {FullAccess}                                                             True        True
    domainname.internal/Users/virus  domainname\Exchange Organization Administrators   {FullAccess}                                                             True        True
    domainname.internal/Users/virus  NT AUTHORITY\NETWORK SERVICE                      {ReadPermission}                                                         True        False
    domainname.internal/Users/virus  domainname\Exchange Servers                       {FullAccess}                                                             True        False
    domainname.internal/Users/virus  domainname\Exchange Public Folder Administrators  {ReadPermission}                                                         True        False
    domainname.internal/Users/virus  domainname\Administrator                          {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}  True        False
    domainname.internal/Users/virus  domainname\Exchange Servers                       {ReadPermission}                                                         True        False
    domainname.internal/Users/virus  domainname\Exchange Organization Administrators   {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}  True        False
    domainname.internal/Users/virus  domainname\Exchange View-Only Administrators      {ReadPermission}                                                         True        False
    domainname.internal/Users/virus  domainname\Enterprise Admins                      {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}  True        False
    domainname.internal/Users/virus  domainname\Domain Admins                          {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}  True        False
    
    Hi Martin & Mjolinor,
    Above is the output of get-mailbox mailboxname | Get-MailboxPermission |ft
    "Virus" is the name of a mailbox.
    Both I and "THEUSER" are members of the above listed groups; hard to understand why THEUSER can open it in Outlook / OWA and not me?
    Any thoughts!
    Thanks for the prompt responses!!
    Wednesday, November 24, 2010 4:35 PM
  • The default is that no one can open other users' mailboxes. I haven't actually tried using the public folder group for these settings. Normally I like to create my own security groups for these purposes so I don't mess around with the defaults.

    To try and sort it out, remove your two users from the above groups and create a new one called something like SG_FullMailboxRights, add your users to this group and try to give permissions to this group instead.

    Oh, and do remember to check that your permissions are the same when not in any of the default Exchange groups.

    /Martin


    Exchange is a passion not just a collaboration software.
    Wednesday, November 24, 2010 4:48 PM
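    Two things in the thread so far are worth seeing in running code: why the original filter with -eq "*fullaccess*" returns nothing while Martin's -eq "FullAccess" works, and how the inherited Deny entries in the permission dump above decide whether a member of the admin groups can actually open the mailbox. The block below is an added example, not code from the thread or from Exchange. $perms is constructed sample data shaped like the Get-MailboxPermission output posted above (with Martin's suggested SG_FullMailboxRights group added as a hypothetical explicit grant); the group lists for THEUSER and the admin are likewise assumed. It needs PowerShell 2.0 or later and runs offline; on a live server the $perms array would be replaced by Get-Mailbox 'virus' | Get-MailboxPermission.

```powershell
# Added example (not from the thread). Constructed sample data modelled on the
# Get-MailboxPermission output posted in this thread; SG_FullMailboxRights is a
# hypothetical group, as suggested by Martin above.
function New-Perm($User, $Rights, $Inherited, $Deny) {
    New-Object PSObject -Property @{
        Identity     = 'domainname.internal/Users/virus'
        User         = $User
        AccessRights = [string[]]$Rights
        IsInherited  = $Inherited
        Deny         = $Deny
    }
}
$full5 = @('FullAccess', 'DeleteItem', 'ReadPermission', 'ChangePermission', 'ChangeOwner')
$perms = @(
    (New-Perm 'NT AUTHORITY\SELF'                              @('FullAccess', 'ReadPermission') $false $false)
    (New-Perm 'domainname\Administrator'                       @('FullAccess')                   $true  $false)
    (New-Perm 'domainname\Exchange Servers'                    @('FullAccess')                   $true  $true)
    (New-Perm 'domainname\Domain Admins'                       @('FullAccess')                   $true  $true)
    (New-Perm 'domainname\Exchange Organization Administrators' @('FullAccess')                  $true  $true)
    (New-Perm 'domainname\Domain Admins'                       $full5                            $true  $false)
    (New-Perm 'domainname\Exchange Organization Administrators' $full5                           $true  $false)
    (New-Perm 'domainname\SG_FullMailboxRights'                @('FullAccess')                   $false $false)  # hypothetical
)

# Why the question's filter found nothing: AccessRights is a collection, and
# -eq against a collection returns the elements that equal the right-hand
# string exactly. No element ever equals the literal '*fullaccess*', so the
# result is empty and Where-Object drops every entry. -like applies the
# wildcard to each element, and -contains tests for the exact element name;
# Martin's -eq 'FullAccess' works because it is an exact element match.
function Select-FullAccess([object[]]$Permissions, [string]$Operator) {
    switch ($Operator) {
        'eq'       { $Permissions | Where-Object { $_.AccessRights -eq '*fullaccess*' } }
        'like'     { $Permissions | Where-Object { $_.AccessRights -like '*FullAccess*' } }
        'contains' { $Permissions | Where-Object { $_.AccessRights -contains 'FullAccess' } }
    }
}

# Effective access for one user: $Principals is the user's own account plus
# every group they belong to (nested membership resolved). Windows evaluates a
# canonical DACL as explicit Deny, explicit Allow, inherited Deny, inherited
# Allow, and the first entry that names one of the caller's principals and
# carries the requested right decides. (Assumption: the DACL is canonical.)
function Test-EffectiveFullAccess([object[]]$Permissions, [string[]]$Principals) {
    $ordered = $Permissions |
        Where-Object { ($_.AccessRights -contains 'FullAccess') -and ($Principals -contains $_.User) } |
        Sort-Object @{ Expression = { $_.IsInherited } }, @{ Expression = { -not $_.Deny } }
    $first = $ordered | Select-Object -First 1
    if ($first -eq $null) { return 'No entry grants or denies FullAccess to this user' }
    if ($first.Deny) { "Denied via $($first.User)" } else { "Allowed via $($first.User)" }
}

# Constructed group lists for the two accounts discussed in the thread.
$theUser = @('domainname\THEUSER', 'domainname\Exchange Public Folder Administrators', 'domainname\SG_FullMailboxRights')
$admin   = @('domainname\admin', 'domainname\Domain Admins', 'domainname\Exchange Organization Administrators')

"-eq matches: $(@(Select-FullAccess $perms 'eq').Count); -like matches: $(@(Select-FullAccess $perms 'like').Count); -contains matches: $(@(Select-FullAccess $perms 'contains').Count)"
Test-EffectiveFullAccess -Permissions $perms -Principals $theUser
Test-EffectiveFullAccess -Permissions $perms -Principals $admin
```

    The second function is the part that answers "same groups, different result": the admin groups in the dump carry an inherited Deny for FullAccess alongside their inherited Allow, and a Deny entry is evaluated before the Allow for the same trustee, so membership in those groups blocks access rather than granting it. A user who additionally sits in a group with an explicit Allow is decided by that entry first. On a live system the principal list should come from the user's token groups rather than from ADUC by hand, since nested membership is what the ACL is checked against.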
  • Has the user been made a delegate of the mailbox?


    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
    Wednesday, November 24, 2010 4:57 PM
  • Hi Mjolinor,

    How can I check whether they are a delegate or not? I am not sure; I am left with this mess to deal with :-) so I have to figure it out, I guess.

    Thanks Martin and Mjolinor for your prompt responses!
    Kind Regards

    Wednesday, November 24, 2010 5:02 PM
  • I think it's also possible the access is being done by impersonation:

    http://msdn.microsoft.com/en-us/library/bb204095.aspx


    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
    Wednesday, November 24, 2010 5:03 PM
  • This is Exchange 2007 SP1, not sure whether this is applicable to it, as the MSDN link takes me to an Exchange 2010 reference.
    Wednesday, November 24, 2010 5:08 PM
  • Here's a link that appears to be 2007 specific:

    http://msdn.microsoft.com/en-us/library/bb204095(EXCHG.80).aspx


    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
    Wednesday, November 24, 2010 5:12 PM
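    The replies so far name three places the access could be coming from: a group the user belongs to, a delegate assignment, and impersonation. The following is an added example, not code from the thread, of how to check each of them from the Exchange 2007 Management Shell for one user and one mailbox. $mailbox and $user are placeholders. It assumes Get-ADPermission objects expose User, ExtendedRights, Deny and IsInherited, and that ms-Exch-EPI-Impersonation (server scope) and ms-Exch-EPI-May-Impersonate (mailbox scope) are the extended rights used for impersonation in 2007, as in the MSDN article linked above. The last check, Receive-As at mailbox-database scope, goes beyond what the thread discusses: a grant there applies to every mailbox in the database, which is the shape of access the original question describes.

```powershell
# Added example (not from the thread). Run in the Exchange 2007 Management Shell.
$mailbox = 'virus'      # placeholder: the mailbox under investigation
$user    = 'THEUSER'    # placeholder: sAMAccountName of the user in question

# 0. Resolve the user's effective principals: their own SID plus tokenGroups,
#    which the DC computes as the fully nested group membership. This is the
#    set the mailbox ACL is actually evaluated against, not the direct
#    memberships shown in ADUC.
$searcher = New-Object System.DirectoryServices.DirectorySearcher("(sAMAccountName=$user)")
$entry = $searcher.FindOne().GetDirectoryEntry()
$entry.RefreshCache('tokenGroups')
$sids = New-Object System.Collections.ArrayList
[void]$sids.Add($entry.Properties['objectSid'][0])
foreach ($g in $entry.Properties['tokenGroups']) { [void]$sids.Add($g) }
$principals = foreach ($sidBytes in $sids) {
    (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Translate([System.Security.Principal.NTAccount]).Value
}
"Effective principals for ${user}:"
$principals

# 1. Group-based access: every ACL entry on the mailbox, inherited or not,
#    that names one of those principals.
Get-Mailbox $mailbox | Get-MailboxPermission |
    Where-Object { $principals -contains $_.User.ToString() } |
    Format-Table User, AccessRights, IsInherited, Deny -AutoSize

# 2. Delegation: Outlook delegates are recorded at mailbox level as
#    Send-on-Behalf (folder-level rights live inside the mailbox itself).
Get-Mailbox $mailbox | Select-Object Name, GrantSendOnBehalfTo

# 3. Impersonation rights held by the user or their groups, at server scope
#    and on this mailbox.
Get-ExchangeServer | Get-ADPermission |
    Where-Object { ($_.ExtendedRights -like 'ms-Exch-EPI-*') -and ($principals -contains $_.User.ToString()) } |
    Format-Table Identity, User, ExtendedRights, Deny, IsInherited -AutoSize
Get-Mailbox $mailbox | Get-ADPermission |
    Where-Object { ($_.ExtendedRights -like 'ms-Exch-EPI-*') -and ($principals -contains $_.User.ToString()) } |
    Format-Table Identity, User, ExtendedRights, Deny, IsInherited -AutoSize

# 4. Receive-As at database scope: an Allow here covers every mailbox in the
#    database, so it is the first place to look when one account can open
#    all of them. Deny entries are listed too, since they take precedence.
Get-MailboxDatabase | Get-ADPermission |
    Where-Object { ($_.ExtendedRights -like '*Receive-As*') -and ($principals -contains $_.User.ToString()) } |
    Sort-Object Deny, IsInherited |
    Format-Table Identity, User, Deny, IsInherited -AutoSize
```

    Step 0 is what makes the other steps trustworthy: the thread's confusion comes from comparing direct group memberships in ADUC, while the server decides on the token, which includes nested groups. Running the same script for the admin account and for THEUSER and diffing the four outputs shows exactly which entry differs between them.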
  • Which Exchange Groups are you using as the one to give access to mailboxes?
    Exchange is a passion not just a collaboration software.
    Wednesday, November 24, 2010 5:25 PM
  • Hi Martin,

    As I have inherited this setup, those are the only groups listed in the above permissions. Upon looking in ADUC, they have some security groups which are part of Enterprise Admins / Domain Admins etc., and then the admin users are part of those security groups.

    What I cannot understand is that none of these security groups is part of any Exchange admin group.

    Still can't understand what's going on :-)

    Will do more investigation and post back!
    Thanks so much for your and mjolinor's prompt responses!!!

    Thursday, November 25, 2010 10:01 AM
  • Hi,

    Any news on the troubleshooting?

    Do try and find out which groups belong to the Exchange groups so we can figure out how it is all put together. If the reason for the groups being in the Exchange groups is only giving full access to mailboxes, I would remove the groups and start by making your own groups instead and using them.

    /Martin


    Exchange is a passion not just a collaboration software.
    Monday, November 29, 2010 4:53 PM
  • Hi Martin, sorry for the delayed response.

    "Do try and find out which groups belong to the Exchange groups"

    By the above line you mean I should check for any groups which are members of any Exchange groups and make a note of them?
    I will be on this site tomorrow and will do that - will update here when I have the details.

    Kind Regards

    Wednesday, December 01, 2010 9:26 AM
  • Hi,

    Yeah, that is what I mean. That way you can try and sort out who has the permissions you want and who might have permissions that you maybe didn't want them to have. It is important to know who has access to what, because when strange things happen you will want to know who had access to do things :-)

    If a "normal" user has Exchange Organization rights, the user will actually be able to delete databases and so on, and all he/she actually needed was to view the inbox of a public mailbox.

    /Martin


    Exchange is a passion not just a collaboration software.
    Wednesday, December 01, 2010 12:38 PM
  • Hi Martin,

    Sorry for another delayed response; bad weather has restricted me, hence the delay. Still waiting for it all to clear up and then I would be on that site; meanwhile I might try to seek remote access (if allowed) and will then be able to go through the groups etc.

    What my plan of action is:

    Will open up ADUC (dsa.msc) and then check for all "default / built-in" Exchange groups and see who is a member of which groups, make a note of them and then see which users are members of those groups.

    Please keep an eye on this thread! Will update this space soon.

    Meanwhile, a quick suggestion is required: one of my Exchange servers is running out of space (still 30GB left on the DB partition). I was thinking to:

    a) Shrink the logs partition (get 40GB from there, leaving the logs with 20GB)

    b) Extend the DB partition then via Diskmgmt.msc

    Any thoughts on that? Is it a straightforward procedure, or shall I dismount the DBs first, stop Exchange services, and then do this?

    Kind Regards!!


    Tuesday, December 07, 2010 9:57 AM
  • Hey,

    Been away on work these last days.

    Resizing the log drive really depends on the amount of mail you receive between backup windows and how often you are taking a full backup. The logs will only be flushed when a full backup is done, so you need to be sure that you still have enough space on the log drive to support the mail flow.

    Are both log and DB on the same drives (RAID, LUN), since you can shrink and extend the volumes? If so, and you are sure that 20 GB is enough for the log drive, I see no problem in doing the task mentioned.

    /Martin


    Exchange is a passion not just a collaboration software.
    Thursday, December 09, 2010 7:56 PM