Get mailbox permissions

  • Question

  • Hi all,

    I'd like to get a list of Archived Users and their permissions. To do that I'm running the following:

    get-mailbox -archive| get-mailboxpermission | select-object Identity, User, AccessRights, IsInherited | where {$_.IsInherited -eq $False}

    This works fine but I don't quite like the output. The result will show the Identity (so the path of the OU where the object is contained, and the object name). Is it possible to actually show the AD username associated with that identity?

    So what I'm getting now is something like this (omitting accessrights and isinherited):
    domain.local/EU/site1/John Blue, NT AUTHORITY\SELF
    domain.local/EU/site1/John Blue, DOMAIN\john.blue

    As you can see, sometimes the user has got permissions for itself, even when the SELF permissions are in place. This was due to a migration and we still need to clean that up. However, I still need my information. So what I would like to see is:
    DOMAIN\john.blue, NT AUTHORITY\SELF
    DOMAIN\john.blue, DOMAIN\john.blue

    This will make my life way easier and I'll tell you why: I can just copy the first column (username associated with the identity) into Excel. Then I copy the second column (username having permissions on that mailbox) underneath the previously pasted usernames, and then Excel can remove the duplicates. I can even filter out all NT AUTHORITY\SELF, but that'll work either way.

    Thanks a lot! 

    Saturday, August 30, 2014 12:20 PM

All replies

  • Hi

    Look at the available objects to select with that statement, for example replace identity with Name. You can also use the | Export-csv option.


    Hope this helps. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Saturday, August 30, 2014 3:20 PM
  • Thanks, unfortunately the objects returned by this command are very limited and the only one related to the mailbox itself is the identity.

    What's the best way to run another script against the identities and translate them to user accounts?

    What I'll do is run a for cycle and run this command against each line (the below works on a single user):
    Get-QADUser -SearchRoot "dc=domain,dc=com" -Identity "sdomain.com/site/2014/July/Users/Name Lastname" | Select-Object UserPrincipalName

    Saturday, August 30, 2014 4:24 PM
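
One way to get the account name next to each permission entry, as an added example that is not part of the original thread: loop over the mailboxes so the mailbox object (and its SamAccountName) is still in scope when each permission row is emitted. It assumes the Exchange Management Shell; the function name, the OwnerExplicitGrant column and the CSV path are hypothetical, and the first column holds the SamAccountName without the DOMAIN\ prefix.

```powershell
# Added example; run in the Exchange Management Shell.
# Get-ArchiveMailboxPermission is a hypothetical helper name.
function Get-ArchiveMailboxPermission {
    param(
        [switch]$IncludeSelf   # keep NT AUTHORITY\SELF rows when set
    )

    foreach ($mbx in Get-Mailbox -Archive -ResultSize Unlimited) {
        # Query by DistinguishedName so same-named mailboxes stay unambiguous.
        $perms = Get-MailboxPermission -Identity $mbx.DistinguishedName |
            Where-Object { -not $_.IsInherited }

        foreach ($p in $perms) {
            $trustee = $p.User.ToString()
            if (-not $IncludeSelf -and $trustee -eq 'NT AUTHORITY\SELF') { continue }

            # Account part of DOMAIN\account, used for the self-grant check below.
            $account = ($trustee -split '\\')[-1]

            New-Object PSObject -Property @{
                MailboxOwner       = $mbx.SamAccountName
                OwnerUPN           = $mbx.UserPrincipalName
                Trustee            = $trustee
                AccessRights       = ($p.AccessRights -join ';')
                Deny               = $p.Deny
                # Heuristic: compares account names only, ignoring the domain part.
                # True marks an explicit grant to the owner's own account.
                OwnerExplicitGrant = ($account -eq $mbx.SamAccountName)
            } | Select-Object MailboxOwner, OwnerUPN, Trustee, AccessRights, Deny, OwnerExplicitGrant
        }
    }
}

Get-ArchiveMailboxPermission |
    Sort-Object MailboxOwner, Trustee |
    Export-Csv -Path .\archive-mailbox-permissions.csv -NoTypeInformation
```

Rows with OwnerExplicitGrant set to True are candidates for the post-migration cleanup mentioned in the question; rows where Deny is True are deny entries, not grants.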