Get list of delegate access for user

    Question

  • I'm trying to find a way of getting a list of all delegate access for a single user through PowerShell.  I'm familiar with looking by Get-MailboxFolderPermission, but how would I generate it to show every calendar the individual has delegate access to?



    • Edited by DeathSauce Friday, April 10, 2015 12:06 AM
    Thursday, April 9, 2015 11:07 PM

Answers

  • Hi,

    This script might be helpful for you.

    # Collect the calendar folder permissions one user holds across all user mailboxes
    $Report = @()

    $Mailboxes = Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"}

    ForEach ($Mailbox in $Mailboxes)
    {
        $Calendar = $Mailbox.PrimarySmtpAddress.ToString() + ":\Calendar"
        $Permissions = Get-MailboxFolderPermission -Identity $Calendar | Where-Object {$_.User -like "User1" -and $_.AccessRights -notlike "None"}

        ForEach ($Permission in $Permissions)
        {
            # Tag each permission entry with the mailbox that owns the calendar
            $Permission | Add-Member -MemberType NoteProperty -Name "Calendar" -Value $Mailbox.DisplayName
            $Report = $Report + $Permission
        }
    }

    # Export one row per calendar the user has rights on
    $Report | Select-Object Calendar,User,@{label="AccessRights";expression={$_.AccessRights}} | Export-Csv -Path "C:\.CalendarPermissions$(Get-Date -f 'MMddyy').csv" -NoTypeInformation

    Note: replace the underlined user in the script above with that single user.

    Best Regards.



    Friday, April 10, 2015 9:26 AM
    Moderator
  • You would need to check every mailbox in your organization to see if this account had rights to it.  Checking a mailbox to find all the delegates is simple, but there is no easy way in the delegate's account that says the account has access to "these mailboxes".

    Of course, to get all the mailbox delegates across the organization isn't that difficult - a little PowerShell and a Get-Mailbox command to load things up would do the job fairly easily.


    Friday, April 10, 2015 2:09 AM

All replies

  • check this out

    http://thoughtsofanidlemind.com/2014/09/05/reporting-delegate-access-to-exchange-mailboxes/


    Blog: http://theinfraguys.com

    Friday, April 10, 2015 7:26 AM
  • Sauce,

    Lynn's script does exactly what I suggested.  And to be honest, it shouldn't take very long to run, even with a large number of mailboxes.  We have over 15,000 mailboxes in our organization, and a similar script takes about 90 minutes to run.  No, you don't want to sit idle while it's running, but it shouldn't take days or weeks to complete.  Good luck ...

    Will Martin

    Friday, April 10, 2015 1:45 PM
  • Did you manage to find a script for this task? I would like to have it too.
    Thursday, November 17, 2016 10:49 AM
  • You don't need a script for this...

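    # Build each calendar path per mailbox (array + string would append an element, not concatenate)
    Get-Mailbox | ForEach-Object { Get-MailboxFolderPermission -Identity "$($_.PrimarySmtpAddress):\Calendar" -User 'upn' }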

    You will get an error message for every mailbox the user doesn't have permissions on but at the end it will print all the calendars he DOES have permissions on :)

    Obviously you can format the output by selecting the fields you want etc...

    Keep in mind that mailboxfolderpermission only shows the calendars where the user has FOLDER permissions. If the user has full access delegations on a mailbox he/she will also be able to see the calendar of that mailbox but he will not have specific permissions on that folder so it won't show up.

    To find these kinda thingies you have to use Get-MailboxPermission like this:

    Get-Mailbox |  Get-MailboxPermission -user 'upn'

    also: the user will be able to see calendars of mailboxes that have default access permissions set.

    The above script is incomplete for these reasons :)

    Friday, February 10, 2017 1:06 PM
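
Added example, not part of any post in this thread: an audit that reports all three routes mentioned above (explicit calendar folder rights, mailbox-level FullAccess, and a permissive Default entry) in one CSV. It assumes PowerShell 3.0 or later in the Exchange Management Shell and the default English folder name "Calendar"; `$Delegate`, the `New-Finding` helper, and the output path are placeholders introduced for illustration.

```powershell
# Added example: list every route by which one account can open other users' calendars.
# Run in the Exchange Management Shell. $Delegate and the CSV path are placeholders.
$Delegate = 'user1@example.com'

# Hypothetical helper: one uniform report row per permission entry found.
function New-Finding($Mailbox, $Route, $Entry) {
    [pscustomobject]@{
        Mailbox = $Mailbox
        Route   = $Route
        User    = "$($Entry.User)"
        Rights  = "$($Entry.AccessRights)"   # stringified so local and remote sessions behave alike
    }
}

$Mailboxes = Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"}

$Report = foreach ($Mailbox in $Mailboxes) {
    $Smtp     = $Mailbox.PrimarySmtpAddress.ToString()
    $Calendar = "${Smtp}:\Calendar"   # assumes the folder has the default English name

    # 1. Folder-level rights granted directly to the account. With -User the cmdlet
    #    errors when no entry exists, so those errors are suppressed.
    Get-MailboxFolderPermission -Identity $Calendar -User $Delegate -ErrorAction SilentlyContinue |
        Where-Object { "$($_.AccessRights)" -ne 'None' } |
        ForEach-Object { New-Finding $Smtp 'CalendarFolder' $_ }

    # 2. Mailbox-level FullAccess, which exposes the calendar without any folder entry.
    Get-MailboxPermission -Identity $Smtp -User $Delegate -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Deny -and "$($_.AccessRights)" -match 'FullAccess' } |
        ForEach-Object { New-Finding $Smtp 'FullAccess' $_ }

    # 3. The Default entry applies to everyone in the organization. Report it only
    #    when it grants more than free/busy (AvailabilityOnly) or nothing (None).
    Get-MailboxFolderPermission -Identity $Calendar -User Default -ErrorAction SilentlyContinue |
        Where-Object { 'None', 'AvailabilityOnly' -notcontains "$($_.AccessRights)" } |
        ForEach-Object { New-Finding $Smtp 'DefaultEntry' $_ }
}

$Report | Sort-Object Route, Mailbox |
    Export-Csv -Path ".\DelegateAccess-$(Get-Date -f 'yyyyMMdd').csv" -NoTypeInformation
```

Rows with Route `DefaultEntry` are not specific to the audited account; they mark calendars that any user in the organization can read at that level.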
  • Wim, the original question was specifically about delegate access, not full mailbox access.  The script Lynn-Li gave will deliver the list of anyone who has rights to the calendar folder, which answers that question.

    Nauman, Lynn-Li did put a script in her response.

    DeathSauce, did Lynn-Liu's script work for you?


    Will Martin ...
    -join ('77696c6c406d617274696e2d66616d696c6965732e6f7267' -split '(?<=\G.{2})' | ? { $_ } | % { [char][int]"0x$_" })

    Friday, February 17, 2017 1:43 PM
  • I know this is an old post, but the Google led me here. I have the following to get Delegates for a mailbox, and who a user is a delegate of. It does require the Quest cmdlets be installed.

    # Prompt for Username
    $User = Read-Host "Enter Username"
    
    # Get mailboxes that the entered username is a delegate of
    $IsDelegateOf = (Get-QADUser $User -includedproperties name,mailnickname,publicdelegates,publicdelegatesbl |
    	Select-Object name, publicdelegatesbl).PublicDelegatesBL
    
    # Get users that are delegates of the mailbox entered
    $MailboxDelegates = (Get-QADUser $User -includedproperties name,mailnickname,publicdelegates,publicdelegatesbl |
    	Select-Object name, publicdelegates).PublicDelegates
    
    Write-Output "`nThis user, $User, is a delegate of these mailboxes:"
    # Get a readable name for the data and output it
    If($IsDelegateOf -ne $null){
        $IsDelegateOf | ForEach-Object{
         
            New-Object -TypeName PSCustomObject -Property @{
    
            User = (Get-ADUser $User).Name
            IsDelegateOf = (Get-ADUser $_).Name
            Username = (Get-ADUser $_).SamAccountName
    
        }
            } | Select User, IsDelegateOf, Username | Format-Table -AutoSize
    }Else{
        Write-Output "User is not a delegate of any mailboxes"
    }
    
    Write-Output "`nThese people are delegates of this user, $($User):"
    # Get a readable name for the data and output it
    If($MailboxDelegates -ne $null){
        $MailboxDelegates | ForEach-Object{
         
    
            New-Object -TypeName PSCustomObject -Property @{
    
            Mailbox = (Get-ADUser $User).Name
            Delegate = (Get-ADUser $_).Name
            Username = (Get-ADUser $_).SamAccountName
       
            }
        } | Select Mailbox, Delegate, Username | Format-Table -AutoSize
    }Else{
        Write-Output "User does not have any delegates"
    }
    Read-Host "Hit enter to close"

    Thursday, June 28, 2018 3:33 PM