Need help with script to export shared mailbox full access permissions and security group membership.

  • Question

  • Pretty much every shared mailbox we have in our environment has a security group assigned to it that is the same name except starting with SG_.  I'm looking to have a script that can parse through all the shared mailboxes, review the security group assigned to it and export the members out with it.  I have something below but it's not complete and I'm unsure how to set it.  Any suggestions are appreciated.

    Ideally it would output something like:

    Mailbox Name    Security Group Name    Access
    Mailbox1        SG_Mailbox1            domain\user1
    mailbox1        sg_mailbox1            domain\user2
    MailboxABC      SG_MailboxABC          domain\userA

    $sharedmailbox = Get-Mailbox -RecipientTypeDetails "shared" -ResultSize unlimited
    
    foreach ($mb in $sharedmailbox) { 
    
    $securitygroup = Get-Mailbox -id $mb | Get-MailboxPermission | where { ($_.User -like "domain\SG_*") } 
    $securitygroup = ($securitygroup.identity -split "/")[-1]
    #Write-Host "security group" $securitygroup.User
    
    foreach ($member in $securitygroup.User) {
    
    write-host $member
    $SGMember = Get-DistributionGroupMember -Identity $member
    
    Write-Host $SGMember
    
    $outarray += New-Object PsObject -property @{
    'Mailbox' = $mb
    'security group' = $securitygroup.User
    'SG Member' = $SGMember
    }
    }
    
    }
    
    $outarray
    

    Wednesday, August 7, 2019 7:02 PM

Answers

  • I figured it out.  It looks for the security group that has full access, pulls the members out then grants them explicit full access and send as permissions.

    # Reset working variables left over from earlier runs in the same session
    $mb = $null
    $securitygroup = $null
    $securitygroup2 = $null
    $SGMember = @()
    $members = $null
    $user = $null
    $account = @()
    $report = @()

    # Fetch the shared mailboxes after the reset so the list is not wiped
    $sharedmailbox = Get-Mailbox -RecipientTypeDetails "shared" -ResultSize unlimited

    foreach ($mb in $sharedmailbox) {

        # Permission entry held by the SG_ security group on this mailbox
        $securitygroup = Get-Mailbox -id $mb | Get-MailboxPermission | where { ($_.User -like "domain\SG_*") }

        # Skip mailboxes that have no SG_ group assigned
        if (-not $securitygroup) { continue }

        $securitygroup2 = $securitygroup.User

        # Members of that group, joined into one comma-separated string for the report
        $SGMember = Get-DistributionGroupMember -Identity $securitygroup2
        $members = (@($SGMember).alias -join ',')

        $output = New-Object System.Object
        $output | Add-Member -Type NoteProperty -Name Mailbox -Value $($mb)
        $output | Add-Member -Type NoteProperty -Name "security group" -Value $($securitygroup2)
        $output | Add-Member -Type NoteProperty -Name "SG members" -Value $members

        $report += $output

        # Drop empty entries so an empty group does not produce a blank user
        $account = $members.Split(",") | where { $_ }

        foreach ($user in $account) {
            # Grant each member explicit Full Access and Send As on the mailbox
            Add-MailboxPermission -Identity "$mb" -User $user -AccessRights Fullaccess -InheritanceType all -Automapping $false
            Add-ADPermission -Identity "$mb" -User $user -AccessRights ExtendedRight -ExtendedRights "send as"
        }
    }

    $report | Export-Csv C:\scripts\MailboxAddUsersExplicitly.csv -NoTypeInformation


    Friday, August 9, 2019 2:11 PM
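
A report-only take on the export this thread is after, added here as an example and not code from any of the posters: it emits one row per mailbox, group and member in the layout the question asks for, and changes no permissions. The function name `Expand-MailboxGroupAccess`, its parameters, the `CONTOSO` domain and the sample rows are assumptions constructed for illustration.

```powershell
# Added example: flatten "SG_ group has FullAccess" entries into one row per member.
# Sample data below is constructed; CONTOSO, Mailbox1, user1 etc. are hypothetical.
function Expand-MailboxGroupAccess {
    param(
        # Objects shaped like Get-MailboxPermission output
        [Parameter(Mandatory, ValueFromPipeline)] $Permission,
        # Scriptblock that returns member objects (with SamAccountName) for a group name
        [Parameter(Mandatory)] [scriptblock] $ResolveMembers,
        [string] $GroupPattern = '*\SG_*'
    )
    process {
        # Report only explicit, allow-type FullAccess entries held by an SG_ group
        if ($Permission.Deny -or $Permission.IsInherited) { return }
        if (@($Permission.AccessRights) -notcontains 'FullAccess') { return }
        $trustee = [string]$Permission.User
        if ($trustee -notlike $GroupPattern) { return }
        $domain, $group = $trustee -split '\\', 2
        $members = @(& $ResolveMembers $group)
        if ($members.Count -eq 0) {
            # Keep empty groups visible in the report instead of dropping them
            $members = @([pscustomobject]@{ SamAccountName = '<no members>' })
        }
        foreach ($m in $members) {
            [pscustomobject]@{
                Mailbox       = [string]$Permission.Identity
                SecurityGroup = $group
                Access        = "$domain\$($m.SamAccountName)"
            }
        }
    }
}

# Constructed sample input standing in for Get-MailboxPermission results
$samplePermissions = @(
    [pscustomobject]@{ Identity='Mailbox1'; User='CONTOSO\SG_Mailbox1'; AccessRights=@('FullAccess'); IsInherited=$false; Deny=$false }
    [pscustomobject]@{ Identity='Mailbox1'; User='NT AUTHORITY\SELF'; AccessRights=@('FullAccess','ReadPermission'); IsInherited=$false; Deny=$false }
    [pscustomobject]@{ Identity='MailboxABC'; User='CONTOSO\SG_MailboxABC'; AccessRights=@('FullAccess'); IsInherited=$true; Deny=$false }
)
$sampleGroups = @{ SG_Mailbox1 = 'user1', 'user2' }
$resolver = { param($g) foreach ($n in $sampleGroups[$g]) { [pscustomobject]@{ SamAccountName = $n } } }

$samplePermissions | Expand-MailboxGroupAccess -ResolveMembers $resolver | Format-Table -AutoSize

# Live use (Exchange Management Shell with the ActiveDirectory module loaded):
#   Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited | Get-MailboxPermission |
#     Expand-MailboxGroupAccess -ResolveMembers { param($g) Get-ADGroupMember -Identity $g -Recursive } |
#     Export-Csv .\SharedMailboxAccess.csv -NoTypeInformation
```

With `Get-ADGroupMember -Recursive` as the resolver, accounts that reach the mailbox through nested groups appear as their own rows.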

All replies

  • I've seen that and it doesn't quite provide the data in a clean format.  I've searched and unless I'm not using the right search words, I'm not seeing anything that can do this.   I appreciate the response.  
    Thursday, August 8, 2019 12:43 PM
  • Try below, it might work for you:

    foreach($mailbox in (Get-Mailbox)) {
        foreach ($permission in (Get-MailboxPermission $mailbox | 
            Where-Object{$_.User -like "Domain\SG_*"})){
                Get-ADGroupMember $permission.User.ToString().split("\")[1]  |
                     Select-Object @{n="Mailbox"; e={$mailbox}}, @{n="Group"; e={$permission.User.ToString().split("\")[1]}}, @{n="Access"; e={$_.SamAccountName}} 
        }
    }

     
    Replace Get-Mailbox with the appropriate filters
    • Edited by DumbleD0re Friday, August 9, 2019 12:45 PM
    Friday, August 9, 2019 9:23 AM
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Lee


    Just do it.

    Friday, September 6, 2019 12:49 PM