Report of mailboxes with full access permissions

    Question

  • So I'm wanting to build a report of all mailboxes in Exchange that have full access management rights set.

    I've found the following site and command to get the data out of Exchange:

    https://exchangeserverpro.com/list-users-access-exchange-mailboxes/

    get-mailbox -resultsize unlimited | get-mailboxpermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false}

    That gets me data from Exchange of each mailbox that has full access and who has the full access to it (and removes all the SELF permissions and any that are inherited).  This takes a LONG TIME.  Is there a better command to get this data more quickly?

    Also, I would like to take the identity data from the Exchange data and then run a get-aduser query against that information, but the identity value from the get-mailboxpermission is essentially the canonicalname in AD which it appears you cannot run a filter against.  Any other way to take that data and run against get-aduser?

    Wednesday, November 04, 2015 3:56 PM

Answers

  • Sorry I must have pasted the wrong version.

    This gets it all:

    Get-MailboxPermission * |
    	Where{$_.AccessRights -contains 'FullAccess'} |
    	select -expand identity -unique|
    	select distinguishedname
    


    \_(ツ)_/

    • Marked as answer by bandrgeorge Friday, November 06, 2015 7:49 PM
    Friday, November 06, 2015 5:35 PM
    Moderator

All replies

  • Hi George,

    That's the best and easiest-to-use cmdlet available. The time taken is expected and mostly depends on your Exchange server's performance and current load.

    You have to manually map the attributes when using two different cmdlets that won't pipe automatically.

    Get-Mailbox Satyajit | %{Get-ADUser $_.SamAccountName}

    Adding this to the end of your query should help, but you need to handle the error as well.

    So it will no longer be a one-liner:

    | %{Get-ADuser "$($_.User.rawidentity)".split("\")[1]}

    See here for the error handling part.

    get-mailbox error handling


    Regards,

    Satyajit

    Please "Vote As Helpful" if you find my contribution useful or "Mark As Answer" if it does answer your question. That will encourage me - and others - to take time out to help you.


    • Edited by Satyajit321 Thursday, November 05, 2015 11:48 AM
    Thursday, November 05, 2015 11:35 AM
  • I'm getting an error when I try that option.

    If I do the following:

     get-mailboxpermission username | select identity

    the result is a full AD path:

    domain.net/Corporate/AM/United States/Office/Users/Department/User Name

    Your split command, if I'm reading it correctly and substitute / for \, would only give me Corporate...

    When I type:

    get-mailboxpermission username | %{get-aduser "$($_.user.identity)".split("/")[1]}

    The error I get is:

    ForEach-Object : Cannot validate argument on parameter 'Identity'. The argument is null. Supply a non-null argument and
     try the command again.
    At line:1 char:34
    + get-mailboxpermission bgeorge | % <<<< {get-aduser "$($_.user.identity)".split("/")[1]}
        + CategoryInfo          : InvalidData: (:) [ForEach-Object], ParameterBindingValidationException
        + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.ForEachObjectCommand

    Thursday, November 05, 2015 4:58 PM
  • For those who may come across this in the future looking for the same, I stumbled across a way to get the distinguishedname out of the identity value from get-mailboxpermission.

    If I do the following:

    $identity = get-mailboxpermission username | select identity
    $identity = $identity | select -unique
    ($identity.identity).distinguishedname

    That will give me the DN of the user I'm looking for

    Thursday, November 05, 2015 6:13 PM

  • Get-MailboxPermission useralias | select -expand identity -unique|select name, distinguishedname


    \_(ツ)_/

    Thursday, November 05, 2015 6:34 PM
    Moderator
  • Hmm..

    Get-MailboxPermission * |
    	Where{$_.AccessRights -contains 'FullAccess'} |
    	select -expand identity -unique |
    	select distinguishedname


    \_(ツ)_/


    • Edited by jrvModerator Friday, November 06, 2015 5:36 PM Posted correct code
    Thursday, November 05, 2015 6:38 PM
    Moderator
  • jrv -

    If I take your recommendation and add it to my search:

    get-mailbox -resultsize unlimited | get-mailboxpermission | where {($_.user.tostring() -ne "NT AUTHORITY\SELF") -and ($_.IsInherited -eq $false) -and ($_.user.tostring() -notlike "S-1-5-21*")} | select identity | select distinguishedname | Export-Csv -notypeinformation c:\Temp\test110615.csv

    All I get on a single line of the excel report is:

    distinguishedname (just the word, not an actual dn of a user)

    Friday, November 06, 2015 5:13 PM
  • I feel like I'm so close but I'm not getting the results I want.

    Tell me what I'm doing wrong in the following code:

    $sharedusers = get-mailbox -resultsize unlimited | get-mailboxpermission | where {($_.user.tostring() -ne "NT AUTHORITY\SELF") -and ($_.IsInherited -eq $false) -and ($_.user.tostring() -notlike "S-1-5-21*")} | select identity
    $sharedusers = $sharedusers | Sort-Object {$_.identity}
    $sharedusers = $sharedusers | select -Unique identity
    
    $table="First Name,Last Name,Display Name,Location,Title,Account Enabled,Last Logon,Mailbox Shared With"
    $table | Set-Content c:\Temp\test110515.csv
    
    foreach ($identity in $sharedusers)
    {
    $permissions = get-mailboxpermission $_.identity | where {($_.user.tostring() -ne "NT AUTHORITY\SELF") -and ($_.IsInherited -eq $false) -and ($_.user.tostring() -notlike "S-1-5-21*")} | select user
    $dn = ($identity.identity).distinguishedname
    
    $u = get-aduser $dn -properties name,givenname,surname,office,title,enabled,lastlogondate
    
    Add-Content c:\Temp\test110515.csv "$u.givenname,$u.surname,$u.name,$u.office,$u.title,$u.enabed,$u.lastlogondate,$permissions"
    } 


    I have manually run the first 3 lines and get exactly what I want - a list of the identities without duplicates

    I have then run the following and got exactly what I want - a list of the distinguishedname like the list of identities

    foreach ($identity in $sharedusers)
    {
    ($identity.identity).distinguishedname
    }

    but somehow, the original code above that assigns the $dn value and then does the get-aduser ends up giving me the distinguishedname of each user in the csv file on each line (part in each column since it's separated by commas), instead of the data I asked for it to put.

    Also, the $permissions code gives me an error for every user.


    Friday, November 06, 2015 5:21 PM
  • Sorry I must have pasted the wrong version.

    This gets it all:

    Get-MailboxPermission * |
    	Where{$_.AccessRights -contains 'FullAccess'} |
    	select -expand identity -unique|
    	select distinguishedname


    \_(ツ)_/

    Thanks jrv!  That worked. 

    It's a pain to test this as it takes me 15 minutes for each pass :-)

    Now to take this list of dn's and figure out how to use it.  Many thanks!

    Friday, November 06, 2015 6:49 PM
  • Glad it works.  Good luck.

    \_(ツ)_/

    Friday, November 06, 2015 7:08 PM
    Moderator
  • Ok, what am I doing wrong:

    $sharedusers = get-mailbox -resultsize unlimited | get-mailboxpermission | where {($_.user.tostring() -ne "NT AUTHORITY\SELF") -and ($_.IsInherited -eq $false) -and ($_.user.tostring() -notlike "S-1-5-21*")} | select -expand identity -unique| select distinguishedname
    
    $table="First Name,Last Name,Display Name,Location,Title,Account Enabled,Last Logon,Mailbox Shared With"
    $table | Set-Content c:\Temp\test110515.csv
    
    foreach ($dn in $sharedusers)
    {
    $u = get-aduser $dn -properties name,samaccountname,givenname,surname,office,title,enabled,lastlogondate
    $permissions = get-mailboxpermission $u.samaccountname | where {($_.user.tostring() -ne "NT AUTHORITY\SELF") -and ($_.IsInherited -eq $false) -and ($_.user.tostring() -notlike "S-1-5-21*")} | select user
    
    Add-Content c:\Temp\test110515.csv "$u.givenname , $u.surname , $u.name , $u.office , $u.title , $u.enabed , $u.lastlogondate , $permissions"
    } 
    

    The resulting csv file still has the distinguishedname in it along with .givenname, etc appended every so often.

    I know the $sharedusers statement should give me a list of distinguishedname unique for each mailbox that has full access

    What is going on with the $u statement that doesn't get me the values?

    Friday, November 06, 2015 7:31 PM
  • I highly recommend creating objects instead of doing what you're doing, but if you want to continue down this road you need to use subexpressions:

    http://ss64.com/ps/syntax-operators.html


    Friday, November 06, 2015 7:35 PM
    Moderator
  • I highly recommend creating objects instead of doing what you're doing, but if you want to continue down this road you need to use subexpressions:

    http://ss64.com/ps/syntax-operators.html


    Ok, I'm giving it a try with subexpressions.

    Could you give me an example of how I could do this by creating objects?  Not sure I'm familiar with that approach.

    Friday, November 06, 2015 7:44 PM
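    One way to do the "create objects" approach jrv recommends, as an added example that is not code from the thread: it builds one object per mailbox with FullAccess entries and lets Export-Csv handle the columns and quoting, instead of assembling CSV lines by hand. It assumes an Exchange Management Shell with the ActiveDirectory module loaded, and that the Identity property exposes DistinguishedName as the thread confirms.

```powershell
# Added example (not from the thread). Assumes the Exchange Management Shell and the
# ActiveDirectory module are available, and that $_.Identity.DistinguishedName works
# (as confirmed earlier in the thread).
Import-Module ActiveDirectory

$report = Get-MailboxPermission -Identity * |
    Where-Object {
        $_.AccessRights -contains 'FullAccess' -and
        -not $_.IsInherited -and
        -not $_.Deny -and
        $_.User.ToString() -ne 'NT AUTHORITY\SELF' -and
        $_.User.ToString() -notlike 'S-1-5-21*'   # unresolved SIDs are stale ACEs; review them separately
    } |
    # Group the permission entries by mailbox so each mailbox becomes exactly one row
    Group-Object -Property { $_.Identity.DistinguishedName } |
    ForEach-Object {
        $dn = $_.Name   # the mailbox owner's DN, taken from the object rather than parsed from a string
        try {
            $u = Get-ADUser -Identity $dn -ErrorAction Stop `
                 -Properties GivenName, Surname, Office, Title, Enabled, LastLogonDate
        } catch {
            # Keep the row so the report shows which mailboxes could not be resolved in AD
            Write-Warning "Get-ADUser failed for $dn : $($_.Exception.Message)"
            $u = $null
        }

        # Values inside the hashtable are real expressions, so no string subexpressions are needed
        [PSCustomObject]@{
            'First Name'          = $u.GivenName
            'Last Name'           = $u.Surname
            'Display Name'        = $u.Name
            'Location'            = $u.Office
            'Title'               = $u.Title
            'Account Enabled'     = $u.Enabled
            'Last Logon'          = $u.LastLogonDate
            'Mailbox DN'          = $dn
            'Mailbox Shared With' = ($_.Group | ForEach-Object { $_.User.ToString() } |
                                     Sort-Object -Unique) -join '; '
        }
    }

# Export-Csv writes the header row and quotes every field, so commas in names are safe
$report | Export-Csv -Path C:\Temp\FullAccessReport.csv -NoTypeInformation
```

    The single Get-MailboxPermission pass is still the slow part; the grouping and AD lookups only add one Get-ADUser call per mailbox that actually has a FullAccess entry.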
  • Ok, what am I doing wrong:

    $sharedusers = get-mailbox -resultsize unlimited | get-mailboxpermission | where {($_.user.tostring() -ne "NT AUTHORITY\SELF") -and ($_.IsInherited -eq $false) -and ($_.user.tostring() -notlike "S-1-5-21*")} | select -expand identity -unique| select distinguishedname
    
    $table="First Name,Last Name,Display Name,Location,Title,Account Enabled,Last Logon,Mailbox Shared With"
    $table | Set-Content c:\Temp\test110515.csv
    
    foreach ($dn in $sharedusers)
    {
    $u = get-aduser $dn -properties name,samaccountname,givenname,surname,office,title,enabled,lastlogondate
    $permissions = get-mailboxpermission $u.samaccountname | where {($_.user.tostring() -ne "NT AUTHORITY\SELF") -and ($_.IsInherited -eq $false) -and ($_.user.tostring() -notlike "S-1-5-21*")} | select user
    
    Add-Content c:\Temp\test110515.csv "$u.givenname , $u.surname , $u.name , $u.office , $u.title , $u.enabed , $u.lastlogondate , $permissions"
    } 

    The resulting csv file still has the distinguishedname in it along with .givenname, etc appended every so often.

    I know the $sharedusers statement should give me a list of distinguishedname unique for each mailbox that has full access

    What is going on with the $u statement that doesn't get me the values?

    You have an uncanny ability to break everything posted. This is usually because of lack of understanding of PowerShell and the system you are managing.

    You do not need Get-Mailbox.  It is redundant.  You do not need so many different bits either:

    You can't just keep changing the question and asking for a fix.  You asked for the DNs of all accounts with full access.  You have that.  Please mark the question as answered.


    \_(ツ)_/

    Friday, November 06, 2015 7:46 PM
    Moderator
  • Ah jrv, once again you reduce to insults.

    The code I posted is using your recommendation and I gave you the answer credit.  Just trying to figure out how to now use the array of dn's to create the csv file output I want.  You don't want to help, that's fine.

    Good day

    Friday, November 06, 2015 7:51 PM
  • Ah jrv, once again you reduce to insults.

    The code I posted is using your recommendation and I gave you the answer credit.  Just trying to figure out how to now use the array of dn's to create the csv file output I want.  You don't want to help, that's fine.

    Good day

    Not an insult. It is a reminder of what you are doing and why it is very hard for us to be of assistance.

    You asked for DNs and you have them.  If you need more assistance with a another part of your script then please ask a clear question in a new topic and try to resolve the next piece.

    See this for some information on how to proceed: https://social.technet.microsoft.com/Forums/en-US/c47b1bc2-f7fd-4d2e-8ff2-e8a81ce090d4/this-forum-is-for-scripting-questions-rather-than-script-requests?forum=ITCG

    Having a well thought out single question will get you further faster than just adding variations of a request.


    \_(ツ)_/

    Friday, November 06, 2015 8:00 PM
    Moderator
    This is an example for shared mailboxes, but you can change it to normal mailboxes too:

    $sharedMailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails SharedMailbox

    foreach($shared in $sharedMailboxes){Get-MailboxPermission $shared.Identity | where { ($_.AccessRights -eq "FullAccess") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") } | select @{N="Identity";E={$shared.PrimarySMTPAddress}},User,AccessRights,IsInherited,Deny | Export-Csv $home\desktop\Sharedmailbox.csv -NoTypeInformation -Append}

    Thursday, May 17, 2018 3:39 PM
    This is an example for shared mailboxes, but you can change it to normal mailboxes too:

    $sharedMailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails SharedMailbox

    foreach($shared in $sharedMailboxes){Get-MailboxPermission $shared.Identity | where { ($_.AccessRights -eq "FullAccess") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") } | select @{N="Identity";E={$shared.PrimarySMTPAddress}},User,AccessRights,IsInherited,Deny | Export-Csv $home\desktop\Sharedmailbox.csv -NoTypeInformation -Append}

    Question was marked as answered three years ago.

    Never post colorized code in these forums as it is unreadable in most browsers and cannot be copied.


    \_(ツ)_/

    Thursday, May 17, 2018 3:42 PM
    Moderator