PFdavadmin tool

  • Question

  • Does anyone know if the pfdavadmin tool can produce a report for the permissions for ALL mailboxes on an exchange server, or do you have to supply a parameter of a mailbox to check its permissions?
    Wednesday, May 11, 2011 11:31 AM

Answers

  • Why they have been done in two different ways is unknown; only the admin who did this knows.

    In my experience, it's best to do this on the client end (Outlook).  This way the user has more control over what another user can see and do.  Whereas giving full mailbox permission gives the user extra access that may not be needed.

    Sukh

    • Marked as answer by cf090 Wednesday, May 11, 2011 1:38 PM
    Wednesday, May 11, 2011 1:29 PM

All replies

  • You can export all the permissions for all mailboxes by choosing the option from the menu.

    Load PFDAVAdmin>connect to Exchange server and select mailboxes>then go to tools>export permissions>All mailboxes on this server.

    Sukh

    Wednesday, May 11, 2011 11:38 AM
  • You can export all the permissions for all mailboxes by choosing the option from the menu.

    Load PFDAVAdmin>connect to Exchange server and select mailboxes>then go to tools>export permissions>All mailboxes on this server.

    Sukh


    You are a legend my friend :)
    Wednesday, May 11, 2011 12:01 PM
  • You can export all the permissions for all mailboxes by choosing the option from the menu.

    Load PFDAVAdmin>connect to Exchange server and select mailboxes>then go to tools>export permissions>All mailboxes on this server.

    Sukh


    Will it show both delegate rights and people who have "send as" rights, as well as domain groups added to the mailbox's ACL?

    In our org there are many domain groups named such as "eft mailbox access group" which I assume they add to the mailbox ACL, but other folk (mailbox owners) manually add people via delegate rights. So there seem to be a few ways to give access to a mailbox, I just wondered if pfdavadmin will cover both.

    Wednesday, May 11, 2011 12:03 PM
  • You can export all the permissions for all mailboxes by choosing the option from the menu.

    Load PFDAVAdmin>connect to Exchange server and select mailboxes>then go to tools>export permissions>All mailboxes on this server.

    Sukh


    PS - I don't suppose you could upload or show me a sample of the export "output", i.e. the text file/csv or whatever?
    Wednesday, May 11, 2011 12:09 PM
  • pfdavadmin does it within the mailbox, at folder level, e.g. below.  See the permission in bold, which I have given directly on the Junk E-mail folder within Outlook to myself (Sukh).

     

    Created with PFDAVAdmin 2.8
    # Mittwoch, 11. Mai 2011 14:11:09
    # ************************************************************************
    #
    # This export format is only usable with PFDAVAdmin 2.0 and later.
    #
    # ************************************************************************
    SETACL Mailboxes\GMS02 NT AUTHORITY\ANONYMOUS LOGON None NO
    SETACL Mailboxes\GMS02\Common Views NT AUTHORITY\ANONYMOUS LOGON None NO
    SETACL Mailboxes\GMS02\Deferred Action NT AUTHORITY\ANONYMOUS LOGON None NO
    SETACL Mailboxes\GMS02\Finder NT AUTHORITY\ANONYMOUS LOGON None NO
    SETACL Mailboxes\GMS02\Finder\Unread Mail NT AUTHORITY\ANONYMOUS LOGON None NO
    SETACL Mailboxes\GMS02\Freebusy Data NT AUTHORITY\ANONYMOUS LOGON None NO
    SETACL Mailboxes\GMS02\Reminders NT AUTHORITY\ANONYMOUS LOGON None NO
    SETACL Mailboxes\GMS02\Schedule  NO
    SETACL Mailboxes\GMS02\Shortcuts NT AUTHORITY\ANONYMOUS LOGON None NO
    SETACL Mailboxes\GMS02\Spooler Queue NT AUTHORITY\ANONYMOUS LOGON None NO
    SETACL Mailboxes\GMS02\To-Do Search NT AUTHORITY\ANONYMOUS LOGON None NO
    SETACL Mailboxes\GMS02\Top of Information Store NT AUTHORITY\ANONYMOUS LOGON None NO
    SETACL Mailboxes\GMS02\Top of Information Store\Inbox NT AUTHORITY\ANONYMOUS LOGON None NO
    SETACL Mailboxes\GMS02\Top of Information Store\Inbox\T NT AUTHORITY\ANONYMOUS LOGON None NO
    SETACL Mailboxes\GMS02\Top of Information Store\Outbox NT AUTHORITY\ANONYMOUS LOGON None NO
    SETACL Mailboxes\GMS02\Top of Information Store\Sent Items NT AUTHORITY\ANONYMOUS LOGON None NO
    SETACL Mailboxes\GMS02\Top of Information Store\Deleted Items NT AUTHORITY\ANONYMOUS LOGON None NO
    SETACL Mailboxes\GMS02\Top of Information Store\Calendar NT AUTHORITY\ANONYMOUS LOGON None NO
    SETACL Mailboxes\GMS02\Top of Information Store\Contacts NT AUTHORITY\ANONYMOUS LOGON None NO
    SETACL Mailboxes\GMS02\Top of Information Store\Drafts NT AUTHORITY\ANONYMOUS LOGON None NO
    SETACL Mailboxes\GMS02\Top of Information Store\Journal NT AUTHORITY\ANONYMOUS LOGON None NO
    SETACL Mailboxes\GMS02\Top of Information Store\Notes NT AUTHORITY\ANONYMOUS LOGON None NO
    SETACL Mailboxes\GMS02\Top of Information Store\Tasks NT AUTHORITY\ANONYMOUS LOGON None NO
    SETACL Mailboxes\GMS02\Top of Information Store\Junk E-mail Mydomain\Sukh Editor NT AUTHORITY\ANONYMOUS LOGON None NO
    SETACL Mailboxes\GMS02\Top of Information Store\Restored Items NT AUTHORITY\ANONYMOUS LOGON None NO
    SETACL Mailboxes\GMS02\Top of Information Store\Sync Issues NT AUTHORITY\ANONYMOUS LOGON None NO
    SETACL Mailboxes\GMS02\Top of Information Store\Sync Issues\Conflicts NT AUTHORITY\ANONYMOUS LOGON None NO
    SETACL Mailboxes\GMS02\Top of Information Store\Sync Issues\Local Failures NT AUTHORITY\ANONYMOUS LOGON None NO
    SETACL Mailboxes\GMS02\Top of Information Store\Sync Issues\Server Failures NT AUTHORITY\ANONYMOUS LOGON None NO
    SETACL Mailboxes\GMS02\Views NT AUTHORITY\ANONYMOUS LOGON None NO

     

    Wednesday, May 11, 2011 12:16 PM
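
An added example, not part of the original thread and not PFDAVAdmin's own code: a small parser that turns an "All mailboxes on this server" export like the one above into a per-mailbox list of folder-level grants. It assumes the fields in the real export file are tab-separated (the forum rendering shows them as spaces) and that the last field (NO) is a trailing flag; the EXAMPLE01 mailbox and ExampleDelegate account are constructed. As the thread goes on to say, this covers folder-level permissions only, not mailbox-level or "send as" rights.

```python
from collections import defaultdict

# Constructed sample modelled on the export above. Assumption: fields in the
# real file are tab-separated, and the last field (NO) is a trailing flag.
SAMPLE = "\n".join([
    "# comment lines start with '#'",
    "SETACL\tMailboxes\\GMS02\tNT AUTHORITY\\ANONYMOUS LOGON\tNone\tNO",
    "SETACL\tMailboxes\\GMS02\\Schedule\t\tNO",
    "SETACL\tMailboxes\\GMS02\\Top of Information Store\\Junk E-mail"
    "\tMydomain\\Sukh\tEditor\tNT AUTHORITY\\ANONYMOUS LOGON\tNone\tNO",
    # Constructed second mailbox with a hypothetical delegate on the Inbox.
    "SETACL\tMailboxes\\EXAMPLE01\\Top of Information Store\\Inbox"
    "\tMydomain\\ExampleDelegate\tReviewer\tNO",
])


def parse_setacl(line):
    """Return (mailbox, folder, [(principal, role), ...]) or None."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) < 2 or fields[0] != "SETACL":
        return None  # header, comment or blank line
    parts = fields[1].split("\\")
    if len(parts) < 2 or parts[0] != "Mailboxes":
        return None  # not a mailbox folder entry
    folder = "\\".join(parts[2:]) or "(mailbox root)"
    rest = [f for f in fields[2:] if f.strip()]
    if len(rest) % 2 == 1:
        rest = rest[:-1]  # drop the trailing flag, leaving principal/role pairs
    return parts[1], folder, list(zip(rest[0::2], rest[1::2]))


def folder_grants(export_text):
    """Map mailbox -> [(folder, principal, role)] for every role except None."""
    grants = defaultdict(list)
    for line in export_text.splitlines():
        parsed = parse_setacl(line)
        if parsed is None:
            continue
        mailbox, folder, aces = parsed
        for principal, role in aces:
            if role.lower() != "none":
                grants[mailbox].append((folder, principal, role))
    return dict(grants)


if __name__ == "__main__":
    for mailbox, entries in folder_grants(SAMPLE).items():
        for folder, principal, role in entries:
            print(f"{mailbox}: {principal} has {role} on {folder}")
```
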
  • Thanks

    So GMS02 is the mailbox? Or the user (mailbox owner)?

    Where does it list the mailbox owner, i.e.

    if I gave you delegate access to my inbox

    Where in that output you have sent would it show me (as mailbox) owner, and you as inbox access only?

    (excuse my ignorance - new to this)

    Wednesday, May 11, 2011 12:26 PM
  • As mentioned above, pfdavadmin works at the folder level.  This will report permissions at the folder level.

    In the e.g above, the gms02 is a user, and Sukh has access to the Junk email folder in gms02's mailbox.

    The below may help you for the mailbox level.

    http://forums.techarena.in/windows-server-help/704459.htm

    http://support.microsoft.com/kb/310866

    Which version of Exchange are you using?


    • Edited by Sukh828 Wednesday, May 11, 2011 12:34 PM Added in links
    Wednesday, May 11, 2011 12:29 PM
  • Thanks again Sukh

    It's Exchange 2003 (soon to be migrated to Exchange 2010).

    Can you just confirm for me (to set my mind at ease). As I see it there are 2 different ways to grant people access to a mailbox they don't own.

    I (user x) could in MS Outlook (tools > options > delegates) give you (user y) access to my inbox. (delegate access)

    But also, it would seem, our Active Directory admin can create a Windows domain group, i.e. "user X mailbox access group" - add the necessary people to that group, and then somehow attach that domain group to the mailbox, therefore just by logging in with their domain credentials (them being members of the group "user X mailbox access"), they can also see the inbox for that mailbox.

    I just wanted to confirm pfdavadmin will show both the users set up via Outlook delegate rights, and the users added to a domain group which was then (somehow) added to the mailbox's ACL would BOTH be returned in the pfdavadmin output in terms of permissions to user X's mailbox.

    I hope that makes sense.

    There is also I believe a "send as" option, whereby instead of granting delegate access, which in this case they would reply "user Y on behalf of user X" in an email, it just appears as the original sender, i.e. user X. Will pfdavadmin show me which users have delegate access, and which have "send as" access on all my mailboxes?

    Wednesday, May 11, 2011 12:41 PM
  • Correct.  Both ways people can access the mailbox in the way you have described above.

    pfdavadmin works at the folder level.  The AD admin access is different.  You can try and use the links above to retrieve that information.

    For Exchange 2010 you can try the links below 

    http://exchangepedia.com/2008/02/how-to-list-mailboxes-with-full-mailbox-access-permission-assigned.html

    http://exchangeshare.wordpress.com/2008/09/01/how-to-find-all-mailboxes-with-send-as-permission-assigned/

    Sukh

    Wednesday, May 11, 2011 1:00 PM
  • Correct.  Both ways people can access the mailbox in the way you have described above.

    pfdavadmin works at the folder level.  The AD admin access is different.  You can try and use the links above to retrieve that information.

    For Exchange 2010 you can try the links below 

    http://exchangepedia.com/2008/02/how-to-list-mailboxes-with-full-mailbox-access-permission-assigned.html

    http://exchangeshare.wordpress.com/2008/09/01/how-to-find-all-mailboxes-with-send-as-permission-assigned/

    Sukh


    I'm getting a bit lost now (doesn't take much lol). So to summarize, is this accurate:

    Pfdavadmin is typically then reporting on permissions set via Outlook via delegate access.

    The scripts you link to are reporting on where domain users have been granted access to a mailbox based on their domain account, or based on them being the member of a domain group, which is then granted access to the mailbox?

    Wednesday, May 11, 2011 1:09 PM
  • Correct.

     

    Wednesday, May 11, 2011 1:23 PM
  • Correct.

     


    Are there any issues / best practices doing it one way or the other?

    I.e. is setting it via AD groups a more secure/effective way than doing it via Outlook delegate access?

    I just wonder why some of ours seem to be done one way and others done another way?

    Wednesday, May 11, 2011 1:25 PM
  • Why they have been done in two different ways is unknown; only the admin who did this knows.

    In my experience, it's best to do this on the client end (Outlook).  This way the user has more control over what another user can see and do.  Whereas giving full mailbox permission gives the user extra access that may not be needed.

    Sukh

    • Marked as answer by cf090 Wednesday, May 11, 2011 1:38 PM
    Wednesday, May 11, 2011 1:29 PM
  • Why they have been done in two different ways is unknown; only the admin who did this knows.

    In my experience, it's best to do this on the client end (Outlook).  This way the user has more control over what another user can see and do.  Whereas giving full mailbox permission gives the user extra access that may not be needed.

    Sukh


    Good points - thanks so much for the help with this...
    Wednesday, May 11, 2011 1:38 PM