none
Powershell command to display users having Send As and Send on Behalf of permissions RRS feed

  • Question

  • I need to display which users have Send As and Send on Behalf permissions to shared mailboxes on exchange 2010 SP1.  When I display the permission using a Get-MailboxPermission the best I'll get is {FullAccess} even though the EMC will show the user has Send on Behalf permission.

     


    - Jim
    Tuesday, March 29, 2011 8:06 PM

Answers

  • The issue was I need to use the GAL display name in the -Idenity perameter - the issue was not the DC.

    How can I determine what extended attribute is am displaying?  Will like *send* display Send Ad and Send in Behalf?

    The results of the query will display this  - Access risghts {ExtendedRight} is rather non descript.

    User                : NT AUTHORITY\SELF
    Identity            : ERF.AMERIPRISE.COM/Hosting/BT_Rep/CMG/Muni Trading Desk
    Deny                : False
    AccessRights        : {ExtendedRight}
    IsInherited         : False
    Properties          :
    ChildObjectTypes    :
    InheritedObjectType :
    InheritanceType     : All

     

     

     


    - Jim
    • Marked as answer by Jimmy-D Monday, April 4, 2011 8:15 PM
    Friday, April 1, 2011 4:12 PM

All replies

  • try this for the send as rights

    Get-ADPermission -Identity user1 | Where-Object {$_.extendedrights -like "*send*"}

     


    -join("74686979616775313440686F746D61696C2E636F6D"-split"(?<=\G.{2})",21|%{[char][int]"0x$_"})
    http://www.myExchangeWorld.com
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, March 29, 2011 8:30 PM
  • for send on behalf of , you can use the get-mailbox cmdlet itself like this

    Get-Mailbox rock | fl displayname, GrantSendOnBehalfTo

    this will give the list of users who has send on behalf of rights

     


    -join("74686979616775313440686F746D61696C2E636F6D"-split"(?<=\G.{2})",21|%{[char][int]"0x$_"})
    http://www.myExchangeWorld.com
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, March 29, 2011 8:36 PM
  • Exchnage mailbox is in a resource forest with users in user resource forest - one way trust in place.

    How to can I pass credentials to Get-ADPermission to access user object in user AD forest?

     


    - Jim
    Tuesday, March 29, 2011 8:46 PM
  • what happens when you run the above command?,

     


    -join("74686979616775313440686F746D61696C2E636F6D"-split"(?<=\G.{2})",21|%{[char][int]"0x$_"})
    http://www.myExchangeWorld.com
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, March 29, 2011 8:51 PM
  • [PS] C:\Windows\system32>Get-ADPermission -Identity safchjxd | Where-Object {$_.extendedrights -like "*send*"}
    The operation couldn't be performed because object 'safchjxd' couldn't be found on 'AMPF43-CHDC3.ERF.AMERIPRISE.COM'.
        + CategoryInfo          : InvalidData: (:) [Get-ADPermission], ManagementObjectNotFoundException
        + FullyQualifiedErrorId : FEC2902B,Microsoft.Exchange.Management.RecipientTasks.GetADPermission

    - Jim
    Tuesday, March 29, 2011 9:17 PM
  • is it possible to open a powershell session with credentials of the resource forest?

    then you can use the -domaincontroller parameter to specify some dc name in that forest


    -join("74686979616775313440686F746D61696C2E636F6D"-split"(?<=\G.{2})",21|%{[char][int]"0x$_"})
    http://www.myExchangeWorld.com
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, March 29, 2011 9:23 PM
  • The issue was I need to use the GAL display name in the -Idenity perameter - the issue was not the DC.

    How can I determine what extended attribute is am displaying?  Will like *send* display Send Ad and Send in Behalf?

    The results of the query will display this  - Access risghts {ExtendedRight} is rather non descript.

    User                : NT AUTHORITY\SELF
    Identity            : ERF.AMERIPRISE.COM/Hosting/BT_Rep/CMG/Muni Trading Desk
    Deny                : False
    AccessRights        : {ExtendedRight}
    IsInherited         : False
    Properties          :
    ChildObjectTypes    :
    InheritedObjectType :
    InheritanceType     : All

     

     

     


    - Jim
    • Marked as answer by Jimmy-D Monday, April 4, 2011 8:15 PM
    Friday, April 1, 2011 4:12 PM
  • Please read http://blogs.technet.com/b/tkern/archive/2011/07/08/get-adpermission-anomaly.aspx for details on how to view the {ExtendedRight} details..

    Naaman Campbell - VCP, RHCE, BCFP Brisbane, Q, Australia
    Thursday, December 8, 2011 12:01 AM
  • Get-Mailbox -Identity <account> | Get-ADPermission | ? { $_.ExtendedRights -like "*send*" } | FT -auto User,ExtendedRights

    That should actually display the right that's been granted.

    • Proposed as answer by Wasterman Friday, April 21, 2017 1:37 PM
    Wednesday, August 31, 2016 6:59 PM
  • This works. Thank you
    Wednesday, July 17, 2019 1:55 AM