Share via


Exchange 2010, 2013, Office 365–Auto Mapping Feature: Audit Full Access Mailbox permissions on your environment before migrating

Hi all,

   
 

long time no see !

As these days, many companies are migrating their E-mail infrastructures either to Exchange 2013 or Office 365, we often see the behavior that after being migrated, some users' profiles got automatically loaded with all mailboxes for which these users had full access permissions in Outlook. That could surprise some users and affect Outlook opening's performance as well.

There is an article that describes the behavior and the workaround solution, although it says it's for Outlook 2010 and 2007 on Office 365, it's also valid for Outlook 2013, and also for Outlook 2007/2010/2013 on Exchange 2013 private clouds or Exchange 2013 on-premise deployments. As long as the back-end is Exchange 2010 SP1 and later, the auto mapping feature is used by default.

   
 

To summarize the above article, the only solution to work around this is to remove the current "Full Access" rights to these mailboxes, and to re-enable these "full access" rights along with the "AutoMapping" property set to "$False". But you can do this in bulk by searching all mailboxes with "Full Access" permissions, storing the list of these in a PowerShell variable, then removing the "Full Access" permissions, and then re-adding the "Full Access" permissions along with the "-Automapping $false" parameter…

   
 

Prior to this, you may want to evaluate the amount of mailboxes that have been set with this "Full Access" permissions. To do this, you can use the following Powershell command line which works both on Exchange 2007 and Exchange 2010:

Get-Mailbox -resultsize Unlimited | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false -and $_.AccessRights -match "FullAccess" -and ($_.User -notlike 'S-1-5*')} | Select Identity,User,@{Name='AccessRights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation c:\temp\FullMailboxAccessPermissionsReport.csv

NOTE: CAREFUL on huge environments, you may wish to stagger the "Get-Mailbox –Resultsize Unlimited" by servers groups for example (Get-Content servers_list.txt | % {Get-Mailbox –Resultsize Unlimited –Server $_}) to avoid waiting hours and using GBs of RAM on your server/management station where you execute the above command from… for example, querying this on a 155,000 mailboxes environment will make powershell use more than 25GB of RAM and run for up to 24 hours … so staggering by group of servers is always best. And if possible, don't run any Get-mailbox –resultsize Unlimited directly from a server's shell, but use a dedicated management server/workstation instead to not use the servers RAM uselessly…

… so that you can use this format as well:

Get-Mailbox –Server <Server_name> –resultSize Unlimited | Get-MailboxPermission | where { ($_.AccessRights -eq "FullAccess") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") } | Select Identity,User,@{Name='AccessRights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation c:\temp\FullMailboxAccessPermissionsReport.csv

as shown in this Exchangepedia.com page

   
 

While it is simple to build a report of the mailbox that have "Full access" permissions using Powershell, we don't have Powershell to get such reports for Exchange 2003 environments. There is a VBS script somewhere, but remember, Exchange 2003 is not supported anymore, and this script is not supported either … so this script is only to help you with pre-migration reporting tasks or for your information. Leave a comment if you still have E2003 and are planning to migrate to E2003 or O365

   
 

Sam.