A little script to check for the NT AUTHORITY\SELF full access right on mailboxes

In case someone is looking for a script that works with mailbox permissions like this, here's a small example of what I came up with to help someone check that all mailboxes have the SELF right in the permissions:

#Script to check mailboxes for fullaccess rights for NT AUTHORITY\SELF
#Written by jtedoff@microsoft.com 4/21/2012

#Start each run with a fresh log file
$logfile = "c:\selfrightstest.log"
if (test-path $logfile) {remove-item $logfile}

#Appends one line to the log file
function WriteLog
{
 PARAM($msg)
 END
 {
 Add-Content -Path $logfile -encoding ASCII -value $msg
 }
}

#Modify the next line to narrow the scope of the Get-Mailbox results
#For example, set it to -> $mailboxes = Get-Mailbox -server <servername> -resultsize unlimited <- to only check mailboxes on a particular server

$mailboxes = Get-ExchangeServer | ?{$_.ServerRole -like "*mailbox*"} | Get-Mailbox -resultsize unlimited

WriteLog "Checking for FullAccess rights for NT AUTHORITY\SELF"

$mailboxes | foreach {
 #Keep only the permission entries for SELF that include FullAccess
 $perms = get-mailboxpermission $_.identity | ?{$_.user -like "NT AUTHORITY\SELF" -and $_.accessrights -like "*fullaccess*"}
 if ($perms) {
  Write-Host "Mailbox for $_" -nonewline
  Write-Host " OK" -foregroundcolor green
  }
 else {
  #No matching entry: report on screen and in the log
  $erruser = $_.Identity
  Write-Host "FullAccess right for NT AUTHORITY\SELF not detected on the mailbox for " -foregroundcolor red -nonewline
  Write-Host $_.Identity -foregroundcolor red -backgroundcolor white
  WriteLog "FullAccess right for NT AUTHORITY\SELF not detected on the mailbox for $erruser"
  }
 }

Here's an output example where one user doesn't in fact have SELF rights over their mailbox:
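The script's filter matches any SELF entry that contains FullAccess, so a Deny entry would also be reported as OK. The following is an added example, not part of the original script, that separates the three cases. Get-SelfAccessStatus and New-Ace are hypothetical helper names, and the sample entries and CSV path are constructed for illustration.

```powershell
# Classify a mailbox's permission entries for NT AUTHORITY\SELF.
# Input: objects shaped like Get-MailboxPermission output (User, AccessRights, Deny).
function Get-SelfAccessStatus {
    param([object[]]$Permissions)

    # All SELF entries that carry FullAccess, whether Allow or Deny
    $self = @($Permissions | Where-Object {
        "$($_.User)" -eq 'NT AUTHORITY\SELF' -and "$($_.AccessRights)" -like '*FullAccess*'
    })
    if ($self.Count -eq 0) { return 'Missing' }

    # A Deny entry overrides an Allow entry, so report it separately
    if (@($self | Where-Object { $_.Deny }).Count -gt 0) { return 'Denied' }
    return 'OK'
}

# Constructed sample entries (not real Exchange output)
function New-Ace($User, $Rights, $Deny) {
    New-Object psobject -Property @{ User = $User; AccessRights = $Rights; Deny = $Deny }
}
$samples = @{
    'alice' = @( (New-Ace 'NT AUTHORITY\SELF' @('FullAccess','ReadPermission') $false) )
    'bob'   = @( (New-Ace 'NT AUTHORITY\SELF' @('ReadPermission') $false) )
    'carol' = @( (New-Ace 'NT AUTHORITY\SELF' @('FullAccess') $true) )
}
foreach ($name in $samples.Keys) {
    New-Object psobject -Property @{
        Mailbox = $name
        Status  = (Get-SelfAccessStatus $samples[$name])
    }
}

# In the Exchange Management Shell, feed real entries instead:
#   Get-Mailbox -ResultSize Unlimited | ForEach-Object {
#       $aces = Get-MailboxPermission $_.Identity
#       New-Object psobject -Property @{ Mailbox = $_.Identity; Status = (Get-SelfAccessStatus $aces) }
#   } | Where-Object { $_.Status -ne 'OK' } | Export-Csv c:\selfrights.csv -NoTypeInformation
```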