PowerShell: Enumerating access rights on mailboxes
Don’t you just hate it when audit time comes around and they ask for a list of each and every person who has access to each and every mailbox in your environment -_-. Since this happened to one of my clients, I wrote the following PowerShell command for Exchange 2010. Take the following into consideration:
- This will not display rights inherited from the top level information store (database wide rights)
- This will exclude all SELF rights
List which mailboxes a user has access to:
Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv
This little gem retrieves all mailboxes in the organization, gets their permissions, and excludes “NT AUTHORITY\SELF” and all inherited rights. It then writes the mailbox identity, the user who holds rights on it, and the kind of rights to a CSV file.
The same but in alternate order:
Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions2.csv
Warning!
Both commands will make your CPU spike and will take some time to process, depending on the size of your environment!
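One way to turn the same data around so that each row is a user and the mailboxes that user holds rights on, as an added example that is not part of the original post. The function names, sample mailboxes and accounts are constructed for illustration; the property names are the ones Get-MailboxPermission returns, and the commented pipeline uses -ResultSize Unlimited because Get-Mailbox stops at 1000 results by default.

```powershell
# Added example (not from the original post); ConvertTo-UserAccessReport and
# New-SampleEntry are hypothetical names. Properties match Get-MailboxPermission output.
function ConvertTo-UserAccessReport {
    param([Parameter(ValueFromPipeline = $true)] $Entry)
    begin { $rows = @() }
    process {
        # Same filter as the one-liner: drop SELF and inherited entries.
        if ($Entry.User.ToString() -eq 'NT AUTHORITY\SELF' -or $Entry.IsInherited) { return }
        $rights = @($Entry.AccessRights) -join ', '
        # Keep Deny entries but label them, so a block is not read as a grant.
        if ($Entry.Deny) { $rights = "DENY: $rights" }
        $rows += New-Object PSObject -Property @{
            User  = $Entry.User.ToString()
            Entry = ('{0} [{1}]' -f $Entry.Identity, $rights)
        }
    }
    end {
        # One row per user, listing every mailbox that user holds rights on.
        $rows | Group-Object User | Sort-Object Name | ForEach-Object {
            New-Object PSObject -Property @{
                User      = $_.Name
                Entries   = $_.Count
                Mailboxes = (@($_.Group | ForEach-Object { $_.Entry }) -join '; ')
            } | Select-Object User, Entries, Mailboxes
        }
    }
}

# Constructed sample entries (not real data) so the function runs without Exchange.
function New-SampleEntry($Identity, $User, $Rights, $Inherited = $false, $Deny = $false) {
    New-Object PSObject -Property @{ Identity = $Identity; User = $User
        AccessRights = $Rights; IsInherited = $Inherited; Deny = $Deny }
}
$sample = @(
    New-SampleEntry 'Finance Shared' 'NT AUTHORITY\SELF' @('FullAccess', 'ReadPermission')
    New-SampleEntry 'Finance Shared' 'EXAMPLE\alice' @('FullAccess')
    New-SampleEntry 'HR Shared' 'EXAMPLE\alice' @('FullAccess', 'ReadPermission')
    New-SampleEntry 'HR Shared' 'EXAMPLE\bob' @('FullAccess') $false $true
    New-SampleEntry 'HR Shared' 'EXAMPLE\Exchange Admins' @('FullAccess') $true
)
$sample | ConvertTo-UserAccessReport | Format-Table -AutoSize -Wrap

# Against Exchange 2010, from the Exchange Management Shell:
# Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission |
#     ConvertTo-UserAccessReport | Export-Csv -NoTypeInformation mailboxaccess-by-user.csv
```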
Comments
Anonymous
January 01, 2003
The comment has been removed
Anonymous
January 01, 2003
Not sure if it's my browser or what, but the code blocks above show just a horizontal scroll bar, and vertical buttons. :(
Anonymous
May 09, 2012
Strange! Shows fine here... What browser are you using?
Anonymous
July 09, 2014
If I'm not mistaken, the two codes are identical.
Anonymous
October 02, 2014
Thanks, really useful code snippet!