

PowerShell: Enumerating access rights on mailboxes

Don’t you just hate it when audit time comes around and they ask for a list of each and every person who has access to each and every mailbox in your environment -_-. Since this happened to one of my clients, I wrote the following PowerShell command for Exchange 2010. Take the following into consideration:

  • This will not display rights inherited from the top level information store (database wide rights)
  • This will exclude all SELF rights

List which mailboxes a user has access to:

 Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv

 

This little gem will try to retrieve all mailboxes in the organization, get their permissions, and exclude “NT AUTHORITY\SELF” and all inherited rights. It will then dump the mailbox, the user who has rights on it, and the kind of rights into a CSV file.

 

The same but in alternate order:

    Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions2.csv

Warning!

Both commands will make your CPU spike and will take some time to process, depending on the size of your environment!
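The export above has one row per permission entry, while an audit usually also needs the reverse view: one row per user, listing every mailbox that user can reach. The following is an added example, not part of the original post; it pivots the exported CSV offline, and the sample rows, the `Get-AccessByUser` helper and the `accessbyuser.csv` file name are constructed for illustration.

```powershell
# Constructed sample rows in the shape the export above produces
# (columns Identity, User, 'Access Rights'). For a real audit, replace
# this here-string with: $rows = Import-Csv .\mailboxpermissions.csv
$rows = @'
"Identity","User","Access Rights"
"contoso.example/Users/Alice Smith","CONTOSO\bob","FullAccess"
"contoso.example/Users/Carol Jones","CONTOSO\bob","FullAccess, ReadPermission"
"contoso.example/Users/Alice Smith","CONTOSO\svc-backup","ReadPermission"
"contoso.example/Users/Dave Brown","S-1-5-21-1111111111-2222222222-3333333333-1104","FullAccess"
'@ | ConvertFrom-Csv

# Hypothetical helper: one output row per trustee instead of one per entry.
function Get-AccessByUser {
    param([object[]]$Rows)

    $Rows | Group-Object -Property User | ForEach-Object {
        $mailboxes = @($_.Group | ForEach-Object { $_.Identity } | Sort-Object -Unique)
        # 'Access Rights' was joined with ', ' by the export, so split it back.
        $rights = @($_.Group |
            ForEach-Object { $_.'Access Rights' -split ',\s*' } |
            Sort-Object -Unique)

        New-Object PSObject -Property @{
            User          = $_.Name
            MailboxCount  = $mailboxes.Count
            Mailboxes     = $mailboxes -join '; '
            Rights        = $rights -join ', '
            HasFullAccess = $rights -contains 'FullAccess'
            # A raw SID in the User column could not be resolved to a name
            # (typically a deleted account) and deserves a manual look.
            Unresolved    = $_.Name -like 'S-1-5-*'
        }
    } | Sort-Object -Property MailboxCount -Descending
}

# Accounts with the widest reach sort to the top of the report.
Get-AccessByUser -Rows $rows |
    Select-Object User, MailboxCount, HasFullAccess, Unresolved, Rights, Mailboxes |
    Export-Csv -NoTypeInformation accessbyuser.csv
```

`Get-Mailbox` returns at most 1000 mailboxes unless `-ResultSize Unlimited` is specified, so check the row count of the export against the number of mailboxes in the organization before relying on the summary.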

Comments

  • Anonymous
    January 01, 2003
    Not sure if it's my browser or what, but the code blocks above show just a horizontal scroll bar, and vertical buttons. :(

  • Anonymous
    May 09, 2012
    Strange! Shows fine here... What browser are you using?

  • Anonymous
    July 09, 2014
    If I'm not mistaken, the two codes are identical.

  • Anonymous
    October 02, 2014
    Thanks, really useful code snippet!