Exchange Server 2007, 2010: How to query user mailboxes, its permissions using Exchange PowerShell?
In Exchange Server 2007/2010, you can use Exchange PowerShell cmdlets (especially using Get-Mailbox, Get-MailboxPermission, Get-ADPermission, Get-MailboxFolderPermission) to get a verity of info. I played with couple of the below in different scenarios and want to share the same with you – so that you can give a shot and make use of.
Scenario # 1: How to query permissions on a mailbox (testuser1)?
> Get-MailboxPermission test1
Scenario #2: How to query permissions of all the mailboxes on a particular server?
> Get-Mailbox –Server “ServerName” | Get-MailboxPermission
Scenario #3: How to query permissions of all the mailboxes?
> Get-Mailbox | Get-MailboxPermission
Note: This will get the list of all permissions (including SELF permissions and inherited permissions)
Scenario # 4: How to query permissions of all the mailboxes (filter out SELF and inherited permissions)?
> Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false}
Scenario #5: How to query mailbox permissions and Security permissions (only enumerate permissions that are not Inherited)?
> Get-Mailbox | Get-MailboxPermission | where {$_.IsInherited -eq $False}
Note: The above query will get you the “explicitly assigned permissions”
Scenario #6: How to query the explicitly assigned permissions (filter out SELF permissions)?
> Get-Mailbox | Get-MailboxPermission | where { ($_.IsInherited -eq $false) -and -not ($_.User -like “NT AUTHORITY\SELF”) }
Scenario #7: How to query list of all mailboxes with Send-As permission assigned on them?
> Get-Mailbox | Get-ADPermission | where {($_.ExtendedRights -like “*Send-As*”)} | FT –Wrap
Note: This will get the list of mailboxes with Send-As permission assigned. Also you can notice that it shows Send-As permissions assigned to SELF on all mailboxes also.
Scenario #8: How to query list of all mailboxes with Send-As permission assigned on them (filter out SELF and inherited permissions as similar to Scenario #4)?
> Get-Mailbox | Get-ADPermission | where {($_.ExtendedRights -like “*Send-As*”) -and ($_.IsInherited -eq $false) -and -not ($_.User -like “NT AUTHORITY\SELF”)} | FT –Wrap
Scenario #9: How to query the permissions of shared calendar in Exchange 2010?
> Get-MailboxFolderPermission –identity “mailboxaccount*:\Calendar”
Note: If you just try Get-MailboxFolderPermission with identity with mailboxaccount won’t get you the above.
Scenario #10: How to query the users rights to a specific users mailbox?
> Get-MailboxPermission –identity “username” | fl user, accessrights
Scenario #11: How to query the permissions for every users mailbox?
> Get-MailboxPermission –identity * | fl user, identity, accessrights
Note:
+ Exporting the data:
At anypoint of time, if you want to export the above results to a CSV file, then you can use “Export-csv”. Say, let we try with one of the above scenario – try with scenario # 2:
> Get-Mailbox | Get-MailboxPermission | Export-csv C:\permissions.csv
+ Automation using .Net Framework:
If you want to like to add Exchange management capabilities to your Microsoft .NET Framework–based applications then you can try the above by referring the following: https://msdn.microsoft.com/en-us/library/bb332449(v=exchg.80).aspx and https://msdn.microsoft.com/en-us/library/ff326159(v=exchg.140).aspx.
Happy PowerShelling and automation…!!
Comments
- Anonymous
April 20, 2014
The comment has been removed - Anonymous
April 21, 2014
Laeeq, Thanks for the update. In case of Exchange Server 2007, you can try the following: Get-Mailbox | Get-MailboxPermissions - it will work for you.