While preparing for an Exchange Server 2007 to 2010 migration I needed to work out which users had been granted access to other mailboxes. This applied both to shared mailboxes (eg a Help Desk) and individual mailbox access (eg a personal assistant with access to the CEO’s mailbox).
Exchange 2007/2010 provide the Get-MailboxPermission cmdlet that can be used to query the permissions on a mailbox. For example:
|
1 2 3 4 5 6 7 8 |
Get-MailboxPermission helpdesk Identity User AccessRights IsInherited Deny -------- ---- ------------ ----------- ---- exchangeserverpro... NT AUTHORITY\SELF {FullAccess, Rea... False False exchangeserverpro... ESPNET\Alex.Heyne {FullAccess} False False exchangeserverpro... ESPNET\Debbie.Lisa {FullAccess} False False exchangeserverpro... ESPNET\Kevin.Douglas {FullAccess} False False |
To get the same information about all of the mailboxes in the environment we could run this command.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
Get-Mailbox | Get-MailboxPermission Identity User AccessRights IsInherited Deny -------- ---- ------------ ----------- ---- exchangeserverpro... NT AUTHORITY\SELF {FullAccess, Rea... False False exchangeserverpro... ESPNET\BR-EX2007-MB$ {ReadPermission} True False exchangeserverpro... ESPNET\Exchange S... {FullAccess} True True exchangeserverpro... ESPNET\Domain Admins {FullAccess} True True exchangeserverpro... ESPNET\Enterprise... {FullAccess} True True exchangeserverpro... ESPNET\Exchange O... {FullAccess} True True exchangeserverpro... ESPNET\administrator {FullAccess} True True exchangeserverpro... ESPNET\Exchange S... {FullAccess} True False exchangeserverpro... ESPNET\Exchange P... {ReadPermission} True False exchangeserverpro... NT AUTHORITY\NETW... {ReadPermission} True False exchangeserverpro... ESPNET\Exchange S... {ReadPermission} True False exchangeserverpro... ESPNET\Exchange V... {ReadPermission} True False exchangeserverpro... ESPNET\Exchange O... {FullAccess, Del... True False exchangeserverpro... ESPNET\administrator {FullAccess, Del... True False exchangeserverpro... ESPNET\Enterprise... {FullAccess, Del... True False exchangeserverpro... ESPNET\Domain Admins {FullAccess, Del... True False ..... |
The problem with that is it gives us more information than we really need, with a lot of SELF permissions and inherited permissions that aren’t relevant to the task we’re trying to accomplish.
You could export the output to CSV and manipulate it using Excel to get just the permissions information you want, but another method is to filter the PowerShell output.
For example, to filter out all of the SELF permissions and the inherited permissions we can run this command.
|
1 |
Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} |
That gives us a much smaller output that is more useful.
|
1 2 3 4 5 6 7 |
Identity User AccessRights IsInherited Deny -------- ---- ------------ ----------- ---- exchangeserverpro... ESPNET\Alannah.Shaw {FullAccess} False False exchangeserverpro... ESPNET\Payroll Team {FullAccess} False False exchangeserverpro... ESPNET\Alex.Heyne {FullAccess} False False exchangeserverpro... ESPNET\Debbie.Lisa {FullAccess} False False exchangeserverpro... ESPNET\Kevin.Douglas {FullAccess} False False |
The Identity field contains long strings because it includes the full directory path to the mailbox user, so it may get truncated on your screen. In that case you could export the output to CSV file.
|
1 |
Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Export-Csv -NoTypeInformation mailboxpermissions.csv |
The trouble you may notice with that is that the access rights do not appear correctly in the output CSV file.
|
1 2 3 4 5 6 |
AccessRights,Deny,InheritanceType,User,Identity,IsInherited,IsValid,ObjectState Microsoft.Exchange.Management.RecipientTasks.MailboxRights[],False,All,ESPNET\Alannah.Shaw,"exchangeserverpro.net/Company/Head Office/Users/Mark.Patel",False,True,Unchanged Microsoft.Exchange.Management.RecipientTasks.MailboxRights[],False,All,"ESPNET\Payroll Team","exchangeserverpro.net/Company/Head Office/Users/Payroll",False,True,Unchanged Microsoft.Exchange.Management.RecipientTasks.MailboxRights[],False,All,ESPNET\Alex.Heyne,"exchangeserverpro.net/Users/Help Desk",False,True,Unchanged Microsoft.Exchange.Management.RecipientTasks.MailboxRights[],False,All,ESPNET\Debbie.Lisa,"exchangeserverpro.net/Users/Help Desk",False,True,Unchanged Microsoft.Exchange.Management.RecipientTasks.MailboxRights[],False,All,ESPNET\Kevin.Douglas,"exchangeserverpro.net/Users/Help Desk",False,True,Unchanged |
So to fix that we need to use a slightly different command. This single-line command will export to CSV a list of any mailboxes where other users have permissions to access them, and will also list what level of access those users have.
|
1 |
Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv |
juuuuuust need a script to import these permissions when forced to do a migration by pst 🙁 don’t ask, it wont be a pretty response.
If anyone could point me in a rough direction, that would be great. Sadly no budget for 3rd party tools costing around 60k 🙁
Thanks for this. To add Send As and Send on Behalf permissions run this script:
https://ibenna.wordpress.com/2017/05/15/export-all-exchange-mailboxes-with-send-as-full-access-send-on-behalf-of-permissions/
I am beginning a migration for a customer and was looking for something just like this so that I could migrate users to Exchange Online in “batched groups” according to their mailbox permissions to not break the mailbox permissions when/if migrated at different times. This gave me a great and clean readable format after changing to an excel file to boot! Thank you again for your great contributions to the Exchange community Paul!
If you are ever in Nashville, let me buy you a pint!
-Ron
and if I want to get also last logon of these mailbox ?
for exemple:
identity – last logon -user – accessrights
and if an group has full access, If I want to get also user members ?
How Can I combine these output :
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails SharedMailbox | Get-MailboxStatistics | Select Displayname, LastLogonTime
Get-mailboxpermission $Mailbox | where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false} | Select Identity, User, AccessRights | export-csv -delimiter “;” -path c:\temp\list.csv -notype
}
and if I want have also display name and upn of the members of the groups with full access ?
thank you
Hi Paul,
Love reading your Exchange blogs and always find them useful.
I keep running into the following error when trying to run your PS command (and I run into this quite often when running other complex commands in ExchPS)
Sending data to a remote command failed with the following error message: The WinRM client sent a request to the remote
WS-Management service and was notified that the request size exceeded the configured MaxEnvelopeSize quota. For more i
nformation, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OperationStopped: (System.Manageme…pressionSyncJob:PSInvokeExpressionSyncJob) [], PSRe
motingTransportException
+ FullyQualifiedErrorId : JobFailure
I can’t, for the life of me, figure out where to increase this MaxEnvelopeSize quota.
Thanks, in advance.
I took Matthew’s script and converted it to read users from a csv and report on which shared mailboxes they have access to:
$users = get-content “usernames.csv”
foreach ($user in $users) {
Get-Mailbox -ResultSize Unlimited –Recipienttypedetails SharedMailbox | %{Get-MailboxPermission $_.Name -user $user | Select User,Identity,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv C:\MailboxAccess.csv -NoTypeInformation -Append; Get-ADPermission $_.Name -user $user | Select User,Identity,@{Name=’Access Rights’;Expression={[String]$_.ExtendedRights}} | Export-Csv c:\MailboxAccess.csv -NoTypeInformation -Append}
}
Hi Paul. I am one of the fan of your Plural site courses.thanks alot!
I f we have an special user in O365, how can I as an Admin ,find out which mailboxes he has access to?
If you have multiple forests and/or domains, don’t forget this command first:
Set-ADServerSettings -ViewEntireForest $true
You will know you need this command if you only get output that is on the email server domain when you are expecting results from other domains.
I need to list mailboxes with Extended Rights ‘Send As’ permissions.
I tried following but it did not succeed. Any help will be highly appreciated !
Get-Mailbox -ResultSize Unlimited | Get-ADPermission | Where-Object {($_.ExtendedRights -like “*send-as*”) -and -not ($_.User -like “nt authority\self”)} | Format-Table Identity,User,ExtendedRights -wrap -AutoSize | Out-File -Encoding utf8 -FilePath c:\temp\SP.csv
Thanks
Dear, can you pls. give me command to get the list of mailbox users reaching limit exported in csv file
Hi Paul
I found the same aproach again and again and finally found out: it works, but for me only in a EMS on an Exchangeserver. When I use the same script on another server using powershell remote connection over https I get only “System.Collections.Arraylist”. Do you know why?
Thanks and best regards, Sven
Ok, one more. I am trying to find all “shared” mailboxes in an OU. I find all of the accounts, but am having trouble with my code to find the shared ones only.
Has anyone else done this one?
Thank you all!!!!!
Get-Mailbox -OrganizationalUnit “Subdomain.domain.com/ThisOU/SubOU” -RecipientTypeDetails SharedMailbox -ResultSize Unlimited
This will get all Shared Mailboxes in the OU specified, then recurse through any sub-OUs and select them as well.
I am looking to see how to modify the PowerShell script to look only within an Active Directory OU in order to see permissions on only those user’s mailboxes. This is my first PowerShell project.
Charlie…very simple.
“Get-Mailbox -OrganizationalUnit “OU=THIS,OU=THAT,OU=THeOtherThing,DC=YourDomain,DC=com” | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false}”
If that doesn’t work, then add the -Recurse switch behind the OU information, before you pipe it to the Get-MailboxPermission command.
You might have to change it a little, depending on how many mailboxes are in the OU.
I would probably do this, just to be safe:
Get-Mailbox -OrganizationalUnit “OU=THIS,OU=THAT,OU=THeOtherThing,DC=YourDomain,DC=com” -ResultSize Unlimited | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false}
Hey, this is great! Making progress. I only get two of the 5 accounts in the OU. I am now looking to show the mailboxes that are shared within that OU.
-Recurse did not work.
Thank you all! This is a great site!
You are amazing!!!
You saved me so much time!!!
Thank you!
Thanks!
I appreciate your work, very useful.
How can we get the user data without the domain. Ex- Just “Alex.Hyne” and not “ESPNET\Alex.Hyne”
I execute :
Get-Mailbox -ResultSize Unlimited -OrganizationalUnit “OU” | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false} | Select Identity,User,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv
but I am a erreur :
L’envoi de données à une commande distante a échoué avec le message d’erreur suivant : La totalité des données reçues d
e la part du client distant a dépassé le maximum autorisé. Le maximum autorisé est de 524288000. Pour plus d’informatio
ns, voir la rubrique d’aide about_Remote_Troubleshooting.
+ CategoryInfo : OperationStopped: (System.Manageme…pressionSyncJob:PSInvokeExpressionSyncJob) [], PSRe
motingTransportException
+ FullyQualifiedErrorId : JobFailure
Hello Paul,
Please, I need your help as soon as possible. I need a script or any help that helps me to find out or get a lists of USERS without NT AUTHORITY \SELF, all the scripts that I found haven´t help me at all. Please I need you help, I need to present to my supervisor and I couldn´t find out how to do it.
I´ll be waiting for your kindness comments.
Thank you
Wilson, Ecuador
I’m pretty sure this very blog post you’re commenting on answers that question.
HELLO
i am in a similar boat as Rob above and would liket o find out what mailbox have no other access..
thank you
Thanks a lot man.
I appreciate your work, it is really useful :).
Hi Paul!
Love the site, keep up the good work!
I was just wondering if you happen to have something that does the exact opposite of this. I would like to find all of my users that do NOT have access to other mailboxes.
A little background…we are hybrid and there is a big push for going to EXO. However this place uses so many shared mailboxes it’s insane and borderline obscene. Due to all the limitations with cross premises permissions, what we call “single instance mailbox users” are our prime candidates to move to EXO.
Thanks!
Question: Is there a way to flip this around and find out all the other user’s folders (e.g., Calendar, Contacts, etc. but not full mailbox access.) a given user has access to? To keep it simple, assume that none of the default folder names have been changed.
Thanks.
Paul,
In your first example to filter out the SELF permissions, you need to correct the script a little. Instead of:
“Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITYSELF” -and $_.IsInherited -eq $false}”
It should be:
“Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false}”
LOVE your site Paul!! Keep up the great work!
Thank you Jim. Lost a bunch of \ from code samples during a backend DB migration for the site :-/
Thank you soooo much you saved me a ton of time
Hi Paul, Thanks for the script. It works great. However I have a requirement to sort Identities by Country/Usage Location.
When I run the below command UsageLocation comes as blank in the csv. Am I doing something wrong?
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITYSELF” -and $_.IsInherited -eq $false} | Select Identity,UsageLocation,User,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv
Is UsageLocation an attribute that Get-MailboxPermission returns?
Hello Paul,
i need PowerShell script, where we can get only active user mailbox with there license assigned.
Glad to see this post is still getting questions! Is there a way to return only groups and not users? I was thinking there might be a where command that filters out if the user type was “group” rather than a user. Any help would be appreciated!
Thanks
Not in the results that are returned by Get-MailboxPermission. You’ll just need to add some extra script logic that checks whether the “user” is in fact a user or group.
Thanks! Can you point me in the right direction to do that?
When I search tools to determine if the user is a group, most if not all of the results pertain to checking whether a user is in a group, not if a user is a group
Test it with Get-User and Get-Group. Consider this example.
[PS] C:\> $a = “ESPNET\Level 1 Admins”
[PS] C:\>if (Get-User $a) {Write-Host “It’s a user”}
[PS] C:\>if (Get-Group $a) {Write-Host “It’s a group”}
It’s a group
Hi Paul, I need to filter another user in my organisation (NT AUTHORITY\SELF and domain\administrator) how do I apply this to the filter “where {$_.user.tostring() -ne “NT AUTHORITY\SELF””?
Try
where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.user.tostring() -ne “domain\administrator”}
But the idea that your administrator account has access to all mailboxes is a worry.
In addition, the script script does show distribution groups that have full access to another mailbox. Can I get the script to also list members of the DGs. The script is not picking up users that have access to a mailbox if they are part of a DG.
before I forget, thanks always for your wonderful insight and help Paul.
We are preparing for office 365 migration. We have a lot of user dependencies on shared mailbox. I was hoping there was a way to list all users that do not have access to any other mailboxes but their own. This way we can migrate those users first without needing to worry about access to shared mailboxes. Any tips would be much appreciated
Hi Paul
Do you have a similar one-liner or script that pulls out Send-As permissions and Send on Behalf? This one works a treat for getting AccessRights, so just wondered 🙂
Cheers!
Dan
I don’t have anything handy, but as with many things PowerShell you’ve got a close example so it’s usually only a small amount of effort to adjust it to your needs.
Hi Paul
how can i find out list of all user that have access to other mailbox in the organization
We are preparing for a domain migration and was hoping there was a way to list all users that do not have access to any other mailboxes but their own. This way we can migrate those users first without needing to worry about access to shared mailboxes. Any tips would be much appreciated!
Hi Paul
Really need som help 🙂
I have these two commands (source imported from a CSV-file):
$UserFull = Get-MailboxPermission -Identity $_.EmailAddress | where {($_.IsInherited -eq $false) -and ($_.user.tostring() -notlike “S-1-*”) -and -not ($_.User -like “NT AUTHORITYSELF”)} | Select User
#Find email addressen på de brugere med full Access Rights
$UserFull | ForEach-Object { Get-User -Identity $_.User.tostring() | where {$_.SamAccountName -notlike “mailexport*”} | select WindowsEmailAddress}
Result is this:
WindowsEmailAddress
testbruger1@n00bs.dk
testbruger4@n00b.dk
testbruger3@n00b.dk
(The result shows that several users have Full Mailbox Rights on the same (Source) User mailbox)
BUT, I really need it to give me the output in one single line (row), like this:
WindowsEmailAddress
testbruger1@n00bs.dk, testbruger4@n00b.dk, testbruger3@n00b.dk
Separated by “Commas” instead and then exported to a CSV-File to import in Office365
How on earth do I do that ?
Please help/advise
Best regards
Peter
Sounds like you want to turn an array into a string, which is demonstrated in this blog post:
https://blogs.technet.microsoft.com/heyscriptingguy/2014/07/16/join-me-in-a-few-string-methods-using-powershell/
Thanks Paul this is a great thread with a ton of useful info. Funny how this is still active after all these years.
If you are in a large org or have performance issues this is a good post.
http://www.msexchange.org/kbase/ExchangeServerTips/ExchangeServer2010/Powershell/CheckFullAccesspermissionstoothermailboxes.html
Of course here is Tony’s post on a bug in the hold process in older versions of Exchange 2013 prior to CU7 and reporting on delegate access.
https://thoughtsofanidlemind.com/2014/09/05/reporting-delegate-access-to-exchange-mailboxes/
Which dovetails nicely into the post Tony cites
http://en.get-mailbox.org/using-powershell-background-jobs-can-help-you-speed-up-exchange-tasks-part-1/
Dmitry, there are a number of examples of that earlier on in this post. You could limit by database or server. These are both good ways to constrain this. Also RecipientType is another fine way to constrain the search if you are looking only for shared mailboxes etc.
Thanks again Paul
Hi All,
Great article! Just wanted to know what it the right way to limit getting information by specific object unit and not to look for all mailboxes?
Great Tip, exactly what I needed for THE overview of all SendAs en FullAcces rights on our +/- 60
mailboxen 😀 So a big thanks for all the effort putting this here 🙂
Great Tip, exactly what I needed today for our upcoming mail migration!
Thank you, this was very useful.
Hi, what is wrong in my script? I need view all mailboxes and export where has full access another other without AUTHORITYSELF and XXXADMINISTRATOR. And how to export to HTML file? CSV is hard to read. Thank you.
Get-Module -ListAvailable | Where-Object {$_.Path -like “$PSHOME*”} | Import-Module
Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITYSELF” -and -ne “XXXADMINISTRATOR” -and $_.IsInherited -eq $false} | Select Identity,User,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv -NoTypeInformation J:ExchangeScriptsMailbox.csv
There is no backslash, between AUTHORITY and SELF.
Dear Paul,
Thank you for the article, this is of great value to us as all your scripts, articles and books.
I kindly ask you help for the below:
I have a shared mailbox that I need to give access to 5 users. my question is that how can I configure outlook 2010 allowing those 5 users to see all inbox and sub folders and allow them to send and receive emails?
And another question is how to make just one user of those to prevent him from creating new folders under inbox, this user has a weird folder naming thinking, he always creates sub folders with unethical names.
waiting for your reply
Regards;
Hi Paul,
l have some question could you give me way how to check share calendar user mailbox ? example l want to know user1 is sharing calendar to who ?
Just what I needed in one well written blog post.
You Sir are Awesome,
Get-Mailbox alias | Get-MailboxPermission | ft @{n=”User”;e={(get-user $_.
user).Displayname}},AccessRights,IsInherited -AutoSize
Changed the join section and it worked 😉
See below. Thanks for the great oneliner.
Get-Mailbox -ResultSize unlimited
| Get-MailboxPermission
| Where {$_.user.tostring() -ne “NT AUTHORITYSELF” -and $_.IsInherited -eq $false}
| Select Identity,User,@{Name='Access Rights';Expression={($_.AccessRights -join ',')}}
| Export-Csv -NoTypeInformation c:svcmailboxpermissions.csv
Hi Guys,
When running the script I get System.Collections.ArrayList for the Access Rights column.
What have I missed? Exchange 2010 backend with Exchange 2013 Hybrid server.
Hi ,
for those who wanted to list one user access to other mailbox (Full Access Permission) i found this one :
http://www.msexchange.org/kbase/ExchangeServerTips/ExchangeServer2010/Powershell/CheckFullAccesspermissionstoothermailboxes.html
ForEach ($mbx in (Get-Mailbox -Resultsize Unlimited | Select Identity)) {Get-MailboxPermission $mbx.Identity -User yourusername | ? {$_.AccessRights -match “FullAccess” -and $_.IsInherited -eq $False} | Select Identity}
i think this one is simpler :
get-mailbox | get-mailboxpermission -User $Username | select identity
Powershell Command to find out username who had accessed my mailbox earlier.
Thanks in advance
Thanks for the article and there is some good information on getting mailbox permissions for a site. I was looking for a way to hone this in slightly. We are a multi-site organization with many shared mailboxes. Over time the access to these mailboxes have expanded beyond their original intent. I am trying to reel that in now for our own office. There are maybe 100 or so group shared mailboxes. There is one distinction leading all the shared mailboxes that would differentiate them from the other offices and general mailboxes. Each of them have three letters at the beginning that notates our office. How can I adjust this to be able to get the permission for each mailbox within exchange that have these three letters at the start of the alias?
Get-Mailbox ABC* | etc etc
Basically you’re just modifying the Get-Mailbox portion of the command to return only those mailboxes that you’re interested in, before piping to the next command.
Great script worked perfectly, Thanks so much for sharing.
what would be the command if i want to look for speciffic mailbox server.. like
Chlte306
And also suggest what white space i need to remove..and how ?
thanks paul,
just want to let you know. i am getting below error when running the command that you suggested
Get-Mailbox -resultsize unlimited | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITYSELF” -and $_.IsInherited -eq $false} | Select Identity,User,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions1.csv
Error
WARNING: The object domain/Services/CAM/Retired/xxxjnsb has been corrupted, and it’s in
an inconsistent state. The following validation errors happened:
WARNING: The property value is invalid. The value can’t contain leading or trailing whitespace.
Please suggest
when i run the command without resultsize unlimited.. i am getting report perfectly but till 100 users
A property of that object “domain/Services/CAM/Retired/xxxjnsb” has a leading or trailing whitespace on it, which is invalid. Check that property on that object and remove the leading or trailing whitespace.
Hello Paul.
i run the below one and it succeed as required.. thank you so much..
Get-Mailbox -server chlte306 -resultsize unlimited | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITYSELF” -and $_.IsInherited -eq $false} | Select Identity,User,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv
Hi Paul,
I was hoping you can assist with modifying the script to obtain the following data in the output file.
* Username (for both users)
* Level of Access
* Display Name (for both users)
* AD Description (for both users)
Your assistance would be greatly appreciated.
Many thanks again for all of your helpful posts.
Sorry Paul, probably should have provided more info than that. Using Exchange 2010 I think EMS v2.0 I have been asked to export both Full and Send As permissions for al users in the domain and export to a single CSV to list:
* Username (for both users)
* Level of Access
* Display Name (for both users)
* AD Description (for both users)
So far I have got the following script but it is failing miserably. Also having issues combining the Full and Send As due to the append parameter not working in earlier versions of shell. I’m not a pro at shell hence the mess below.
Get-Mailbox -ResultSize Unlimited –Recipienttypedetails UserMailbox | %{Get-MailboxPermission $_.Name | Where {$_.user -notlike “NT AUTHORITYSELF” -and $_.IsInherited -eq $false} | Select Identity,User,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv D:tempMailboxAccess.csv -NoTypeInformation -Append; Get-ADPermission $_.Name | Where {$_.user -notlike “NT AUTHORITYSELF” -and $_.IsInherited -eq $false -and $_.ExtendedRights -like “Send-As”} | Select Identity,User,@{Name=’Access Rights’;Expression={[String]$_.ExtendedRights}} | Export-Csv D:tempMailboxAccess.csv -NoTypeInformation -Append}
That’s not a script, that’s a one-liner that is impossible to read and understand. I really recommend you tackle this with more of a “clean code” approach and try to write a nice, tidy script that is easier for you to read and debug.
Think about yourself 6 months from now trying to understand what that code does. Think about the next person who needs to run your script and tries to understand what it does. Make it clean and readable.
And here’s a tip for combining information from multiple cmdlets:
https://www.practical365.com/using-powershell-custom-objects-exchange-server-reporting-scripts/
Thanks Paul, I appreciate your response. I’m a bit of a novice so I will read up on it, learn how to do it properly and get it cleaned up 🙂
Hello Paul, took me a while but…FINISHED !!! Thought I would post in case someone else finds it useful. It could probably do with a clean-up but it does the job for now (had to be completed before end of year). Please share your thoughts….
This pulls out
For Mailbox User:
Displayname ; Alias ; AD Description
For user who has the access:
Displayname ; Alias ; AD Description ; Access Rights (Send As / Full Access)
Code removed: please don’t post scripts or large code samples into the comments, it breaks the layout of the page. Host your scripts on Github or another repository.
I was trying to run this from a remote PowerShell session, and the last portion @{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} is not resolving correctly. Instead of dumping out the Access Rights list, it instead has the value System.Collections.ArrayList. I think the problem is that the remote PowerShell session does not have access to all the Exchange dlls and system types, so Exchange is rendering the data remotely. I changed the line to @{Name=’Access Rights’;Expression={$_.AccessRights[0]}} and it produces the correct output.
It is usually problematic based on the version of powershell you are using. If you adjust the join command to: {[string]::join(‘, ‘,@($_.AccessRights))}} it should work.
Paul,
as usual – excellent tip! This fixed it for me. I granted an executive assistant full access permissions to the CEOs mailbox and days later added the mailbox to her Outlook profile. This must have messed up the rights under the hood of Exchange. I ran the Get-MailboxDatabase | Remove-ADPermission -User -AccessRights GenericAll on all mailboxes and all’s clean again.
Again, thank you!
Paul,
out of the blue, our CEO’s user account has full access permissions to every single mailbox in the enterprise. We’re trying to find out how this could have happened. Any hints you could give us?
Thanks so much!
Maybe this.
https://www.practical365.com/unexpected-permissions-appearing-exchange-server-mailboxes/
Hey paul,
I was wondering if there was a way I could use the output from this to change all users who have access from ReadOnly to fullaccess. Running into a bit of trouble parsing it out correctly.
Any ideas?
Do you have a powershell to check who has send as permisssions for users and DLs?
I posted the below comment in January 2014 and don’t think I get a reply
I’m revisiting this now, any help would be greatly appreciated.
“I have been running the script (have.
Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITYSELF” -and $_.IsInherited -eq $false} | Select Identity,User,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv) for 6 months or so on our Exchange Server without any issues. We updated our Exchange Servers recently with Windows Updates and now when I export the information I get “Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]”
Thanks
Allan
Hi,
A particular user having access on multiple shared mailboxes , how to export that data from powershell command
Hi Paul,
I have Run Command in power shell, command execute successfully but i didn’t get output.
what is by default location where output file store
Hi There.
we have just installed Exchange 2013. I would like make myself have full access to other users mailboxes. I have tried this with the following command:
add-adpermission -identity “mailbox database 0577814824” -user “mhints@gbliners.com” -extendedrights recieve-as
I can see in the EAC that my name has been added to the users mailbox delegation as full access.
When i go onto the owa and login as me then open another mailbox for the user i get the following error:
You don’t have permission to open this mailbox 🙁 something went wrong
Any help would be appreciated.
I recommend you don’t do it.
Then I recommend that you read this:
https://www.practical365.com/unexpected-permissions-appearing-exchange-server-mailboxes/
Many Thanks
Marc
Can you tell me thr right way to do this?
Right way to do what?
Thank you, this is exactly what I was looking for!
Dear Paul ,
How Can I sent this output as email
Hi Paul,
I have been reading your blogs and comment. it is really great.
I need some assistants on the Virtual Lab inwhich I have install AD, Exchange 2010 and notes Domino. Now, I am trying to send/receive emails via smart host. I have enabled Send connector & Receive Connector & enabled the Smart Host Service and gave IP Address of Exchange Server.
My Question I still need a SMTP Server separatly in order to route the emails or Quest Coexistance tool will help in that case ??? If yes then why we need the smart Host if we have SMTP server or Quest ????
Thank you in advance,
Harvinder SINGH
Notes co-existence is not something I am familiar with sorry.
Can you tell me why if there are multiple users with full access, some list other permission levels as well:
domain.com/Users/P Curtis DOMAINrtaylor FullAccess, DeleteItem, ReadPermission, ChangePermission
domain.com/Users/P Curtis DOMAINcperson FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner
domain.com/Users/P Curtis DOMAINmdaley FullAccess
Maybe someone previous applied those permissions by running different commands.
This is great, it is really useful. Does exchange hold anywhere when the permissions where granted? Can I add that to be a column? I am running 2007.
No. You could probably work it out from the administrator audit log in Exchange 2010 or 2013 though.
Thanks for the response Paul, regards John
Hi Paul,
When I run the script, I get a “cannot write input as there are no more running pipelines” – Can you help?
Thanks
I am totally new to all of this, so please forgive my lack of knowledge.
I used one of your little scripts to get a list of user mailboxes with all users who also had full access to these same mailboxes. Great. Worked a treat.
I noticed however that the results from the script did not correlate with the “Manage Full Access Permissions” option from within Exchange Management Console. Why is this?
Also, where can I get a list of all the various access rights and their meaning, e.g. I have quite a lot of mailboxes with access rights of DeleteItem.
Your help would be much appreciated.
Paul, Can you tell me how to query mailbox permission for list of users from notepad.
I used get-content “filepath” | get-mailboxpermisison and it wont work. Any help
Thanks in advance
Get-Content .file.txt | Get-Mailbox | Get-MailboxPermission
Thanks 🙂
Thanks for the slick scripting Paul
Cheers
can someone let me know in powershell how find out if a specifi user has delegate permission on all users calendar. so far all i read is how to add a user, delegate permission on all mailboxes and export it to a file. is there a way to reverse it to only list users that doesn’t have the specific account/mailbox id?
Just wanted to say thanks for the script Paul. Worked a charm and was a quick way for me to audit access permissions on our mailboxes.
Paul, can you tell me how to add ‘Last Accessed Time’ for this? thanks much
That is retrieved using Get-MailboxStatistics.
To combine the output from multiple cmdlets into a single report see this tutorial on PS custom objects:
https://www.practical365.com/using-powershell-custom-objects-exchange-server-reporting-scripts/
Hello, Thanks a lot for your EMS command
We have 2 mailbox servers + 3 CAS and HUB transport servers
We need to find a specific user (eg:Mark James , alias(username): mjames ) has what permission levels across all the mailboxes in the environment (around 2500 mailboxes)?
How can we modify this command provided by you
We don’t need to find all user have permissions on other mailboxes, instated of this , a specific user has permissions on which mailboxes and type of permissions
Please help me
Thanks heaps in advance
Hi Paul,
Thank you very much for the scripts, definitely very useful,
I’m a new bie in scripting, I’ve few questions,
Q1 : In the last script instead of Identity, I tried to use Displayname it didn’t work, any idea why ?
Q2 : NoTypeInformation what does that mean ?
Q3 : Could you please let me know each and every word and sign’s meaning in the below command
@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}}
Regards,
MK
Hi Paul
I have been running the above script (have.
Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITYSELF” -and $_.IsInherited -eq $false} | Select Identity,User,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv) for 6 months or so on our Exchange Server without any issues. We updated our Exchange Servers recently with Windows Updates and now when I export the information I get “Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]” as the end of each line. In addition I also run a script to retrieve out of office information and the updates seem to have had an affect also, the list it retrieves seems to stop a third of the way through.
We are running MS exchange 2010 SP2
any help with this matter would be greatly appreciated.
Many thanks
Allan
The final script works great except for the exporting to a CSV. Can anyone tell me what I’m doing wrong? When I enter the command it just does nothing for about 30 seconds then hits the next line for me to enter a new command like nothing happened.
What is the exact command you are running?
You will probably need to specify the file path for the output csv file, otherwise it will just dump it into the current directory. So i just pointed it to my v: drive:
Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITYSELF” -and $_.IsInherited -eq $false} | Select Identity,User,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv -NoTypeInformation v:mailboxpermissions.csv
Can I use the above command but filter it to get me all calendar permissions. I need to find calendars that people are sharing.
How to List all Users Who Had Access to Other Exchange Mailboxes?
Previously accessed other mail boxes?
Nice script Paul. I would like this output to only reflect users that have the effective permissions to the mailbox.
For example, if a user has permission and i run a command to add a -Deny FullAccess instead of -Remove permissions, then the permissions will show twice in the output of the script, one for the deny and one for the FullAccess. Sometimes i run the Add-MailboxPermission with the -Deny and -Automapping:$false as we have experienced an automapping after using the GUI to remove FullAccess Permissions. I would like the output of the script to omit Users that have two entries, one for FullAccess and one for -Deny FullAccess because their effective Permission is they don’t have rights. Can the script be modified to omit entries that have a duplicate entry with a -Deny?
Hi Paul,
This command worked like a charm for everyone. Many Thanks for this great TIP.
Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITYSELF” -and $_.IsInherited -eq $false} | Select Identity,User,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv
is there’s a way to run similar command for MailboxFolderPermissions (Calender and Inbox) as well.
or is there a way to run this command against whole mailbox including all MailBoxFolders
Thanks in Advance.
Paul, thank you for command. It was very helpful. My question is, how can I do the reverse; use the resultant mailboxpermissions.csv file as an Import file to assign specific users, specific permissions to specific mailboxes?
Thanks,
Doug
Hi There,
I am running the following script to export a list of mailboxes with permissions set:
Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITYSELF” -and $_.IsInherited -eq $false} | Select Identity,User,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv -NoTypeInformation Z:mailboxpermissions.csv
For some reason, although I am connected to the server where these mailbox lie, the script is not pulling the information on one set of mailboxes which is what i’m after. Is there a switch I can use to make it point at a particular domain?
(I am pretty much a novice at powershell and have learnt bits and bobs by researching so I hope i’m making sense)
Thanks
How much more complicated would it be to add a recursive lookup for the groups that have permission to each mailbox too?
Thanks, Paul. Very useful information. I have used this as a starting point for some reporting/auditing scripts.
Hi Paul,
I just wanted to thank you for this good tip, exectly what I was looking for.
I like the way you explain each step of the Command.
Great Work!
Thanks a lot!
Jan
Just a quick question. I used the following modification of your script.
get-content c:admingeneric.txt | Get-Mailbox | Get-MailboxPermission | Select Identity,User,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv -NoTypeInformation c:adminpermissions.csv
And it worked fine however it is not displaying groups that have access to the mailbox.. how would i include this in the script?
Hi Paul,
I have received a list in which I have notefied that I have access on 600 mailboxes (Exchange 2007&2010), and its very difficult to remove all mailboxes access one by one. Is there any single command to remove all mailboxes access using a single command?
Rav Prakash Gupta
Enterprise Messaging & Collaboration.
Paul,
You have provided the below script to pull what level of access for other users/shared mailboxes.
Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITYSELF” -and $_.IsInherited -eq $false} | Select Identity,User,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv
Is it possible to pull the list of users accessing shared mailboxes in specific storage group. If so please update me the exact script.
Thanks in Advance !!
Sure. Where “Get-Mailbox” is piping into the next cmdlet just modify how you want Get-Mailbox to run, eg “Get-Mailbox -Database YourDatabaseName”.
sorry
i have not my answer yet
is it possible to make some one have full access to all mailboxes in a database now and the future ?
or even on all organization
i know we can use powershell command to do this (get mailboxdatabase users and set-permission ,,,)
but what about the future users
should it be run on a schedule to do this or is there any better way ?
Hello Paul,
This script is awesome and has helped me. I would like to thank you.
I would like to ask you if it’s possible to generate a list, the other way around that this command does.
This command displays the mailboxes one by one, and the users that have access to it.
something like:
mailbox1 user1,user2,user2
mailbox2 user2,user3,user4 etc
Is it possible to make it generate a list like this:
user1 mailbox1, mailbox2, mailbox3
user2 mailbox1,mailbox3, mailbox4
Thank you,
Nonis
Possible? Sure, PowerShell is very flexible. You’re basically collecting the same data just outputting it in different ways, so you just need to write the PowerShell code to do that 🙂
Well, that’s my problem at the moment, I’ve been trying to do this for the past couple of days, but to no avail.
I understand it’s the same data, but I didn’t find a way to output it the way I needed it.
Could you please help in this regard?
Dear Paul
Hi and Thanks
but i have a problem
the script shows an account having full permission on lot and lots of mailboxes but when i go to some of those and right click – manage full permission .. his user is not there !!
he is the previous exchange admin here ! could he have made something hidden (to have permission but not to show in the GUI)
It depends which command you mean when you say “this script”, but its possible what you’re seeing is an inherited permission from a higher level object (eg the database, server, or organization level).
Dear Paul, Thanks so much
I did a get-mailbox and then remove his permission but i have two more questions
1- when i get-mailboxpermission i still see him in an entry (although it says full access is denied) – how can i remove him completely
2- how can we do it ? i mean his permission is on newly created mailboxes too. can a full permission be set on a DB, server or organizational level ?? can u teach me how to do that and how to remove it ?
Thanks again
THANK YOU!! Was stuck on -ExpandProperty and could not recall how to get the “readable” Access Rights. Thanks!
How about MailboxFolderPermission, I know how to get a list of user that have access to a specific folder within a mailbox
Get-MailboxFolderPermission – Identity “PrimarySMTPAdd:InboxAutomatedEmail” | Select User, FolderName, AccessRights | fl User, FolderName, AccessRights.
But what should I do if I want to know which folders a user has access to (any kind of access rights aka reviewer, owner, etc)
I need to include all folders within the mailbox and the user in question would be an unresolved SID so would be something like “NT User:S-1-5-21-etc”
Any help would be appreciated!
Thanks
Hi
Would this work in an Exch 2K3 / Exch 2K10 co-existance scenario, and would it give the info for the users that have yet to be migrated to 2K10?
Thanks
I’m not sure, and I don’t have a 2003 environment to check. You could always just give it a try and see if you get the expected result for a user you know has other users wil access to their mailbox.
Would this powershell command also display groups (security and distribution) with acces to mailboxes?
It should, yes.
Hello,
I would really appreciate some help with this. I’m not versed in PowerShell to this level. Before SP1 on exchange 2010, the AD attribute was not set to automatically open mailboxes in outlook. I’ve recently moved this exchange server to new fully serviced packed virtualised server. Any new users I grant full access to other mailboxes load automatically.
Is there a way to export the current full access permissions for all users (about 500) and then clear them and then import again to set the AD attribute?
This would be a massive time saver.
Many thanks.
I think this is what you’re looking for:
http://technet.microsoft.com/en-us/library/hh529943.aspx
Hi Paul,
Do you have a cmdlet for a specific user … for instance I need to know what permissions a particular user has for any mailbox/public folder.
Scenario: user A needs to have the same access and permissions to all mailboxes, public folders and mailgroups as user B. What command could I run that would give me a list of all permissions for user B?
The user may have permissions by dint of membership in some group, but if the individual user is granted permission, the following might help.
Replace ” | where {$_.user.tostring() -ne “NT AUTHORITYSELF” -and $_.IsInherited -eq $false} ” with “-user USERB” to get the mailboxes’ permissions.
get-distributiongroup | get-adpermission -user USERB should get the permissions for distribution groups
Public folders are the harder one. I think you’d have to do get-mailpublicfolder -recurse | get-publicfolderclientpermission -user USERB, but I’m not 100% sure because I don’t have public folders anymore.
Thanks for your response! Would the script be the same on PS version 1 as oppose to version 2.0? We are currenlty using version 1.0 on Exchange Server 2010
Hi Paul.
I have 3 domain with 5k above users. I get the below error and each time i get different result. Can you advice
WARNING: By default, only the first 1000 items are returned. Use the ResultSize parameter to specify the number of
items returned. To return all items, specify “-ResultSize Unlimited”. Be aware that, depending on the actual number of
items, returning all items can take a long time and consume a large amount of memory. Also, we don’t recommend storing
the results in a variable. Instead, pipe the results to another task or script to perform batch changes.
So, after “get-mailbox” but before the ” | get-mailboxpermission” you put “-ResultSize Unlimited”. That lets you get back more than 1000 results at a time.
For example,
get-mailbox -resultsize unlimited | get-mailboxpermission | where {… etc.
I’m wondering if the FullAccess permission will allow users to delete emails within the shared mailbox. Inherited permissions show FullAccess, DeleteItem, ReadPermission, ChangePermission, etc. I added some users to a shared mailbox and gave them full permissions, but some need not delete emails. Will the full access give them delete rights and what is the mininum permission(s) that a user needs to view and read emails in a shared mailbox? Thanks.
Just ReadPermission should do it.
Hi Paul,
I had similar issue as Daniel Crawford Jr – I needed for some users to be able to see Shared Mailbox, without a right to delete any emails.
I have applied following cmd:
Add-MailboxPermission “shared box name” -User domainusername -AccessRights ReadPermission -InheritanceType all
Right is applied correctly, but then when I add mailbox to some users outlook I cannot expand the added shared box (folder cannot be expanded). It seems it only works with FullAccess right.
Would you have any tips?
Hey Paul, Great article as always, just a tiny question, Deny equals True in the output means the user listed has been deny access to the mailbox by explicitly removing them from Manage Full mailbox access?
Basically, I have previously removed the user that appears listed when running this command and when going to Manage Full mailbox access I don’t see them anymore. So i just wanted to confirm if even after revoking access this script will show return results with Deny True?
Hope this makes sense
Thanks!!!!
I just tested this, removed full mailbox access from a shared mailbox, run the command again and there you go now you see it listed with Deny equals True, even if you cant see this on EMC you can see who has been denied access when using EMS. Interesting stuff 😉
Hi Paul,
Is possible to disabled a default folder from an exchange account ?
I use osx and i configure mail app with exchange. By default i have a lot of directorys that i can’t delete … say you can’t delete distinguished folders … ! I already search the whole internet to know if i can disable this default folders. You have any idea ? Thanks in advance.
how would you export the permissions for only a specific set of users in a text file?
forEach ($user in $list)
Get-Mailbox -Identity $user…
Dang, I need this now, and was hoping someone else had asked and found out how…
This is a bit old post but thought i’d answer because i had the same question and figured it out.
$users = Import-csv “C:\source\DisabledUsers.csv”
foreach ($user in $users){Get-MailboxPermission -Identity $User.samaccountname | where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false} | Select Identity,User| Export-Csv -NoTypeInformation “c:\source\mailboxpermissions.csv” -append}
With your powershell command, the result is a csv file with the following colums:
“Identity,”User”,”Access Rights”
i need to add also the samaccountname of the identity. So i will have the following colums:
“Identity”,SAMAccountname”,”User”,”Access Rights
i hope it’s clear…
thanks !
Now I see what you mean. Yes you can do it, you’d just need to do a bit of scripting to fetch and join two different bits of data together. I’ll see if I can come up with the exact code and post an article with it.
Any update on this one?
Hi Bodo,
Curious if you ever got that script to work?
Thanks,
Rich
Hello,
i need to add in every line of the file also the alias. How i can do this ?
thanks
I don’t understand your question Bodo.
paul,
great tip
how can do this on Exchange 2003 SP2 without introdcuing Exchange 2007 or 2010
is it possible?
thanks
edward
Hi Edward, it isn’t possible with the same powershell technique I demonstrated here. There might be a way to do it with some AD scripting but I’ve never really looked into it.
HI
you can use ADModify.NET to export the mailbox right for exchange 2000 and 2003.
http://www.msexchange.org/articles-tutorials/exchange-server-2003/tools/ADModify-Change-Exchange-Specific-AD-User-Attributes.html
there is an option to export mailbox right.
Handy tip, for sure! We often have staff that move from one group to another and when they do they take access to the group email accounts with them. For security and privacy reasons they shouldn’t carry those permissions with them when they move.
What command would I run to find a list of all the email accounts Jane Doe has FullAccess permissions to?