
Practical 365


How to List all Users Who Have Access to Other Exchange Mailboxes

July 2, 2011 by Paul Cunningham 174 Comments

While preparing for an Exchange Server 2007 to 2010 migration I needed to work out which users had been granted access to other mailboxes. This applied both to shared mailboxes (e.g. a Help Desk) and individual mailbox access (e.g. a personal assistant with access to the CEO’s mailbox).

Exchange 2007/2010 provide the Get-MailboxPermission cmdlet that can be used to query the permissions on a mailbox. For example:

Get-MailboxPermission helpdesk
 
Identity             User                 AccessRights        IsInherited Deny
--------             ----                 ------------        ----------- ----
exchangeserverpro... NT AUTHORITY\SELF    {FullAccess, Rea... False       False
exchangeserverpro... ESPNET\Alex.Heyne    {FullAccess}        False       False
exchangeserverpro... ESPNET\Debbie.Lisa   {FullAccess}        False       False
exchangeserverpro... ESPNET\Kevin.Douglas {FullAccess}        False       False


To get the same information about all of the mailboxes in the environment we could run this command.

Get-Mailbox | Get-MailboxPermission
 
Identity             User                 AccessRights        IsInherited Deny
--------             ----                 ------------        ----------- ----
exchangeserverpro... NT AUTHORITY\SELF    {FullAccess, Rea... False       False
exchangeserverpro... ESPNET\BR-EX2007-MB$ {ReadPermission}    True        False
exchangeserverpro... ESPNET\Exchange S... {FullAccess}        True        True
exchangeserverpro... ESPNET\Domain Admins {FullAccess}        True        True
exchangeserverpro... ESPNET\Enterprise... {FullAccess}        True        True
exchangeserverpro... ESPNET\Exchange O... {FullAccess}        True        True
exchangeserverpro... ESPNET\administrator {FullAccess}        True        True
exchangeserverpro... ESPNET\Exchange S... {FullAccess}        True        False
exchangeserverpro... ESPNET\Exchange P... {ReadPermission}    True        False
exchangeserverpro... NT AUTHORITY\NETW... {ReadPermission}    True        False
exchangeserverpro... ESPNET\Exchange S... {ReadPermission}    True        False
exchangeserverpro... ESPNET\Exchange V... {ReadPermission}    True        False
exchangeserverpro... ESPNET\Exchange O... {FullAccess, Del... True        False
exchangeserverpro... ESPNET\administrator {FullAccess, Del... True        False
exchangeserverpro... ESPNET\Enterprise... {FullAccess, Del... True        False
exchangeserverpro... ESPNET\Domain Admins {FullAccess, Del... True        False
.....


The problem with that is it gives us more information than we really need, with a lot of SELF permissions and inherited permissions that aren’t relevant to the task we’re trying to accomplish.

You could export the output to CSV and manipulate it using Excel to get just the permissions information you want, but another method is to filter the PowerShell output.

For example, to filter out all of the SELF permissions and the inherited permissions we can run this command.

Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false}


That gives us a much smaller output that is more useful.

Identity             User                 AccessRights        IsInherited Deny
--------             ----                 ------------        ----------- ----
exchangeserverpro... ESPNET\Alannah.Shaw  {FullAccess}        False       False
exchangeserverpro... ESPNET\Payroll Team  {FullAccess}        False       False
exchangeserverpro... ESPNET\Alex.Heyne    {FullAccess}        False       False
exchangeserverpro... ESPNET\Debbie.Lisa   {FullAccess}        False       False
exchangeserverpro... ESPNET\Kevin.Douglas {FullAccess}        False       False


The Identity field contains long strings because it includes the full directory path to the mailbox user, so it may get truncated on your screen. In that case you could export the output to a CSV file.

Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Export-Csv -NoTypeInformation mailboxpermissions.csv


The trouble you may notice is that the access rights do not appear correctly in the output CSV file. AccessRights is an array, so Export-Csv writes its type name instead of the values.

AccessRights,Deny,InheritanceType,User,Identity,IsInherited,IsValid,ObjectState
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[],False,All,ESPNET\Alannah.Shaw,"exchangeserverpro.net/Company/Head Office/Users/Mark.Patel",False,True,Unchanged
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[],False,All,"ESPNET\Payroll Team","exchangeserverpro.net/Company/Head Office/Users/Payroll",False,True,Unchanged
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[],False,All,ESPNET\Alex.Heyne,"exchangeserverpro.net/Users/Help Desk",False,True,Unchanged
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[],False,All,ESPNET\Debbie.Lisa,"exchangeserverpro.net/Users/Help Desk",False,True,Unchanged
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[],False,All,ESPNET\Kevin.Douglas,"exchangeserverpro.net/Users/Help Desk",False,True,Unchanged


So to fix that we need to use a slightly different command. This single-line command will export to CSV a list of any mailboxes where other users have permissions to access them, and will also list what level of access those users have.

Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv
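
The filter-and-flatten steps above, written as a reusable audit function. This is an added example, not code from the original article: ConvertTo-MailboxAccessReport and Get-MailboxesByTrustee are hypothetical helper names, the sample entries are constructed so the script runs without an Exchange server, and PowerShell 3.0 or later is assumed.

```powershell
# Added example; these helpers are hypothetical, not Exchange cmdlets.
function ConvertTo-MailboxAccessReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$Entry,

        # Trustees that are never a finding; extend with accounts you have vetted.
        [string[]]$ExcludeUser = @('NT AUTHORITY\SELF')
    )
    process {
        # .User is a rich object in a local shell and a plain string in a remote session.
        $trustee = [string]$Entry.User

        # Compare as text so bool, switch and deserialized values all behave the same.
        if ("$($Entry.IsInherited)" -eq 'True') { return }   # skip inherited entries
        if ($ExcludeUser -contains $trustee)    { return }   # skip SELF and vetted trustees

        [pscustomobject]@{
            Mailbox       = [string]$Entry.Identity
            Trustee       = $trustee
            # -join flattens an array and an ArrayList alike, so the CSV gets the
            # right names instead of a type name.
            AccessRights  = @($Entry.AccessRights) -join ', '
            # The article's filter keeps Deny entries; surface them so a Deny is
            # not misread as a grant.
            Deny          = ("$($Entry.Deny)" -eq 'True')
            # A trustee shown as a bare SID could not be resolved to an account
            # name (often a deleted account whose permission entry was left behind).
            UnresolvedSid = ($trustee -like 'S-1-*')
        }
    }
}

# Flip the view: for each trustee, which mailboxes can they open?
function Get-MailboxesByTrustee {
    param([Parameter(Mandatory = $true)][object[]]$Report)
    $Report | Where-Object { -not $_.Deny } | Group-Object Trustee | ForEach-Object {
        [pscustomobject]@{
            Trustee   = $_.Name
            Mailboxes = ($_.Group | ForEach-Object { $_.Mailbox } | Sort-Object -Unique) -join '; '
        }
    }
}

# Constructed sample entries shaped like Get-MailboxPermission output
# (mailbox and user names reuse the article's listings; the SID is made up).
$sample = @(
    [pscustomobject]@{ Identity = 'exchangeserverpro.net/Users/Help Desk'; User = 'NT AUTHORITY\SELF'
                       AccessRights = @('FullAccess', 'ReadPermission'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'exchangeserverpro.net/Users/Help Desk'; User = 'ESPNET\Alex.Heyne'
                       AccessRights = @('FullAccess'); IsInherited = $false; Deny = $false }
    # ArrayList, as seen when the same pipeline runs over a remote session
    [pscustomobject]@{ Identity = 'exchangeserverpro.net/Company/Head Office/Users/Mark.Patel'; User = 'ESPNET\Alannah.Shaw'
                       AccessRights = [System.Collections.ArrayList]@('FullAccess'); IsInherited = $false; Deny = $false }
    # Inherited Deny entry: dropped by the IsInherited check
    [pscustomobject]@{ Identity = 'exchangeserverpro.net/Users/Help Desk'; User = 'ESPNET\Domain Admins'
                       AccessRights = @('FullAccess'); IsInherited = $true; Deny = $true }
    # Explicit grant to a trustee that no longer resolves to a name
    [pscustomobject]@{ Identity = 'exchangeserverpro.net/Company/Head Office/Users/Payroll'
                       User = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
                       AccessRights = @('FullAccess'); IsInherited = $false; Deny = $false }
)

$report = $sample | ConvertTo-MailboxAccessReport
$report | Format-Table -AutoSize
Get-MailboxesByTrustee -Report $report | Format-Table -AutoSize

# Against a live environment, feed the real cmdlets in instead of $sample:
# Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission |
#     ConvertTo-MailboxAccessReport | Export-Csv -NoTypeInformation mailboxpermissions.csv
```

Rows with UnresolvedSid set to True are worth reviewing first, since nobody can be named as the owner of that access.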


Comments

  1. steve king says

    March 16, 2021 at 1:45 pm

    juuuuuust need a script to import these permissions when forced to do a migration by pst 🙁 don’t ask, it won’t be a pretty response.

    If anyone could point me in a rough direction, that would be great. Sadly no budget for 3rd party tools costing around 60k 🙁

    Reply
  2. Andrew says

    September 30, 2020 at 4:50 pm

    Thanks for this. To add Send As and Send on Behalf permissions run this script:
    https://ibenna.wordpress.com/2017/05/15/export-all-exchange-mailboxes-with-send-as-full-access-send-on-behalf-of-permissions/

    Reply
  3. Ron Steurer says

    June 24, 2020 at 5:29 am

    I am beginning a migration for a customer and was looking for something just like this so that I could migrate users to Exchange Online in “batched groups” according to their mailbox permissions to not break the mailbox permissions when/if migrated at different times. This gave me a great and clean readable format after changing to an excel file to boot! Thank you again for your great contributions to the Exchange community Paul!

    If you are ever in Nashville, let me buy you a pint!

    -Ron

    Reply
  4. mirko says

    April 9, 2020 at 6:52 am

    And what if I also want to get the last logon of these mailboxes?

    For example:

    identity – last logon -user – accessrights

    And if a group has full access, what if I also want to get its user members?

    Reply
  5. mirko says

    April 9, 2020 at 1:08 am

    How can I combine these outputs:

    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails SharedMailbox | Get-MailboxStatistics | Select Displayname, LastLogonTime

    Get-mailboxpermission $Mailbox | where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false} | Select Identity, User, AccessRights | export-csv -delimiter “;” -path c:\temp\list.csv -notype
    }

    And what if I also want the display name and UPN of the members of the groups with full access?

    thank you

    Reply
  6. Amin says

    November 2, 2019 at 4:10 am

    Hi Paul,

    Love reading your Exchange blogs and always find them useful.

    I keep running into the following error when trying to run your PS command (and I run into this quite often when running other complex commands in ExchPS)

    Sending data to a remote command failed with the following error message: The WinRM client sent a request to the remote
    WS-Management service and was notified that the request size exceeded the configured MaxEnvelopeSize quota. For more i
    nformation, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo : OperationStopped: (System.Manageme…pressionSyncJob:PSInvokeExpressionSyncJob) [], PSRe
    motingTransportException
    + FullyQualifiedErrorId : JobFailure

    I can’t, for the life of me, figure out where to increase this MaxEnvelopeSize quota.

    Thanks, in advance.

    Reply
  7. Michael Niccum says

    July 3, 2019 at 10:33 am

    I took Matthew’s script and converted it to read users from a csv and report on which shared mailboxes they have access to:

    $users = get-content “usernames.csv”
    foreach ($user in $users) {
    Get-Mailbox -ResultSize Unlimited –Recipienttypedetails SharedMailbox | %{Get-MailboxPermission $_.Name -user $user | Select User,Identity,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv C:\MailboxAccess.csv -NoTypeInformation -Append; Get-ADPermission $_.Name -user $user | Select User,Identity,@{Name=’Access Rights’;Expression={[String]$_.ExtendedRights}} | Export-Csv c:\MailboxAccess.csv -NoTypeInformation -Append}
    }

    Reply
  8. mahdis khaledi says

    June 20, 2019 at 12:38 am

    Hi Paul. I am one of the fans of your Pluralsight courses. Thanks a lot!
    If we have a special user in O365, how can I, as an admin, find out which mailboxes he has access to?

    Reply
  9. William says

    April 17, 2019 at 9:47 am

    If you have multiple forests and/or domains, don’t forget this command first:

    Set-ADServerSettings -ViewEntireForest $true

    You will know you need this command if you only get output that is on the email server domain when you are expecting results from other domains.

    Reply
  10. Kiran Gandhi says

    January 21, 2019 at 6:26 pm

    I need to list mailboxes with Extended Rights ‘Send As’ permissions.
    I tried following but it did not succeed. Any help will be highly appreciated !

    Get-Mailbox -ResultSize Unlimited | Get-ADPermission | Where-Object {($_.ExtendedRights -like “*send-as*”) -and -not ($_.User -like “nt authority\self”)} | Format-Table Identity,User,ExtendedRights -wrap -AutoSize | Out-File -Encoding utf8 -FilePath c:\temp\SP.csv

    Thanks

    Reply
  11. Mubasheruddin says

    December 12, 2018 at 10:40 pm

    Dear, can you please give me the command to get the list of mailbox users reaching their limit, exported to a CSV file?

    Reply
  12. Sven says

    October 3, 2018 at 8:59 pm

    Hi Paul
    I found the same approach again and again and finally found out: it works, but for me only in an EMS on an Exchange server. When I use the same script on another server using a PowerShell remote connection over HTTPS I get only “System.Collections.Arraylist”. Do you know why?
    Thanks and best regards, Sven

    Reply
  13. Charlie Lochbaum says

    June 9, 2018 at 6:00 am

    Ok, one more. I am trying to find all “shared” mailboxes in an OU. I find all of the accounts, but am having trouble with my code to find the shared ones only.

    Has anyone else done this one?

    Thank you all!!!!!

    Reply
    • Jim Blunt says

      June 9, 2018 at 6:22 am

      Get-Mailbox -OrganizationalUnit “Subdomain.domain.com/ThisOU/SubOU” -RecipientTypeDetails SharedMailbox -ResultSize Unlimited

      This will get all Shared Mailboxes in the OU specified, then recurse through any sub-OUs and select them as well.

      Reply
  14. Charlie Lochbaum says

    May 31, 2018 at 7:25 am

    I am looking to see how to modify the PowerShell script to look only within an Active Directory OU in order to see permissions on only those user’s mailboxes. This is my first PowerShell project.

    Reply
    • Jim Blunt says

      May 31, 2018 at 7:42 am

      Charlie…very simple.

      “Get-Mailbox -OrganizationalUnit “OU=THIS,OU=THAT,OU=THeOtherThing,DC=YourDomain,DC=com” | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false}”

      If that doesn’t work, then add the -Recurse switch behind the OU information, before you pipe it to the Get-MailboxPermission command.

      Reply
      • Jim Blunt says

        May 31, 2018 at 7:45 am

        You might have to change it a little, depending on how many mailboxes are in the OU.

        I would probably do this, just to be safe:

        Get-Mailbox -OrganizationalUnit “OU=THIS,OU=THAT,OU=THeOtherThing,DC=YourDomain,DC=com” -ResultSize Unlimited | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false}

        Reply
      • Charlie Lochbaum says

        June 6, 2018 at 2:51 am

        Hey, this is great! Making progress. I only get two of the 5 accounts in the OU. I am now looking to show the mailboxes that are shared within that OU.

        -Recurse did not work.

        Thank you all! This is a great site!

        Reply
  15. Giannis says

    May 11, 2018 at 9:48 pm

    You are amazing!!!
    You saved me so much time!!!

    Thank you!

    Reply
  16. Mike says

    May 2, 2018 at 7:37 am

    Thanks!

    I appreciate your work, very useful.

    Reply
  17. Santosh says

    December 20, 2017 at 6:36 am

    How can we get the user data without the domain. Ex- Just “Alex.Hyne” and not “ESPNET\Alex.Hyne”

    Reply
  18. DESJP says

    December 15, 2017 at 7:20 pm

    I execute:
    Get-Mailbox -ResultSize Unlimited -OrganizationalUnit “OU” | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false} | Select Identity,User,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv

    but I have an error:
    L’envoi de données à une commande distante a échoué avec le message d’erreur suivant : La totalité des données reçues d
    e la part du client distant a dépassé le maximum autorisé. Le maximum autorisé est de 524288000. Pour plus d’informatio
    ns, voir la rubrique d’aide about_Remote_Troubleshooting.
    + CategoryInfo : OperationStopped: (System.Manageme…pressionSyncJob:PSInvokeExpressionSyncJob) [], PSRe
    motingTransportException
    + FullyQualifiedErrorId : JobFailure

    Reply
  19. Wilson Rodriguez says

    December 8, 2017 at 8:44 am

    Hello Paul,

    Please, I need your help as soon as possible. I need a script or any help that helps me to find out or get a list of USERS without NT AUTHORITY\SELF; all the scripts that I found haven’t helped me at all. Please, I need your help; I need to present to my supervisor and I couldn’t find out how to do it.
    I’ll be waiting for your kind comments.
    Thank you

    Wilson, Ecuador

    Reply
    • Paul Cunningham says

      December 8, 2017 at 12:37 pm

      I’m pretty sure this very blog post you’re commenting on answers that question.

      Reply
  20. jeremy says

    October 16, 2017 at 11:30 pm

    HELLO

    I am in a similar boat as Rob above and would like to find out which mailboxes have no other access.

    thank you

    Reply
  21. Adrien says

    September 22, 2017 at 6:59 pm

    Thanks a lot man.

    I appreciate your work, it is really useful :).

    Reply
  22. Rob says

    September 21, 2017 at 12:19 am

    Hi Paul!

    Love the site, keep up the good work!

    I was just wondering if you happen to have something that does the exact opposite of this. I would like to find all of my users that do NOT have access to other mailboxes.

    A little background…we are hybrid and there is a big push for going to EXO. However this place uses so many shared mailboxes it’s insane and borderline obscene. Due to all the limitations with cross premises permissions, what we call “single instance mailbox users” are our prime candidates to move to EXO.

    Thanks!

    Reply
  23. Jonathan Margulies says

    July 26, 2017 at 1:13 am

    Question: Is there a way to flip this around and find out all the other user’s folders (e.g., Calendar, Contacts, etc. but not full mailbox access.) a given user has access to? To keep it simple, assume that none of the default folder names have been changed.

    Thanks.

    Reply
  24. Jim Blunt says

    July 22, 2017 at 6:17 am

    Paul,

    In your first example to filter out the SELF permissions, you need to correct the script a little. Instead of:
    “Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITYSELF” -and $_.IsInherited -eq $false}”

    It should be:
    “Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false}”

    LOVE your site Paul!! Keep up the great work!

    Reply
    • Paul Cunningham says

      July 24, 2017 at 4:05 pm

      Thank you Jim. Lost a bunch of \ from code samples during a backend DB migration for the site :-/

      Reply
  25. Greg says

    June 13, 2017 at 1:37 am

    Thank you soooo much you saved me a ton of time

    Reply
  26. Abheek says

    April 10, 2017 at 8:53 am

    Hi Paul, Thanks for the script. It works great. However I have a requirement to sort Identities by Country/Usage Location.
    When I run the below command UsageLocation comes as blank in the csv. Am I doing something wrong?
    Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITYSELF” -and $_.IsInherited -eq $false} | Select Identity,UsageLocation,User,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv

    Reply
    • Paul Cunningham says

      April 10, 2017 at 9:12 am

      Is UsageLocation an attribute that Get-MailboxPermission returns?

      Reply
      • akshay says

        December 11, 2020 at 10:37 pm

        Hello Paul,

        I need a PowerShell script where we can get only active user mailboxes with their license assigned.

        Reply
  27. Tyler says

    April 4, 2017 at 3:08 pm

    Glad to see this post is still getting questions! Is there a way to return only groups and not users? I was thinking there might be a where command that filters out if the user type was “group” rather than a user. Any help would be appreciated!

    Thanks

    Reply
    • Paul Cunningham says

      April 5, 2017 at 9:10 am

      Not in the results that are returned by Get-MailboxPermission. You’ll just need to add some extra script logic that checks whether the “user” is in fact a user or group.

      Reply
      • Tyler says

        April 6, 2017 at 10:59 pm

        Thanks! Can you point me in the right direction to do that?

        Reply
        • Tyler says

          April 6, 2017 at 11:02 pm

          When I search tools to determine if the user is a group, most if not all of the results pertain to checking whether a user is in a group, not if a user is a group

          Reply
          • Paul Cunningham says

            April 7, 2017 at 2:40 pm

            Test it with Get-User and Get-Group. Consider this example.

            [PS] C:\> $a = “ESPNET\Level 1 Admins”

            [PS] C:\>if (Get-User $a) {Write-Host “It’s a user”}

            [PS] C:\>if (Get-Group $a) {Write-Host “It’s a group”}
            It’s a group

  28. Liam Evans says

    March 28, 2017 at 11:46 am

    Hi Paul, I need to filter another user in my organisation (NT AUTHORITY\SELF and domain\administrator) how do I apply this to the filter “where {$_.user.tostring() -ne “NT AUTHORITY\SELF””?

    Reply
    • Paul Cunningham says

      March 28, 2017 at 1:03 pm

      Try

      where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.user.tostring() -ne “domain\administrator”}

      But the idea that your administrator account has access to all mailboxes is a worry.

      Reply
  29. victor bassey says

    March 17, 2017 at 12:22 am

    In addition, the script does show distribution groups that have full access to another mailbox. Can I get the script to also list members of the DGs? The script is not picking up users that have access to a mailbox if they are part of a DG.

    before I forget, thanks always for your wonderful insight and help Paul.

    Reply
  30. victor bassey says

    March 17, 2017 at 12:19 am

    We are preparing for office 365 migration. We have a lot of user dependencies on shared mailbox. I was hoping there was a way to list all users that do not have access to any other mailboxes but their own. This way we can migrate those users first without needing to worry about access to shared mailboxes. Any tips would be much appreciated

    Reply
  31. Dan says

    February 21, 2017 at 3:27 am

    Hi Paul

    Do you have a similar one-liner or script that pulls out Send-As permissions and Send on Behalf? This one works a treat for getting AccessRights, so just wondered 🙂

    Cheers!
    Dan

    Reply
    • Paul Cunningham says

      February 21, 2017 at 8:03 am

      I don’t have anything handy, but as with many things PowerShell you’ve got a close example so it’s usually only a small amount of effort to adjust it to your needs.

      Reply
      • sam says

        October 25, 2018 at 12:09 am

        Hi Paul
        How can I find out the list of all users that have access to other mailboxes in the organization?

        Reply
  32. Anderson says

    December 17, 2016 at 6:43 am

    We are preparing for a domain migration and was hoping there was a way to list all users that do not have access to any other mailboxes but their own. This way we can migrate those users first without needing to worry about access to shared mailboxes. Any tips would be much appreciated!

    Reply
  33. peter says

    December 13, 2016 at 2:39 am

    Hi Paul
    Really need some help 🙂
    I have these two commands (source imported from a CSV-file):

    $UserFull = Get-MailboxPermission -Identity $_.EmailAddress | where {($_.IsInherited -eq $false) -and ($_.user.tostring() -notlike “S-1-*”) -and -not ($_.User -like “NT AUTHORITYSELF”)} | Select User

    # Find the email address of the users with Full Access rights
    $UserFull | ForEach-Object { Get-User -Identity $_.User.tostring() | where {$_.SamAccountName -notlike “mailexport*”} | select WindowsEmailAddress}

    Result is this:
    WindowsEmailAddress

    testbruger1@n00bs.dk
    testbruger4@n00b.dk
    testbruger3@n00b.dk

    (The result shows that several users have Full Mailbox Rights on the same (Source) User mailbox)

    BUT, I really need it to give me the output in one single line (row), like this:
    WindowsEmailAddress
    testbruger1@n00bs.dk, testbruger4@n00b.dk, testbruger3@n00b.dk

    Separated by “Commas” instead and then exported to a CSV-File to import in Office365
    How on earth do I do that ?

    Please help/advise

    Best regards
    Peter

    Reply
    • Paul Cunningham says

      December 13, 2016 at 10:01 am

      Sounds like you want to turn an array into a string, which is demonstrated in this blog post:

      https://blogs.technet.microsoft.com/heyscriptingguy/2014/07/16/join-me-in-a-few-string-methods-using-powershell/

      Reply
  34. Jim says

    November 17, 2016 at 2:19 am

    Thanks Paul this is a great thread with a ton of useful info. Funny how this is still active after all these years.

    If you are in a large org or have performance issues this is a good post.

    http://www.msexchange.org/kbase/ExchangeServerTips/ExchangeServer2010/Powershell/CheckFullAccesspermissionstoothermailboxes.html

    Of course here is Tony’s post on a bug in the hold process in older versions of Exchange 2013 prior to CU7 and reporting on delegate access.

    https://thoughtsofanidlemind.com/2014/09/05/reporting-delegate-access-to-exchange-mailboxes/

    Which dovetails nicely into the post Tony cites

    http://en.get-mailbox.org/using-powershell-background-jobs-can-help-you-speed-up-exchange-tasks-part-1/

    Dmitry, there are a number of examples of that earlier on in this post. You could limit by database or server. These are both good ways to constrain this. Also RecipientType is another fine way to constrain the search if you are looking only for shared mailboxes etc.

    Thanks again Paul

    Reply
  35. Dmitry says

    November 9, 2016 at 9:53 pm

    Hi All,

    Great article! Just wanted to know what it the right way to limit getting information by specific object unit and not to look for all mailboxes?

    Reply
  36. Peter says

    October 7, 2016 at 6:57 am

    Great Tip, exactly what I needed for THE overview of all SendAs and FullAccess rights on our +/- 60 mailboxes 😀 So a big thanks for all the effort putting this here 🙂

    Reply
  37. Arron says

    September 21, 2016 at 5:10 am

    Great Tip, exactly what I needed today for our upcoming mail migration!

    Reply
  38. Craig says

    September 16, 2016 at 4:05 am

    Thank you, this was very useful.

    Reply
  39. jan blaha says

    September 8, 2016 at 5:18 pm

    Hi, what is wrong with my script? I need to view all mailboxes and export those where another user has full access, without AUTHORITYSELF and XXXADMINISTRATOR. And how do I export to an HTML file? CSV is hard to read. Thank you.

    Get-Module -ListAvailable | Where-Object {$_.Path -like “$PSHOME*”} | Import-Module
    Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITYSELF” -and -ne “XXXADMINISTRATOR” -and $_.IsInherited -eq $false} | Select Identity,User,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv -NoTypeInformation J:ExchangeScriptsMailbox.csv

    Reply
    • Jim Blunt says

      December 9, 2017 at 5:22 am

      There is no backslash, between AUTHORITY and SELF.

      Reply
  40. Hisham Mezher says

    August 17, 2016 at 5:47 pm

    Dear Paul,

    Thank you for the article, this is of great value to us as all your scripts, articles and books.

    I kindly ask you help for the below:
    I have a shared mailbox that I need to give access to 5 users. my question is that how can I configure outlook 2010 allowing those 5 users to see all inbox and sub folders and allow them to send and receive emails?

    And another question is how to make just one user of those to prevent him from creating new folders under inbox, this user has a weird folder naming thinking, he always creates sub folders with unethical names.

    waiting for your reply
    Regards;

    Reply
  41. putra says

    June 27, 2016 at 2:47 pm

    Hi Paul,

    I have a question: could you give me a way to check the shared calendar of a user mailbox? For example, I want to know who user1 is sharing their calendar with.

    Reply
  42. David Alford says

    June 20, 2016 at 8:11 pm

    Just what I needed in one well written blog post.

    You Sir are Awesome,

    Reply
  43. Prem says

    June 10, 2016 at 7:08 am

    Get-Mailbox alias | Get-MailboxPermission | ft @{n=”User”;e={(get-user $_.user).Displayname}},AccessRights,IsInherited -AutoSize

    Reply
  44. Steve Rackham says

    June 1, 2016 at 10:47 am

    Changed the join section and it worked 😉
    See below. Thanks for the great oneliner.

    Get-Mailbox -ResultSize unlimited |
    Get-MailboxPermission |
    Where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false} |
    Select Identity,User,@{Name='Access Rights';Expression={($_.AccessRights -join ',')}} |
    Export-Csv -NoTypeInformation c:svcmailboxpermissions.csv

    Reply
  45. Steve Rackham says

    June 1, 2016 at 10:00 am

    Hi Guys,
    When running the script I get System.Collections.ArrayList for the Access Rights column.
    What have I missed? Exchange 2010 backend with Exchange 2013 Hybrid server.

    Reply
  46. Massimo says

    April 19, 2016 at 8:02 pm

    Hi ,
    for those who wanted to list one user access to other mailbox (Full Access Permission) i found this one :
    http://www.msexchange.org/kbase/ExchangeServerTips/ExchangeServer2010/Powershell/CheckFullAccesspermissionstoothermailboxes.html

    ForEach ($mbx in (Get-Mailbox -Resultsize Unlimited | Select Identity)) {Get-MailboxPermission $mbx.Identity -User yourusername | ? {$_.AccessRights -match “FullAccess” -and $_.IsInherited -eq $False} | Select Identity}

    Reply
    • Massimo says

      April 27, 2016 at 8:30 pm

      i think this one is simpler :
      get-mailbox | get-mailboxpermission -User $Username | select identity

      Reply
  47. Abhineet Thakur says

    March 11, 2016 at 7:59 pm

    Powershell Command to find out username who had accessed my mailbox earlier.

    Thanks in advance

    Reply
  48. jonbar says

    February 26, 2016 at 11:31 pm

    Thanks for the article and there is some good information on getting mailbox permissions for a site. I was looking for a way to hone this in slightly. We are a multi-site organization with many shared mailboxes. Over time the access to these mailboxes have expanded beyond their original intent. I am trying to reel that in now for our own office. There are maybe 100 or so group shared mailboxes. There is one distinction leading all the shared mailboxes that would differentiate them from the other offices and general mailboxes. Each of them have three letters at the beginning that notates our office. How can I adjust this to be able to get the permission for each mailbox within exchange that have these three letters at the start of the alias?

    Reply
    • Paul Cunningham says

      March 2, 2016 at 8:29 pm

      Get-Mailbox ABC* | etc etc

      Basically you’re just modifying the Get-Mailbox portion of the command to return only those mailboxes that you’re interested in, before piping to the next command.

      Reply
  49. Dale says

    January 27, 2016 at 1:21 pm

    Great script worked perfectly, Thanks so much for sharing.

    Reply
  50. Navneet says

    November 24, 2015 at 9:39 pm

    What would be the command if I want to look for a specific mailbox server, like
    Chlte306?

    And also suggest what white space i need to remove..and how ?

    Reply
  51. Navneet says

    November 24, 2015 at 7:14 pm

    thanks paul,
    just want to let you know. i am getting below error when running the command that you suggested

    Get-Mailbox -resultsize unlimited | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITYSELF” -and $_.IsInherited -eq $false} | Select Identity,User,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions1.csv

    Error
    WARNING: The object domain/Services/CAM/Retired/xxxjnsb has been corrupted, and it’s in
    an inconsistent state. The following validation errors happened:
    WARNING: The property value is invalid. The value can’t contain leading or trailing whitespace.

    Please suggest

    when i run the command without resultsize unlimited.. i am getting report perfectly but till 100 users

    Reply
    • Paul Cunningham says

      November 24, 2015 at 9:12 pm

      A property of that object “domain/Services/CAM/Retired/xxxjnsb” has a leading or trailing whitespace on it, which is invalid. Check that property on that object and remove the leading or trailing whitespace.

      Reply
      • Navneet says

        November 24, 2015 at 11:18 pm

        Hello Paul.

        i run the below one and it succeed as required.. thank you so much..

        Get-Mailbox -server chlte306 -resultsize unlimited | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false} | Select Identity,User,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv

        Reply
  52. Mathew says

    November 2, 2015 at 11:00 am

    Hi Paul,
    I was hoping you can assist with modifying the script to obtain the following data in the output file.

    * Username (for both users)
    * Level of Access
    * Display Name (for both users)
    * AD Description (for both users)

    Your assistance would be greatly appreciated.
    Many thanks again for all of your helpful posts.

    Reply
    • Mathew says

      November 3, 2015 at 9:47 am

      Sorry Paul, probably should have provided more info than that. Using Exchange 2010 I think EMS v2.0 I have been asked to export both Full and Send As permissions for all users in the domain and export to a single CSV to list:
      * Username (for both users)
      * Level of Access
      * Display Name (for both users)
      * AD Description (for both users)

      So far I have got the following script but it is failing miserably. Also having issues combining the Full and Send As due to the append parameter not working in earlier versions of shell. I’m not a pro at shell hence the mess below.

      Get-Mailbox -ResultSize Unlimited -Recipienttypedetails UserMailbox | %{Get-MailboxPermission $_.Name | Where {$_.user -notlike “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false} | Select Identity,User,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv D:\temp\MailboxAccess.csv -NoTypeInformation -Append; Get-ADPermission $_.Name | Where {$_.user -notlike “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false -and $_.ExtendedRights -like “Send-As”} | Select Identity,User,@{Name=’Access Rights’;Expression={[String]$_.ExtendedRights}} | Export-Csv D:\temp\MailboxAccess.csv -NoTypeInformation -Append}

      Reply
      • Paul Cunningham says

        November 3, 2015 at 10:53 am

        That’s not a script, that’s a one-liner that is impossible to read and understand. I really recommend you tackle this with more of a “clean code” approach and try to write a nice, tidy script that is easier for you to read and debug.

        Think about yourself 6 months from now trying to understand what that code does. Think about the next person who needs to run your script and tries to understand what it does. Make it clean and readable.

        And here’s a tip for combining information from multiple cmdlets:
        https://www.practical365.com/using-powershell-custom-objects-exchange-server-reporting-scripts/

        Reply
        • Mathew says

          November 4, 2015 at 7:25 am

          Thanks Paul, I appreciate your response. I’m a bit of a novice so I will read up on it, learn how to do it properly and get it cleaned up 🙂

          Reply
          • MAthew says

            December 22, 2015 at 8:08 am

            Hello Paul, took me a while but…FINISHED !!! Thought I would post in case someone else finds it useful. It could probably do with a clean-up but it does the job for now (had to be completed before end of year). Please share your thoughts….

            This pulls out
            For Mailbox User:
            Displayname ; Alias ; AD Description

            For user who has the access:
            Displayname ; Alias ; AD Description ; Access Rights (Send As / Full Access)

            Code removed: please don’t post scripts or large code samples into the comments, it breaks the layout of the page. Host your scripts on Github or another repository.

  53. Ned Bellavance says

    October 24, 2015 at 12:59 am

    I was trying to run this from a remote PowerShell session, and the last portion @{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} is not resolving correctly. Instead of dumping out the Access Rights list, it instead has the value System.Collections.ArrayList. I think the problem is that the remote PowerShell session does not have access to all the Exchange dlls and system types, so Exchange is rendering the data remotely. I changed the line to @{Name=’Access Rights’;Expression={$_.AccessRights[0]}} and it produces the correct output.

    Reply
    • Dontribi says

      December 17, 2015 at 10:23 am

      It is usually problematic based on the version of powershell you are using. If you adjust the join command to: {[string]::join(‘, ‘,@($_.AccessRights))}} it should work.

      Reply
  54. Dennis says

    October 3, 2015 at 2:31 am

    Paul,

    as usual – excellent tip! This fixed it for me. I granted an executive assistant full access permissions to the CEO’s mailbox and days later added the mailbox to her Outlook profile. This must have messed up the rights under the hood of Exchange. I ran the Get-MailboxDatabase | Remove-ADPermission -User -AccessRights GenericAll on all mailboxes and all’s clean again.

    Again, thank you!

    Reply
  55. Dennis says

    October 2, 2015 at 6:11 am

    Paul,

    out of the blue, our CEO’s user account has full access permissions to every single mailbox in the enterprise. We’re trying to find out how this could have happened. Any hints you could give us?

    Thanks so much!

    Reply
    • Paul Cunningham says

      October 2, 2015 at 9:19 am

      Maybe this.

      https://www.practical365.com/unexpected-permissions-appearing-exchange-server-mailboxes/

      Reply
  56. Kyle says

    September 5, 2015 at 2:36 am

    Hey paul,

    I was wondering if there was a way I could use the output from this to change all users who have access from ReadOnly to fullaccess. Running into a bit of trouble parsing it out correctly.

    Any ideas?

    Reply
  57. Kannan says

    May 6, 2015 at 6:19 am

    Do you have a powershell to check who has send as permissions for users and DLs?

    Reply
  58. Allan Sinfield says

    March 30, 2015 at 5:20 pm

    I posted the below comment in January 2014 and don’t think I got a reply

    I’m revisiting this now, any help would be greatly appreciated.

    “I have been running the script (have.
    Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false} | Select Identity,User,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv) for 6 months or so on our Exchange Server without any issues. We updated our Exchange Servers recently with Windows Updates and now when I export the information I get “Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]”

    Thanks

    Allan

    Reply
    • shilpa says

      May 8, 2018 at 8:22 pm

      Hi,

      A particular user having access on multiple shared mailboxes , how to export that data from powershell command

      Reply
  59. Nil says

    March 30, 2015 at 4:51 pm

    Hi Paul,

    I have Run Command in power shell, command execute successfully but i didn’t get output.
    what is by default location where output file store

    Reply
  60. Marc Hints says

    February 13, 2015 at 9:09 pm

    Hi There.

    we have just installed Exchange 2013. I would like make myself have full access to other users mailboxes. I have tried this with the following command:

    add-adpermission -identity “mailbox database 0577814824” -user “mhints@gbliners.com” -extendedrights receive-as

    I can see in the EAC that my name has been added to the users mailbox delegation as full access.

    When i go onto the owa and login as me then open another mailbox for the user i get the following error:

    You don’t have permission to open this mailbox 🙁 something went wrong

    Any help would be appreciated.

    Reply
    • Paul Cunningham says

      February 13, 2015 at 11:25 pm

      I recommend you don’t do it.

      Then I recommend that you read this:
      https://www.practical365.com/unexpected-permissions-appearing-exchange-server-mailboxes/

      Reply
      • Marc Hints says

        February 14, 2015 at 2:05 am

        Many Thanks

        Marc

        Reply
        • Marc Hints says

          February 14, 2015 at 2:20 am

          Can you tell me the right way to do this?

          Reply
        • Paul Cunningham says

          February 14, 2015 at 8:18 am

          Right way to do what?

          Reply
  61. Steven Collins says

    February 9, 2015 at 3:39 pm

    Thank you, this is exactly what I was looking for!

    Reply
  62. George says

    December 4, 2014 at 3:51 pm

    Dear Paul ,

    How Can I send this output as email

    Reply
  63. harvinder says

    November 28, 2014 at 6:36 pm

    Hi Paul,
    I have been reading your blogs and comment. it is really great.
    I need some assistance on the Virtual Lab in which I have installed AD, Exchange 2010 and notes Domino. Now, I am trying to send/receive emails via smart host. I have enabled Send connector & Receive Connector & enabled the Smart Host Service and gave IP Address of Exchange Server.

    My Question I still need a SMTP Server separately in order to route the emails or Quest Coexistence tool will help in that case ??? If yes then why we need the smart Host if we have SMTP server or Quest ????

    Thank you in advance,
    Harvinder SINGH

    Reply
    • Paul Cunningham says

      November 29, 2014 at 10:34 pm

      Notes co-existence is not something I am familiar with sorry.

      Reply
  64. Jeff says

    October 28, 2014 at 11:17 pm

    Can you tell me why if there are multiple users with full access, some list other permission levels as well:

    domain.com/Users/P Curtis DOMAIN\rtaylor FullAccess, DeleteItem, ReadPermission, ChangePermission

    domain.com/Users/P Curtis DOMAIN\cperson FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner

    domain.com/Users/P Curtis DOMAIN\mdaley FullAccess

    Reply
    • Paul Cunningham says

      October 29, 2014 at 7:18 pm

      Maybe someone previously applied those permissions by running different commands.

      Reply
  65. John says

    October 28, 2014 at 11:03 pm

    This is great, it is really useful. Does exchange hold anywhere when the permissions were granted? Can I add that to be a column? I am running 2007.

    Reply
    • Paul Cunningham says

      October 29, 2014 at 7:17 pm

      No. You could probably work it out from the administrator audit log in Exchange 2010 or 2013 though.

      Reply
      • John says

        October 29, 2014 at 11:12 pm

        Thanks for the response Paul, regards John

        Reply
  66. Sam Patel says

    October 15, 2014 at 8:56 am

    Hi Paul,

    When I run the script, I get a “cannot write input as there are no more running pipelines” – Can you help?

    Thanks

    Reply
  67. Huw says

    August 23, 2014 at 12:56 am

    I am totally new to all of this, so please forgive my lack of knowledge.
    I used one of your little scripts to get a list of user mailboxes with all users who also had full access to these same mailboxes. Great. Worked a treat.
    I noticed however that the results from the script did not correlate with the “Manage Full Access Permissions” option from within Exchange Management Console. Why is this?
    Also, where can I get a list of all the various access rights and their meaning, e.g. I have quite a lot of mailboxes with access rights of DeleteItem.

    Your help would be much appreciated.

    Reply
  68. Mohammed says

    August 19, 2014 at 4:31 pm

    Paul, Can you tell me how to query mailbox permission for list of users from notepad.

    I used get-content “filepath” | get-mailboxpermission and it won’t work. Any help

    Thanks in advance

    Reply
    • Paul Cunningham says

      August 19, 2014 at 7:33 pm

      Get-Content .\file.txt | Get-Mailbox | Get-MailboxPermission

      Reply
      • Mohammed says

        August 19, 2014 at 7:58 pm

        Thanks 🙂

        Reply
  69. Kristian says

    July 25, 2014 at 10:06 am

    Thanks for the slick scripting Paul

    Cheers

    Reply
  70. GNR says

    June 18, 2014 at 7:25 am

    can someone let me know in powershell how find out if a specific user has delegate permission on all users calendar. so far all i read is how to add a user, delegate permission on all mailboxes and export it to a file. is there a way to reverse it to only list users that don’t have the specific account/mailbox id?

    Reply
  71. Daryl du Plessis says

    April 9, 2014 at 12:37 pm

    Just wanted to say thanks for the script Paul. Worked a charm and was a quick way for me to audit access permissions on our mailboxes.

    Reply
  72. Michael McDowell says

    April 2, 2014 at 11:41 pm

    Paul, can you tell me how to add ‘Last Accessed Time’ for this? thanks much

    Reply
    • Paul Cunningham says

      April 5, 2014 at 2:08 pm

      That is retrieved using Get-MailboxStatistics.

      To combine the output from multiple cmdlets into a single report see this tutorial on PS custom objects:

      https://www.practical365.com/using-powershell-custom-objects-exchange-server-reporting-scripts/

      Reply
  73. jim says

    March 5, 2014 at 12:25 pm

    Hello, Thanks a lot for your EMS command
    We have 2 mailbox servers + 3 CAS and HUB transport servers

    We need to find a specific user (eg:Mark James , alias(username): mjames ) has what permission levels across all the mailboxes in the environment (around 2500 mailboxes)?

    How can we modify this command provided by you
    We don’t need to find all user have permissions on other mailboxes, instead of this , a specific user has permissions on which mailboxes and type of permissions

    Please help me
    Thanks heaps in advance

    Reply
  74. MK says

    February 24, 2014 at 6:39 am

    Hi Paul,

    Thank you very much for the scripts, definitely very useful,

    I’m a newbie in scripting, I’ve few questions,

    Q1 : In the last script instead of Identity, I tried to use Displayname it didn’t work, any idea why ?

    Q2 : NoTypeInformation what does that mean ?

    Q3 : Could you please let me know each and every word and sign’s meaning in the below command
    @{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}}

    Regards,
    MK

    Reply
  75. Allan says

    January 29, 2014 at 10:00 pm

    Hi Paul

    I have been running the above script (have.
    Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false} | Select Identity,User,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv) for 6 months or so on our Exchange Server without any issues. We updated our Exchange Servers recently with Windows Updates and now when I export the information I get “Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]” as the end of each line. In addition I also run a script to retrieve out of office information and the updates seem to have had an effect also, the list it retrieves seems to stop a third of the way through.

    We are running MS exchange 2010 SP2

    any help with this matter would be greatly appreciated.

    Many thanks

    Allan

    Reply
  76. Manuel Cruz says

    January 21, 2014 at 1:35 am

    The final script works great except for the exporting to a CSV. Can anyone tell me what I’m doing wrong? When I enter the command it just does nothing for about 30 seconds then hits the next line for me to enter a new command like nothing happened.

    Reply
    • Paul Cunningham says

      January 21, 2014 at 1:14 pm

      What is the exact command you are running?

      Reply
    • Daryl du Plessis says

      April 9, 2014 at 12:35 pm

      You will probably need to specify the file path for the output csv file, otherwise it will just dump it into the current directory. So i just pointed it to my v: drive:

      Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false} | Select Identity,User,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv -NoTypeInformation v:\mailboxpermissions.csv

      Reply
  77. Tony E. says

    December 19, 2013 at 6:28 am

    Can I use the above command but filter it to get me all calendar permissions. I need to find calendars that people are sharing.

    Reply
  78. sinam says

    November 30, 2013 at 3:45 am

    How to List all Users Who Had Access to Other Exchange Mailboxes?
    Previously accessed other mail boxes?

    Reply
  79. geezbill says

    November 22, 2013 at 3:25 am

    Nice script Paul. I would like this output to only reflect users that have the effective permissions to the mailbox.
    For example, if a user has permission and i run a command to add a -Deny FullAccess instead of -Remove permissions, then the permissions will show twice in the output of the script, one for the deny and one for the FullAccess. Sometimes i run the Add-MailboxPermission with the -Deny and -Automapping:$false as we have experienced an automapping after using the GUI to remove FullAccess Permissions. I would like the output of the script to omit Users that have two entries, one for FullAccess and one for -Deny FullAccess because their effective Permission is they don’t have rights. Can the script be modified to omit entries that have a duplicate entry with a -Deny?

    Reply
  80. Aasmir says

    September 26, 2013 at 9:15 pm

    Hi Paul,

    This command worked like a charm for everyone. Many Thanks for this great TIP.

    Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false} | Select Identity,User,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv

    is there a way to run similar command for MailboxFolderPermissions (Calendar and Inbox) as well.

    or is there a way to run this command against whole mailbox including all MailBoxFolders

    Thanks in Advance.

    Reply
  81. Doug says

    August 21, 2013 at 12:53 am

    Paul, thank you for command. It was very helpful. My question is, how can I do the reverse; use the resultant mailboxpermissions.csv file as an Import file to assign specific users, specific permissions to specific mailboxes?

    Thanks,

    Doug

    Reply
  82. Becky says

    July 15, 2013 at 7:58 pm

    Hi There,

    I am running the following script to export a list of mailboxes with permissions set:

    Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false} | Select Identity,User,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv -NoTypeInformation Z:\mailboxpermissions.csv

    For some reason, although I am connected to the server where these mailboxes lie, the script is not pulling the information on one set of mailboxes which is what i’m after. Is there a switch I can use to make it point at a particular domain?

    (I am pretty much a novice at powershell and have learnt bits and bobs by researching so I hope i’m making sense)

    Thanks

    Reply
  83. GB @ CFS says

    May 17, 2013 at 10:17 am

    How much more complicated would it be to add a recursive lookup for the groups that have permission to each mailbox too?

    Reply
  84. Larry Mease says

    May 9, 2013 at 12:54 am

    Thanks, Paul. Very useful information. I have used this as a starting point for some reporting/auditing scripts.

    Reply
  85. Jan says

    April 25, 2013 at 5:12 pm

    Hi Paul,

    I just wanted to thank you for this good tip, exactly what I was looking for.
    I like the way you explain each step of the Command.
    Great Work!

    Thanks a lot!
    Jan

    Reply
  86. Matt says

    March 6, 2013 at 10:04 am

    Just a quick question. I used the following modification of your script.

    get-content c:\admin\generic.txt | Get-Mailbox | Get-MailboxPermission | Select Identity,User,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv -NoTypeInformation c:\admin\permissions.csv

    And it worked fine however it is not displaying groups that have access to the mailbox.. how would i include this in the script?

    Reply
  87. Ravi Prakash Gupta says

    February 27, 2013 at 6:24 pm

    Hi Paul,

    I have received a list in which I have notefied that I have access on 600 mailboxes (Exchange 2007&2010), and its very difficult to remove all mailboxes access one by one. Is there any single command to remove all mailboxes access using a single command?

    Rav Prakash Gupta
    Enterprise Messaging & Collaboration.

    Reply
  88. Naga says

    February 22, 2013 at 11:52 pm

    Paul,

    You have provided the below script to pull what level of access for other users/shared mailboxes.

    Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false} | Select Identity,User,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv

    Is it possible to pull the list of users accessing shared mailboxes in specific storage group. If so please update me the exact script.

    Thanks in Advance !!

    Reply
    • Paul Cunningham says

      February 23, 2013 at 5:23 am

      Sure. Where “Get-Mailbox” is piping into the next cmdlet just modify how you want Get-Mailbox to run, eg “Get-Mailbox -Database YourDatabaseName”.

      Reply
  89. mohamamd says

    February 15, 2013 at 4:07 pm

    sorry
    i have not my answer yet
    is it possible to make some one have full access to all mailboxes in a database now and the future ?
    or even on all organization

    i know we can use powershell command to do this (get mailboxdatabase users and set-permission ,,,)
    but what about the future users

    should it be run on a schedule to do this or is there any better way ?

    Reply
  90. Nonis says

    February 15, 2013 at 12:38 am

    Hello Paul,

    This script is awesome and has helped me. I would like to thank you.

    I would like to ask you if it’s possible to generate a list, the other way around that this command does.
    This command displays the mailboxes one by one, and the users that have access to it.
    something like:
    mailbox1 user1,user2,user2
    mailbox2 user2,user3,user4 etc

    Is it possible to make it generate a list like this:
    user1 mailbox1, mailbox2, mailbox3
    user2 mailbox1,mailbox3, mailbox4

    Thank you,
    Nonis

    Reply
    • Paul Cunningham says

      February 15, 2013 at 1:31 pm

      Possible? Sure, PowerShell is very flexible. You’re basically collecting the same data just outputting it in different ways, so you just need to write the PowerShell code to do that 🙂

      Reply
      • Nonis says

        February 15, 2013 at 5:42 pm

        Well, that’s my problem at the moment, I’ve been trying to do this for the past couple of days, but to no avail.
        I understand it’s the same data, but I didn’t find a way to output it the way I needed it.

        Could you please help in this regard?

        Reply
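Two of the reshaping requests in this thread (dropping grants that are cancelled by a matching Deny entry, and listing each user with the mailboxes they can open) worked through as an added example that is not from the article or any commenter. The records are constructed sample data shaped like `Get-MailboxPermission` output, the function names are hypothetical, and the code assumes an explicit Deny of FullAccess for the same mailbox and user cancels the grant; group membership is not expanded.

```powershell
# Builds one record with the property names Get-MailboxPermission returns.
# Every value passed to it below is constructed sample data.
function New-SampleEntry {
    param([string]$Identity, [string]$User, [string[]]$Rights,
          [bool]$IsInherited = $false, [bool]$Deny = $false)
    New-Object PSObject -Property @{
        Identity     = $Identity
        User         = $User
        AccessRights = $Rights
        IsInherited  = $IsInherited
        Deny         = $Deny
    }
}

# In the Exchange Management Shell, replace this array with:
#   $entries = Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission
$entries = @(
    New-SampleEntry -Identity 'example.local/Shared/Helpdesk' -User 'NT AUTHORITY\SELF' -Rights 'FullAccess','ReadPermission'
    New-SampleEntry -Identity 'example.local/Shared/Helpdesk' -User 'EXAMPLE\user1' -Rights 'FullAccess'
    New-SampleEntry -Identity 'example.local/Shared/Helpdesk' -User 'EXAMPLE\user2' -Rights 'FullAccess'
    New-SampleEntry -Identity 'example.local/Shared/Helpdesk' -User 'EXAMPLE\user2' -Rights 'FullAccess' -Deny $true
    New-SampleEntry -Identity 'example.local/Users/CEO'       -User 'EXAMPLE\user1' -Rights 'FullAccess'
    New-SampleEntry -Identity 'example.local/Users/CEO'       -User 'EXAMPLE\Org Admins' -Rights 'FullAccess' -IsInherited $true
)

# Returns explicit FullAccess grants that are not cancelled by an explicit Deny.
function Get-EffectiveFullAccess {
    param([object[]]$Entry)

    # Explicit (not inherited), non-SELF entries that mention FullAccess.
    # ToString() makes the test work for enum values and for the plain
    # strings a remote session returns.
    $explicit = @($Entry | Where-Object {
        $_.User.ToString() -ne 'NT AUTHORITY\SELF' -and
        -not $_.IsInherited -and
        (@($_.AccessRights | ForEach-Object { $_.ToString() }) -contains 'FullAccess')
    })

    # Remember every mailbox/user pair that carries a Deny entry.
    $denied = @{}
    foreach ($e in $explicit) {
        if ($e.Deny) { $denied["$($e.Identity)|$($e.User)"] = $true }
    }

    # Keep Allow entries whose mailbox/user pair has no Deny.
    $explicit | Where-Object {
        -not $_.Deny -and -not $denied.ContainsKey("$($_.Identity)|$($_.User)")
    }
}

# Pivots mailbox-per-row data into one row per user.
function ConvertTo-PerUserReport {
    param([object[]]$Entry)

    $Entry | Group-Object -Property { $_.User.ToString() } | ForEach-Object {
        $mailboxes = @($_.Group | ForEach-Object { $_.Identity.ToString() } | Sort-Object -Unique)
        New-Object PSObject -Property @{
            User      = $_.Name
            Mailboxes = ($mailboxes -join '; ')
        }
    } | Select-Object User, Mailboxes
}

$effective = @(Get-EffectiveFullAccess -Entry $entries)
ConvertTo-PerUserReport -Entry $effective | Format-Table -AutoSize

# To save the report instead of displaying it:
#   ConvertTo-PerUserReport -Entry $effective |
#       Export-Csv -NoTypeInformation .\fullaccess-by-user.csv
```

Joining with `-join` over `@(...)` also flattens the rights or mailbox list to text whether the property arrives as an array or as a deserialized list.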
  91. Mohammad says

    February 6, 2013 at 3:59 pm

    Dear Paul
    Hi and Thanks

    but i have a problem
    the script shows an account having full permission on lot and lots of mailboxes but when i go to some of those and right click – manage full permission .. his user is not there !!
    he is the previous exchange admin here ! could he have made something hidden (to have permission but not to show in the GUI)

    Reply
    • Paul Cunningham says

      February 7, 2013 at 9:51 pm

      It depends which command you mean when you say “this script”, but it’s possible what you’re seeing is an inherited permission from a higher level object (eg the database, server, or organization level).

      Reply
      • Mohammad says

        February 8, 2013 at 2:27 am

        Dear Paul, Thanks so much
        I did a get-mailbox and then remove his permission but i have two more questions

        1- when i get-mailboxpermission i still see him in an entry (although it says full access is denied) – how can i remove him completely

        2- how can we do it ? i mean his permission is on newly created mailboxes too. can a full permission be set on a DB, server or organizational level ?? can u teach me how to do that and how to remove it ?

        Thanks again

        Reply
  92. Tim Bolton says

    February 6, 2013 at 4:34 am

    THANK YOU!! Was stuck on -ExpandProperty and could not recall how to get the “readable” Access Rights. Thanks!

    Reply
  93. Carol Ostos says

    November 29, 2012 at 12:30 pm

    How about MailboxFolderPermission, I know how to get a list of user that have access to a specific folder within a mailbox

    Get-MailboxFolderPermission -Identity “PrimarySMTPAdd:\Inbox\AutomatedEmail” | Select User, FolderName, AccessRights | fl User, FolderName, AccessRights.

    But what should I do if I want to know which folders a user has access to (any kind of access rights aka reviewer, owner, etc)

    I need to include all folders within the mailbox and the user in question would be an unresolved SID so would be something like “NT User:S-1-5-21-etc”

    Any help would be appreciated!

    Thanks

    Reply
  94. Dominic says

    November 7, 2012 at 10:26 pm

    Hi
    Would this work in an Exch 2K3 / Exch 2K10 co-existance scenario, and would it give the info for the users that have yet to be migrated to 2K10?
    Thanks

    Reply
    • Paul Cunningham says

      November 12, 2012 at 8:24 pm

      I’m not sure, and I don’t have a 2003 environment to check. You could always just give it a try and see if you get the expected result for a user you know has other users with access to their mailbox.

      Reply
  95. Samovar78 says

    November 2, 2012 at 3:04 am

    Would this powershell command also display groups (security and distribution) with access to mailboxes?

    Reply
    • Paul Cunningham says

      November 2, 2012 at 8:14 am

      It should, yes.

      Reply
  96. Nigel says

    October 30, 2012 at 12:22 am

    Hello,

    I would really appreciate some help with this. I’m not versed in PowerShell to this level. Before SP1 on exchange 2010, the AD attribute was not set to automatically open mailboxes in outlook. I’ve recently moved this exchange server to new fully serviced packed virtualised server. Any new users I grant full access to other mailboxes load automatically.

    Is there a way to export the current full access permissions for all users (about 500) and then clear them and then import again to set the AD attribute?

    This would be a massive time saver.

    Many thanks.

    Reply
    • Paul Cunningham says

      November 2, 2012 at 7:52 pm

      I think this is what you’re looking for:

      http://technet.microsoft.com/en-us/library/hh529943.aspx

      Reply
  97. Leslie Horton says

    September 20, 2012 at 5:23 am

    Hi Paul,
    Do you have a cmdlet for a specific user … for instance I need to know what permissions a particular user has for any mailbox/public folder.

    Scenario: user A needs to have the same access and permissions to all mailboxes, public folders and mailgroups as user B. What command could I run that would give me a list of all permissions for user B?

    Reply
    • Michelle Arnone says

      September 20, 2012 at 5:42 am

      The user may have permissions by dint of membership in some group, but if the individual user is granted permission, the following might help.

      Replace ” | where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false} ” with “-user USERB” to get the mailboxes’ permissions.

      get-distributiongroup | get-adpermission -user USERB should get the permissions for distribution groups

      Public folders are the harder one. I think you’d have to do get-mailpublicfolder -recurse | get-publicfolderclientpermission -user USERB, but I’m not 100% sure because I don’t have public folders anymore.

      Reply
      • Leslie Horton says

        September 21, 2012 at 5:17 am

        Thanks for your response! Would the script be the same on PS version 1 as opposed to version 2.0? We are currently using version 1.0 on Exchange Server 2010

        Reply
  98. Jomon Jose says

    August 26, 2012 at 6:51 pm

    Hi Paul.

    I have 3 domain with 5k above users. I get the below error and each time i get different result. Can you advise

    WARNING: By default, only the first 1000 items are returned. Use the ResultSize parameter to specify the number of
    items returned. To return all items, specify “-ResultSize Unlimited”. Be aware that, depending on the actual number of
    items, returning all items can take a long time and consume a large amount of memory. Also, we don’t recommend storing
    the results in a variable. Instead, pipe the results to another task or script to perform batch changes.

    Reply
    • Michelle Arnone says

      September 12, 2012 at 6:12 am

      So, after “get-mailbox” but before the ” | get-mailboxpermission” you put “-ResultSize Unlimited”. That lets you get back more than 1000 results at a time.

      For example,

      get-mailbox -resultsize unlimited | get-mailboxpermission | where {… etc.

      Reply
  99. Daniel Crawford Jr says

    August 22, 2012 at 6:44 am

    I’m wondering if the FullAccess permission will allow users to delete emails within the shared mailbox. Inherited permissions show FullAccess, DeleteItem, ReadPermission, ChangePermission, etc. I added some users to a shared mailbox and gave them full permissions, but some need not delete emails. Will the full access give them delete rights and what is the minimum permission(s) that a user needs to view and read emails in a shared mailbox? Thanks.

    Reply
    • Paul Cunningham says

      August 22, 2012 at 10:08 pm

      Just ReadPermission should do it.

      Reply
      • Lukasz says

        September 3, 2012 at 9:44 pm

        Hi Paul,

        I had similar issue as Daniel Crawford Jr – I needed for some users to be able to see Shared Mailbox, without a right to delete any emails.

        I have applied following cmd:

        Add-MailboxPermission “shared box name” -User domain\username -AccessRights ReadPermission -InheritanceType all

        Right is applied correctly, but then when I add mailbox to some users outlook I cannot expand the added shared box (folder cannot be expanded). It seems it only works with FullAccess right.

        Would you have any tips?

        Reply
  100. Carol Ostos says

    July 11, 2012 at 8:40 am

    Hey Paul, Great article as always, just a tiny question, Deny equals True in the output means the user listed has been deny access to the mailbox by explicitly removing them from Manage Full mailbox access?

    Basically, I have previously removed the user that appears listed when running this command and when going to Manage Full mailbox access I don’t see them anymore. So i just wanted to confirm if even after revoking access this script will show return results with Deny True?

    Hope this makes sense

    Thanks!!!!

    Reply
    • Carol Ostos says

      July 11, 2012 at 9:02 am

      I just tested this, removed full mailbox access from a shared mailbox, run the command again and there you go now you see it listed with Deny equals True, even if you can’t see this on EMC you can see who has been denied access when using EMS. Interesting stuff 😉

      Reply
  101. Joao Ferreira says

    May 31, 2012 at 3:22 am

    Hi Paul,

    Is it possible to disable a default folder from an Exchange account?

    I use OS X and I configured the Mail app with Exchange. By default I have a lot of directories that I can’t delete … it says you can’t delete distinguished folders … ! I have already searched the whole internet to find out if I can disable these default folders. Do you have any idea? Thanks in advance.

    Reply
  102. James says

    February 25, 2012 at 4:56 pm

    How would you export the permissions for only a specific set of users in a text file?

    forEach ($user in $list)

    Get-Mailbox -Identity $user…

    Reply
    • Lars Panzerbjørn says

      August 2, 2013 at 7:30 pm

      Dang, I need this now, and was hoping someone else had asked and found out how…

      Reply
      • John says

        February 28, 2018 at 8:21 am

        This is a bit of an old post but I thought I’d answer because I had the same question and figured it out.

        $users = Import-Csv "C:\source\DisabledUsers.csv"

        foreach ($user in $users){Get-MailboxPermission -Identity $user.samaccountname | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User | Export-Csv -NoTypeInformation "c:\source\mailboxpermissions.csv" -Append}

        Reply
  103. Bodo says

    September 15, 2011 at 4:58 pm

    With your PowerShell command, the result is a csv file with the following columns:
    "Identity","User","Access Rights"

    I need to also add the samaccountname of the identity. So I will have the following columns:
    "Identity","SAMAccountname","User","Access Rights"

    I hope it’s clear…

    thanks !

    Reply
    • Paul Cunningham says

      September 20, 2011 at 9:46 pm

      Now I see what you mean. Yes you can do it, you’d just need to do a bit of scripting to fetch and join two different bits of data together. I’ll see if I can come up with the exact code and post an article with it.

      Reply
      • Sahin Boluk says

        February 27, 2013 at 7:12 am

        Any update on this one?

        Reply
    • Rich says

      May 19, 2017 at 5:09 am

      Hi Bodo,
      Curious if you ever got that script to work?
      Thanks,
      Rich

      Reply
  104. Bodo says

    September 15, 2011 at 1:29 am

    Hello,

    I need to also add the alias in every line of the file. How can I do this?
    thanks

    Reply
    • Paul Cunningham says

      September 15, 2011 at 9:08 am

      I don’t understand your question Bodo.

      Reply
  105. Edward Walton says

    July 12, 2011 at 7:33 am

    Paul,

    great tip

    how can I do this on Exchange 2003 SP2 without introducing Exchange 2007 or 2010

    is it possible?

    thanks

    edward

    Reply
    • Paul Cunningham says

      July 12, 2011 at 4:06 pm

      Hi Edward, it isn’t possible with the same powershell technique I demonstrated here. There might be a way to do it with some AD scripting but I’ve never really looked into it.

      Reply
      • Shanif says

        April 12, 2013 at 11:54 pm

        Hi

        You can use ADModify.NET to export the mailbox rights for Exchange 2000 and 2003.

        http://www.msexchange.org/articles-tutorials/exchange-server-2003/tools/ADModify-Change-Exchange-Specific-AD-User-Attributes.html

        There is an option to export mailbox rights.

        Reply
    • T.Lacko says

      April 1, 2014 at 11:38 pm

      Handy tip, for sure! We often have staff that move from one group to another and when they do they take access to the group email accounts with them. For security and privacy reasons they shouldn’t carry those permissions with them when they move.

      What command would I run to find a list of all the email accounts Jane Doe has FullAccess permissions to?

      Reply
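
The question above (which mailboxes one person still holds FullAccess on), along with the earlier requests in this thread for a per-user export and a SamAccountName column, can be handled by one filter over Get-MailboxPermission output. The following is an added example, not code from the article or its commenters; `Select-DirectFullAccess`, the `EXAMPLE\Jane.Doe` account and the sample entries are hypothetical, and it skips inherited and Deny entries so that only direct, effective grants are reported.

```powershell
# Added example, not from the original article or its comments.
# Keeps only permission entries that are direct, effective FullAccess grants
# to one of the named delegates.
function Select-DirectFullAccess {
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)] $Ace,
        [Parameter(Mandatory=$true)] [string[]] $Delegate,
        [string] $SamAccountName = ''   # SamAccountName of the mailbox being checked
    )
    process {
        $user   = $Ace.User.ToString()
        $rights = ($Ace.AccessRights | ForEach-Object { $_.ToString() }) -join ','
        if ($Delegate -notcontains $user)       { return }  # e.g. NT AUTHORITY\SELF
        if ($Ace.IsInherited)                   { return }  # not granted on this mailbox itself
        if ($Ace.Deny)                          { return }  # a Deny entry is not a grant
        if ($rights -notmatch '\bFullAccess\b') { return }  # e.g. ReadPermission only
        New-Object PSObject -Property @{
            Mailbox  = $Ace.Identity.ToString(); SamAccountName = $SamAccountName
            Delegate = $user;                    AccessRights   = $rights
        } | Select-Object Mailbox, SamAccountName, Delegate, AccessRights
    }
}

$delegates = @('EXAMPLE\Jane.Doe')      # hypothetical account(s) to audit

if (Get-Command Get-MailboxPermission -ErrorAction SilentlyContinue) {
    # Exchange Management Shell: collect the mailboxes first, then query each one.
    $mailboxes = @(Get-Mailbox -ResultSize Unlimited)
    $report = foreach ($mbx in $mailboxes) {
        Get-MailboxPermission -Identity $mbx.DistinguishedName |
            Select-DirectFullAccess -Delegate $delegates -SamAccountName $mbx.SamAccountName
    }
} else {
    # No Exchange cmdlets loaded: run against constructed sample entries (not real data).
    $report = @(
        @{ Identity='Help Desk'; User='EXAMPLE\Jane.Doe'; AccessRights=@('FullAccess'); IsInherited=$false; Deny=$false },
        @{ Identity='Payroll';   User='EXAMPLE\Jane.Doe'; AccessRights=@('FullAccess'); IsInherited=$false; Deny=$true  },
        @{ Identity='CEO';       User='EXAMPLE\Jane.Doe'; AccessRights=@('FullAccess'); IsInherited=$true;  Deny=$false },
        @{ Identity='Sales';     User='EXAMPLE\Jane.Doe'; AccessRights=@('ReadPermission'); IsInherited=$false; Deny=$false },
        @{ Identity='Help Desk'; User='NT AUTHORITY\SELF'; AccessRights=@('FullAccess','ReadPermission'); IsInherited=$false; Deny=$false }
    ) | ForEach-Object { New-Object PSObject -Property $_ } |
        Select-DirectFullAccess -Delegate $delegates -SamAccountName '(sample)'
}
$report
```

Pipe `$report` into `Export-Csv -NoTypeInformation` to get a file in the same style as the article's export, and list several accounts in `$delegates` to review everyone who has changed teams in one pass.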
