How to report which Exchange mailboxes group members have full access to

Mailbox access rights in Exchange are easy to assign; managing them, however, can be a bit of a pain, especially when they are assigned on a per-user basis or handed out while troubleshooting an issue for a user. What would be really useful is the ability to quickly generate a report against a subset of users to check that their access rights fall in line with organisational policies, or just to check for any permissions that need revoking.

To help with visibility in this area, I’ve written a little script that lets you discover this information so you can act on it. Basically, it takes a group of users, then checks all the mailboxes to find out whether any of those users have full access rights to mailboxes other than their own, and outputs the results to the console.

So, why did I write this script? Quite simply, to meet a business need – a management requirement to provide a report on what mailboxes the people in the IT department have full access to. However it’s not just useful for that – users move around between departments often and while group memberships are routinely updated in most organisations, there’s always the off-chance a user’s been granted full access to a certain mailbox and that permission hasn’t been revoked.

Usage is fairly straightforward. You need to know the group name; after that simply specify it when executing the script:

.\Get-MailboxPermissionForGroupMembers.ps1 "Example Group"

After execution, the script expands all the group members (including any in sub-groups), then gets all mailboxes. It compares each mailbox’s full access permissions list against those group members and, for every mailbox where there is a match, outputs a header line naming the mailbox followed by the list of group members that have full access to it.


Currently, this is a version 1.1 script. It’s aimed at both Exchange 2007 and 2010 at the moment, but I envisage a future version that would not only check for other types of permissions set at the mailbox level, but also check for mailbox folder permissions in an Exchange 2010 environment. And, as always, your comments and ideas for improvements would be very much appreciated 🙂

param($Group)
# Get mailboxes that one or more members of the specified group have full access permission to

# Helper function to get group members recursively (returns SamAccountNames)
function Get-GroupMembersRecursive
{
    param($Group)
    [array]$Members = @()
    $Group = Get-Group $Group -ErrorAction SilentlyContinue
    if (!$Group)
    {
        throw "Group not found"
    }
    foreach ($Member in $Group.Members)
    {
        # Nested group: recurse into it; otherwise record the user's SamAccountName
        if (Get-Group $Member -ErrorAction SilentlyContinue)
        {
            $Members += Get-GroupMembersRecursive -Group $Member
        } else {
            $Members += ((Get-User $Member.Name).SamAccountName)
        }
    }
    [array]$Members = $Members | Select -Unique
    return $Members
}

[array]$Members = @()
$Group = Get-Group $Group -ErrorAction SilentlyContinue
if (!$Group)
{
    throw "Group not found"
}
[array]$Members = Get-GroupMembersRecursive -Group $Group

$Mailboxes = Get-Mailbox -ResultSize Unlimited
foreach ($Mailbox in $Mailboxes)
{
    # Explicit (non-inherited) FullAccess entries only, ignoring the owner's own SELF entry.
    # Passing the Identity string rather than the whole mailbox object sidesteps the
    # "Database is mandatory on UserMailbox" error some environments report when the
    # object is passed positionally.
    $Result = Get-MailboxPermission -Identity $Mailbox.Identity | where { ($_.AccessRights -like "*FullAccess*") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") } | Select User
    [array]$AccessUsers = @()

    foreach ($DomUser in $Result)
    {
        $Found = $false
        # The User property is "DOMAIN\SamAccountName"; split it on the backslash
        $DomUser = [String] $DomUser.User
        $UserArray = $DomUser.Split("\")
        $Domain = $UserArray[0]
        $User = $UserArray[1]

        foreach ($Member in $Members)
        {
            if ($Member -eq $User)
            {
                $AccessUsers += $User
                $Found = $true
            }
        }

        if ($Found -eq $false)
        {
            # Not a direct member: check whether the ACL entry is a user at all; if not,
            # treat it as a group and see whether any of its members are in our group.
            if ($DomUser -ne "")
            {
                if (!(Get-User $DomUser -ErrorAction SilentlyContinue))
                {
                    $subGroup = Get-Group $DomUser -ErrorAction SilentlyContinue
                    if ($subGroup)
                    {
                        $subMembers = Get-GroupMembersRecursive -Group $subGroup
                        foreach ($subMember in $subMembers)
                        {
                            foreach ($Member in $Members)
                            {
                                if ($Member -eq $subMember)
                                {
                                    $AccessUsers += $Member
                                }
                            }
                        }
                    }
                }
            }
        }
    }
    # Keep the [array] cast: Select -Unique returns a bare string when there is a single
    # hit, and a string has no usable .Count in PowerShell 2.0, so that mailbox would be skipped.
    [array]$AccessUsers = $AccessUsers | Select -Unique
    if ($AccessUsers.Count)
    {
        $Output = "These members of ""$($Group.Name)"" have Full Access permissions to Mailbox ""$($Mailbox)"""
        Write-Output $Output
        Write-Output ("-" * $Output.Length)
        $AccessUsers
    }
}
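The comparison step of the script above, rewritten as an added example (my code, not the post's script or its download) to work on plain objects: it takes the expanded member list and a set of permission entries shaped like Get-MailboxPermission output, so it can be exercised offline on the constructed sample below and, in an Exchange Management Shell, fed the real cmdlet output and piped to Export-Csv for further analysis. It covers direct user entries only; a group sitting in a mailbox ACL would still need the recursive expansion the script performs. The function name, the CONTOSO domain, the mailbox names and the member list are assumptions made up for the example.

```powershell
# Added example, not the script from the post. Emits one object per (mailbox, member)
# pair where the member holds an explicit FullAccess entry, so the result can be
# filtered, sorted or exported instead of being written to the console as text.
function ConvertTo-FullAccessReport
{
    param(
        # SamAccountNames of the expanded group members (what Get-GroupMembersRecursive returns)
        [Parameter(Mandatory = $true)][string[]]$Members,
        # Objects shaped like Get-MailboxPermission output: Identity, User, AccessRights, IsInherited
        [Parameter(Mandatory = $true)][object[]]$PermissionEntries,
        [string]$GroupName = "Example Group"
    )
    # A hashtable lookup replaces the nested loops; keys are lower-cased so the match
    # stays case-insensitive like the original -eq comparison.
    $memberSet = @{}
    foreach ($m in $Members) { $memberSet[$m.ToLower()] = $true }

    foreach ($entry in $PermissionEntries)
    {
        # Same filter as the post's script: explicit FullAccess, ignoring the SELF entry
        if ($entry.IsInherited) { continue }
        if ($entry.User -like "NT AUTHORITY\SELF") { continue }
        if (-not (@($entry.AccessRights) -like "*FullAccess*")) { continue }

        # User is "DOMAIN\SamAccountName"; anything without a backslash is skipped
        $parts = ([string]$entry.User).Split("\")
        if ($parts.Count -lt 2) { continue }
        $sam = $parts[1]

        if ($memberSet.ContainsKey($sam.ToLower()))
        {
            # New-Object PSObject rather than [PSCustomObject] so it runs on PowerShell 2.0
            New-Object PSObject -Property @{
                Group   = $GroupName
                Mailbox = [string]$entry.Identity
                User    = $sam
                Domain  = $parts[0]
            }
        }
    }
}

# Constructed sample input (assumed names): two group members and five ACL entries
# covering a direct hit, the SELF entry, a non-member, an inherited entry and a
# non-FullAccess right.
$sampleMembers = @("alice", "bob")
$sampleEntries = @(
    (New-Object PSObject -Property @{ Identity = "Sales Shared"; User = "CONTOSO\alice";      AccessRights = @("FullAccess");                  IsInherited = $false }),
    (New-Object PSObject -Property @{ Identity = "Sales Shared"; User = "NT AUTHORITY\SELF";  AccessRights = @("FullAccess", "ReadPermission"); IsInherited = $false }),
    (New-Object PSObject -Property @{ Identity = "Finance";      User = "CONTOSO\carol";      AccessRights = @("FullAccess");                  IsInherited = $false }),
    (New-Object PSObject -Property @{ Identity = "Finance";      User = "CONTOSO\bob";        AccessRights = @("FullAccess");                  IsInherited = $true  }),
    (New-Object PSObject -Property @{ Identity = "HelpDesk";     User = "CONTOSO\bob";        AccessRights = @("ReadPermission");              IsInherited = $false })
)

$report = ConvertTo-FullAccessReport -Members $sampleMembers -PermissionEntries $sampleEntries -GroupName "Example Group"
$report | Format-Table Mailbox, User, Domain, Group -AutoSize

# In an Exchange Management Shell the real input would be built like this and exported:
#   $entries = Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission
#   ConvertTo-FullAccessReport -Members $Members -PermissionEntries $entries -GroupName "IT Department" |
#       Export-Csv .\FullAccessReport.csv -NoTypeInformation
```

Because the function returns objects, the exported CSV can be diffed against an approved-access list on each run, which turns the one-off report the post describes into a repeatable check for permissions that should have been revoked.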

Download Get-MailboxPermissionsForGroupMembers.zip

15 thoughts on “How to report which Exchange mailboxes group members have full access to”

  1. Hi, I’m no PowerShell dude, but this script seems to do what I want. I really don’t know which values I have to set to reflect my security group name and domain, though. What are the wildcards that I have to change? Sounds dumb, I know.

  2. Great script! I would like to capture the output in a file for further analysis. I have not been able to do that with the Write-Output command.

  3. Hi,

    love your script, used it in the past and it worked great.

    I’m trying to use it again using the “Domain Users” group – I don’t get an error, and the results come out blank. Any ideas?

    TIA,
    Jerry

    • I’m not sure – I wonder if it could be because of Primary Group membership – IIRC this means the users aren’t listed in the group object itself. You can test if this is the case by changing the primary group of a couple of users and retrying (after AD replication).

      Steve

  4. Pingback: Dave Stork's IMHO : Granting Mailbox Full Access via Groups and keeping the Automapping feature in Exchange 2010

  5. Hi

    Need your help with a PowerShell script to get the Exchange user mailbox audit report (like who has accessed other users’ mailboxes and sent on-behalf email).

  6. Could the group be the Domain Users group, or is this a group in Exchange? I am trying to find all the shared mailboxes on a 2007 Exchange server and on an Exchange 2003 server. Any ideas?

  7. Pingback: How to report which Exchange mailboxes group members have full access to | Steve Goodman’s Exchange Blog « JC’s Blog-O-Gibberish

  8. Why do I get the error below? And after that error the script ends running, so I wonder if it did all the job or was interrupted.
    I am sure all the members of the group are UserMailbox.

    Get-MailboxPermission : Database is mandatory on UserMailbox.
    At D:\Mesajlasma\Evren\Get-MailboxPermissionsForGroupMembers.ps1:40 char:36
    + $Result = Get-MailboxPermission <<<< $Mailbox | where { ($_.AccessRights -like "*FullAccess*") -and ($
    _.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") }| Select User
    Get-MailboxPermission : Database is mandatory on UserMailbox.
    At D:\Mesajlasma\Evren\Get-MailboxPermissionsForGroupMembers.ps1:40 char:36
    + $Result = Get-MailboxPermission <<<< $Mailbox | where { ($_.AccessRights -like "*FullAccess*") -and ($
    _.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") }| Select User
    Get-MailboxPermission : Database is mandatory on UserMailbox.
    At D:\Mesajlasma\Evren\Get-MailboxPermissionsForGroupMembers.ps1:40 char:36
    + $Result = Get-MailboxPermission <<<< $Mailbox | where { ($_.AccessRights -like "*FullAccess*") -and ($
    _.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") }| Select User

  9. Pingback: Script – Quais mailbox tem acesso Full Access no Exchange 2010 « Rodrigo Rodrigues .:. www.andersonpatricio.org

  10. Pingback: Tweets that mention How to report which Exchange mailboxes group members have full access to | Steve Goodman's Tech Blog -- Topsy.com
