Exchange Server 2007, 2010: How to query user mailboxes, its permissions using Exchange PowerShell?


                    Le Café Central de
Deva              

                                 
                                 ..... Deva blogs!!




 

 

Exchange Server 2007, 2010: How to query user mailboxes, its permissions using Exchange PowerShell?

  • Comments 2

In Exchange Server 2007/2010, you can use Exchange PowerShell cmdlets (especially using Get-Mailbox, Get-MailboxPermission, Get-ADPermission, Get-MailboxFolderPermission) to get a verity of info. I played with couple of the below in different scenarios and want to share the same with you – so that you can give a shot and make use of.

Scenario # 1: How to query permissions on a mailbox (testuser1)?
> Get-MailboxPermission test1

image

Scenario #2: How to query permissions of all the mailboxes on a particular server?
> Get-Mailbox –Server “ServerName” | Get-MailboxPermission

image

Scenario #3: How to query permissions of all the mailboxes?
> Get-Mailbox | Get-MailboxPermission
Note: This will get the list of all permissions (including SELF permissions and inherited permissions)

image

Scenario # 4: How to query permissions of all the mailboxes (filter out SELF and inherited permissions)?
> Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false}

Scenario #5: How to query mailbox permissions and Security permissions (only enumerate permissions that are not Inherited)?
> Get-Mailbox | Get-MailboxPermission | where {$_.IsInherited -eq $False}
Note: The above query will get you the “explicitly assigned permissions”

Scenario #6: How to query the explicitly assigned permissions (filter out SELF permissions)?
> Get-Mailbox | Get-MailboxPermission | where { ($_.IsInherited -eq $false) -and -not ($_.User -like “NT AUTHORITY\SELF”) }

Scenario #7: How to query list of all mailboxes with Send-As permission assigned on them?
> Get-Mailbox | Get-ADPermission | where {($_.ExtendedRights -like “*Send-As*”)} | FT –Wrap
Note: This will get the list of mailboxes with Send-As permission assigned. Also you can notice that it shows Send-As permissions assigned to SELF on all mailboxes also.

Scenario #8: How to query list of all mailboxes with Send-As permission assigned on them (filter out SELF and inherited permissions as similar to Scenario #4)?
> Get-Mailbox | Get-ADPermission | where {($_.ExtendedRights -like “*Send-As*”) -and ($_.IsInherited -eq $false) -and -not ($_.User -like “NT AUTHORITY\SELF”)} | FT –Wrap

Scenario #9: How to query the permissions of shared calendar in Exchange 2010?
> Get-MailboxFolderPermission –identity “mailboxaccount*:\Calendar”
Note: If you just try Get-MailboxFolderPermission with identity with mailboxaccount won’t get you the above.

Scenario #10: How to query the users rights to a specific users mailbox?
> Get-MailboxPermission –identity “username” | fl user, accessrights

image

Scenario #11: How to query the permissions for every users mailbox?
> Get-MailboxPermission –identity * | fl user, identity, accessrights

image

Note:

+ Exporting the data:
At anypoint of time, if you want to export the above results to a CSV file, then you can use “Export-csv”. Say, let we try with one of the above scenario – try with scenario # 2:
> Get-Mailbox | Get-MailboxPermission | Export-csv C:\permissions.csv

image

+ Automation using .Net Framework:
If you want to like to add Exchange management capabilities to your Microsoft .NET Framework–based applications then you can try the above by referring the following: http://msdn.microsoft.com/en-us/library/bb332449(v=exchg.80).aspx and http://msdn.microsoft.com/en-us/library/ff326159(v=exchg.140).aspx.

Happy PowerShelling and automation…!!

  • Hi,

    Please update your post, as Get-MailboxFolderPermision cmdlet is not supported on Exchange 2007 servers.

    When we try to execute this cmdlet, Exchange 2007 shell throws this error:

    The term 'Get-MailboxFolderpermission' is not recognized as the name of a cmdlet, function, script file, or operable program.

    Also, always use -NoTypeInfo with Export-CSV to skip exporting object type as first row.

    This command

    Get-Mailbox | Get-MailboxPermission | Export-csv C:\permissions.csv

    doesn't export permission correctly. You can see the output file, as AccessRights is an array of permission. you may need a [string]::join.

    Regards,

    Laeeq

  • Laeeq, Thanks for the update. In case of Exchange Server 2007, you can try the following: Get-Mailbox | Get-MailboxPermissions - it will work for you.

Page 1 of 1 (2 items)
Blog - Post Feedback Form(CAPTCHA)
Leave a Comment
  • Post