Powershell: Enumerating access rights on mailboxes


Don’t you just hate it when audit time comes around and they ask for a list of each and every person who has access to each and every mailbox in your environment –_-. Since this happened to one of my clients I wrote the following PowerShell command for Exchange 2010. Take the following into consideration:

  • This will not display rights inherited from the top-level information store (database-wide rights)
  • This will exclude all SELF rights

List which mailboxes a user has access to:

Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv

This little gem retrieves all mailboxes in the organization, gets their permissions, and excludes the “NT AUTHORITY\SELF” entry and all inherited rights. It then dumps the mailbox, the user who has rights on it and the kind of rights into a CSV file.
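The same enumeration reshaped per user, as an added example rather than the post’s own command; it assumes the Exchange 2010 Management Shell, and the output file name is a placeholder. It also drops explicit Deny entries and lifts the 1000-result default of Get-Mailbox, both of which the one-liner above does not do.

```powershell
# Added example, not code from the original post. Assumes the Exchange 2010
# Management Shell (Get-Mailbox / Get-MailboxPermission are available).
# Differences from the post's one-liner: -ResultSize Unlimited (the default
# stops at 1000 mailboxes), Deny ACEs are dropped (they are not grants), and
# the output is reshaped per user, which is what an auditor usually asks for.
$rows = Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object {
        $_.User.ToString() -ne 'NT AUTHORITY\SELF' -and
        $_.IsInherited -eq $false -and
        $_.Deny -eq $false
    } |
    Select-Object @{Name='User';    Expression={ $_.User.ToString() }},
                  @{Name='Mailbox'; Expression={ $_.Identity.ToString() }},
                  @{Name='Rights';  Expression={ [string]::Join(', ', $_.AccessRights) }}

# One row per (user, mailbox) pair, sorted so each user's grants sit together.
# Placeholder output path; change to suit.
$rows | Sort-Object User, Mailbox |
    Export-Csv -NoTypeInformation -Path .\mailboxpermissions-by-user.csv

# Per-user summary: how many mailboxes each account can open and how many of
# those with FullAccess. Accounts with large counts are the ones to review first.
$rows | Group-Object User | ForEach-Object {
    New-Object PSObject -Property @{
        User       = $_.Name
        Mailboxes  = $_.Count
        FullAccess = @($_.Group | Where-Object { $_.Rights -match 'FullAccess' }).Count
    }
} | Sort-Object Mailboxes -Descending | Format-Table User, Mailboxes, FullAccess -AutoSize
```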
The same but in alternate order:
Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions2.csv


Warning!

Both commands will make your CPU spike and will take some time to process, depending on the size of your environment!

Comments (5)

  1. Anonymous says:

    There should be a pipe in the second command before the word Select

  2. Not sure if it's my browser or what, but the code blocks above show just a horizontal scroll bar, and vertical buttons. 🙁

  3. Strange! Shows fine here… What browser are you using?

  4. will says:

    If I’m not mistaken, the two codes are identical.

  5. Stu says:

    Thanks, really useful code snippet!