PowerShell: Enumerating access rights on mailboxes

Don't you just hate it when audit time comes around and they ask for a list of each and every person who has access to each and every mailbox in your environment? Since this happened to one of my clients, I wrote the following PowerShell command for Exchange 2010. Take into consideration the following:

  • This will not display rights inherited from the top level information store (database wide rights)
  • This will exclude all SELF rights

List which users have access to which mailboxes:

 Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv

This little gem retrieves all mailboxes in the organization, gets their permissions, and excludes "NT AUTHORITY\SELF" and all inherited rights. It then dumps the mailbox, the user who holds rights on it, and the kind of rights into a CSV file.

The same but in alternate order:

 Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions2.csv

Warning!

Both commands will make your CPU spike and will take some time to process, depending on the size of your environment!
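The one-liners above only cover rights in the mailbox ACL itself, and Get-Mailbox without -ResultSize Unlimited stops at the first 1000 mailboxes, so a large environment is silently under-reported. The script below is an added example written for this post, not code from the original author: it runs the same enumeration in one pass over every mailbox, adds Send-As (Get-ADPermission) and Send on Behalf (the GrantSendOnBehalfTo attribute), skips Deny entries, and flags grants that point at unresolved SIDs, which is what a deleted account leaves behind and the kind of stale entry an auditor will ask about. It assumes an Exchange 2010 Management Shell session; the output path is a placeholder.

```powershell
# Added example, not part of the original post. Enumerates Full Access, Send-As
# and Send on Behalf grants for every mailbox and writes one CSV for the auditor.
# Assumes an Exchange 2010 Management Shell session.

$OutFile = 'C:\Audit\mailbox-access.csv'   # placeholder path, change to suit

# -ResultSize Unlimited: without it Get-Mailbox returns only the first 1000
# mailboxes, so a large environment would be under-reported without any error.
$mailboxes = Get-Mailbox -ResultSize Unlimited

$results = foreach ($mbx in $mailboxes) {

    # Rights granted directly on the mailbox (Full Access etc.), excluding the
    # mailbox owner, inherited (database-wide) entries and explicit Deny entries.
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { $_.User.ToString() -ne 'NT AUTHORITY\SELF' -and -not $_.IsInherited -and -not $_.Deny } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Mailbox  = $mbx.PrimarySmtpAddress.ToString()
                Grantee  = $_.User.ToString()
                Type     = 'Mailbox'
                Rights   = [string]::Join(', ', $_.AccessRights)
                Orphaned = ($_.User.ToString() -match '^S-1-5-')   # unresolved SID = account no longer exists
            }
        }

    # Send-As is stored on the AD object, not in the mailbox ACL.
    Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object { $_.ExtendedRights -like '*Send-As*' -and $_.User.ToString() -ne 'NT AUTHORITY\SELF' -and -not $_.IsInherited -and -not $_.Deny } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Mailbox  = $mbx.PrimarySmtpAddress.ToString()
                Grantee  = $_.User.ToString()
                Type     = 'Send-As'
                Rights   = 'Send-As'
                Orphaned = ($_.User.ToString() -match '^S-1-5-')
            }
        }

    # Send on Behalf is a mailbox attribute rather than an ACL entry.
    foreach ($delegate in $mbx.GrantSendOnBehalfTo) {
        New-Object PSObject -Property @{
            Mailbox  = $mbx.PrimarySmtpAddress.ToString()
            Grantee  = $delegate.Name
            Type     = 'SendOnBehalf'
            Rights   = 'Send on Behalf'
            Orphaned = $false
        }
    }
}

# Select-Object fixes the column order (hashtable order is not guaranteed in
# PowerShell 2.0); sorting by grantee answers "what can this person reach?".
$results |
    Select-Object Mailbox, Grantee, Type, Rights, Orphaned |
    Sort-Object Grantee, Mailbox |
    Export-Csv -NoTypeInformation -Path $OutFile

# Quick triage on screen: grants that still point at accounts that no longer exist.
$results | Where-Object { $_.Orphaned } | Format-Table Mailbox, Grantee, Type -AutoSize
```

Like the one-liners in the post, this walks every mailbox and will take a while on a big organization; the Orphaned column is the first thing to clean up, because a grant to a SID that no longer resolves is a permission nobody is reviewing.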