Get-ADPermission Anomaly

 

You may have noticed a discrepancy between the output of Get-ADPermission in Exchange 2007 and Exchange 2010. Specifically, the difference is in the way extended rights are displayed (or rather, not displayed, in the case of 2010).

Below is an example of the output of Get-ReceiveConnector WINGTIP-E2K10\anon | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' | fl from Exchange 2010:

[Screenshot: Get-ADPermission output from Exchange 2010]

The same cmdlet run from Exchange 2007:

[Screenshot: Get-ADPermission output from Exchange 2007]

Note that the Exchange 2007 output lists the actual extended rights the security principal has been granted (e.g. ms-Exch-SMTP-Accept-Any-Recipient), whereas the Exchange 2010 output just shows {ExtendedRight}.

This ‘quirk’ is due to a missing script block in the ‘exchange.format.ps1xml’ file in the bin directory.

This file is loaded every time you click the Exchange PS shortcut. It defines the default output for a specific object type, including which properties are displayed.

To see all the extended rights in Exchange 2010, you have to run the same cmdlet but with the “*” wildcard.

Below you can now see all the extended rights that Exchange 2007 showed:

[Screenshot: Exchange 2010 output with the “*” wildcard, listing the extended rights]
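For auditing, the extended rights can also be selected explicitly so the result does not depend on the default view in exchange.format.ps1xml. The script below is an added example, not part of the original post; it assumes the Exchange Management Shell on PowerShell 2.0 or later, and the AnonymousRelay column name is hypothetical.

```powershell
# Added example: list the extended rights that ANONYMOUS LOGON holds on every
# receive connector, without relying on the default formatting file.
$principal  = 'NT AUTHORITY\ANONYMOUS LOGON'
# Extended right named on this page; it permits submitting mail to any recipient.
$relayRight = 'ms-Exch-SMTP-Accept-Any-Recipient'

Get-ReceiveConnector | ForEach-Object {
    $connector = $_
    # Skip access control entries that carry no extended right.
    $connector | Get-ADPermission -User $principal |
        Where-Object { $_.ExtendedRights } |
        Select-Object `
            @{ Name = 'Connector'; Expression = { $connector.Identity } },
            User, Deny, IsInherited,
            @{ Name = 'ExtendedRights'; Expression = {
                # Convert each entry to its name and join them into one string.
                ($_.ExtendedRights | ForEach-Object { $_.ToString() }) -join ', ' } },
            @{ Name = 'AnonymousRelay'; Expression = {   # hypothetical column name
                [bool]($_.ExtendedRights |
                    Where-Object { $_.ToString() -eq $relayRight }) } }
} | Format-Table -AutoSize -Wrap
```

A row with AnonymousRelay set to True and Deny set to False marks a connector that accepts mail for any recipient from unauthenticated senders, which is worth confirming as intentional.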

Till next time.

Thanks for reading.