Friday, 27 April 2012

Mailbox Permissions - Exchange 2007 / 2010

Today a client requested a method to find out who had access to users' mailboxes. I came up with a quick script to resolve this:

Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission |
    select identity, user, @{name="Access Rights";expression={$_.get_accessrights()}}, isinherited, deny |
    ?{ @('NT AUTHORITY\SELF','DOMAIN\Domain Admins','DOMAIN\Administrator','DOMAIN\Exchange Servers',
         'DOMAIN\Public Folder Management','NT AUTHORITY\SYSTEM','NT AUTHORITY\NETWORK SERVICE',
         'DOMAIN\Delegated Setup','DOMAIN\Organization Management','DOMAIN\Exchange Trusted Subsystem',
         'DOMAIN\Enterprise Admins') -notcontains $_.User }

The main component of the script is the list of users you wish to exclude from the results. I added all the access entries that Exchange adds by default. For me, these were the following accounts:

NT AUTHORITY\SELF
NT AUTHORITY\SYSTEM
NT AUTHORITY\NETWORK SERVICE
DOMAIN\Public Folder Management
DOMAIN\Organization Management
DOMAIN\Exchange Trusted Subsystem
DOMAIN\Exchange Servers
DOMAIN\Enterprise Admins
DOMAIN\Domain Admins
DOMAIN\Delegated Setup
DOMAIN\Administrator

You could then pipe the results to a CSV file using the Export-Csv cmdlet.
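The filter and CSV step described above, written as a reusable function. This is an added example, not the author's script: the function name Select-NonDefaultMailboxPermission, the New-SampleEntry helper, the DOMAIN placeholder, the output file name and the sample entries are all assumptions made for illustration.

```powershell
function Select-NonDefaultMailboxPermission {
    param(
        [Parameter(ValueFromPipeline = $true)] $Entry,
        [string] $Domain = 'DOMAIN'   # assumed NetBIOS domain name; replace with your own
    )
    begin {
        # Default principals from the post's exclusion list.
        $excluded = @('NT AUTHORITY\SELF', 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\NETWORK SERVICE')
        $excluded += 'Public Folder Management', 'Organization Management',
            'Exchange Trusted Subsystem', 'Exchange Servers', 'Enterprise Admins',
            'Domain Admins', 'Delegated Setup', 'Administrator' |
            ForEach-Object { "$Domain\$_" }
    }
    process {
        # Compare on the string form of User; -notcontains is case-insensitive.
        if ($excluded -notcontains [string]$Entry.User) {
            # Flatten each field to text so every CSV column is readable.
            $Entry | Select-Object @{n='Identity';e={[string]$_.Identity}},
                @{n='User';e={[string]$_.User}},
                @{n='AccessRights';e={$_.AccessRights -join ','}},
                IsInherited, Deny
        }
    }
}

# Constructed sample entries (not real data) so the filter runs without Exchange.
function New-SampleEntry($Identity, $User, $Rights, $Inherited) {
    New-Object PSObject -Property @{ Identity = $Identity; User = $User
        AccessRights = $Rights; IsInherited = $Inherited; Deny = $false }
}
$sample = @(
    New-SampleEntry 'example.local/Users/Alice' 'NT AUTHORITY\SELF' @('FullAccess','ReadPermission') $false
    New-SampleEntry 'example.local/Users/Alice' 'DOMAIN\Domain Admins' @('FullAccess') $true
    New-SampleEntry 'example.local/Users/Alice' 'DOMAIN\bob' @('FullAccess') $false
)
$sample | Select-NonDefaultMailboxPermission

# In the Exchange Management Shell, feed it the real permission entries instead:
# Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission |
#     Select-NonDefaultMailboxPermission -Domain 'DOMAIN' |
#     Export-Csv -Path .\MailboxPermissions.csv -NoTypeInformation
```

Review the exclusion list against your own environment before relying on the report, since any principal on it is hidden from the output.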

1 comment:

  1. Hello Friends,

    This is a very nice blog that gives the total information about permissions on a mailbox. When an administrator creates your account, he/she will also create a mailbox with you as the owner of the mailbox, giving you full permissions automatically. This enables you to create an Outlook mail profile so you can start Outlook with your mailbox as the Outlook Today folder and allows you to set permissions for others. Thanks for providing valuable information.....
    Active Directory Compliance