
Find all users who have FullAccess on mailboxes in your Exchange organisation

Lots of organisations hand out mailbox permissions such as “FullAccess”. Most of them can’t remember these permissions when they are not written down. Users do not know why they have access and mostly do not report it, so there are permissions in your Exchange organisation that should not exist.

You can find these (possibly) unwanted permissions with PowerShell and either display them in the console or write them to a text file.

The following PowerShell command gives you an overview of which mailboxes have FullAccess rights assigned and to whom.

# Set this to the NetBIOS name of your domain
$nbdomain = "NetBIOS-DOMAIN"
# List FullAccess entries, leaving out SELF, SYSTEM and the built-in admin and Exchange groups
Get-Mailbox | Get-MailboxPermission | Where-Object {
    ($_.AccessRights -like "*fullaccess*") -and
    -not ($_.User -like "NT AUTHORITY\SELF") -and
    -not ($_.User -like "$nbdomain\Domain Admins") -and
    -not ($_.User -like "$nbdomain\Organisations-Admins") -and
    -not ($_.User -like "$nbdomain\Organization Management") -and
    -not ($_.User -like "$nbdomain\Administrator") -and
    -not ($_.User -like "$nbdomain\Exchange Servers") -and
    -not ($_.User -like "$nbdomain\Exchange Trusted Subsystem") -and
    -not ($_.User -like "nt-autorität\system")
} | ft -AutoSize

The output is easy to read. “Identity” is the mailbox that the FullAccess permission is set on (the mailbox being accessed). The “User” field shows who has access to that mailbox.

If you also want to see the Administrator’s permissions, delete the part of the filter that excludes the administrator.

There is a very similar way to find all “send as” permissions and all “send on behalf” permissions.

Send As permission

Get-Mailbox | Get-ADPermission | where {($_.ExtendedRights -like '*Send*') -and -not ($_.User -like "NT AUTHORITY\SELF")}  | Format-Table -Auto Identity,User,Deny,ExtendedRights

In my case I tested this command in an 80-user environment and it took some time, so be patient. Let PowerShell keep working for you.

Finally, some people want to know where the “send on behalf” permission is set.

Get-Mailbox | Where-Object {$_.GrantSendOnBehalfTo -ne $null} | fl DisplayName,Alias,Identity,GrantSendOnBehalfTo

If you want to check any of these three permissions, you can find them with these “simple” commands in the Exchange PowerShell.

I hope this article helps you find the right information on your Exchange server. Feel free to contact me.
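The three checks above combined into one report and written to a CSV file for review. This is an added example, not code from the original article: the output path, the column names, the New-Row helper and the filter on IsInherited are assumptions, and it assumes PowerShell 3.0 or later in the Exchange Management Shell.

```powershell
# Added example (not from the original article): FullAccess, Send As and
# Send on Behalf grants in one CSV. Run in the Exchange Management Shell.
$nbdomain   = "NetBIOS-DOMAIN"            # placeholder, as in the article
$reportPath = ".\mailbox-permissions.csv" # assumed output path

# Principals to leave out: the same names the article's filter excludes.
$excluded = @(
    "NT AUTHORITY\SELF", "nt-autorität\system",
    "$nbdomain\Domain Admins", "$nbdomain\Organisations-Admins",
    "$nbdomain\Organization Management", "$nbdomain\Administrator",
    "$nbdomain\Exchange Servers", "$nbdomain\Exchange Trusted Subsystem"
)

# Hypothetical helper: one report row with a fixed column order.
function New-Row($Mailbox, $Permission, $GrantedTo, $Deny) {
    [pscustomobject]@{ Mailbox = "$Mailbox"; Permission = $Permission
                       GrantedTo = "$GrantedTo"; Deny = "$Deny" }
}

# -ResultSize Unlimited: Get-Mailbox otherwise stops at 1000 mailboxes.
$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $dn = $mbx.DistinguishedName

    # FullAccess set directly on the mailbox (inherited entries skipped; assumption)
    Get-MailboxPermission -Identity $dn |
        Where-Object { ($_.AccessRights -like "*FullAccess*") -and
                       ($_.IsInherited -eq $false) -and
                       ($excluded -notcontains "$($_.User)") } |
        ForEach-Object { New-Row $mbx.Identity "FullAccess" $_.User $_.Deny }

    # Send As: the "Send-As" extended right on the mailbox's AD object
    Get-ADPermission -Identity $dn |
        Where-Object { ($_.ExtendedRights -like "*Send-As*") -and
                       ($_.IsInherited -eq $false) -and
                       ($excluded -notcontains "$($_.User)") } |
        ForEach-Object { New-Row $mbx.Identity "SendAs" $_.User $_.Deny }

    # Send on Behalf: stored on the mailbox itself, one row per delegate
    foreach ($delegate in $mbx.GrantSendOnBehalfTo) {
        New-Row $mbx.Identity "SendOnBehalf" $delegate ""
    }
}

$report | Sort-Object Mailbox, Permission |
    Export-Csv -Path $reportPath -NoTypeInformation -Encoding UTF8
"{0} entries written to {1}" -f @($report).Count, $reportPath
```

Keeping the CSV from each run and comparing it with the previous one shows which grants were added or removed in between.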

Have fun.
