Find out all users who have fullaccess on mailboxes inside your exchange organisation

The estimated reading time 2 minutes

Find out all users who have fullaccess on mailboxes inside your exchange organisation

Lot’s of organisations distribute permissions on mailboxes like “fullaccess”. Most of them can’t remember these permissions when their are not written down. Users do not know why they have access and mostly do not report it, so there are permissions on your exchange organisation that should not exist.

You can figure out these (maybe) unwanted permissions via powershell, display it in console or write them to a text file.

The following powershell command gives you an overview which mailbox assigned fullaccess rights.

$nbdomain = "NetBIOS-DOMAIN"
Get-Mailbox | Get-mailboxPermission | Where-Object { ($_.accessRights -like "*fullaccess*") -and -not ($_.User -like "NT AUTHORITY\SELF") -and -not ($_.User -like "$nbdomain\Domain Admins")-and -not ($_.User -like "$nbdomain\Organisations-Admins") -and -not ($_.User -like "$nbdomain\Organization Management") -and -not ($_.User -like "$nbdomain\Administrator") -and -not ($_.User -like "$nbdomain\Exchange Servers") -and -not ($_.User -like "$nbdomain\Exchange Trusted Subsystem") -and -not ($_.User -like "nt-autorität\system")} | ft -AutoSize

You can read the output quite simple. Identity is the mailbox which holds the fullaccess (to be accessed). The field “User” shows the mailbox who has access to the mailbox (identity)

If you want to see also Administrator permission you can delete the part with the administrator.

there is a nearly similar way to find out all “send as” permission and also “send on behalf” permission

send as permission

Get-Mailbox | Get-ADPermission | where {($_.ExtendedRights -like '*Send*') -and -not ($_.User -like "NT AUTHORITY\SELF")}  | Format-Table -Auto Identity,User,Deny,ExtendedRights

In my case I tested this command in a 80 User environment and it took some time, so be patient. Keep the powershell working for you.

At least some people want to know where permission “send on behalf” is set.

Get-Mailbox | Where-Object {$_.GrantSendOnBehalfTo -ne $null} | fl DisplayName,Alias,Identity,GrantSendOnBehalfTo

If you want to know one of these three permission you can find them with this “simple” commands in exchange powershell.

Hope this article is helpful for finding the right information on yout exchange server. Feel free for contacting me.

Have fun.

Print Friendly, PDF & Email
  • Was this Helpful ?
  • yes   no
0 0 votes
Article Rating
Subscribe
Notify of
guest
7 Comments
Newest
Oldest Most Voted
Inline Feedbacks
View all comments
Ferry
Ferry
1 year ago

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn $D = “NT4DOMAINNAME” $ExcludeAccounts = @( “$D\Delegated Setup” “$D\Domain Admins” “$D\Enterprise Admins” “$D\Exchange Domain Servers” “$D\Exchange Servers” “$D\Exchange Services” “$D\Exchange Trusted Subsystem” “$D\Managed Availability Servers” “$D\Organization Management” “$D\Public Folder Management” “NT AUTHORITY\NETWORK SERVICE” “NT AUTHORITY\SELF” “NT AUTHORITY\SYSTEM” ) Get-Mailbox | Get-Mailboxpermission | ? {$_.User -notin $ExcludeAccounts}

trackback
1 year ago

[…] you saw my old blogpost about finding Full Access Permissions on Exchange OnPrem and found it useful? But now we have 2021 […]

Lee
Lee
1 year ago

is there a way to get the output to a readable file? I tried adding the export command to a CSV file, but it didnt work….

Noël
Reply to  A.K.
1 year ago

Your comment is 9 months ago, but your script is the only thing that is giving me what i want. Except for the Export-CSV function.

I got the top script, which is giving me a list with what i want. When i add:
| Export-CSV C:\Mailboxtext.csv

I get an output which is not right

Ferry
Ferry
Reply to  Noël
1 year ago

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn $D = “NT4DOMAIN” $ExcludeAccounts = @( “$D\Delegated Setup” “$D\Domain Admins” “$D\Enterprise Admins” “$D\Exchange Domain Servers” “$D\Exchange Servers” “$D\Exchange Services” “$D\Exchange Trusted Subsystem” “$D\Managed Availability Servers” “$D\Organization Management” “$D\Public Folder Management” “NT AUTHORITY\NETWORK SERVICE” “NT AUTHORITY\SELF” “NT AUTHORITY\SYSTEM” ) Get-Mailbox -ResultSize Unlimited | Get-Mailboxpermission | ? {$_.User -notin $ExcludeAccounts} | Sort-Object -Property Identity | Select Identity,User,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-CSV -Path “C:\Report.csv” -NoTypeInformation

Ferry
Ferry
Reply to  Noël
1 year ago

Only $50 for you 😉

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn

$D = "NT4DOMAIN"            
$ExcludeAccounts = @(
  "$D\Delegated Setup"
  "$D\Domain Admins"
  "$D\Enterprise Admins"
  "$D\Exchange Domain Servers"
  "$D\Exchange Servers"
  "$D\Exchange Services"
  "$D\Exchange Trusted Subsystem"
  "$D\Managed Availability Servers"
  "$D\Organization Management"
  "$D\Public Folder Management"
  "NT AUTHORITY\NETWORK SERVICE"
  "NT AUTHORITY\SELF"
  "NT AUTHORITY\SYSTEM"
)

Get-Mailbox -ResultSize Unlimited | Get-Mailboxpermission | ? {$_.User -notin $ExcludeAccounts} | Sort-Object -Property Identity | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-CSV -Path "C:\Report.csv" -NoTypeInformation