Find out all users who have fullaccess on mailboxes inside your exchange organisation


Lots of organisations hand out mailbox permissions such as “fullaccess”. Most of them can’t remember these permissions when they are not written down. Users do not know why they have access and mostly do not report it, so there are permissions in your Exchange organisation that should not exist.

You can find these (possibly unwanted) permissions with PowerShell and either display them in the console or write them to a text file.

The following PowerShell command gives you an overview of which mailboxes have fullaccess rights assigned.

# NetBIOS name of your domain; used to filter out the default admin and system accounts
$nbdomain = "NetBIOS-DOMAIN"
Get-Mailbox | Get-MailboxPermission | Where-Object {
    ($_.AccessRights -like "*fullaccess*") -and
    -not ($_.User -like "NT AUTHORITY\SELF") -and
    -not ($_.User -like "$nbdomain\Domain Admins") -and
    -not ($_.User -like "$nbdomain\Organisations-Admins") -and
    -not ($_.User -like "$nbdomain\Organization Management") -and
    -not ($_.User -like "$nbdomain\Administrator") -and
    -not ($_.User -like "$nbdomain\Exchange Servers") -and
    -not ($_.User -like "$nbdomain\Exchange Trusted Subsystem") -and
    -not ($_.User -like "nt-autorität\system")   # German-localized name of NT AUTHORITY\SYSTEM
} | ft -AutoSize

The output is easy to read. “Identity” is the mailbox that is being accessed. The field “User” shows the account that has fullaccess on that mailbox (Identity).

If you also want to see the administrator permissions, delete the corresponding administrator exclusions from the filter.

There is a very similar way to find all “send as” and “send on behalf” permissions.

Send as permission

Get-Mailbox | Get-ADPermission | where {($_.ExtendedRights -like '*Send*') -and -not ($_.User -like "NT AUTHORITY\SELF")}  | Format-Table -Auto Identity,User,Deny,ExtendedRights

In my case I tested this command in an 80-user environment and it took some time, so be patient and let PowerShell do the work for you.

Finally, some people want to know where the “send on behalf” permission is set.

Get-Mailbox | Where-Object {$_.GrantSendOnBehalfTo -ne $null} | fl DisplayName,Alias,Identity,GrantSendOnBehalfTo

If you want to check any of these three permissions, you can find them with these “simple” commands in the Exchange PowerShell.
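The three checks above can be combined into a single delegation report. The following is an added example, not part of the original post: the output path, the helper name New-GrantRow and the choice to skip inherited and deny entries are assumptions of this example, and the exclusion list reuses the article's placeholder domain.

```powershell
# Added example: FullAccess, Send As and Send on Behalf in one CSV.
# Run in the on-premises Exchange Management Shell.
$nbdomain   = "NetBIOS-DOMAIN"            # placeholder, as in the article
$reportPath = "C:\MailboxDelegation.csv"  # assumed output path
$exclude = @(
    "NT AUTHORITY\SELF"
    "NT AUTHORITY\SYSTEM"
    "$nbdomain\Domain Admins"
    "$nbdomain\Organization Management"
    "$nbdomain\Administrator"
    "$nbdomain\Exchange Servers"
    "$nbdomain\Exchange Trusted Subsystem"
)

# Helper (hypothetical name): one flat row per grant, strings only, so the CSV stays readable
function New-GrantRow($Mailbox, $Grantee, $Permission) {
    [pscustomobject]@{
        Mailbox    = [string]$Mailbox
        Grantee    = [string]$Grantee
        Permission = $Permission
    }
}

$rows = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # FullAccess set directly on the mailbox (inherited and deny entries skipped)
    Get-MailboxPermission -Identity $mbx.DistinguishedName |
        Where-Object { ($_.AccessRights -like "*FullAccess*") -and
                       (-not $_.IsInherited) -and (-not $_.Deny) -and
                       ($exclude -notcontains [string]$_.User) } |
        ForEach-Object { New-GrantRow $mbx.Identity $_.User "FullAccess" }

    # Send As is an Active Directory extended right on the mailbox's user object
    Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object { ($_.ExtendedRights -like "*Send*") -and
                       (-not $_.IsInherited) -and (-not $_.Deny) -and
                       ($exclude -notcontains [string]$_.User) } |
        ForEach-Object { New-GrantRow $mbx.Identity $_.User "SendAs" }

    # Send on Behalf is stored on the mailbox itself
    foreach ($delegate in $mbx.GrantSendOnBehalfTo) {
        New-GrantRow $mbx.Identity $delegate "SendOnBehalf"
    }
}

$rows | Sort-Object Mailbox, Permission, Grantee |
    Export-Csv -Path $reportPath -NoTypeInformation
```

Keeping the CSV from each run and comparing it with the previous one shows which grants were added since the last review.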

Hope this article is helpful for finding the right information on your Exchange server. Feel free to contact me.

Have fun.

7 Comments
Ferry
3 years ago

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn

$D = "NT4DOMAINNAME"
$ExcludeAccounts = @(
  "$D\Delegated Setup"
  "$D\Domain Admins"
  "$D\Enterprise Admins"
  "$D\Exchange Domain Servers"
  "$D\Exchange Servers"
  "$D\Exchange Services"
  "$D\Exchange Trusted Subsystem"
  "$D\Managed Availability Servers"
  "$D\Organization Management"
  "$D\Public Folder Management"
  "NT AUTHORITY\NETWORK SERVICE"
  "NT AUTHORITY\SELF"
  "NT AUTHORITY\SYSTEM"
)

Get-Mailbox | Get-Mailboxpermission | ? {$_.User -notin $ExcludeAccounts}

trackback
3 years ago

[…] you saw my old blogpost about finding Full Access Permissions on Exchange OnPrem and found it useful? But now we have 2021 […]

Lee
4 years ago

Is there a way to get the output to a readable file? I tried adding the export command to a CSV file, but it didn't work….

Noël
Reply to  A.K.
3 years ago

Your comment is from 9 months ago, but your script is the only thing that is giving me what I want. Except for the Export-CSV function.

I got the top script, which is giving me a list with what I want. When I add:
| Export-CSV C:\Mailboxtext.csv

I get an output which is not right.

Ferry
Reply to  Noël
3 years ago

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn

$D = "NT4DOMAIN"
$ExcludeAccounts = @(
  "$D\Delegated Setup"
  "$D\Domain Admins"
  "$D\Enterprise Admins"
  "$D\Exchange Domain Servers"
  "$D\Exchange Servers"
  "$D\Exchange Services"
  "$D\Exchange Trusted Subsystem"
  "$D\Managed Availability Servers"
  "$D\Organization Management"
  "$D\Public Folder Management"
  "NT AUTHORITY\NETWORK SERVICE"
  "NT AUTHORITY\SELF"
  "NT AUTHORITY\SYSTEM"
)

Get-Mailbox -ResultSize Unlimited | Get-Mailboxpermission | ? {$_.User -notin $ExcludeAccounts} | Sort-Object -Property Identity | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-CSV -Path "C:\Report.csv" -NoTypeInformation

Ferry
Reply to  Noël
3 years ago

Only $50 for you 😉

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn

$D = "NT4DOMAIN"            
$ExcludeAccounts = @(
  "$D\Delegated Setup"
  "$D\Domain Admins"
  "$D\Enterprise Admins"
  "$D\Exchange Domain Servers"
  "$D\Exchange Servers"
  "$D\Exchange Services"
  "$D\Exchange Trusted Subsystem"
  "$D\Managed Availability Servers"
  "$D\Organization Management"
  "$D\Public Folder Management"
  "NT AUTHORITY\NETWORK SERVICE"
  "NT AUTHORITY\SELF"
  "NT AUTHORITY\SYSTEM"
)

Get-Mailbox -ResultSize Unlimited | Get-Mailboxpermission | ? {$_.User -notin $ExcludeAccounts} | Sort-Object -Property Identity | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-CSV -Path "C:\Report.csv" -NoTypeInformation