In mid-March, I received an email from a reader (Sebastian) asking whether it was possible to read out all Full Access permissions and then enrich this information with additional details. Specifically, it was about the department: the mailbox, the authorized user, and the department of the authorized user should be written to a CSV file.
We exchanged several emails back and forth until we had the final solution. I would now like to share this solution on my blog for everyone.
```powershell
##exonline:
$csvpath = "C:\temp\2024-05-29-fullaccess-exon.csv"
$mbs = Get-Mailbox -ResultSize 5000 | Where-Object { !($_.Name -match "DiscoverySearchMail") } | Sort-Object Name
"Mailbox;Mailboxtype;Department;FullAccessUser;Permissions;DepartmentFullAccessUser;IsInherited" | Out-File -FilePath $csvpath -Encoding utf8 -Append
foreach ($mb in $mbs) {
    $email = ($mb).PrimarySmtpAddress
    $type = ($mb).RecipientTypeDetails
    $permissions = Get-MailboxPermission -Identity $email | Where-Object { ($_.AccessRights -like "*fullaccess*") -and -not ($_.User -like "NT AUTHORITY\SELF") }
    if ($permissions) {
        $userinfo = $email | Get-User   # owner of the mailbox
        $dep1 = ($userinfo).Department
        Write-Host "User: $email , mailboxtype: $type, Department: $dep1"
        foreach ($perm in $permissions) {
            $user = ($perm).User

            $fullaccuser = $user | Get-User   # user who holds the Full Access permission
            $dep2 = ($fullaccuser).Department

            $accessright = $perm | Select-Object accessRights -ExpandProperty accessrights
            $isinherited = ($perm).IsInherited

            "$email;$type;$dep1;$user;$accessright;$dep2;$isinherited" | Out-File -FilePath $csvpath -Encoding utf8 -Append
        }
    }
}
```
With a few small adjustments, additional information can also be read out and added to the CSV table.
The CSV will then look as follows:
The script should normally also work on an on-premises Exchange Server, but I haven’t been able to verify this so far. You might want to give it a try.
As mentioned, further information can be added relatively easily.
For this, we can take a closer look at the variable $fullaccuser.
```powershell
#user who has permissions
#line 16
$fullaccuser | Format-List

#mailbox which owns delegation
#line 10
$userinfo | Format-List
```
Any of these object properties can then be stored in an additional variable, for example:
```powershell
#line 16
$fullaccuser = $user | Get-User
$dep2 = ($fullaccuser).Department
$city = ($fullaccuser).City
```
So that this information can be assigned meaningfully in the CSV, the CSV header must also be extended with a column for the “City” attribute:
```powershell
#line 4
"Mailbox;Mailboxtype;Department;FullAccessUser;Permissions;DepartmentFullAccessUser;CityFullAccessUser;IsInherited" | Out-File -FilePath $csvpath -Encoding utf8 -Append

#line 22
"$email;$type;$dep1;$user;$accessright;$dep2;$city;$isinherited" | Out-File -FilePath $csvpath -Encoding utf8 -Append
```
```powershell
##exonline:
$csvpath = "C:\temp\2024-05-29-fullaccess-exon.csv"
$mbs = Get-Mailbox -ResultSize 5000 | Where-Object { !($_.Name -match "DiscoverySearchMail") } | Sort-Object Name
"Mailbox;Mailboxtype;Department;FullAccessUser;Permissions;DepartmentFullAccessUser;CityFullAccessUser;IsInherited" | Out-File -FilePath $csvpath -Encoding utf8 -Append
foreach ($mb in $mbs) {
    $email = ($mb).PrimarySmtpAddress
    $type = ($mb).RecipientTypeDetails
    $permissions = Get-MailboxPermission -Identity $email | Where-Object { ($_.AccessRights -like "*fullaccess*") -and -not ($_.User -like "NT AUTHORITY\SELF") }
    if ($permissions) {
        $userinfo = $email | Get-User   # owner of the mailbox
        $dep1 = ($userinfo).Department
        Write-Host "User: $email , mailboxtype: $type, Department: $dep1"
        foreach ($perm in $permissions) {
            $user = ($perm).User

            $fullaccuser = $user | Get-User   # user who holds the Full Access permission
            $dep2 = ($fullaccuser).Department
            $city = ($fullaccuser).City       # additional attribute for the new CSV column

            $accessright = $perm | Select-Object accessRights -ExpandProperty accessrights
            $isinherited = ($perm).IsInherited

            "$email;$type;$dep1;$user;$accessright;$dep2;$city;$isinherited" | Out-File -FilePath $csvpath -Encoding utf8 -Append
        }
    }
}
```
Above is the complete script with the city as an additional column in the CSV.
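Once the CSV exists, it can feed an access review. The following is an added example, not part of the original script: it flags explicit (non-inherited) Full Access grants where the delegate's department differs from the mailbox's department or is empty. The sample rows, the `contoso.example` addresses and the function name `Get-FullAccessFinding` are constructed for illustration.

```powershell
# Added example: review the exported CSV for explicit cross-department grants.
# Constructed sample rows in the column layout written by the script above.
$sample = @'
Mailbox;Mailboxtype;Department;FullAccessUser;Permissions;DepartmentFullAccessUser;CityFullAccessUser;IsInherited
hr-shared@contoso.example;SharedMailbox;HR;anna@contoso.example;FullAccess;HR;Berlin;False
hr-shared@contoso.example;SharedMailbox;HR;tom@contoso.example;FullAccess;Sales;Munich;False
ceo@contoso.example;UserMailbox;Management;tom@contoso.example;FullAccess;Sales;Munich;False
ceo@contoso.example;UserMailbox;Management;Organization Management;FullAccess;;;True
info@contoso.example;SharedMailbox;;S-1-5-21-0-0-0-1234;FullAccess;;;False
'@

function Get-FullAccessFinding {
    param([Parameter(Mandatory)][object[]]$Rows)
    foreach ($row in $Rows) {
        # CSV fields are always strings, so IsInherited is compared as text.
        if ($row.IsInherited -eq 'True') { continue }   # skip inherited entries
        $reason = if ([string]::IsNullOrWhiteSpace($row.DepartmentFullAccessUser)) {
            # No department was exported for the delegate (assumed causes:
            # a group, an unresolved SID, or an account without the attribute).
            'DelegateDepartmentUnknown'
        } elseif ($row.Department -ne $row.DepartmentFullAccessUser) {
            'CrossDepartment'
        } else { $null }
        if ($reason) {
            [pscustomobject]@{
                Mailbox  = $row.Mailbox
                Delegate = $row.FullAccessUser
                Reason   = $reason
            }
        }
    }
}

$rows = $sample | ConvertFrom-Csv -Delimiter ';'
# For a real export use: $rows = Import-Csv -Path $csvpath -Delimiter ';'
Get-FullAccessFinding -Rows $rows | Format-Table -AutoSize

# Delegates holding explicit Full Access on more than one mailbox
$rows | Where-Object IsInherited -eq 'False' |
    Group-Object FullAccessUser | Where-Object Count -gt 1 |
    Select-Object Name, Count
```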
If you have any questions, feel free to leave a comment. If you liked the article, please leave me a “Helpful” or a comment.
Good luck with reading the data.