Export All Exchange Mailboxes with Send-As, Full Access & Send-On-Behalf-Of Permissions

There are many times when I need to get a list of all mailboxes that have full control or Send-As permissions assigned to them. In an organization with hundreds or thousands of mailboxes, using the console is not intuitive and sometimes you have to run multiple PowerShell scripts to get the results you need.

I created the script below to help with this. The script will:

  1. Export a list of ALL mailboxes in your Exchange organization
  2. dump all users who have full access to the mailbox
  3. dump all users who have send-as permission to the mailbox
  4. dump all users who have send-on-behalf-of permission to the mailbox

The script will create a TXT file but if you open it in using Excel, you can put the data into columns by using the character caret “^” symbol as the delimiter.

You will still need to do some formatting of the spreadsheet to properly separate the permissions column so that you can read the user list – will continue working on updating the script to better view the results.

Copy the contents below into Notepad and save it as a .PS1 file.

===========================SCRIPT START====================================

$OutFile = “C:\Permissions\Exported_List_of_ALL_Access_Permissions.txt”
“DisplayName” + “^” + “Email Address” + “^” + “Full Access” + “^” + “Send As” + “^” + “Send On Behalf Of” | Out-File $OutFile -Force
 
$Mailboxes = Get-Mailbox -resultsize unlimited | Select Identity, Alias, DisplayName, DistinguishedName, WindowsEmailAddress
ForEach ($Mailbox in $Mailboxes) {
#$SendOnBehalfOf = Get-mailbox $Mailbox.identity | select Alias, @{Name=’GrantSendOnBehalfTo’;Expression={[string]::join(“;”, ($_.GrantSendOnBehalfTo))}}

$SendOnBehalfOf = Get-mailbox $Mailbox.identity | % {$_.GrantSendOnBehalfTo}

$SendAs = Get-ADPermission $Mailbox.identity | where {($_.ExtendedRights -like “*Send-As*”) -and -not ($_.User -like “NT AUTHORITY\SELF”) -and -not ($_.User -like “s-1-5-21*”)} | % {$_.User}

#$FullAccess = Get-MailboxPermission $Mailbox.Identity | ? {$_.AccessRights -eq “FullAccess” -and !$_.IsInherited} | % {$_.User}
 
$FullAccess = Get-MailboxPermission $Mailbox.Identity | ?{($_.IsInherited -eq $False) -and -not ($_.User -match “NT AUTHORITY”)} |Select User,Identity,@{Name=”AccessRights”;Expression={$_.AccessRights}} | % {$_.User}

$Mailbox.DisplayName + “^” + $Mailbox.WindowsEmailAddress + “^” + $FullAccess + “^” + $SendAs + “^” + $SendOnBehalfOf  | Out-File $OutFile -Append    }

===========================SCRIPT END====================================

Advertisements

Inter-Org Exchange Migration using PST Files

Exchange migrations are relatively straight forward – you install new Exchange servers in the Exchange organization, configure them and them move Exchange recipients to the new server. But this is assuming you are migrating with the same network, Active Directory forest or Exchange organizations.

What about when you want to migrate between Active Directory forests? Well the simplest and most direct way would be to setup a trust relationship between the forests for the two Exchange organizations may communicate with each other.

What if a trust relationship CANNOT be established due to security restrictions, network boundaries or some other reason? Well the only other option would be to use PST files.

Using PST files to do a migration has its limitations – main one being that calendar entries are broken when importing a PST file into another organization. This is because the x.500 address is unique in each organization and this is what is used when a calendar entry is created. Obviously there are other issues you need to worry about as well such as:

  • Replying to imported emails – when replying to an imported email from another member of the same organization, make sure the user exists in the address book before replying otherwise you will receive an NDR
  • Replying to a Distribution Group – Make sure the DL has been recreated in the new organization otherwise an NDR will be generated.

This blog talks about migrating an Exchange organization into another organization using PST files. Before we begin the steps taken, here are the prerequisites to this migration.

Prerequisites

Assuming that we are migrating from an Exchange organization called EXORG to another called EXNEW (wish same forest names). We are also assuming that the users will maintain their original email addresses.

  1. User accounts for all mailboxes to be migrated from EXORG must be created in the EXNEW forest. If possible, place all the users in the same OU.
  2. Create a new accepted domain for their original SMTP domain (exorg.com) and make it as an external relay domain.
  3. Create an Email address policy that assigns the SMTP address format %g.%s@exorg.com to all recipients in the OU where the users were created.
  4. Create mailboxes for these users ahead of time (you can have them hidden from the address book to avoid users sending emails to them. Also you can assign fake email addresses to the mailboxes so that valid emails from users in the EXNEW organization don’t send messages to these mailboxes).

At this point, the MX record still points to the original organization. The plan is to do the export to PST in 2 phases:

  • Phase one would be to export the bulk of the historic data from the mailboxes. The mailbox content will be exported to a certain date (for example June 30th 2015) and depending on the size of the mailboxes and the number of users, this may take some time to complete the export.
  • This will give you enough time to complete the export AND the import of this data into the empty mailboxes.
  • Phase two would be performed just before the cutover to EXNEW and would involve running another export but this time we would export everything from the last export (for example July 1st 2015) to the present. This should not take long to complete as the amount of data would be very little.

So let’s get into this!

Exporting Distribution Groups and their Members

This would be a task you need to perform only once as distribution groups hardly change.

  1. Export Distribution groups and members from EXORG environment
    1. Create a folder on the root of C:\ drive called DLS
    2. Using Notepad, create a script called EXORGDLs.PS1 and save it in the C:\DLs folder. This script will be used to export a list of all distribution groups with their unique identity (Update the script to contain the proper folder and file names for the CSV file export):

$DL = Get-distributiongroup –resultsize unlimited

$Groups = @()

Foreach ($D in $DL) {

$Groups += Get-distributiongroup –identity $D | Select DisplayName, Alias, Name, SamAccountName}

$Groups | export-csv Drive:\folderpath\FILENAME.csv -NoTypeInformation

This script will export all the distribution groups from the EXORG environment with the following attributes and their values – these will be used to create the Distribution groups in the EXNEW environment:

    • DisplayName
    • Alias
    • Name
    • SamAccountName
    1. Using Notepad, create a script called DLMembers.PS1 and save it in the C:\DLS\Members folder (a subfolder named Members must be created). The content of the script will be as follows:
    2. This script will export all the distribution group names with their members (Update the script to contain the proper folder and file names for the CSV file export).

$DL = Get-DistributionGroup –resultsize unlimited

$Output =@()

Foreach ($D in $DL) {

$Members = Get-DistributionGroupMember $D.name -resultsize unlimited

$Total = $Members.Count

$RemoveNull = $Total-1

For($i=0;$i -le $RemoveNull;$i++)

{

$userObj = New-Object PSObject

$userObj | Add-Member NoteProperty -Name “DisplayName” -Value $members[$i].Name

$userObj | Add-Member NoteProperty -Name “Alias” -Value $members[$i].Alias

$userObj | Add-Member NoteProperty -Name “Distribution Group” -Value $D.Name

$userObj | Add-Member NoteProperty -Name “Distribution Group Primary SMTP address” -Value $D.PrimarySmtpAddress

$output += $UserObj

}

$output | Export-csv -Path Drive:\folderpath\FILENAME.csv -NoTypeInformation

}

  1. Copy the C:\DLs folder to the primary exchange server at EXNEW and paste it in the same path.
  2. Create a new script in the C:\DLs folder of EXNEW Exchange called CreateEXORGDLs.PS1 using Notepad with the following content:
  3. This script will create new mail-enabled universal distribution groups in EXNEW in a predetermined OU and add the necessary members to the groups. Before running the script, update it with the proper OU path and folder\file path for the CSV file. This file was obtained in step 5-b earlier.

Write-host ”  “

Write-host “

This script will create all EXORG Distribution groups in an OU named ” Domain.com/OU-Path” in the EXNEW Active Directory”

$OU = “Domain.com/OU-Path”

$content = import-csv Drive:\folderpath\FILENAME.csv | foreach {

$Name = $_.”Name”

New-DistributionGroup -Name $_.”Name” -Alias $_.”Alias” -DisplayName $_.”DisplayName” -SAMAccountName $_.”SAMAccountName” -OrganizationalUnit $OU -Type Distribution

Write-host $Name ” DL has been created successfully”-foregroundcolor green

}

The format of the CSV file will contain columns with the following headings:

DisplayName Alias Name SamAccountName
  1. Once the groups have been created in Active Directory from the previous step, next is to add the members to the group. Previously in Step 5-c, the members of the groups were successfully exported to a CSV file. This file will be used to populate the group membership.
  2. On the EXNEW Exchange production server, create a new script named AddDLMembers.PS1 with the following content. Please update the content of this script before running it:

Write-host ”  “

Write-host “

This script will add the members to the distribution groups”

$content = import-csv Drive:\folderpath\FILENAME.csv | foreach {

$Alias = $_.”Alias”

$DL = $_.”Distribution group”

Add-DistributionGroupMember -Identity $DL -member $Alias

Write-host $Alias ” has been successfully added to the distribution group ” $DL -foregroundcolor blue

}

 

Steps required to export data from EXORG environment

  1. Assign a selected active directory group in EXORG the proper permissions to be able to import/export data from mailboxes to PST from Exchange Management Shell using the following command:
  2. New-ManagementRoleAssignment Role “Mailbox Import Export” –SecurityGroup “GroupName”
  3. Log onto Exchange 2010 as one of the users who is a member of the group
  4. Create a network shared folder.
    1. To export a mailbox or archive, you must first create a network shared folder.
    2. You need to grant read/write permission to the Import/export group  and the Exchange Trusted Subsystem group to the network share where you’ll export or import mailboxes
  5. Create a mailbox export request in Exchange.
    • A mailbox export request is a process of exporting mailbox or archive data to a PST file.
    • You can create more than one mailbox export request per mailbox, and each request must have a unique name. Microsoft Exchange automatically generates up to 10 unique names for a mailbox.
    • To create more than 10 export requests for a mailbox, you must specify a unique name when you create the request.
    • Although you can create multiple export requests per mailbox at one time, you can create only one request at a time per PST file. This is because the PST file is locked as in-use when the request begins to run.
    1. Open the Exchange Management Shell and run the following command to export mailbox content from a user’s primary mailbox to a PST using the following command:
    2. New-MailboxExportRequest -Mailbox UserName -FilePath \\Server\FileShare\FileName.PST

Run the following command to export mailbox content from a user’s archive mailbox to a PST:

New-MailboxExportRequest -Mailbox UserName -IsArchive –FilePath \\Server\FileShare\FileName_Archive.PST

  1. Open Notepad and paste the following script to be used to bulk export mailbox data for ALL mailboxes in the environment.
  2. Please note that the proper server name and shared folder path must be updated.

$Users = get-mailbox

foreach ($u in $users) {

$Batchname = “$u PrimaryExport”

$ArchiveName = “$U ArchiveExport”

new-mailboxexportrequest -batchname $Batchname -mailbox $U -filepath “\\SERVERNAME\SHARED_FOLDER\$U.pst”

write-host “Export of $U primary mailbox has begun”

 get-mailbox $U | where {$_.archivedatabase -ne $Null}

new-mailboxexportrequest -batchname $Archivename -mailbox $U -isarchive -filepath “\\ SERVERNAME\SHARED_FOLDER\$U-Archive.pst”

}

  1. In order to export the delta changes, copy the following script into a Notepad.

$Users = get-mailbox

foreach ($u in $users) {

 $Batchname = “$u PrimaryExport”

$ArchiveName = “$U ArchiveExport”

 new-mailboxexportrequest -batchname $Batchname -mailbox $U -filepath “\\ SERVERNAME\SHARED_FOLDER\$U.pst” -ContentFilter {(Received -ge ’07/01/2015′) -and (sent -ge ’07/01/2015′)}

write-host “Export of $U primary mailbox has begun”

}


 

Steps required to import data into EXNEW Environment

  1. Assign a selected active directory group in EXNEW the proper permissions to be able to import/export data from mailboxes to PST from Exchange Management Shell using the following command:
  2. New-ManagementRoleAssignment Role “Mailbox Import Export” –SecurityGroup “GroupName”
  3. Log onto the exchange server that will be used to import the PST data into the mailboxes as a member of the group
  4. Create a mailbox import request in Exchange
    1. You can create more than one mailbox import request per mailbox and each mailbox import request must have a unique name.
    2. Microsoft Exchange automatically generates up to 10 unique names for a mailbox import request. However, to create more than 10 import requests for a mailbox, you need to specify a unique name when creating the import request
    3. By default, the import checks for duplication of items and doesn’t copy the data from the PST file into the mailbox or archive if a matching item exists in the target mailbox or target archive
  1. Using the Exchange Management Shell, run the following command to import the contents of the PST back into an existing mailbox:

New-MailboxImportRequest MailboxName -FilePath \\server\Fileshare\FileName.pst

Run the following command to import PST content into an archive mailbox:

New-MailboxImportRequest MailboxName -IsArchive –FilePath  \\server\Fileshare\FileName_Archive.pst

Final Cutover Procedure

On the day of the Cutover, the following steps need to be taken in the EXNEW Exchange Environment:

  1. Prepare EXNEW to accept mail for EXORG domains
    1. In the EXNEW Exchange Administrative Center, change the accepted domain for EXORG.com to be authoritative
    2. Manually update each mailbox to have the proper email address of EXORG.COM
    3. Configure EXNEW SMTP gateway to accept mail for EXORG.COM domain forwarded to EXNEW`s exchange environment
    4. Change the MX record for  EXORG.COM to point to the EXNEW exchange environment (SMTP Gateway)
    5. At this point, any new mail generated externally destined to an EXORG recipient will be delivered to their new mailboxes at EXNEW.
  2. Prepare EXORG environment for cutover
    1. Change the  EXORG.COM accepted domains from authoritative to External Relay
    2. Reconfigure all mobile devices (BlackBerry and/or ActiveSync) to use EXNEW’s BES and ActiveSync settings
    3. Reconfigure Outlook profiles to connect to EXNEW’s Exchange environment for mail access
    4. Run a delta export of the mailboxes from EXORG exchange environment to copy data updated since the initial export
  3. Import the PST containing delta changes into the mailbox at EXNEW