Export All Exchange Mailboxes with Send-As, Full Access & Send-On-Behalf-Of Permissions

There are many times when I need to get a list of all mailboxes that have full control or Send-As permissions assigned to them. In an organization with hundreds or thousands of mailboxes, using the console is not intuitive and sometimes you have to run multiple PowerShell scripts to get the results you need.

I created the script below to help with this. The script will:

  1. Export a list of ALL mailboxes in your Exchange organization
  2. dump all users who have full access to the mailbox
  3. dump all users who have send-as permission to the mailbox
  4. dump all users who have send-on-behalf-of permission to the mailbox

The script will create a TXT file but if you open it in using Excel, you can put the data into columns by using the character caret “^” symbol as the delimiter.

You will still need to do some formatting of the spreadsheet to properly separate the permissions column so that you can read the user list – will continue working on updating the script to better view the results.

Copy the contents below into Notepad and save it as a .PS1 file.

===========================SCRIPT START====================================

$OutFile = “C:\Permissions\Exported_List_of_ALL_Access_Permissions.txt”
“DisplayName” + “^” + “Email Address” + “^” + “Full Access” + “^” + “Send As” + “^” + “Send On Behalf Of” | Out-File $OutFile -Force
 
$Mailboxes = Get-Mailbox -resultsize unlimited | Select Identity, Alias, DisplayName, DistinguishedName, WindowsEmailAddress
ForEach ($Mailbox in $Mailboxes) {
#$SendOnBehalfOf = Get-mailbox $Mailbox.identity | select Alias, @{Name=’GrantSendOnBehalfTo’;Expression={[string]::join(“;”, ($_.GrantSendOnBehalfTo))}}

$SendOnBehalfOf = Get-mailbox $Mailbox.identity | % {$_.GrantSendOnBehalfTo}

$SendAs = Get-ADPermission $Mailbox.identity | where {($_.ExtendedRights -like “*Send-As*”) -and -not ($_.User -like “NT AUTHORITY\SELF”) -and -not ($_.User -like “s-1-5-21*”)} | % {$_.User}

#$FullAccess = Get-MailboxPermission $Mailbox.Identity | ? {$_.AccessRights -eq “FullAccess” -and !$_.IsInherited} | % {$_.User}
 
$FullAccess = Get-MailboxPermission $Mailbox.Identity | ?{($_.IsInherited -eq $False) -and -not ($_.User -match “NT AUTHORITY”)} |Select User,Identity,@{Name=”AccessRights”;Expression={$_.AccessRights}} | % {$_.User}

$Mailbox.DisplayName + “^” + $Mailbox.WindowsEmailAddress + “^” + $FullAccess + “^” + $SendAs + “^” + $SendOnBehalfOf  | Out-File $OutFile -Append    }

===========================SCRIPT END====================================

Advertisements

Sharing Non-Default Outlook Folders in Exchange (Online and On-Premise)

A client came to me one day and asked how he can share his Outlook folder to his executive assistant so that he can have read only access to one folder and its subfolders. Didn’t think it was really that difficult of a task until he showed me his Outlook folder structure. This user literally had over 1,500 folders in Outlook and the hierarchy was intense!

SNAG-0050

The user did not want to share the full mailbox so assigning full mailbox access was out of the question. He only wanted to share the “2011-2015” folder and all the subfolders under it, which itself was a series of at least 50 folders.

One way to do this is to go to each folder, right click and open properties. On the permissions tab, assign the executive assistant Reviewer rights – NOT GOING TO HAPPEN! Too many chances of error and takes too long.

Assigning Permissions to Outlook Folders

After researching online, I came across a blog (https://blogs.technet.microsoft.com/tips_from_the_inside/2011/11/03/set-outlook-folder-permissions-using-powershell/) that had a script doing this same thing. I have attached a copy of this and customized it for this example.

  • The user who wants to share the folder is called BWayne@thebatcave.com
  • His executive assistant is called Alfred@thebatcave.com
  • The folder we want to share is only the 2011-2015 with its subfolders

 

ForEach($f in (Get-MailboxFolderStatistics BWayne@thebatcave.com | where {$_.Folderpath.contains(“/Investments/2011-2015”) -eq $true} ) )
{
 $fname = “BWayne@thebatcave.com:” + $f.FolderPath.Replace(“/”,”\”);
 Add-MailboxFolderPermission $fname -User Alfred@thebatcave.com -AccessRights Reviewer
 Write-Host $fname
 Start-Sleep -Milliseconds 1000
}

Accessing Non-Default Outlook Shared Folders

Now that the permissions have been assigned how can Alfred access these shared folders. In order to do this, Alfred needs to be able to see the folder structure. These next steps must be performed from Outlook – you can either use Bruce Wayne’s machine or being the administrator, give yourself full access to his mailbox and open it in your Outlook

  1. In Outlook, right click the mailbox name and select Data File Properties.
  2. Click the Permissions tab.
  3. Click the Add button to select Alfred from the address list
  4. Select Folder Visible and click OK

    SNAG-0051
    Note: Permission for Alfred is still set to “None”
  5. Go down to the next folder in the hierarchy and open its Properties
  6. Repeat steps 2 to 4. This needs to be done for every folder Alfred needs to traverse through to get to the shared folder. In this example this would be:
    • BWayne@thebatcave.com mailbox \Real Estate\Investments
    • It must be noted that the Folder Visible permission only allows Alfred to view the folder but not its content.

Now that Alfred has been assigned the permission to view the folders (but not their content) he needs to get into the shared folder, he can open them using Outlook.

  1. On Alfred’s Outlook, open the properties of his account settings. Click on the File menu (in Outlook 2013 and 2016), Account Settings\Account Settings    
  2. On the Account Settings window, click Change SNAG-0053
  3. On the Server Settings page, click More Settings   SNAG-0054
  4. Go to the Advanced tab and click the Add button to add BWayne’s mailbox to Alfred’s Outlook. Note that Alfred will not be able to see the entire mailbox – only the folders that have been set to Folder Visible and the ones he has reviewer permissions to.
  5. After adding the mailbox as an additional mailbox, make sure to uncheck the Download Shared Folders  checkbox.              SNAG-0056
  6. Click OK and Next to close the windows.

 

 

Automapping of Mailbox in Outlook does not work if Full Access Permission assigned to a Group

INFORMATION

Many companies may have a number of shared mailboxes that their users or certain departments may require access to. Generally the easiest way to get this done based on Microsoft methodology is to add the individual users to a group and give the group permission to the resource – all nice so far!

One of the new improvements of Exchange 2010 SP1 was the possibility of an Outlook client to automatically map to its profile any mailbox that the logged on user has full access to!

SO HOW DOES IT WORK??

When you assign a user full access permission permissions in Exchange 2010 SP1 to a shared mailbox, Exchange will modify the multi-valued MsExchDelegateListLink attribute on the shared mailbox to include the distinguished name (DN) of the users who have been assigned the access permission.

At the same time, Exchange will not update the MsExchDelegateListBL attribute on each of the users who have been given the permission to include the DN of the shared mailbox. Next time the user opens Outlook, it will use AutoDiscover to locate the values of the MsExchDelegateListBL for the user and use it to automatically map the shared mailbox to the user’s Outlook profile.

This works perfect if you are assigning individual users the permission but many organizations use groups to assign such permissions. When a group is assigned this permission, all the members of the group will inherit the rights assigned HOWEVER Automapping will NOT work! This is because the group’s MsExchDelegateListLink attribute is modified and not the individual users within the group.

WORKAROUNDS

  1. Users will be able to add the shared mailbox manually by adding it to their Outlook profile.
  2. Use the following Exchange Powershell script that will read the membership of the distribution group and add each individual member to have full access permission to the shared mailbox (copy the code below and paste to a notepad file. Save the file with a NAME.PS1 extension):

$DL = Get-distributiongroupmember GROUPNAME | Select-Object -ExpandProperty Name

foreach ($D in $DL ) {

Add-MailboxPermission -Identity SHARED_MAILBOX_NAME -User $D -AccessRights ‘FullAccess’

write-host -FORE yellow “$D is a member of the distribution group GROUPNAME has been given full access permission to SHARED_MAILBOX_NAME mailbox” }

Please name sure to replace GROUPNAME with the name of the distribution group and SHARED_MAILBOX_NAME with the name of the shared mailbox