one liners: Finding Users Who Have Send-As or Full Access Permissions to Mailboxes
This comes up pretty often, especially around migrations and upgrades, or after some embarrassing incident: a manager wants a report of which users have send-as rights to other people's mailboxes. Fortunately, we can use PowerShell to do the heavy lifting:
Get-Mailbox -ResultSize Unlimited | Get-ADPermission | Where-Object {($_.ExtendedRights -like "*send-as*") -and -not ($_.User -like "nt authority\self")} | Format-Table Identity, User -auto
This gives us a nice list of those users. In this example environment, user msweet has send-as permissions to Timothy Gaines' mailbox.
To find users who have Full Access to the mailbox of others, we can use:
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Where-Object {($_.AccessRights -match "FullAccess") -and -not ($_.User -like "NT AUTHORITY\SELF")} | Format-Table Identity, User
And we see that the same msweet has full access to the mailbox of user Oz Fox.
In each example, we can replace Get-Mailbox -ResultSize Unlimited with a narrower scope, such as Get-Mailbox with a specific mailbox identity, to look only at particular accounts.
Note that in bigger environments, it can take quite a bit of time for this to run.
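The two one-liners above answer the question one right at a time. As an added example (not code from the original post), the script below combines both checks into a single report, written the way I would run it for an audit: it skips the NT AUTHORITY\SELF entries, skips inherited and Deny entries so only explicit grants show up, writes a CSV, and finishes with a summary of trustees that hold rights on more than one mailbox. It assumes an on-premises Exchange Management Shell session where Get-Mailbox, Get-ADPermission and Get-MailboxPermission are available; the $ReportPath and $MailboxFilter parameters and the output column names are my own choices.

```powershell
# Added example, not from the original post. Assumes an on-premises Exchange
# Management Shell session and write access to the report path.
param(
    [string]$ReportPath = ".\MailboxDelegationReport.csv",   # assumed output path
    [string[]]$MailboxFilter = @()                            # optional: specific identities only
)

$selfPrincipal = "NT AUTHORITY\SELF"

# Scope: every mailbox, or only the identities passed in (see the note on narrowing scope above).
$mailboxes = if ($MailboxFilter.Count -gt 0) {
    $MailboxFilter | ForEach-Object { Get-Mailbox -Identity $_ }
} else {
    Get-Mailbox -ResultSize Unlimited
}

$report = foreach ($mbx in $mailboxes) {
    # Send-As is an AD permission carrying the send-as extended right.
    Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object {
            $_.ExtendedRights -like "*send-as*" -and
            $_.User.ToString() -ne $selfPrincipal -and   # the mailbox owner is not a delegate
            -not $_.IsInherited -and                     # explicit grants only
            -not $_.Deny                                 # a Deny ACE is not an effective grant
        } |
        ForEach-Object {
            [PSCustomObject]@{
                Mailbox = $mbx.PrimarySmtpAddress.ToString()
                Trustee = $_.User.ToString()
                Right   = "SendAs"
            }
        }

    # Full Access is a mailbox permission; same exclusions apply.
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object {
            $_.AccessRights -match "FullAccess" -and
            $_.User.ToString() -ne $selfPrincipal -and
            -not $_.IsInherited -and
            -not $_.Deny
        } |
        ForEach-Object {
            [PSCustomObject]@{
                Mailbox = $mbx.PrimarySmtpAddress.ToString()
                Trustee = $_.User.ToString()
                Right   = "FullAccess"
            }
        }
}

# Full report for the manager.
$report | Sort-Object Trustee, Mailbox | Export-Csv -Path $ReportPath -NoTypeInformation

# Summary for the reviewer: trustees with rights on more than one mailbox deserve a second look.
$report |
    Group-Object Trustee |
    Where-Object { $_.Count -gt 1 } |
    Select-Object Name, Count |
    Sort-Object Count -Descending
```

Run it with no arguments for the whole organization, or pass -MailboxFilter with one or more identities to keep the run short; as with the one-liners, the full run takes a while in a large environment because every mailbox is queried twice. Get-ADPermission exists only on-premises, so in Exchange Online the send-as half would need the equivalent recipient-permission cmdlet instead.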
This is awesome, thank you! But is there a way to filter out the actual user as having send-as rights to their own mailbox? I have an environment with 1800 mailboxes… I don't need to see that each user has send-as rights to their own mailbox. I thought it was to filter out nt authority\self but that isn't it.
Looks good Pat. For our environment, we have some users who have access other than ‘FullAccess’, and we also weren’t interested in reporting inherited permissions on each mailbox (as this could be viewed easily for all). The following ‘1 liner’ did the job for us:
Get-Mailbox | Get-MailboxPermission | where {$_.User.ToString() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,AccessRights
To filter out the send-as to the user's own mailbox, change $_.User to $_.Trustee. The code shown is incorrect.
For outputting actual names try this one: ( Get-MailboxPermission mailboxname | where { ($_.AccessRights -like "*FullAccess*") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") } ) | % { (Get-User $_.User.ToString()).Name }
Also note the following interesting alternatives to .Name at the end:
UserPrincipalName (for the UPN, i.e. user@domain.local)
DistinguishedName (for the standard distinguished name, i.e. CN=User Name,OU=Users,DC=corp,DC=local)
Identity.ToString() (for the "folder" format like corp.local/Users/User Name)
Pick your poison 🙂
Thanks. I actually need to update that post as using PowerShell aliases in public works isn’t recommended. 🙁
Yeah, sorry, I tend to do that (particularly on one-liners). Thanks for pointing it out.
'( Get-MailboxPermission mailboxname | where { ($_.AccessRights -like "*FullAccess*") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") } ) | % { (Get-User $_.User.ToString()).Name }' -replace '%','Foreach-Object' -replace 'Where','Where-Object'
It should probably also be noted that the original post is a much better alternative for large-scale searches, as the extra Foreach-Object with Get-User on each of the objects would probably take quite a bit of extra resources. (I'm too lazy to do the measuring right now.)
My requirement was a report for a particular mailbox, and the report is presented to non-technical users who tend to understand actual people's names better than usernames/sAMAccountNames, so for single mailboxes or smaller sets it might be useful for others too, I suppose.
Question: I am trying to run a script like this on over a hundred thousand mailboxes in Online O365. Is it possible in today's PS to run something like this for one user? I.e. I need to find what shared mailboxes one user has full access to. Nothing I have tried comes close to working.
$sharedMailbox = get-mailbox -ResultSize unlimited -recipienttypedetails sharedmailbox
$sharedMailbox | Get-MailboxPermission -User UserID | select identity,user,accessrights | Export-csv files\UserID.csv
Any ideas?