Auditing Exchange 2007 Mailbox Full Access Permissions with PowerShell
On occasion I get asked to produce a list of users who have Full Access rights to a particular Exchange 2007 Mailbox. At the moment I am doing this manually, and I'd ideally like to do it with PowerShell.
Is there any way to produce a list of Full Access Permissions (and Send On Behalf rights would also be useful)?
Thanks, Jonny
Send-As permissions are stored in Active Directory, so it's a bit tricky to get at them. You could use Add-Member if you like to combine the properties you care about from the two results.
Full Access:
get-mailbox | %{$foo = $_; Get-MailboxPermission $foo | ?{$_.AccessRights -eq "FullAccess" -and $_.IsInherited -eq $false}} | ft {$foo},User,AccessRights
Send-As:
get-mailbox | %{$mailbox = $_; Get-ADPermission $mailbox.DistinguishedName | ?{$_.ExtendedRights -like "Send-As" -and $_.User -notlike "NT AUTHORITY\SELF"}} | ft {$mailbox},user,{"Send-As"}
In addition to Slipsec's answer, there is an alternative to the Send-As permissions audit.
$(Get-Mailbox -Identity mailboxName).GrantSendOnBehalfTo | ft Name
This returns only manually added users and no auto-generated ones.
Thanks again Slipsec with your help on this!
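The Add-Member suggestion from the first answer, combined with the Send On Behalf lookup from the reply above, as an added example that is not part of any poster's answer. It produces one flat report for all three delegation types. The function name New-AuditRow, the Deny and SELF filters and the CSV file name are assumptions of this example.

```powershell
# Added example: run in the Exchange Management Shell (Exchange 2007, PowerShell v1 syntax).
# New-AuditRow and the output file name are hypothetical names chosen for this example.

function New-AuditRow($Mailbox, $Trustee, $Right) {
    # One row per (mailbox, trustee, right), built with Add-Member.
    $row = New-Object PSObject
    $row | Add-Member NoteProperty Mailbox $Mailbox.DisplayName
    $row | Add-Member NoteProperty Alias   $Mailbox.Alias
    $row | Add-Member NoteProperty Trustee "$Trustee"
    $row | Add-Member NoteProperty Right   $Right
    $row
}

$report = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_

    # Explicit (non-inherited) Full Access grants. -like also matches entries where
    # FullAccess is listed together with other rights. Deny entries are not grants,
    # and the owner's own SELF entry is skipped (both filters are this example's choice).
    Get-MailboxPermission $mbx |
        Where-Object { $_.AccessRights -like '*FullAccess*' -and -not $_.IsInherited } |
        Where-Object { -not $_.Deny -and $_.User -notlike 'NT AUTHORITY\SELF' } |
        ForEach-Object { New-AuditRow $mbx $_.User 'FullAccess' }

    # Send-As is an extended right on the mailbox's Active Directory object.
    Get-ADPermission $mbx.DistinguishedName |
        Where-Object { $_.ExtendedRights -like 'Send-As' -and -not $_.Deny } |
        Where-Object { $_.User -notlike 'NT AUTHORITY\SELF' } |
        ForEach-Object { New-AuditRow $mbx $_.User 'Send-As' }

    # Send On Behalf delegates are a property of the mailbox itself.
    # The Where-Object guard drops a $null that an empty list can emit on PowerShell v1.
    $mbx.GrantSendOnBehalfTo |
        Where-Object { $_ } |
        ForEach-Object { New-AuditRow $mbx $_.Name 'SendOnBehalf' }
}

# Review on screen, then keep a copy to compare against the next audit run.
$report | Sort-Object Mailbox, Right, Trustee | Format-Table -AutoSize
$report | Export-Csv .\mailbox-delegation-audit.csv -NoTypeInformation
```

To audit a single mailbox, replace the `Get-Mailbox -ResultSize Unlimited` call with `Get-Mailbox -Identity` followed by the mailbox name.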
get-mailbox -identity MailBoxName | %{$foo = $_; Get-MailboxPermission $foo | ?{$_.AccessRights -eq "FullAccess" -and $_.IsInherited -eq $false}} | ft {$foo},User,AccessRights
If you're looking for permissions for users on a specific mailbox, replace the MailBoxName with the exact name of the mailbox you're attempting to run the report on. It is KeySensitive with regards to the name of the mailbox and alias.
get-mailbox | %{$foo = $_; Get-MailboxPermission $foo | ?{$_.AccessRights -eq "FullAccess" -and $_.IsInherited -eq $false}} | ft {$foo},User,AccessRights
In the above command, do I replace foo with the mailbox or the username? I tried the command and it says cannot bind as object is null - will be grateful for your assistance.
I know this is old, but just in case anyone else comes across this thread looking for help, to answer the OP's last question, $foo represents a variable that you have to define before running the command, so as an example:
$foo = 'Example User'
get-mailbox | %{$foo = $_; Get-MailboxPermission $foo | ?{$_.AccessRights -eq "FullAccess" -and $_.IsInherited -eq $false}} | ft {$foo},User,AccessRights