Help with Active Directory Saved Queries

Posted on 2009-02-09
Last Modified: 2012-06-22
I have some standard 'Saved Queries' that I use:

Locked out Accounts

Mailboxes Overriding Exchange Size Limits

I need help in creating a new Saved Query to place a userid within the Query and see if that account has access to other mailboxes within the org.  
Or if there could be a Saved Query to display those AD Accounts with manual access to one's mailbox.

Question by:Admin_Stooge
    LVL 57

    Expert Comment

    by:Mike Kline
    I'll try to test later but try
     See if either of those do what you want.
    LVL 15

    Expert Comment

    You may have better luck using the command line dsget and piping it to dsquery.
    LVL 70

    Expert Comment

    by:Chris Dent

    You won't be able to enumerate the access control for a mailbox using an LDAP query. The Send On Behalf permission granted by publicDelegates is as near as you'd get with LDAP only.

    I have a script here that can search the security descriptor of a mailbox for Exchange 2000 / 2003 to look for a specific value:

    We can do more than that, or look for something more specific, but you'd have to let us know the version of Exchange and more specifically what you're wanting to see.


    Author Comment

    Thanks Chris,

    Exchange 2003 & Exchange 2007

    I guess I'm looking for mainly 2 things.
    1. I want to be able to see if myself or other teammates still have manual access to one's mailbox if we were troubleshooting an issue and forgot to remove our access.

    2. I would like the ability to run a report to display which user(s) have manual access to another user's mailbox.
    For example, something that can be dumped into xls to display:
    Joe Smith
    Manual Mailbox Access:
    (list of mailboxes)

    This way we can do cleanups and confirm that certain users should or should not have access to another employee's mailbox.

    Hope this helps clear things up.

    LVL 70

    Accepted Solution


    For the Exchange 2003 side we can play with the script in my blog to get the results you want.

    For Exchange 2007 we're blessed with the Exchange Management Shell which can make this all nice and easy. For example, we could find out about every mailbox where someone has been granted explicit access rights as follows:

    Get-Mailbox | Get-MailboxPermission | ?{ ($_.IsInherited -eq $False) -And !(($_.User.ToString()).Contains("SELF")) } | Select-Object Identity, User, AccessRights

    LVL 70

    Expert Comment

    by:Chris Dent

    Provided the output from the command is something like what you're looking for, we can make the VBScript version do something like the same for Exchange 2003.

    LVL 70

    Expert Comment

    by:Chris Dent

    Missed a little bit.

    The output from that can be dumped to a CSV file by adding "| Export-CSV -Path FileName.csv". However, we'll have to do a bit of work with some of the more complex attributes (AccessRights) to have them display in a meaningful way within the CSV file.
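
The report discussed in this thread, as an added example that is not part of the original posts: it keeps the filter from the accepted solution, joins the multi-valued AccessRights into one string so it is readable in the CSV, and prints the per-user layout the asker described. `$ReportPath` and `$AccountFilter` are assumed names, and the script assumes it is run in the Exchange Management Shell.

```powershell
# Added example; run inside the Exchange Management Shell (Exchange 2007).
# $ReportPath and $AccountFilter are assumed names, not from the thread.
$ReportPath    = 'MailboxAccessReport.csv'
$AccountFilter = ''   # e.g. 'DOMAIN\jsmith' to check one account; empty = all accounts

$rows = Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object {
        # Same test as the accepted solution: explicit (non-inherited) entries,
        # excluding the mailbox owner's own SELF entry.
        ($_.IsInherited -eq $false) -and
        !(($_.User.ToString()).Contains('SELF')) -and
        (($AccountFilter -eq '') -or ($_.User.ToString() -eq $AccountFilter))
    } |
    Select-Object `
        @{ Name = 'User';    Expression = { $_.User.ToString() } },
        @{ Name = 'Mailbox'; Expression = { $_.Identity.ToString() } },
        @{ Name = 'AccessRights'; Expression = {
            # AccessRights is an array; join it so the CSV shows the rights
            # themselves rather than the type name of the collection.
            [string]::Join(', ', @($_.AccessRights | ForEach-Object { $_.ToString() }))
        } },
        @{ Name = 'Deny'; Expression = { $_.Deny } }   # True means a deny entry, not a grant

# One row per (user, mailbox) pair, sorted so each user's mailboxes sit together.
$rows | Sort-Object User, Mailbox | Export-Csv -Path $ReportPath -NoTypeInformation

# Console view in the layout requested above: user, then the mailboxes they can open.
$rows | Group-Object User | ForEach-Object {
    $_.Name
    'Manual Mailbox Access:'
    $_.Group | ForEach-Object { "  $($_.Mailbox) ($($_.AccessRights))" }
    ''
}
```

Setting `$AccountFilter` to a single account covers the first case in the question, checking whether a support account still holds access it was granted while troubleshooting.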

