Exchange Shell Scripting

We have alot of shared mailboxes, and all these mailboxes sit on the same mailbox database. Some of the mailboxes have multiple users with full manage access given via exchange, but some of the mailboxes only have just one user with full manage access given via exchange. The purpose of the shared mailboxes was so that 2 or more users would be granted access and not just a single user. Is there a script or cmdlet available to assist me in getting all shared mailboxes on the shared mailbox db that has only one user with full manage access instead of 2 or more?
LVL 25
timgreen7077Exchange EngineerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Chris DentPowerShell DeveloperCommented:
You're going to have to help me out here, I know what you need to do, but I don't have Exchange so I can't just build the code for you.

First you need to identify all those shared mailboxes. Are the set-up as that type? If so, this should find them:
Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited

Open in new window

The next step is to get the permissions for each of those mailboxes. Start off with one of them, something you already know about, or just the first in the list. This will let us construct the filter which lets you find what you want.
$FirstSharedMailbox = Get-Mailbox -RecipientTypeDetails SharedMailbox |Select-Object -First 1
$FirstSharedMailbox | Get-MailboxPermission | Where-Object { $_.AccessRights -eq 'FullAccess' } | Format-List *

Open in new window

So this is where I need your help. You are likely to find you get more than manually added users there. You may also see something like IsInherited in the result. Do you?

The goal is to get down to a list of permissions that have been explicitly assigned to that mailbox. If we can get that all we need do is count them to figure out whether or not you're interested in that mailbox or not.

Please let me know how you get on.

timgreen7077Exchange EngineerAuthor Commented:
This is the script I attempt to use but it continues to give an error:

Get-Mailbox -ResultSize Unlimited | where {($_.Database -like '*RES*')} | foreach ($mailbox in Get-Mailbox) | {Get-MailboxPermission $mailbox | Where-Object ($_.AccessRights -like "*FullAccess*") -and ($_.User -notlike "NT AUTHORITY\SELF")-and ($_.IsInherited -eq $false)} | Export-csv -path "c:\output\FullMailboxAccessPermissions.csv"

This is the error:
Unexpected token 'in' in expression or statement.
At line:1 char:95
+ Get-Mailbox -ResultSize Unlimited | where {($_.Database -like '*RES*')} | foreach ($mailbox in <<<<  Get-Mailbox) | {Get-MailboxPermission $mailbox
 | Where-Object ($_.AccessRights -like "*FullAccess*") -and ($_.User -notlike "NT AUTHORITY\SELF")-and ($_.IsInherited -eq $false)} | Export-csv -pat
h "c:\output\FullMailboxAccessPermissions.csv"
    + CategoryInfo          : ParserError: (in:String) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnexpectedToken

Let me know what you think.
Chris DentPowerShell DeveloperCommented:
foreach isn't used like that. You probably meant this:
$Mailboxes = Get-Mailbox -ResultSize Unlimited | where {($_.Database -like '*RES*')}
foreach ($Mailbox in $Mailboxes) {
  Get-MailboxPermission $mailbox |
    Where-Object { $_.AccessRights -like "*FullAccess*") -and $_.User -notlike "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false } |
    Export-csv -path "c:\output\FullMailboxAccessPermissions.csv" -Append

Open in new window

Note that the Append option on Export-Csv is new and carries a PS version 3 requirement. If you don't do that you'll only get the result for one mailbox.

My plan was to implement the count there. Something like this.
$Mailboxes = Get-Mailbox -ResultSize Unlimited | where {($_.Database -like '*RES*')}
foreach ($Mailbox in $Mailboxes) {
  [Array]$Permissions = Get-MailboxPermission $mailbox |
    Where-Object { $_.AccessRights -like "*FullAccess*") -and $_.User -notlike "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false }

  $Permissions |
    Select-Object `
      @{n='MailboxName';e={ $Mailbox.Name }},
      @{n='AclCount';e={ $Permissions.Count }},
      * |
    Export-csv -path "c:\output\FullMailboxAccessPermissions.csv" -Append

Open in new window


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
timgreen7077Exchange EngineerAuthor Commented:
Yep you are correct since I don't have PS3 it only return 1 result. Can you script this with Exchange Management Shell with PS 2.0?
timgreen7077Exchange EngineerAuthor Commented:
This script got it working thanks for all your help and suggestions:

Get-Mailbox -ResultSize Unlimited | where {($_.Database -like '*RES*')} | Get-
MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -
eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ',
$_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.