Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 56
  • Last Modified:

script to get all Shared mailboxes and who has permisisons

looking for a script via PS to get a list of all shared mailboxes and then also output who has full and/or sendas permissions.

on the output, need user samaccountname, upn and display name
0
ARM2009
Asked:
ARM2009
  • 5
  • 3
2 Solutions
 
Britt ThompsonSr. Systems EngineerCommented:
$boxes = Get-Mailbox | ?{$_.IsShared -eq $true}
$domain = "YOURDOMAIN\"
foreach($b in $boxes)
{
@"

----------------------- $($b.Alias) -----------------------
"@

    $fullperms = $b | Get-MailboxPermission | ?{$_.AccessRights -match "FullAccess" -and $_.IsInherited -eq $false -and $_.User -notlike "*NT AUTHORITY\SELF"} | 
        %{
            $id = (($_.User).ToString()).Replace($domain,"")
            Get-ADUser $id | %{ $_.Name + ", " + $_.SamAccountName + ", " + $_.UserPrincipalName + "; " }
         }
    $sendperms = $b | Get-ADPermission | ?{$_.ExtendedRights -match "Send-As" -and $_.IsInherited -eq $false -and $_.User -notlike "*NT AUTHORITY\SELF"} | 
        %{
            $id = (($_.User).ToString()).Replace($domain,"")
            Get-ADUser $id | %{ $_.Name + ", " + $_.SamAccountName + ", " + $_.UserPrincipalName + "; " }
         }

    Write-Host "Full Permissions: $fullperms"
    Write-Host "Send Permissions: $sendperms"
}

Open in new window

0
 
ARM2009Author Commented:
running from Exchange shell... get the following error. do I need to load AD cmdlets? also can this be dumped in a txt or csv file.

ForEach-Object : The term 'Get-ADUser' is not recognized as the name of a cmdlet, function, script file, or operable pr
ogram. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\****\2.ps1:11 char:10
+         % <<<< {
    + CategoryInfo          : ObjectNotFound: (Get-ADUser:String) [ForEach-Object], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException,Microsoft.PowerShell.Commands.ForEachObjectCommand

ForEach-Object : The term 'Get-ADUser' is not recognized as the name of a cmdlet, function, script file, or operable pr
ogram. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\***\2.ps1:16 char:10
+         % <<<< {
    + CategoryInfo          : ObjectNotFound: (Get-ADUser:String) [ForEach-Object], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException,Microsoft.PowerShell.Commands.ForEachObjectCommand

Full Permissions:
Send Permissions:
0
 
Britt ThompsonSr. Systems EngineerCommented:
Use Get-Mailbox in place of Get-ADUser


$boxes = Get-Mailbox | ?{$_.IsShared -eq $true}
$domain = "YOURDOMAIN\"
$CSV = "$env:USERPROFILE\Desktop\Permissions.csv"
$Out = @()
$Headers = @("Name","samAccountName","UPN")
foreach($b in $boxes)
{
@"

----------------------- $($b.Alias) -----------------------
"@

    $fullperms = $b | Get-MailboxPermission | ?{$_.AccessRights -match "FullAccess" -and $_.IsInherited -eq $false -and $_.User -notlike "*NT AUTHORITY\SELF"} | 
        %{
            $id = (($_.User).ToString()).Replace($domain,"")
            Get-Mailbox $id | %{ $Out += ,@($_.Name + "," + $_.SamAccountName + "," + $_.UserPrincipalName) }
         }
    $sendperms = $b | Get-ADPermission | ?{$_.ExtendedRights -match "Send-As" -and $_.IsInherited -eq $false -and $_.User -notlike "*NT AUTHORITY\SELF"} | 
        %{
            $id = (($_.User).ToString()).Replace($domain,"")
            Get-Mailbox $id | %{ $Out += ,@($_.Name + "," + $_.SamAccountName + "," + $_.UserPrincipalName) }
         }
}

$Cols = $Headers.Count
$Vals = @()
foreach ($Row in $Out)
{
    $Obj = New-Object PSObject
    for ($i=0;$i -lt $cols; $i++)
    {
        $Obj | Add-Member -MemberType NoteProperty -Name $Headers[$i] -Value $Row[$i]
    }
    $Vals+=$Obj
    $Obj = $null
}
$Vals | Export-CSV $CSV -NoTypeInformation

Open in new window

0
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

 
ARM2009Author Commented:
runs with errors... but does output as well..

----------------------- sampleAlias-----------------------
Pipeline not executed because a pipeline is already executing. Pipelines cannot be executed concurrently.
    + CategoryInfo          : OperationStopped: (Microsoft.Power...tHelperRunspace:ExecutionCmdletHelperRunspace) [],
   PSInvalidOperationException
    + FullyQualifiedErrorId : RemotePipelineExecutionFailed

eventually does output result...
0
 
Britt ThompsonSr. Systems EngineerCommented:
See what happens if you put the commands on one line

$fullperms = $b | Get-MailboxPermission | ?{$_.AccessRights -match "FullAccess" -and $_.IsInherited -eq $false -and $_.User -notlike "*NT AUTHORITY\SELF"} | %{$id = (($_.User).ToString()).Replace($domain,""); Get-Mailbox $id | %{ $Out += ,@($_.Name + "," + $_.SamAccountName + "," + $_.UserPrincipalName) }}

Could be some copy/paste translation issue
0
 
ARM2009Author Commented:
errors as below

shared mailbox is Letters
----------------------- Letters -----------------------
Pipeline not executed because a pipeline is already executing. Pipelines cannot be executed concurrently.
    + CategoryInfo          : OperationStopped: (Microsoft.Power...tHelperRunspace:ExecutionCmdletHelperRunspace) [],
   PSInvalidOperationException
    + FullyQualifiedErrorId : RemotePipelineExecutionFailed

Pipeline not executed because a pipeline is already executing. Pipelines cannot be executed concurrently.
    + CategoryInfo          : OperationStopped: (Microsoft.Power...tHelperRunspace:ExecutionCmdletHelperRunspace) [],
   PSInvalidOperationException
    + FullyQualifiedErrorId : RemotePipelineExecutionFailed

Pipeline not executed because a pipeline is already executing. Pipelines cannot be executed concurrently.
    + CategoryInfo          : OperationStopped: (Microsoft.Power...tHelperRunspace:ExecutionCmdletHelperRunspace) [],
   PSInvalidOperationException
    + FullyQualifiedErrorId : RemotePipelineExecutionFailed

Pipeline not executed because a pipeline is already executing. Pipelines cannot be executed concurrently.
    + CategoryInfo          : OperationStopped: (Microsoft.Power...tHelperRunspace:ExecutionCmdletHelperRunspace) [],
   PSInvalidOperationException
    + FullyQualifiedErrorId : RemotePipelineExecutionFailed

The operation couldn't be performed because object 'S-1-5-21-343818398-1202660629-682003330-488641' couldn't be found o
n 'DC.test.com'.
    + CategoryInfo          : NotSpecified: (:) [Get-Mailbox], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : B94CB0B2,Microsoft.Exchange.Management.RecipientTasks.GetMailbox

The operation couldn't be performed because object 'S-1-5-21-343818398-1202660629-682003330-531918' couldn't be found o
n 'DC.test.com'
    + CategoryInfo          : NotSpecified: (:) [Get-Mailbox], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : 89944120,Microsoft.Exchange.Management.RecipientTasks.GetMailbox


as u can tell.. this time around I had not data at all
0
 
ARM2009Author Commented:
this is what worked for me....

$RunUsers = Import-CSV C:\shared.csv

$RunUsers | % { $mID = $_.AcctID; Get-MailboxPermission -identity $mID | 
        Where-Object{($_.AccessRights -match "FullAccess") -and -not 
        ($_.User -like "NT AUTHORITY\SELF") -and -not 
        ($_.User -like "domain\Domain Admins") -and -not 
        ($_.User -like "domain\Enterprise Admins") -and -not 
        ($_.User -like "domain\Organization Management") -and -not 
        ($_.User -like "domain\Exchange Servers") -and -not 
        ($_.User -like "domain\Exchange Trusted Subsystem") -and -not 
        ($_.User -like "S-1-5-21-*") -and -not 
        ($_.User -like "NT AUTHORITY\SYSTEM")} |
       
        select Identity, User |
        export-csv C:\perms.csv -Append -Force }
0
 
ARM2009Author Commented:
the script works as expected for the results.
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

  • 5
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now