Solved

PowerShell to get shared mailboxes permissions

Posted on 2016-09-07
Last Modified: 2016-09-20
Looking for the following in PowerShell...

List of all shared mailboxes with the following detail

1. Name
2. Email address
3. Owner
4. Last logon date
5. Last Logon user
6. List of users who have full access
7. List of users who have sendas
8. If possible, last access date

I have a working script but unable to get all the information in one go.
0
Question by:ARM2009
25 Comments
 
LVL 40

Expert Comment

by:Subsun
ID: 41789889
Which version of Exchange?

How are you going to identify the shared mailbox? Is there any naming standard you use, or is it created in a specific OU?
0
 

Author Comment

by:ARM2009
ID: 41790065
No specific OU ... Exch 2010

Search for all shared mailboxes
0
 
LVL 16

Expert Comment

by:Todd Nelson
ID: 41790630
Getting a list of shared mailboxes is the easy part...

Get-Mailbox -ResultSize Unlimited | Where-Object { $_.RecipientTypeDetails -eq "SharedMailbox" } | fl Name,PrimarySmtpAddress


And getting who has full permissions is simple enough...

Get-Mailbox -ResultSize Unlimited | Where-Object {$_.RecipientTypeDetails -eq "SharedMailbox"} | Get-MailboxPermission | Where-Object { $_.AccessRights -eq "FullAccess" }


For me, the rest is a challenge that I can't test at the moment.

Let us know what you come up with.

P.S.  Shared mailboxes don't have an owner.
0

 
LVL 40

Expert Comment

by:Subsun
ID: 41791039
3. Owner
It depends on how your organization is managing the owner details: some add the owner as manager, some add it in Exchange custom attributes.

For the rest of the details you can use the following code..
# Collect every shared mailbox in the organization
$RMailbox = Get-Mailbox -RecipientTypeDetails Sharedmailbox -ResultSize Unlimited
$(Foreach ($R in $RMailbox){
	# Last logon/logoff details come from the mailbox statistics
	$St = $R | Get-MailboxStatistics
	New-Object PSObject -Property @{
		Name = $R.Name
		Email = $R.PrimarySmtpAddress
		LastLoggedOnUserAccount = $St.LastLoggedOnUserAccount
		LastLogonTime  = $St.LastLogonTime
		LastLogoffTime = $St.LastLogoffTime
		# Trustees with FullAccess, excluding SELF, SYSTEM and entries shown as raw SIDs
		FullMBXPerm = ($R | Get-MailboxPermission |?{$_.AccessRights -like "Fullaccess" -and $_.User -NotMatch "(Self|SYSTEM|^S-1-5-)"} | %{$_.User.ToString()}) -join ","
		# Trustees with the Send-As extended right, same exclusions
		SendAs = ($R | Get-ADPermission |?{$_.ExtendedRights -like "Send-as" -and $_.User -NotMatch "(Self|SYSTEM|^S-1-5-)"} | %{$_.User.ToString()}) -join ","
	}
}) | Select Name,Email,FullMBXPerm,SendAS,Last*

1
 

Author Comment

by:ARM2009
ID: 41796155
Owner information is being pulled from the "Manager" info in AD.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41796868
I have added the manager field..
$RMailbox = Get-Mailbox -RecipientTypeDetails Sharedmailbox -ResultSize Unlimited
$(Foreach ($R in $RMailbox){
$St = $R | Get-MailboxStatistics 
	New-Object PSObject -Property @{
		Name = $R.Name
		Email = $R.PrimarySmtpAddress
		LastLoggedOnUserAccount = $St.LastLoggedOnUserAccount
		LastLogonTime  = $St.LastLogonTime
		LastLogoffTime = $St.LastLogoffTime
		FullMBXPerm = ($R | Get-MailboxPermission |?{$_.AccessRights -like "Fullaccess" -and $_.User -NotMatch "(Self|SYSTEM|^S-1-5-)"} | %{$_.User.ToString()}) -join ","
		SendAs = ($R | Get-ADPermission |?{$_.ExtendedRights -like "Send-as" -and $_.User -NotMatch "(Self|SYSTEM|^S-1-5-)"} | %{$_.User.ToString()}) -join ","
		Owner = ($R | get-recipient).Manager.Name
	}
}) | Select Name,Email,Owner,FullMBXPerm,SendAS,Last*

0
 

Author Comment

by:ARM2009
ID: 41798276
The manager info is not pulled via this script... it's all blank. I have checked that that field has information. I can pull that via Quest PowerShell ...

Any ideas what attributes it uses to store that info?
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41798288
Can you run the following command and post the output?
Get-Recipient UserA | Select -exp Manager

0
 

Author Comment

by:ARM2009
ID: 41798308
this gives the manager info on that particular account.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41798312
What about?
(Get-Recipient UserA).Manager.Name

0
 

Author Comment

by:ARM2009
ID: 41798315
blank.... if I use (Get-Recipient UserA).Manager.Name
0
 
LVL 40

Accepted Solution

by:
Subsun earned 500 total points
ID: 41798325
If this works: (Get-Recipient UserA).Manager

Then use..
$RMailbox = Get-Mailbox -RecipientTypeDetails Sharedmailbox -ResultSize Unlimited
$(Foreach ($R in $RMailbox){
$St = $R | Get-MailboxStatistics 
	New-Object PSObject -Property @{
		Name = $R.Name
		Email = $R.PrimarySmtpAddress
		LastLoggedOnUserAccount = $St.LastLoggedOnUserAccount
		LastLogonTime  = $St.LastLogonTime
		LastLogoffTime = $St.LastLogoffTime
		FullMBXPerm = ($R | Get-MailboxPermission |?{$_.AccessRights -like "Fullaccess" -and $_.User -NotMatch "(Self|SYSTEM|^S-1-5-)"} | %{$_.User.ToString()}) -join ","
		SendAs = ($R | Get-ADPermission |?{$_.ExtendedRights -like "Send-as" -and $_.User -NotMatch "(Self|SYSTEM|^S-1-5-)"} | %{$_.User.ToString()}) -join ","
		Owner = ($R | get-recipient).Manager
	}
}) | Select Name,Email,Owner,FullMBXPerm,SendAS,Last*

0
 

Author Comment

by:ARM2009
ID: 41798996
That provided the information....  thanks

Owner info comes as  - domain.com/People/HOU/MLC  (where MLC is the user name)
Permissions come as  - domain\LBV,domain\BBK,domain\EJQ,domain\SFV

Is it possible to convert them to email address or UPN in the same go? I can do it in a separate script... but if possible, do the conversion on the fly and display as email address.

Let me know or else I will accept the solution and close this. Appreciate the help.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41799468
Change line
Owner = ($R | get-recipient).Manager

To
Owner = (Get-Mailbox ($R | get-recipient).Manager ).PrimarySmtpAddress

0
 
LVL 40

Expert Comment

by:Subsun
ID: 41799482
This might run a little faster..
$RMailbox = Get-Recipient -RecipientTypeDetails Sharedmailbox -ResultSize Unlimited
$(Foreach ($R in $RMailbox){
$St = $R | Get-MailboxStatistics 
	New-Object PSObject -Property @{
		Name = $R.Name
		Email = $R.PrimarySmtpAddress
		LastLoggedOnUserAccount = $St.LastLoggedOnUserAccount
		LastLogonTime  = $St.LastLogonTime
		LastLogoffTime = $St.LastLogoffTime
		FullMBXPerm = ($R | Get-MailboxPermission |?{$_.AccessRights -like "Fullaccess" -and $_.User -NotMatch "(Self|SYSTEM|^S-1-5-)"} | %{$_.User.ToString()}) -join ","
		SendAs = ($R | Get-ADPermission |?{$_.ExtendedRights -like "Send-as" -and $_.User -NotMatch "(Self|SYSTEM|^S-1-5-)"} | %{$_.User.ToString()}) -join ","
		Owner = (Get-Mailbox $R.Manager).PrimarySmtpAddress
	}
}) | Select Name,Email,Owner,FullMBXPerm,SendAS,Last*

0
 

Author Comment

by:ARM2009
ID: 41800058
This one does not work...

I think since the manager info is more like the OU path.... it can't read that identity unless you parse it.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41800340
It does work for me in my lab.
Does this give a result?

(Get-Mailbox $(Get-Recipient UserA).Manager).PrimarySmtpAddress

0
 

Author Comment

by:ARM2009
ID: 41800468
yep that works on an individual acct :)
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41800486
OK.. I cannot think of any reason why it's failing for bulk users, as I am not able to reproduce the issue..
0
 

Author Comment

by:ARM2009
ID: 41800489
No worries. Thanks
0
 

Author Comment

by:ARM2009
ID: 41800510
This is how I am testing now...

Owner = (Get-Mailbox $(Get-Recipient $R).Manager).PrimarySmtpAddress
0
 

Author Comment

by:ARM2009
ID: 41800514
error as below

Cannot process argument transformation on parameter 'Identity'. Cannot convert the "AdobeWorkflow" value of type "Deserialized.Microsoft.Exchange.Data.Directory.Management.Mailbox" to type "Microsoft.Exchange.Configuration.Tasks.RecipientIdParameter".
    + CategoryInfo          : InvalidData: (:) [Get-Recipient], ParameterBindin...mationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Get-Recipient
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41800531
Owner = (Get-Mailbox $R.Manager).PrimarySmtpAddress

Owner = ($R.Manager | Get-Mailbox).PrimarySmtpAddress

Owner = (Get-Recipient $R.Manager).PrimarySmtpAddress

Owner = ($R.Manager | Get-Recipient).PrimarySmtpAddress

Owner = (Get-User $R.Manager).WindowsemailAddress

Owner = ($R.Manager | Get-User).WindowsemailAddress

All of these are working for me.. :-)
0
 

Author Comment

by:ARM2009
ID: 41804751
thanks....

this is what i get in the csv column for owner by using

Owner = (Get-Recipient $R.Manager -ResultSize Unlimited ).PrimarySmtpAddress

Owner
System.Object[]
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41804808
Try..
Owner = (Get-Recipient $R.Manager -ResultSize Unlimited ).PrimarySmtpAddress | Out-String

0
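
The thread's two open ends, owner and trustees shown as e-mail addresses in one pass and the `System.Object[]` CSV column, worked through as an added example that is not part of any post above. It assumes the Exchange Management Shell cmdlets used in the thread; `Resolve-Trustee`, `$skip`, `$isGrant`, the output file name and the `Deny`/`IsInherited` filters are choices of this example, not the posters'.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# Resolve-Trustee, $skip, $isGrant and the output path are assumptions of this example.
$skip = '(Self|SYSTEM|^S-1-5-)'   # same exclusions as the thread's scripts

function Resolve-Trustee {
    param([string]$Identity)
    if (-not $Identity) { return '' }
    # A trustee can be a mailbox user, a group or an orphaned account. Keep the
    # raw value when nothing resolves so the entry still shows up in the audit.
    $r = Get-Recipient -Identity $Identity -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if ($r -and $r.PrimarySmtpAddress) { "$($r.PrimarySmtpAddress)" } else { $Identity }
}

# Only explicit Allow entries count as per-mailbox grants: a Deny entry is not
# access, and inherited entries come from database- or organization-level ACLs.
$isGrant = { -not $_.Deny -and -not $_.IsInherited -and "$($_.User)" -notmatch $skip }

$report = foreach ($mbx in Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {
    $dn    = $mbx.DistinguishedName
    $stats = Get-MailboxStatistics -Identity $dn -WarningAction SilentlyContinue
    $full  = Get-MailboxPermission -Identity $dn |
        Where-Object { $_.AccessRights -like 'FullAccess' } | Where-Object $isGrant
    $send  = Get-ADPermission -Identity $dn |
        Where-Object { $_.ExtendedRights -like 'Send-As' } | Where-Object $isGrant
    $mgr   = (Get-Recipient -Identity $dn).Manager

    New-Object PSObject -Property @{
        Name        = $mbx.Name
        Email       = "$($mbx.PrimarySmtpAddress)"
        Owner       = Resolve-Trustee "$mgr"
        # -join flattens each list to one string, so Export-Csv never writes
        # "System.Object[]" into the column.
        FullAccess  = @($full | ForEach-Object { Resolve-Trustee "$($_.User)" }) -join ';'
        SendAs      = @($send | ForEach-Object { Resolve-Trustee "$($_.User)" }) -join ';'
        LastLogonBy = $stats.LastLoggedOnUserAccount
        LastLogon   = $stats.LastLogonTime
    }
}
$report | Select-Object Name, Email, Owner, FullAccess, SendAs, LastLogonBy, LastLogon |
    Export-Csv -Path .\SharedMailboxAccess.csv -NoTypeInformation
```

Trustees that come back unresolved (still in `domain\name` form) are typically security groups that are not mail-enabled or accounts without a mailbox, and are worth reviewing by hand.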


Question has a verified solution.
