Pau Lo

mailbox permissions mystery exchange.

I am doing some analysis of shared mailboxes and I am getting confused how some mailboxes are being monitored/accessed, if at all, due to who has access to them, or the lack of people who have access to them should I say.

For example, I ran this query to get a list of mailbox permissions:

Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv

which works great, and gives me who has full control, sendas etc. to all mailboxes. However, on a couple there is literally nobody bar a standard Exchange admin account with access. So I cannot see how anyone is monitoring these mailboxes. So my query is: is this command giving me a true picture of who can access the mailbox, or are there alternative ways of granting access to a mailbox that the output of this command does not reveal? The server is Exchange 2010.
ASKER CERTIFIED SOLUTION
Andy M
timgreen7077

That is the correct command to view who has full access to mailboxes, so if you are not seeing any user there then it's possible that there are no users assigned full access. It's also possible that the mailbox is now orphaned and the users with access have been removed, but the cmdlets you ran are the correct cmdlets.
Pau Lo

ASKER

It's one which receives contact-us type form submissions from an intranet page. I did see there's a Get-MailboxFolderPermission command too and wondered if they'd only be assigned, say, the Inbox rather than full access, or maybe a forward rule. Seems bizarre but not unsurprising!

Or is Get-MailboxPermission sufficient, with no need to dig deeper into Get-MailboxFolderPermission?

MailboxFolderPermissions will only be assigned to specific folders in the mailbox and will not provide full access to the entire mailbox. Also, that will not show when you run your Get-MailboxPermission cmdlets. The MailboxFolderPermissions are normally set in Outlook via the delegates even though they can also be set via PowerShell, but again this will permission folders and not the entire mailbox and will not show in the Get-MailboxPermission cmdlets.
Pau Lo

ASKER

OK thanks, one avenue to explore then. Out of interest, why does a user need full access on a shared mailbox, or phrased another way, what limitations or problems could there be in only granting MailboxFolderPermissions to, say, the Inbox?

A user is granted full access to a shared mailbox normally so that they can fully manage the mailbox, create folders, move mail around and so forth. It allows for collaboration between other users that also have full access to that mailbox. In regards to MailboxFolderPermissions, it's more granular and more tedious to manage because you will have to grant permissions not only to the specific folder, but if it's a subfolder you will have to grant permissions to the top-level folders also, so it becomes a task to manage.
Pau Lo

ASKER

Out of interest, if you show as full access in Get-MailboxPermission, would the same user/group show on the Get-MailboxFolderPermission command on, say, the Inbox, or does the Get-MailboxFolderPermission command only show those specifically added to only that folder's ACL?

It will show on the folders.
Pau Lo

ASKER

>The MailboxFolderPermissions are normally set in outlook via the delegates

Is this the same as in Outlook 2010 > Folder tab > Folder Permissions? I couldn't find anything specifically called delegates anywhere obvious.

I was also interested whether the only users who could grant the folder-level permissions via Folder tab > Folder Permissions in Outlook are those with full access anyway? Presumably that is the case?

The delegate option in Outlook is set under the following:
File > Account Settings > Delegate Access

Also, you mentioned the folder permissions tab; yes, you can also set folder-level permissions there.

Yes, only users with full access can set folder permissions in Outlook.
Pau Lo

ASKER

Sorry to be a pain, but it appears there are 2 ways of setting folder-level permissions in Outlook. Can I assume Get-MailboxFolderPermission results will report on all regardless of which way they were set?

That is correct.
Pau Lo

ASKER

Turned out the mail had autoforward to another address set.
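
The access paths raised in this thread (mailbox-level permissions, Inbox folder permissions, and forwarding) can be checked together for one mailbox. The script below is an added example, not code from any poster in the thread; the alias `contact-us`, the function names and the output file name are assumptions, and it expects the Exchange Management Shell.

```powershell
# Added example for the Exchange Management Shell (Exchange 2010, PowerShell 2.0).
# Assumptions: 'contact-us' is a hypothetical alias; the folder is named "Inbox"
# (folder names are localized, so adjust for non-English mailboxes).
function New-AccessRecord($Path, $Who, $Detail) {
    New-Object PSObject -Property @{ Path = $Path; Who = "$Who"; Detail = "$Detail" }
}

function Get-MailboxAccessPath {
    param([Parameter(Mandatory = $true)][string]$Mailbox)
    $mbx = Get-Mailbox -Identity $Mailbox

    # 1. Explicit mailbox-level rights, same filter as the query in the question
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { $_.User.ToString() -ne 'NT AUTHORITY\SELF' -and -not $_.IsInherited } |
        ForEach-Object { New-AccessRecord 'MailboxPermission' $_.User ($_.AccessRights -join ', ') }

    # 2. Folder-level rights on the Inbox, skipping entries whose only right is None
    Get-MailboxFolderPermission -Identity "$($mbx.Alias):\Inbox" |
        Where-Object { ($_.AccessRights -join ',') -ne 'None' } |
        ForEach-Object { New-AccessRecord 'InboxFolderPermission' $_.User ($_.AccessRights -join ', ') }

    # 3. Forwarding configured on the mailbox object itself
    if ($mbx.ForwardingAddress) {
        New-AccessRecord 'MailboxForwarding' $mbx.ForwardingAddress "KeepsLocalCopy=$($mbx.DeliverToMailboxAndForward)"
    }

    # 4. Inbox rules that forward or redirect mail
    Get-InboxRule -Mailbox $mbx.Identity |
        Where-Object { $_.ForwardTo -or $_.RedirectTo -or $_.ForwardAsAttachmentTo } |
        ForEach-Object {
            $rule = $_
            $targets = @($rule.ForwardTo) + @($rule.RedirectTo) + @($rule.ForwardAsAttachmentTo) |
                Where-Object { $_ }
            New-AccessRecord 'InboxRule' ($targets -join '; ') "Rule='$($rule.Name)' Enabled=$($rule.Enabled)"
        }
}

# One CSV row per way mail in this mailbox can be read or leave it
Get-MailboxAccessPath -Mailbox 'contact-us' |
    Select-Object Path, Who, Detail |
    Export-Csv -NoTypeInformation mailboxaccess.csv
```

A mailbox with no rows under `MailboxPermission` but a row under `MailboxForwarding` or `InboxRule` matches the outcome reported at the end of this thread.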