
one liners: Finding Users Who Have Send-As or Full Access Permissions to Mailboxes

This comes up pretty often, especially around migrations and upgrades, or after some embarrassing incident. A manager wants a report of users who have send-as rights to other mailboxes. Fortunately, we can use PowerShell to do the heavy lifting:

Get-Mailbox -ResultSize Unlimited | Get-ADPermission | Where-Object {($_.ExtendedRights -like "*send-as*") -and -not ($_.User -like "nt authority\self")} | Format-Table Identity, User -auto

This gives us a nice list of those users. As we see, user msweet has send-as permissions to Timothy Gaines’ mailbox.

To find users who have Full Access to the mailbox of others, we can use:

Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Where-Object {($_.AccessRights -match "FullAccess") -and -not ($_.User -like "NT AUTHORITY\SELF")} | Format-Table Identity, User

And we see that the same msweet has full control to the mailbox of user Oz Fox.

In each example, we can replace Get-Mailbox -ResultSize Unlimited with a narrower scope, such as Get-Mailbox to look at specific accounts.

Note that in bigger environments, it can take quite a bit of time for this to run.
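
Added example, not part of the original post: a filter that merges both checks into one report and also skips inherited and Deny entries, which the one-liners above list alongside real grants. Select-DelegatedAccess is a hypothetical helper name and the sample entries are constructed; Identity, User, AccessRights, ExtendedRights, IsInherited and Deny are properties returned by Get-MailboxPermission and Get-ADPermission.

```powershell
# Added example (not from the original post). Select-DelegatedAccess is a hypothetical name.
function Select-DelegatedAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Entry
    )
    process {
        # Skip the owner's own entry, inherited ACEs and explicit Deny ACEs.
        if ("$($Entry.User)" -like 'NT AUTHORITY\SELF') { return }
        if ($Entry.IsInherited -or $Entry.Deny) { return }

        # Get-MailboxPermission exposes AccessRights; Get-ADPermission exposes ExtendedRights.
        $rights = @()
        if (@($Entry.AccessRights) -match 'FullAccess') { $rights += 'FullAccess' }
        if (@($Entry.ExtendedRights) -like '*send-as*') { $rights += 'Send-As' }

        foreach ($right in $rights) {
            [pscustomobject]@{
                Mailbox  = "$($Entry.Identity)"
                Delegate = "$($Entry.User)"
                Right    = $right
            }
        }
    }
}

# Constructed sample entries shaped like the cmdlets' output (all names are made up).
$sample = @(
    [pscustomobject]@{ Identity = 'corp.example/Users/Mailbox A'; User = 'NT AUTHORITY\SELF'
                       AccessRights = @('FullAccess'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'corp.example/Users/Mailbox A'; User = 'CORP\delegate1'
                       AccessRights = @('FullAccess'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'corp.example/Users/Mailbox A'; User = 'CORP\Exchange Admins'
                       AccessRights = @('FullAccess'); IsInherited = $true;  Deny = $false }
    [pscustomobject]@{ Identity = 'corp.example/Users/Mailbox B'; User = 'CORP\delegate1'
                       ExtendedRights = @('Send-As'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'corp.example/Users/Mailbox B'; User = 'CORP\delegate2'
                       ExtendedRights = @('Send-As'); IsInherited = $false; Deny = $true }
)
# Only the two explicit Allow entries for CORP\delegate1 survive the filter.
$sample | Select-DelegatedAccess | Sort-Object Delegate, Mailbox | Format-Table -AutoSize

# In the Exchange Management Shell, feed both sources into one CSV report:
# $mbx = Get-Mailbox -ResultSize Unlimited
# @($mbx | Get-MailboxPermission) + @($mbx | Get-ADPermission) |
#     Select-DelegatedAccess | Export-Csv .\delegated-access.csv -NoTypeInformation
```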

  1. bobo
    February 10th, 2012 at 10:41 | #1

    This is awesome. Thank you! But is there a way to filter out the actual user as having send-as rights to their own mailbox? I have an environment with 1800 mailboxes… don’t need to see that each user has send-as rights to their own mailbox. I thought it was to filter out nt authority\self but that isn’t it.

  2. April 14th, 2014 at 08:39 | #2

    Looks good Pat. For our environment, we have some users who have access other than ‘FullAccess’, and we also weren’t interested in reporting inherited permissions on each mailbox (as this could be viewed easily for all). The following ‘1 liner’ did the job for us:

    Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,Accessrights

  3. Michae M.
    June 16th, 2014 at 12:35 | #3

    To filter out the send-as to the user's own mailbox, change $_.User to $_.Trustee. The code shown is incorrect.

  4. Henning Ervik
    February 20th, 2015 at 16:01 | #4

    For outputting actual names, try this one: ( Get-MailboxPermission mailboxname | where { ($_.AccessRights -like "*FullAccess*") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") } ) | % { (Get-User $_.user.tostring()).name }

    also note the following interesting alternatives to .name at the end:
    UserPrincipalName (for upn ie. user@domain.local)
    DistinguishedName (for standard distinguishedname, ie: CN=User Name,OU=Users,DC=corp,dc=local)
    Identity.tostring() (for “folder” format like corp.local/Users/User name)

    Pick your poison 🙂

    • Pat Richard
      February 20th, 2015 at 16:33 | #5

      Thanks. I actually need to update that post as using PowerShell aliases in public works isn’t recommended. 🙁

  5. Henning Ervik
    February 20th, 2015 at 17:57 | #6

    Yeah sorry I tend to do that (particularly on one-liners). Thanks for pointing it out.

    '( Get-MailboxPermission mailboxname | where { ($_.AccessRights -like "*FullAccess*") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") } ) | % { (Get-User $_.user.tostring()).name }' -replace '%','Foreach-Object' -replace 'Where', 'Where-Object'

    It should probably also be noted that the original post is a much better alternative for large-scale searches as the extra Foreach-Object with Get-User on each of the objects would probably take quite a bit of extra resources. (I’m too lazy to do the measuring right now).

    My requirement was a report for a particular mailbox, and the report is presented to non-technical users who tend to understand actual people's names better than user-names/samaccountnames, so for single mailboxes or smaller sets it might be useful for others too I suppose.
