While preparing for an Exchange Server 2007 to 2010 migration I needed to work out which users had been granted access to other mailboxes. This applied both to shared mailboxes (e.g. a Help Desk) and to individual mailbox access (e.g. a personal assistant with access to the CEO’s mailbox).

Exchange 2007/2010 provide the Get-MailboxPermission cmdlet that can be used to query the permissions on a mailbox. For example:

Get-MailboxPermission helpdesk

Identity             User                 AccessRights        IsInherited Deny
--------             ----                 ------------        ----------- ----
exchangeserverpro... NT AUTHORITY\SELF    {FullAccess, Rea... False       False
exchangeserverpro... ESPNET\Alex.Heyne    {FullAccess}        False       False
exchangeserverpro... ESPNET\Debbie.Lisa   {FullAccess}        False       False
exchangeserverpro... ESPNET\Kevin.Douglas {FullAccess}        False       False

To get the same information about all of the mailboxes in the environment we could run this command.

Get-Mailbox | Get-MailboxPermission

Identity             User                 AccessRights        IsInherited Deny
--------             ----                 ------------        ----------- ----
exchangeserverpro... NT AUTHORITY\SELF    {FullAccess, Rea... False       False
exchangeserverpro... ESPNET\BR-EX2007-MB$ {ReadPermission}    True        False
exchangeserverpro... ESPNET\Exchange S... {FullAccess}        True        True
exchangeserverpro... ESPNET\Domain Admins {FullAccess}        True        True
exchangeserverpro... ESPNET\Enterprise... {FullAccess}        True        True
exchangeserverpro... ESPNET\Exchange O... {FullAccess}        True        True
exchangeserverpro... ESPNET\administrator {FullAccess}        True        True
exchangeserverpro... ESPNET\Exchange S... {FullAccess}        True        False
exchangeserverpro... ESPNET\Exchange P... {ReadPermission}    True        False
exchangeserverpro... NT AUTHORITY\NETW... {ReadPermission}    True        False
exchangeserverpro... ESPNET\Exchange S... {ReadPermission}    True        False
exchangeserverpro... ESPNET\Exchange V... {ReadPermission}    True        False
exchangeserverpro... ESPNET\Exchange O... {FullAccess, Del... True        False
exchangeserverpro... ESPNET\administrator {FullAccess, Del... True        False
exchangeserverpro... ESPNET\Enterprise... {FullAccess, Del... True        False
exchangeserverpro... ESPNET\Domain Admins {FullAccess, Del... True        False
.....

The problem with that is it gives us more information than we really need, with a lot of SELF permissions and inherited permissions that aren’t relevant to the task we’re trying to accomplish.

You could export the output to CSV and manipulate it using Excel to get just the permissions information you want, but another method is to filter the PowerShell output.

For example, to filter out all of the SELF permissions and the inherited permissions we can run this command.

Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false}

That gives us a much smaller output that is more useful.

Identity             User                 AccessRights        IsInherited Deny
--------             ----                 ------------        ----------- ----
exchangeserverpro... ESPNET\Alannah.Shaw  {FullAccess}        False       False
exchangeserverpro... ESPNET\Payroll Team  {FullAccess}        False       False
exchangeserverpro... ESPNET\Alex.Heyne    {FullAccess}        False       False
exchangeserverpro... ESPNET\Debbie.Lisa   {FullAccess}        False       False
exchangeserverpro... ESPNET\Kevin.Douglas {FullAccess}        False       False

The Identity field contains long strings because it includes the full directory path to the mailbox user, so it may get truncated on your screen. In that case you could export the output to a CSV file.

Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Export-Csv -NoTypeInformation mailboxpermissions.csv

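The trouble you may notice with that is that the access rights do not appear correctly in the output CSV file. AccessRights is a multi-valued property, so Export-Csv writes the name of the array type instead of the rights it contains.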

AccessRights,Deny,InheritanceType,User,Identity,IsInherited,IsValid,ObjectState
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[],False,All,ESPNET\Alannah.Shaw,"exchangeserverpro.net/Company/Head Office/Users/Mark.Patel",False,True,Unchanged
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[],False,All,"ESPNET\Payroll Team","exchangeserverpro.net/Company/Head Office/Users/Payroll",False,True,Unchanged
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[],False,All,ESPNET\Alex.Heyne,"exchangeserverpro.net/Users/Help Desk",False,True,Unchanged
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[],False,All,ESPNET\Debbie.Lisa,"exchangeserverpro.net/Users/Help Desk",False,True,Unchanged
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[],False,All,ESPNET\Kevin.Douglas,"exchangeserverpro.net/Users/Help Desk",False,True,Unchanged

So to fix that we need to use a slightly different command. This single-line command will export to CSV a list of any mailboxes where other users have permissions to access them, and will also list what level of access those users have.

Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv
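
The filter-and-flatten step of the one-liner above, written as a reusable function and extended with a per-delegate summary, which goes slightly beyond the article. This is an added example, not the author's code: the function names are hypothetical, the sample permission entries are constructed (they reuse names from the output shown earlier), and `@(...) -join` is used in place of `[string]::join` so that an ArrayList value is flattened as well as an array.

```powershell
# Added example, not the article's code. Function names are hypothetical.
# Written to run on PowerShell 2.0 and later (no [pscustomobject]).

function ConvertTo-MailboxAccessReport {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Permission
    )
    process {
        # Same filter as the article: skip the owner's own entry and inherited entries.
        if ($Permission.User.ToString() -eq 'NT AUTHORITY\SELF') { return }
        if ($Permission.IsInherited) { return }

        $row = New-Object PSObject -Property @{
            Identity        = $Permission.Identity.ToString()
            User            = $Permission.User.ToString()
            # @() unrolls an array or an ArrayList alike before joining.
            'Access Rights' = @($Permission.AccessRights) -join ', '
            # Kept in the report so an explicit deny is not read as a grant.
            Deny            = [bool]$Permission.Deny
        }
        $row | Select-Object Identity, User, 'Access Rights', Deny
    }
}

function Get-DelegateSummary {
    # One row per account: how many mailboxes it can open, and which ones.
    param([object[]]$Report)
    $Report | Group-Object User | ForEach-Object {
        $group  = $_
        $grants = @($group.Group | Where-Object { -not $_.Deny })
        New-Object PSObject -Property @{
            User      = $group.Name
            Count     = $grants.Count
            Mailboxes = @($grants | ForEach-Object { $_.Identity }) -join '; '
        } | Select-Object User, Count, Mailboxes
    }
}

# --- Constructed sample input, shaped like Get-MailboxPermission output ---
function New-SamplePermission {
    param($Identity, $User, $AccessRights, [bool]$IsInherited = $false, [bool]$Deny = $false)
    New-Object PSObject -Property @{
        Identity = $Identity; User = $User; AccessRights = $AccessRights
        IsInherited = $IsInherited; Deny = $Deny
    }
}

# A multi-valued property held in an ArrayList rather than an array.
$listRights = New-Object System.Collections.ArrayList
$listRights.AddRange(@('FullAccess', 'DeleteItem'))

$helpDesk = 'exchangeserverpro.net/Users/Help Desk'
$payroll  = 'exchangeserverpro.net/Company/Head Office/Users/Payroll'

$sample = @(
    (New-SamplePermission $helpDesk 'NT AUTHORITY\SELF'    @('FullAccess', 'ReadPermission'))
    (New-SamplePermission $helpDesk 'ESPNET\Domain Admins' @('FullAccess') $true $true)
    (New-SamplePermission $helpDesk 'ESPNET\Alex.Heyne'    @('FullAccess'))
    (New-SamplePermission $helpDesk 'ESPNET\Debbie.Lisa'   $listRights)
    (New-SamplePermission $payroll  'ESPNET\Alex.Heyne'    @('FullAccess'))
)

$report = @($sample | ConvertTo-MailboxAccessReport)
$report | Format-Table -AutoSize
Get-DelegateSummary $report | Format-Table -AutoSize

# Against a live organization, using the cmdlets from the article:
# Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission |
#     ConvertTo-MailboxAccessReport |
#     Export-Csv -NoTypeInformation mailboxpermissions.csv
```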

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Justin

    Hi Team and Paul,

    Sorry to be late to the party but can I please ask if there is a way to export all mailboxes that multiple users have access to?

    We have Exchange 2013 and I try to run some script but it’s not giving me the specific mailbox and number of users who have access to it. These are not shared mailboxes, hence the question before migration.

    Thanks in advance

  2. steve king

    juuuuuust need a script to import these permissions when forced to do a migration by pst 🙁 don’t ask, it won’t be a pretty response.

    If anyone could point me in a rough direction, that would be great. Sadly no budget for 3rd party tools costing around 60k 🙁

  3. Ron Steurer

    I am beginning a migration for a customer and was looking for something just like this so that I could migrate users to Exchange Online in “batched groups” according to their mailbox permissions to not break the mailbox permissions when/if migrated at different times. This gave me a great and clean readable format after changing to an excel file to boot! Thank you again for your great contributions to the Exchange community Paul!

    If you are ever in Nashville, let me buy you a pint!

    -Ron

  4. mirko

    And if I also want to get the last logon of these mailboxes?

    For example:

    identity – last logon – user – accessrights

    And if a group has full access, and I also want to get the user members?

  5. mirko

    How Can I combine these output :

    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails SharedMailbox | Get-MailboxStatistics | Select Displayname, LastLogonTime

    Get-mailboxpermission $Mailbox | where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false} | Select Identity, User, AccessRights | export-csv -delimiter “;” -path c:\temp\list.csv -notype
    }

    and if I want have also display name and upn of the members of the groups with full access ?

    thank you

  6. Amin

    Hi Paul,

    Love reading your Exchange blogs and always find them useful.

    I keep running into the following error when trying to run your PS command (and I run into this quite often when running other complex commands in ExchPS)

    Sending data to a remote command failed with the following error message: The WinRM client sent a request to the remote WS-Management service and was notified that the request size exceeded the configured MaxEnvelopeSize quota. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo : OperationStopped: (System.Manageme…pressionSyncJob:PSInvokeExpressionSyncJob) [], PSRemotingTransportException
    + FullyQualifiedErrorId : JobFailure

    I can’t, for the life of me, figure out where to increase this MaxEnvelopeSize quota.

    Thanks, in advance.

  7. Michael Niccum

    I took Matthew’s script and converted it to read users from a csv and report on which shared mailboxes they have access to:

    $users = get-content “usernames.csv”
    foreach ($user in $users) {
    Get-Mailbox -ResultSize Unlimited –Recipienttypedetails SharedMailbox | %{Get-MailboxPermission $_.Name -user $user | Select User,Identity,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv C:\MailboxAccess.csv -NoTypeInformation -Append; Get-ADPermission $_.Name -user $user | Select User,Identity,@{Name=’Access Rights’;Expression={[String]$_.ExtendedRights}} | Export-Csv c:\MailboxAccess.csv -NoTypeInformation -Append}
    }

  8. mahdis khaledi

    Hi Paul. I am one of the fans of your Pluralsight courses. Thanks a lot!
    If we have a special user in O365, how can I, as an admin, find out which mailboxes he has access to?

  9. William

    If you have multiple forests and/or domains, don’t forget this command first:

    Set-ADServerSettings -ViewEntireForest $true

    You will know you need this command if you only get output that is on the email server domain when you are expecting results from other domains.

  10. Kiran Gandhi

    I need to list mailboxes with Extended Rights ‘Send As’ permissions.
    I tried following but it did not succeed. Any help will be highly appreciated !

    Get-Mailbox -ResultSize Unlimited | Get-ADPermission | Where-Object {($_.ExtendedRights -like “*send-as*”) -and -not ($_.User -like “nt authority\self”)} | Format-Table Identity,User,ExtendedRights -wrap -AutoSize | Out-File -Encoding utf8 -FilePath c:\temp\SP.csv

    Thanks

  11. Mubasheruddin

    Dear, can you pls. give me command to get the list of mailbox users reaching limit exported in csv file

  12. Sven

    Hi Paul
    I found the same approach again and again and finally found out: it works, but for me only in an EMS on an Exchange server. When I use the same script on another server using a PowerShell remote connection over HTTPS I get only “System.Collections.Arraylist”. Do you know why?
    Thanks and best regards, Sven

  13. Charlie Lochbaum

    Ok, one more. I am trying to find all “shared” mailboxes in an OU. I find all of the accounts, but am having trouble with my code to find the shared ones only.

    Has anyone else done this one?

    Thank you all!!!!!

    1. Jim Blunt

      Get-Mailbox -OrganizationalUnit “Subdomain.domain.com/ThisOU/SubOU” -RecipientTypeDetails SharedMailbox -ResultSize Unlimited

      This will get all Shared Mailboxes in the OU specified, then recurse through any sub-OUs and select them as well.

  14. Charlie Lochbaum

    I am looking to see how to modify the PowerShell script to look only within an Active Directory OU in order to see permissions on only those user’s mailboxes. This is my first PowerShell project.

    1. Jim Blunt

      Charlie…very simple.

      “Get-Mailbox -OrganizationalUnit “OU=THIS,OU=THAT,OU=THeOtherThing,DC=YourDomain,DC=com” | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false}”

      If that doesn’t work, then add the -Recurse switch behind the OU information, before you pipe it to the Get-MailboxPermission command.

      1. Jim Blunt

        You might have to change it a little, depending on how many mailboxes are in the OU.

        I would probably do this, just to be safe:

        Get-Mailbox -OrganizationalUnit “OU=THIS,OU=THAT,OU=THeOtherThing,DC=YourDomain,DC=com” -ResultSize Unlimited | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false}

      2. Charlie Lochbaum

        Hey, this is great! Making progress. I only get two of the 5 accounts in the OU. I am now looking to show the mailboxes that are shared within that OU.

        -Recurse did not work.

        Thank you all! This is a great site!

  15. Giannis

    You are amazing!!!
    You saved me so much time!!!

    Thank you!

  16. Mike

    Thanks!

    I appreciate your work, very useful.

  17. Santosh

    How can we get the user data without the domain. Ex- Just “Alex.Hyne” and not “ESPNET\Alex.Hyne”

  18. DESJP

    I execute :
    Get-Mailbox -ResultSize Unlimited -OrganizationalUnit “OU” | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false} | Select Identity,User,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv

    but I get an error:
    L’envoi de données à une commande distante a échoué avec le message d’erreur suivant : La totalité des données reçues de la part du client distant a dépassé le maximum autorisé. Le maximum autorisé est de 524288000. Pour plus d’informations, voir la rubrique d’aide about_Remote_Troubleshooting.
    + CategoryInfo : OperationStopped: (System.Manageme…pressionSyncJob:PSInvokeExpressionSyncJob) [], PSRemotingTransportException
    + FullyQualifiedErrorId : JobFailure

  19. Wilson Rodriguez

    Hello Paul,

    Please, I need your help as soon as possible. I need a script or any help that helps me to find out or get a list of USERS without NT AUTHORITY\SELF; all the scripts that I found haven’t helped me at all. Please, I need your help, I need to present to my supervisor and I couldn’t find out how to do it.
    I’ll be waiting for your kind comments.
    Thank you

    Wilson, Ecuador

  20. jeremy

    HELLO

    I am in a similar boat as Rob above and would like to find out what mailboxes have no other access.

    thank you

  21. Adrien

    Thanks a lot man.

    I appreciate your work, it is really useful :).

  22. Rob

    Hi Paul!

    Love the site, keep up the good work!

    I was just wondering if you happen to have something that does the exact opposite of this. I would like to find all of my users that do NOT have access to other mailboxes.

    A little background…we are hybrid and there is a big push for going to EXO. However this place uses so many shared mailboxes it’s insane and borderline obscene. Due to all the limitations with cross premises permissions, what we call “single instance mailbox users” are our prime candidates to move to EXO.

    Thanks!

  23. Jonathan Margulies

    Question: Is there a way to flip this around and find out all the other user’s folders (e.g., Calendar, Contacts, etc. but not full mailbox access.) a given user has access to? To keep it simple, assume that none of the default folder names have been changed.

    Thanks.

  24. Jim Blunt

    Paul,

    In your first example to filter out the SELF permissions, you need to correct the script a little. Instead of:
    “Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITYSELF” -and $_.IsInherited -eq $false}”

    It should be:
    “Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false}”

    LOVE your site Paul!! Keep up the great work!

  25. Greg

    Thank you soooo much you saved me a ton of time

  26. Abheek

    Hi Paul, Thanks for the script. It works great. However I have a requirement to sort Identities by Country/Usage Location.
    When I run the below command UsageLocation comes as blank in the csv. Am I doing something wrong?
    Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false} | Select Identity,UsageLocation,User,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv

      1. akshay

        Hello Paul,

        I need a PowerShell script where we can get only active user mailboxes with their license assigned.

  27. Tyler

    Glad to see this post is still getting questions! Is there a way to return only groups and not users? I was thinking there might be a where command that filters out if the user type was “group” rather than a user. Any help would be appreciated!

    Thanks

      1. Tyler

        Thanks! Can you point me in the right direction to do that?

        1. Tyler

          When I search tools to determine if the user is a group, most if not all of the results pertain to checking whether a user is in a group, not if a user is a group

  28. Liam Evans

    Hi Paul, I need to filter another user in my organisation (NT AUTHORITY\SELF and domain\administrator) how do I apply this to the filter “where {$_.user.tostring() -ne “NT AUTHORITY\SELF””?

  29. victor bassey

    In addition, the script does show distribution groups that have full access to another mailbox. Can I get the script to also list members of the DGs? The script is not picking up users that have access to a mailbox if they are part of a DG.

    before I forget, thanks always for your wonderful insight and help Paul.

  30. victor bassey

    We are preparing for office 365 migration. We have a lot of user dependencies on shared mailbox. I was hoping there was a way to list all users that do not have access to any other mailboxes but their own. This way we can migrate those users first without needing to worry about access to shared mailboxes. Any tips would be much appreciated

  31. Dan

    Hi Paul

    Do you have a similar one-liner or script that pulls out Send-As permissions and Send on Behalf? This one works a treat for getting AccessRights, so just wondered 🙂

    Cheers!
    Dan

      1. sam

        Hi Paul
        How can I find out the list of all users that have access to other mailboxes in the organization?

  32. Anderson

    We are preparing for a domain migration and was hoping there was a way to list all users that do not have access to any other mailboxes but their own. This way we can migrate those users first without needing to worry about access to shared mailboxes. Any tips would be much appreciated!

  33. peter

    Hi Paul
    Really need some help 🙂
    I have these two commands (source imported from a CSV-file):

    $UserFull = Get-MailboxPermission -Identity $_.EmailAddress | where {($_.IsInherited -eq $false) -and ($_.user.tostring() -notlike “S-1-*”) -and -not ($_.User -like “NT AUTHORITY\SELF”)} | Select User

    # Find the email address of the users with full Access Rights
    $UserFull | ForEach-Object { Get-User -Identity $_.User.tostring() | where {$_.SamAccountName -notlike “mailexport*”} | select WindowsEmailAddress}

    Result is this:
    WindowsEmailAddress

    testbruger1@n00bs.dk
    testbruger4@n00b.dk
    testbruger3@n00b.dk

    (The result shows that several users have Full Mailbox Rights on the same (Source) User mailbox)

    BUT, I really need it to give me the output in one single line (row), like this:
    WindowsEmailAddress
    testbruger1@n00bs.dk, testbruger4@n00b.dk, testbruger3@n00b.dk

    Separated by “Commas” instead and then exported to a CSV-File to import in Office365
    How on earth do I do that ?

    Please help/advise

    Best regards
    Peter

  34. Jim

    Thanks Paul this is a great thread with a ton of useful info. Funny how this is still active after all these years.

    If you are in a large org or have performance issues this is a good post.

    http://www.msexchange.org/kbase/ExchangeServerTips/ExchangeServer2010/Powershell/CheckFullAccesspermissionstoothermailboxes.html

    Of course here is Tony’s post on a bug in the hold process in older versions of Exchange 2013 prior to CU7 and reporting on delegate access.

    https://thoughtsofanidlemind.com/2014/09/05/reporting-delegate-access-to-exchange-mailboxes/

    Which dovetails nicely into the post Tony cites

    http://en.get-mailbox.org/using-powershell-background-jobs-can-help-you-speed-up-exchange-tasks-part-1/

    Dmitry, there are a number of examples of that earlier on in this post. You could limit by database or server. These are both good ways to constrain this. Also RecipientType is another fine way to constrain the search if you are looking only for shared mailboxes etc.

    Thanks again Paul

  35. Dmitry

    Hi All,

    Great article! Just wanted to know what is the right way to limit getting information by specific object unit and not to look for all mailboxes?

  36. Peter

    Great Tip, exactly what I needed for THE overview of all SendAs and FullAccess rights on our +/- 60 mailboxes 😀 So a big thanks for all the effort putting this here 🙂

  37. Arron

    Great Tip, exactly what I needed today for our upcoming mail migration!

  38. Craig

    Thank you, this was very useful.

  39. jan blaha

    Hi, what is wrong in my script? I need view all mailboxes and export where has full access another other without AUTHORITYSELF and XXXADMINISTRATOR. And how to export to HTML file? CSV is hard to read. Thank you.

    Get-Module -ListAvailable | Where-Object {$_.Path -like “$PSHOME*”} | Import-Module
    Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITYSELF” -and -ne “XXXADMINISTRATOR” -and $_.IsInherited -eq $false} | Select Identity,User,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv -NoTypeInformation J:ExchangeScriptsMailbox.csv

    1. Jim Blunt

      There is no backslash, between AUTHORITY and SELF.

  40. Hisham Mezher

    Dear Paul,

    Thank you for the article, this is of great value to us as all your scripts, articles and books.

    I kindly ask you help for the below:
    I have a shared mailbox that I need to give access to 5 users. my question is that how can I configure outlook 2010 allowing those 5 users to see all inbox and sub folders and allow them to send and receive emails?

    And another question is how to make just one user of those to prevent him from creating new folders under inbox, this user has a weird folder naming thinking, he always creates sub folders with unethical names.

    waiting for your reply
    Regards;

  41. putra

    Hi Paul,

    I have a question: could you give me a way to check calendar sharing on a user mailbox? For example, I want to know who user1 is sharing their calendar with.

  42. David Alford

    Just what I needed in one well written blog post.

    You Sir are Awesome,

  43. Prem

    Get-Mailbox alias | Get-MailboxPermission | ft @{n=”User”;e={(get-user $_.user).Displayname}},AccessRights,IsInherited -AutoSize

  44. Steve Rackham

    Changed the join section and it worked 😉
    See below. Thanks for the great oneliner.

    Get-Mailbox -ResultSize unlimited `
    | Get-MailboxPermission `
    | Where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false} `
    | Select Identity,User,@{Name=’Access Rights’;Expression={($_.AccessRights -join ‘,’)}} `
    | Export-Csv -NoTypeInformation c:svcmailboxpermissions.csv

  45. Steve Rackham

    Hi Guys,
    When running the script I get System.Collections.ArrayList for the Access Rights column.
    What have I missed? Exchange 2010 backend with Exchange 2013 Hybrid server.

    1. Massimo

      I think this one is simpler:
      get-mailbox | get-mailboxpermission -User $Username | select identity

  46. Abhineet Thakur

    Powershell Command to find out username who had accessed my mailbox earlier.

    Thanks in advance

  47. jonbar

    Thanks for the article and there is some good information on getting mailbox permissions for a site. I was looking for a way to hone this in slightly. We are a multi-site organization with many shared mailboxes. Over time the access to these mailboxes have expanded beyond their original intent. I am trying to reel that in now for our own office. There are maybe 100 or so group shared mailboxes. There is one distinction leading all the shared mailboxes that would differentiate them from the other offices and general mailboxes. Each of them have three letters at the beginning that notates our office. How can I adjust this to be able to get the permission for each mailbox within exchange that have these three letters at the start of the alias?

  48. Dale

    Great script worked perfectly, Thanks so much for sharing.

  49. Navneet

    What would be the command if I want to look for a specific mailbox server, like
    Chlte306

    And also suggest what white space i need to remove..and how ?

  50. Navneet

    thanks paul,
    just want to let you know, I am getting the below error when running the command that you suggested

    Get-Mailbox -resultsize unlimited | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false} | Select Identity,User,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions1.csv

    Error
    WARNING: The object domain/Services/CAM/Retired/xxxjnsb has been corrupted, and it’s in
    an inconsistent state. The following validation errors happened:
    WARNING: The property value is invalid. The value can’t contain leading or trailing whitespace.

    Please suggest

    When I run the command without resultsize unlimited, I am getting the report perfectly but only up to 100 users.

      1. Navneet

        Hello Paul.

        I ran the below one and it succeeded as required. Thank you so much.

        Get-Mailbox -server chlte306 -resultsize unlimited | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false} | Select Identity,User,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv

  51. Mathew

    Hi Paul,
    I was hoping you can assist with modifying the script to obtain the following data in the output file.

    * Username (for both users)
    * Level of Access
    * Display Name (for both users)
    * AD Description (for both users)

    Your assistance would be greatly appreciated.
    Many thanks again for all of your helpful posts.

    1. Mathew

      Sorry Paul, probably should have provided more info than that. Using Exchange 2010 (I think EMS v2.0), I have been asked to export both Full and Send As permissions for all users in the domain and export to a single CSV to list:
      * Username (for both users)
      * Level of Access
      * Display Name (for both users)
      * AD Description (for both users)

      So far I have got the following script but it is failing miserably. Also having issues combining the Full and Send As due to the append parameter not working in earlier versions of shell. I’m not a pro at shell hence the mess below.

      Get-Mailbox -ResultSize Unlimited –Recipienttypedetails UserMailbox | %{Get-MailboxPermission $_.Name | Where {$_.user -notlike “NT AUTHORITYSELF” -and $_.IsInherited -eq $false} | Select Identity,User,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv D:tempMailboxAccess.csv -NoTypeInformation -Append; Get-ADPermission $_.Name | Where {$_.user -notlike “NT AUTHORITYSELF” -and $_.IsInherited -eq $false -and $_.ExtendedRights -like “Send-As”} | Select Identity,User,@{Name=’Access Rights’;Expression={[String]$_.ExtendedRights}} | Export-Csv D:tempMailboxAccess.csv -NoTypeInformation -Append}

      1. Avatar photo

        That’s not a script, that’s a one-liner that is impossible to read and understand. I really recommend you tackle this with more of a “clean code” approach and try to write a nice, tidy script that is easier for you to read and debug.

        Think about yourself 6 months from now trying to understand what that code does. Think about the next person who needs to run your script and tries to understand what it does. Make it clean and readable.

        And here’s a tip for combining information from multiple cmdlets:
        https://www.practical365.com/using-powershell-custom-objects-exchange-server-reporting-scripts/

        1. Mathew

          Thanks Paul, I appreciate your response. I’m a bit of a novice so I will read up on it, learn how to do it properly and get it cleaned up 🙂

          1. MAthew

            Hello Paul, took me a while but…FINISHED !!! Thought I would post in case someone else finds it useful. It could probably do with a clean-up but it does the job for now (had to be completed before end of year). Please share your thoughts….

            This pulls out
            For Mailbox User:
            Displayname ; Alias ; AD Description

            For user who has the access:
            Displayname ; Alias ; AD Description ; Access Rights (Send As / Full Access)

            Code removed: please don’t post scripts or large code samples into the comments, it breaks the layout of the page. Host your scripts on Github or another repository.

  52. Ned Bellavance

    I was trying to run this from a remote PowerShell session, and the last portion @{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} is not resolving correctly. Instead of dumping out the Access Rights list, it instead has the value System.Collections.ArrayList. I think the problem is that the remote PowerShell session does not have access to all the Exchange dlls and system types, so Exchange is rendering the data remotely. I changed the line to @{Name=’Access Rights’;Expression={$_.AccessRights[0]}} and it produces the correct output.

    1. Dontribi

      It is usually problematic based on the version of powershell you are using. If you adjust the join command to: {[string]::join(‘, ‘,@($_.AccessRights))}} it should work.

      1. DanC

        That was it! THANK YOU!

  53. Dennis

    Paul,

    as usual – excellent tip! This fixed it for me. I granted an executive assistant full access permissions to the CEOs mailbox and days later added the mailbox to her Outlook profile. This must have messed up the rights under the hood of Exchange. I ran the Get-MailboxDatabase | Remove-ADPermission -User -AccessRights GenericAll on all mailboxes and all’s clean again.

    Again, thank you!

  54. Dennis

    Paul,

    out of the blue, our CEO’s user account has full access permissions to every single mailbox in the enterprise. We’re trying to find out how this could have happened. Any hints you could give us?

    Thanks so much!

  55. Kyle

    Hey paul,

    I was wondering if there was a way I could use the output from this to change all users who have access from ReadOnly to fullaccess. Running into a bit of trouble parsing it out correctly.

    Any ideas?

  56. Kannan

    Do you have a PowerShell script to check who has Send As permissions for users and DLs?

  57. Allan Sinfield

    I posted the below comment in January 2014 and don’t think I got a reply.

    I’m revisiting this now, any help would be greatly appreciated.

    “I have been running the script (have.
    Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITYSELF” -and $_.IsInherited -eq $false} | Select Identity,User,@{Name=’Access Rights’;Expression={[string]::join(‘, ‘, $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv) for 6 months or so on our Exchange Server without any issues. We updated our Exchange Servers recently with Windows Updates and now when I export the information I get “Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]”

    Thanks

    Allan

    1. shilpa

      Hi,

      A particular user has access to multiple shared mailboxes; how do I export that data with a PowerShell command?

  58. Nil

    Hi Paul,

    I have run the command in PowerShell; the command executed successfully but I didn’t get any output.
    What is the default location where the output file is stored?

  59. Marc Hints

    Hi There.

    we have just installed Exchange 2013. I would like make myself have full access to other users mailboxes. I have tried this with the following command:

    add-adpermission -identity "mailbox database 0577814824" -user "mhints@gbliners.com" -extendedrights Receive-As

    I can see in the EAC that my name has been added to the users mailbox delegation as full access.

    When I go onto OWA and log in as me, then open another mailbox for the user, I get the following error:

    You don’t have permission to open this mailbox 🙁 something went wrong

    Any help would be appreciated.

      1. Marc Hints

        Many Thanks

        Marc

        1. Marc Hints

          Can you tell me the right way to do this?

  60. Steven Collins

    Thank you, this is exactly what I was looking for!

  61. George

    Dear Paul ,

    How can I send this output as email?

  62. harvinder

    Hi Paul,
    I have been reading your blogs and comment. It is really great.
    I need some assistance on the Virtual Lab in which I have installed AD, Exchange 2010 and Notes Domino. Now, I am trying to send/receive emails via smart host. I have enabled Send connector & Receive Connector & enabled the Smart Host Service and gave IP Address of Exchange Server.

    My question: do I still need an SMTP server separately in order to route the emails, or will the Quest Coexistence tool help in that case? If yes, then why do we need the smart host if we have an SMTP server or Quest?

    Thank you in advance,
    Harvinder SINGH

  63. Jeff

    Can you tell me why if there are multiple users with full access, some list other permission levels as well:

    domain.com/Users/P Curtis DOMAIN\rtaylor FullAccess, DeleteItem, ReadPermission, ChangePermission

    domain.com/Users/P Curtis DOMAIN\cperson FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner

    domain.com/Users/P Curtis DOMAIN\mdaley FullAccess

  64. John

    This is great, it is really useful. Does Exchange hold anywhere when the permissions were granted? Can I add that to be a column? I am running 2007.

      1. John

        Thanks for the response Paul, regards John

  65. Sam Patel

    Hi Paul,

    When I run the script, I get a “cannot write input as there are no more running pipelines” – Can you help?

    Thanks

  67. Huw

    I am totally new to all of this, so please forgive my lack of knowledge.
    I used one of your little scripts to get a list of user mailboxes with all users who also had full access to these same mailboxes. Great. Worked a treat.
    I noticed however that the results from the script did not correlate with the “Manage Full Access Permissions” option from within Exchange Management Console. Why is this?
    Also, where can I get a list of all the various access rights and their meaning, e.g. I have quite a lot of mailboxes with access rights of DeleteItem.

    Your help would be much appreciated.

  68. Mohammed

    Paul, Can you tell me how to query mailbox permission for list of users from notepad.

    I used get-content “filepath” | get-mailboxpermisison and it won’t work. Any help?

    Thanks in advance

      1. Mohammed

        Thanks 🙂

  69. Kristian

    Thanks for the slick scripting Paul

    Cheers

  70. GNR

    Can someone let me know how to find out in PowerShell if a specific user has delegate permission on all users’ calendars? So far all I read is how to add a user, delegate permission on all mailboxes and export it to a file. Is there a way to reverse it to only list users that don’t have the specific account/mailbox ID?

  71. Daryl du Plessis

    Just wanted to say thanks for the script Paul. Worked a charm and was a quick way for me to audit access permissions on our mailboxes.

  72. Michael McDowell

    Paul, can you tell me how to add ‘Last Accessed Time’ for this? thanks much

  73. jim

    Hello, Thanks a lot for your EMS command
    We have 2 mailbox servers + 3 CAS and HUB transport servers

    We need to find a specific user (eg:Mark James , alias(username): mjames ) has what permission levels across all the mailboxes in the environment (around 2500 mailboxes)?

    How can we modify this command provided by you
    We don’t need to find all users who have permissions on other mailboxes; instead of this, a specific user has permissions on which mailboxes and type of permissions

    Please help me
    Thanks heaps in advance

  74. MK

    Hi Paul,

    Thank you very much for the scripts, definitely very useful,

    I’m a newbie in scripting, I’ve a few questions,

    Q1 : In the last script instead of Identity, I tried to use Displayname it didn’t work, any idea why ?

    Q2 : NoTypeInformation what does that mean ?

    Q3 : Could you please let me know each and every word and sign’s meaning in the below command
    @{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}}

    Regards,
    MK

  75. Allan

    Hi Paul

    I have been running the above script (have.
    Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv) for 6 months or so on our Exchange Server without any issues. We updated our Exchange Servers recently with Windows Updates and now when I export the information I get “Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]” as the end of each line. In addition I also run a script to retrieve out of office information and the updates seem to have had an effect also, the list it retrieves seems to stop a third of the way through.

    We are running MS exchange 2010 SP2

    any help with this matter would be greatly appreciated.

    Many thanks

    Allan

  76. Manuel Cruz

    The final script works great except for the exporting to a CSV. Can anyone tell me what I’m doing wrong? When I enter the command it just does nothing for about 30 seconds then hits the next line for me to enter a new command like nothing happened.

    1. Daryl du Plessis

      You will probably need to specify the file path for the output csv file, otherwise it will just dump it into the current directory. So I just pointed it to my v: drive:

      Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation v:mailboxpermissions.csv

  77. Tony E.

    Can I use the above command but filter it to get me all calendar permissions. I need to find calendars that people are sharing.

  78. sinam

    How to List all Users Who Had Access to Other Exchange Mailboxes?
    Previously accessed other mail boxes?

  79. geezbill

    Nice script Paul. I would like this output to only reflect users that have the effective permissions to the mailbox.
    For example, if a user has permission and i run a command to add a -Deny FullAccess instead of -Remove permissions, then the permissions will show twice in the output of the script, one for the deny and one for the FullAccess. Sometimes i run the Add-MailboxPermission with the -Deny and -Automapping:$false as we have experienced an automapping after using the GUI to remove FullAccess Permissions. I would like the output of the script to omit Users that have two entries, one for FullAccess and one for -Deny FullAccess because their effective Permission is they don’t have rights. Can the script be modified to omit entries that have a duplicate entry with a -Deny?

  80. Aasmir

    Hi Paul,

    This command worked like a charm for everyone. Many Thanks for this great TIP.

    Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv

    Is there a way to run a similar command for MailboxFolderPermissions (Calendar and Inbox) as well?

    or is there a way to run this command against whole mailbox including all MailBoxFolders

    Thanks in Advance.

  81. Doug

    Paul, thank you for the command. It was very helpful. My question is, how can I do the reverse; use the resultant mailboxpermissions.csv file as an Import file to assign specific users, specific permissions to specific mailboxes?

    Thanks,

    Doug

  82. Becky

    Hi There,

    I am running the following script to export a list of mailboxes with permissions set:

    Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation Z:mailboxpermissions.csv

    For some reason, although I am connected to the server where these mailboxes lie, the script is not pulling the information on one set of mailboxes which is what I’m after. Is there a switch I can use to make it point at a particular domain?

    (I am pretty much a novice at PowerShell and have learnt bits and bobs by researching so I hope I’m making sense)

    Thanks

  83. GB @ CFS

    How much more complicated would it be to add a recursive lookup for the groups that have permission to each mailbox too?

  84. Larry Mease

    Thanks, Paul. Very useful information. I have used this as a starting point for some reporting/auditing scripts.

  85. Jan

    Hi Paul,

    I just wanted to thank you for this good tip, exactly what I was looking for.
    I like the way you explain each step of the Command.
    Great Work!

    Thanks a lot!
    Jan

  86. Matt

    Just a quick question. I used the following modification of your script.

    get-content c:admingeneric.txt | Get-Mailbox | Get-MailboxPermission | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation c:adminpermissions.csv

    And it worked fine however it is not displaying groups that have access to the mailbox.. how would i include this in the script?

  87. Ravi Prakash Gupta

    Hi Paul,

    I have received a list in which I have notefied that I have access on 600 mailboxes (Exchange 2007&2010), and its very difficult to remove all mailboxes access one by one. Is there any single command to remove all mailboxes access using a single command?

    Rav Prakash Gupta
    Enterprise Messaging & Collaboration.

  88. Naga

    Paul,

    You have provided the below script to pull what level of access for other users/shared mailboxes.

    Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv

    Is it possible to pull the list of users accessing shared mailboxes in specific storage group. If so please update me the exact script.

    Thanks in Advance !!

  89. mohamamd

    sorry
    i have not my answer yet
    is it possible to make some one have full access to all mailboxes in a database now and the future ?
    or even on all organization

    i know we can use powershell command to do this (get mailboxdatabase users and set-permission ,,,)
    but what about the future users

    should it be run on a schedule to do this or is there any better way ?

  90. Nonis

    Hello Paul,

    This script is awesome and has helped me. I would like to thank you.

    I would like to ask you if it’s possible to generate a list, the other way around that this command does.
    This command displays the mailboxes one by one, and the users that have access to it.
    something like:
    mailbox1 user1,user2,user2
    mailbox2 user2,user3,user4 etc

    Is it possible to make it generate a list like this:
    user1 mailbox1, mailbox2, mailbox3
    user2 mailbox1,mailbox3, mailbox4

    Thank you,
    Nonis

      1. Nonis

        Well, that’s my problem at the moment, I’ve been trying to do this for the past couple of days, but to no avail.
        I understand it’s the same data, but I didn’t find a way to output it the way I needed it.

        Could you please help in this regard?

  91. Mohammad

    Dear Paul
    Hi and Thanks

    but i have a problem
    the script shows an account having full permission on lot and lots of mailboxes but when i go to some of those and right click – manage full permission .. his user is not there !!
    he is the previous exchange admin here ! could he have made something hidden (to have permission but not to show in the GUI)

      1. Mohammad

        Dear Paul, Thanks so much
        I did a get-mailbox and then remove his permission but i have two more questions

        1- When I get-mailboxpermission I still see him in an entry (although it says full access is denied) – how can I remove him completely?

        2- How can we do it? I mean his permission is on newly created mailboxes too. Can a full permission be set on a DB, server or organizational level? Can you teach me how to do that and how to remove it?

        Thanks again

  92. Tim Bolton

    THANK YOU!! Was stuck on -ExpandProperty and could not recall how to get the “readable” Access Rights. Thanks!

  93. Carol Ostos

    How about MailboxFolderPermission, I know how to get a list of user that have access to a specific folder within a mailbox

    Get-MailboxFolderPermission -Identity "PrimarySMTPAdd:InboxAutomatedEmail" | Select User, FolderName, AccessRights | fl User, FolderName, AccessRights.

    But what should I do if I want to know which folders a user has access to (any kind of access rights aka reviewer, owner, etc)

    I need to include all folders within the mailbox and the user in question would be an unresolved SID so would be something like “NT User:S-1-5-21-etc”

    Any help would be appreciated!

    Thanks

  94. Dominic

    Hi
    Would this work in an Exch 2K3 / Exch 2K10 co-existence scenario, and would it give the info for the users that have yet to be migrated to 2K10?
    Thanks

  95. Samovar78

    Would this PowerShell command also display groups (security and distribution) with access to mailboxes?

  96. Nigel

    Hello,

    I would really appreciate some help with this. I’m not versed in PowerShell to this level. Before SP1 on exchange 2010, the AD attribute was not set to automatically open mailboxes in outlook. I’ve recently moved this exchange server to new fully serviced packed virtualised server. Any new users I grant full access to other mailboxes load automatically.

    Is there a way to export the current full access permissions for all users (about 500) and then clear them and then import again to set the AD attribute?

    This would be a massive time saver.

    Many thanks.

  97. Leslie Horton

    Hi Paul,
    Do you have a cmdlet for a specific user … for instance I need to know what permissions a particular user has for any mailbox/public folder.

    Scenario: user A needs to have the same access and permissions to all mailboxes, public folders and mailgroups as user B. What command could I run that would give me a list of all permissions for user B?

    1. Michelle Arnone

      The user may have permissions by dint of membership in some group, but if the individual user is granted permission, the following might help.

      Replace “ | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} ” with “-user USERB” to get the mailboxes’ permissions.

      get-distributiongroup | get-adpermission -user USERB should get the permissions for distribution groups

      Public folders are the harder one. I think you’d have to do get-mailpublicfolder -recurse | get-publicfolderclientpermission -user USERB, but I’m not 100% sure because I don’t have public folders anymore.

      1. Leslie Horton

        Thanks for your response! Would the script be the same on PS version 1 as opposed to version 2.0? We are currently using version 1.0 on Exchange Server 2010

  98. Jomon Jose

    Hi Paul.

    I have 3 domains with more than 5k users. I get the below error and each time I get a different result. Can you advise?

    WARNING: By default, only the first 1000 items are returned. Use the ResultSize parameter to specify the number of
    items returned. To return all items, specify “-ResultSize Unlimited”. Be aware that, depending on the actual number of
    items, returning all items can take a long time and consume a large amount of memory. Also, we don’t recommend storing
    the results in a variable. Instead, pipe the results to another task or script to perform batch changes.

    1. Michelle Arnone

      So, after “get-mailbox” but before the ” | get-mailboxpermission” you put “-ResultSize Unlimited”. That lets you get back more than 1000 results at a time.

      For example,

      get-mailbox -resultsize unlimited | get-mailboxpermission | where {… etc.

  99. Daniel Crawford Jr

    I’m wondering if the FullAccess permission will allow users to delete emails within the shared mailbox. Inherited permissions show FullAccess, DeleteItem, ReadPermission, ChangePermission, etc. I added some users to a shared mailbox and gave them full permissions, but some need not delete emails. Will the full access give them delete rights and what is the minimum permission(s) that a user needs to view and read emails in a shared mailbox? Thanks.

      1. Lukasz

        Hi Paul,

        I had similar issue as Daniel Crawford Jr – I needed for some users to be able to see Shared Mailbox, without a right to delete any emails.

        I have applied following cmd:

        Add-MailboxPermission "shared box name" -User domain\username -AccessRights ReadPermission -InheritanceType all

        The right is applied correctly, but then when I add the mailbox to some users’ Outlook I cannot expand the added shared box (folder cannot be expanded). It seems it only works with the FullAccess right.

        Would you have any tips?

  100. Carol Ostos

    Hey Paul, great article as always. Just a tiny question: does Deny equals True in the output mean the user listed has been denied access to the mailbox by explicitly removing them from Manage Full Mailbox Access?

    Basically, I have previously removed the user that appears listed when running this command and when going to Manage Full Mailbox Access I don’t see them anymore. So I just wanted to confirm if even after revoking access this script will return results with Deny True?

    Hope this makes sense

    Thanks!!!!

    1. Carol Ostos

      I just tested this: removed full mailbox access from a shared mailbox, ran the command again and there you go, now you see it listed with Deny equals True. Even if you can’t see this in EMC you can see who has been denied access when using EMS. Interesting stuff 😉

  101. Joao Ferreira

    Hi Paul,

    Is it possible to disable a default folder from an Exchange account?

    I use OS X and I configured the Mail app with Exchange. By default I have a lot of directories that I can’t delete … it says you can’t delete distinguished folders …! I already searched the whole internet to know if I can disable these default folders. Do you have any idea? Thanks in advance.

  102. James

    how would you export the permissions for only a specific set of users in a text file?

    forEach ($user in $list)

    Get-Mailbox -Identity $user…

    1. Lars Panzerbjørn

      Dang, I need this now, and was hoping someone else had asked and found out how…

      1. John

        This is a bit old post but thought i’d answer because i had the same question and figured it out.

        $users = Import-csv "C:\source\DisabledUsers.csv"

        foreach ($user in $users){Get-MailboxPermission -Identity $User.samaccountname | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User| Export-Csv -NoTypeInformation "c:\source\mailboxpermissions.csv" -append}

  103. Bodo

    With your PowerShell command, the result is a CSV file with the following columns:
    "Identity","User","Access Rights"

    I also need to add the SAMAccountName of the identity, so I will have the following columns:
    "Identity","SAMAccountname","User","Access Rights"

    i hope it’s clear…

    thanks !

      1. Sahin Boluk

        Any update on this one?

    1. Rich

      Hi Bodo,
      Curious if you ever got that script to work?
      Thanks,
      Rich

  104. Bodo

    Hello,

    I need to also add the alias in every line of the file. How can I do this?
    thanks

  105. Edward Walton

    paul,

    great tip

    how can I do this on Exchange 2003 SP2 without introducing Exchange 2007 or 2010

    is it possible?

    thanks

    edward

    1. T.Lacko

      Handy tip, for sure! We often have staff that move from one group to another and when they do they take access to the group email accounts with them. For security and privacy reasons they shouldn’t carry those permissions with them when they move.

      What command would I run to find a list of all the email accounts Jane Doe has FullAccess permissions to?
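
Several questions in this thread ask for the same report from two angles: which mailboxes a given user can open (jim, Nonis, T.Lacko), and how to leave out grants that an explicit Deny entry cancels (geezbill, Carol Ostos). The PowerShell below is an added example, not code from the article or from any commenter; the function names and sample rows are hypothetical and constructed so it runs without an Exchange server. It assumes a Deny cancels a grant only for the same user on the same mailbox, and it does not expand group membership.

```powershell
# Constructed sample rows shaped like Get-MailboxPermission output (not real data).
# In the Exchange Management Shell, use instead:
#   $entries = Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission
function New-SampleEntry($Identity, $User, $Rights, $Inherited, $Deny) {
    New-Object PSObject -Property @{
        Identity = $Identity; User = $User; AccessRights = $Rights
        IsInherited = $Inherited; Deny = $Deny
    }
}
$entries = @(
    New-SampleEntry 'example.test/Users/Help Desk' 'NT AUTHORITY\SELF' @('FullAccess','ReadPermission') $false $false
    New-SampleEntry 'example.test/Users/Help Desk' 'EXAMPLE\alice' @('FullAccess') $false $false
    # bob has an allow entry and an explicit Deny entry on the same mailbox
    New-SampleEntry 'example.test/Users/Help Desk' 'EXAMPLE\bob' @('FullAccess') $false $false
    New-SampleEntry 'example.test/Users/Help Desk' 'EXAMPLE\bob' @('FullAccess') $false $true
    New-SampleEntry 'example.test/Users/CEO' 'EXAMPLE\alice' @('FullAccess') $false $false
    New-SampleEntry 'example.test/Users/CEO' 'EXAMPLE\bob' @('ReadPermission') $false $false
    # inherited entries are ignored, as in the article's filter
    New-SampleEntry 'example.test/Users/CEO' 'EXAMPLE\Domain Admins' @('FullAccess') $true $true
)

# Hypothetical helper: explicit FullAccess grants that are not cancelled by an
# explicit Deny for the same user on the same mailbox.
function Get-EffectiveFullAccess {
    param([object[]]$Entries)

    # Same filter as the article (not SELF, not inherited), narrowed to FullAccess.
    $explicit = @($Entries | Where-Object {
        $_.User.ToString() -ne 'NT AUTHORITY\SELF' -and
        -not $_.IsInherited -and
        @($_.AccessRights | ForEach-Object { $_.ToString() }) -contains 'FullAccess'
    })

    # Index the mailbox/user pairs that carry an explicit Deny.
    $denied = @{}
    foreach ($e in $explicit) {
        if ($e.Deny) { $denied["$($e.Identity)|$($e.User)"] = $true }
    }

    # Keep allow entries whose mailbox/user pair has no matching Deny.
    $explicit | Where-Object {
        -not $_.Deny -and -not $denied.ContainsKey("$($_.Identity)|$($_.User)")
    }
}

# Hypothetical helper: pivot the result so each row is one user and the
# mailboxes that user can open.
function Get-AccessByUser {
    param([object[]]$Entries)

    Get-EffectiveFullAccess $Entries |
        Group-Object { $_.User.ToString() } |
        ForEach-Object {
            $mailboxes = @($_.Group | ForEach-Object { $_.Identity.ToString() } | Sort-Object)
            New-Object PSObject -Property @{
                User      = $_.Name
                Mailboxes = $mailboxes -join ', '
            }
        } |
        Select-Object User, Mailboxes
}

Get-AccessByUser $entries | Format-Table -AutoSize
```

To review a single account, filter the result with Where-Object on the User column; to keep a record of the audit, pipe it to Export-Csv -NoTypeInformation instead of Format-Table.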
