Get list of user and shared mailboxes that have Full, SendAs and SendOnBehalf rights

This topic contains 3 replies, has 2 voices, and was last updated by  Jon 2 weeks, 1 day ago.

  • #101903

    Neville D’Souza
    Participant

    Hi All,

    I have a PowerShell script that needs to be modified to get a list of mailboxes (shared and user) that have Full, SendAs and SendOnBehalf rights, list those users, and export it to CSV.

    $RMailbox = Get-Mailbox -RecipientTypeDetails Usermailbox,Sharedmailbox -ResultSize Unlimited
    $(Foreach ($R in $RMailbox){
    $St = $R | Get-MailboxStatistics 
    	New-Object PSObject -Property @{
    		Name = $R.Name
    		Email = $R.PrimarySmtpAddress
    		LastLoggedOnUserAccount = $St.LastLoggedOnUserAccount
    		LastLogonTime  = $St.LastLogonTime
    		LastLogoffTime = $St.LastLogoffTime
    		FullMBXPerm = ($R | Get-MailboxPermission |?{$_.AccessRights -like "Fullaccess" -and $_.User -NotMatch "(Self|SYSTEM|^S-1-5-)"} | %{$_.User.ToString()}) -join ","
    		SendAs = ($R | Get-ADPermission |?{$_.ExtendedRights -like "Send-as" -and $_.User -NotMatch "(Self|SYSTEM|^S-1-5-)"} | %{$_.User.ToString()}) -join ","
    		Owner = ($R | get-recipient).Manager
    	}
    }) | Select Name,Email,Owner,FullMBXPerm,SendAS,Last* | Export-Csv C:\Scripts\Output.csv -NTI -Append
    
    

    The only thing missing in this script is users having SendOnBehalf rights to mailboxes. Can anyone help me add it to the script, please?

  • #101915

    Jon
    Participant

    I would add this into your custom object

    SendOnBehalf = $R.GrantSendOnBehalfTo

    If you only want it to return when valued, something like this

    SendOnBehalf = $R | Where {$_.GrantSendOnBehalfto -ne $null}
  • #101992

    Neville D’Souza
    Participant

    Thanks Jon,

    I tried the solution. It gives the wrong users in the SendOnBehalf column. Mostly the actual mailbox owner comes in that column rather than the user who has SendOnBehalf rights. Any ideas?

    $RMailbox = Get-Mailbox -RecipientTypeDetails UserMailbox,Sharedmailbox -ResultSize Unlimited
    $(Foreach ($R in $RMailbox){
    $St = $R | Get-MailboxStatistics 
    	New-Object PSObject -Property @{
    		Name = $R.Name
    		Email = $R.PrimarySmtpAddress
    		LastLoggedOnUserAccount = $St.LastLoggedOnUserAccount
    		LastLogonTime  = $St.LastLogonTime
    		LastLogoffTime = $St.LastLogoffTime
    		FullMBXPerm = ($R | Get-MailboxPermission |?{$_.AccessRights -like "Fullaccess" -and $_.User -NotMatch "(Self|SYSTEM|^S-1-5-)"} | %{$_.User.ToString()}) -join ","
    		SendAs = ($R | Get-ADPermission |?{$_.ExtendedRights -like "Send-as" -and $_.User -NotMatch "(Self|SYSTEM|^S-1-5-)"} | %{$_.User.ToString()}) -join ","
    		SendOnBehalf = ( $R | Where {$_.GrantSendOnBehalfto -ne $null})
    		Owner = ($R | get-recipient).Manager
    	}
    }) | Select Name,Email,Owner,FullMBXPerm,SendAS,SendOnBehalf,Last* | Export-Csv C:\Scripts\MailboxRights.csv -NTI -Append
    

    Does the SendOnBehalf need to look like this? Not sure if it would make much sense either. Any help would be great.

    SendOnBehalf = ( $R | Where {$_.GrantSendOnBehalfto -ne $null -and $_.User -NotMatch "(Self|SYSTEM|^S-1-5-)"} | %{$_.User.ToString()}) -join ","
    
  • #102008

    Jon
    Participant

    It looks like you may be running Exchange on-prem? I only have Exchange Online to validate against. In O365, GrantSendOnBehalfTo is valued as null if no one else is granted that permission.

    Not knowing how it behaves on-premises, I can't tell you how to format it. You will need to play around with it until you get the query that suits your needs.
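
An added example, not part of any post above: `$R | Where {...}` only passes or drops the mailbox object itself, so the delegates have to be read from the `GrantSendOnBehalfTo` property and joined. The sample mailboxes are constructed and `Get-SendOnBehalfDelegate` is a hypothetical helper; against Exchange, `$SampleMailboxes` would be replaced by the `Get-Mailbox` call from the thread.

```powershell
# Constructed stand-ins for Get-Mailbox output (not real mailboxes or users).
$SampleMailboxes = @(
    [pscustomobject]@{
        Name                = 'Finance Shared'
        PrimarySmtpAddress  = 'finance@example.test'
        GrantSendOnBehalfTo = @('Alice Example', 'Bob Example')
    }
    [pscustomobject]@{
        Name                = 'Carol Example'
        PrimarySmtpAddress  = 'carol@example.test'
        GrantSendOnBehalfTo = @()      # nobody delegated
    }
)

# Hypothetical helper: returns the delegates of one mailbox as a comma-separated string.
function Get-SendOnBehalfDelegate {
    param([Parameter(Mandatory, ValueFromPipeline)] $Mailbox)
    process {
        $names = @($Mailbox.GrantSendOnBehalfTo) |
            Where-Object { $_ } |     # skip $null / empty entries
            ForEach-Object {
                # Entries may be plain strings or objects with a Name property
                # (assumption: which one you get depends on the Exchange environment).
                if ($_ -isnot [string] -and $_.PSObject.Properties['Name']) { $_.Name }
                else { $_.ToString() }
            }
        $names -join ','
    }
}

$report = foreach ($R in $SampleMailboxes) {
    # The filter form only passes or drops $R; what comes out is the mailbox, not a delegate.
    $filtered = $R | Where-Object { $_.GrantSendOnBehalfTo -ne $null }
    [pscustomobject]@{
        Name           = $R.Name
        Email          = $R.PrimarySmtpAddress
        FilterReturned = $filtered.Name            # name of the mailbox itself, or empty
        SendOnBehalf   = $R | Get-SendOnBehalfDelegate
    }
}
$report | Format-Table -AutoSize
```

For an access review, the `SendOnBehalf` column belongs next to the thread's `FullMBXPerm` and `SendAs` columns, so that every delegate able to read or send from a mailbox is listed on one row.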
