Cmdlet to get Mailbox Permission "Manage Full Access Permission" RRS feed

  • Question

  • Hi ,

    We are trying to find out the users/ groups having “Manage Full Access Permission” on particular user mailbox.

    We are using below cmdlet

     Get-Mailbox “” | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false -and $_.Deny -eq $false} | Select User

    Now we were getting correct result for some users and some users we are not.

    We are comparing this command results with Exchange Management console UI i.e. we right click on user mailbox and select “Manage Full Access Permission” menu but our command results are not matching with the UI.

    Can some body suggest a command which will match the results as per the EMC UI?



    Thursday, September 26, 2013 2:37 PM

All replies

  • I've previously used something like:-

    Get-MailboxPermission -Identity ""

    ..and eventually expanded it to:-

    get-get-mailbox -server "YOURSERVER"| get-mailboxpermission | where { ($_.AccessRights -eq "FullAccess") -and -not ($_.User -like "NT AUTHORITY\SELF") -and ($_.Identity -like "YourDomain.local/CompanyNameInAD/Users/%")} | Format-List > c:\FullMailboxAccessUsers.txt

    This exported a list of all account to a text file to show which users had full access to each others mailboxes.

    For your solution, if you can provide the account user name (Joe Bloggs) then this should work:-

    get-mailbox -server "YOURSERVER"| get-mailboxpermission | where { ($_.AccessRights -eq "FullAccess") -and -not ($_.User -like "YOURDOMAIN\Domain Admins") -and -not ($_.User -like "YOURDOMAIN\Exchange Organization Administrators") -and -not ($_.User -like "YOURDOMAIN\Enterprise Admins") -and -not ($_.User -like "NT AUTHORITY\SELF") -and ($_.Identity -like "*Joe Bloggs")} | Format-List

    (Above code this filters off some standard full access permission user accounts such as Enterprise Admins etc).

    Have a play with the above code, especially with regards to the identity parameter to search for a specific user.

    • Edited by Si_UK Friday, September 27, 2013 11:10 AM
    Friday, September 27, 2013 10:40 AM
  • Hi,

    I have tried the command but its giving me users having full access but Deny = true which means now these users don't have access on mailbox (and thats why they are not gettingr reflected on ui) thats why I used and $_.Deny -eq $false.

    Do you have any idea what is meaning of IsInherited -eq $false  in context of my requirement? I know what is meaning of  $_.Deny -eq $false. but not much knowldege about IsInherited -eq $false



    • Edited by ABBhagwat Monday, September 30, 2013 4:15 PM updation
    Monday, September 30, 2013 4:02 PM