

Quickly list all mailboxes to which a particular user has access
source link: https://www.michev.info/Blog/Post/1516/quickly-list-all-mailboxes-to-which-a-particular-user-has-access
This question seems to get asked a lot, and people are unaware how easy the answer really is. Here it is:
-
List all mailboxes to which a particular user has Full Access permissions:
PS C:\> Get-Mailbox | Get-MailboxPermission -User vasil

Identity   User          AccessRights
--------   ----          ------------
HuKu       Vasil Michev  {FullAccess}
retail     Vasil Michev  {FullAccess}
sharednew  Vasil Michev  {FullAccess}
testplan2  Vasil Michev  {FullAccess}
WC         Vasil Michev  {FullAccess}
-
List all shared/user/room/whatever mailboxes to which a particular user has Full Access permissions:
PS C:\> Get-Mailbox -RecipientTypeDetails UserMailbox,SharedMailbox -ResultSize Unlimited | Get-MailboxPermission -User vasil

Identity   User          AccessRights
--------   ----          ------------
HuKu       Vasil Michev  {FullAccess}
retail     Vasil Michev  {FullAccess}
sharednew  Vasil Michev  {FullAccess}
testplan2  Vasil Michev  {FullAccess}
-
List all mailboxes to which members of a particular security group have access:
PS C:\> Get-Mailbox | Get-MailboxPermission -User secgrp

Identity  User    AccessRights
--------  ----    ------------
Bathroom  secgrp  {FullAccess}
-
List all mailboxes to which a user has Send As permissions:
PS C:\> Get-Mailbox | Get-RecipientPermission -Trustee vasil

Identity   Trustee       AccessControlType  AccessRights
--------   -------       -----------------  ------------
sharednew  Vasil Michev  Allow              {SendAs}
-
List all user mailboxes to which members of a particular security group have Send As access:
PS C:\> Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited | Get-RecipientPermission -Trustee secgrp

Identity  Trustee  AccessControlType  AccessRights
--------  -------  -----------------  ------------
HuKu      secgrp   Allow              {SendAs}
-
List all mailboxes to which a particular security principal has Send on behalf of permissions:
PS C:\> Get-Mailbox | ? {$_.GrantSendOnBehalfTo -match "vasil"}

Name      Alias     ServerName    ProhibitSendQuota
----      -----     ----------    -----------------
Bathroom  bathroom  amspr03mb084  49.5 GB (53,150,220,288 bytes)
WC        WC        dbxpr03mb096  9.5 GB (10,200,547,328 bytes)
There will be slight differences if you are running this against on-prem Exchange, but remember that you can also look at the AD attributes there (msExchDelegateListLink and msExchDelegateListBL).
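The three checks above can be combined into one report per trustee. The following is an added example, not code from the original article: the function name Get-TrusteeMailboxAccess, the output column names and the CSV file name are hypothetical, and it assumes an Exchange Online remote PowerShell session in which the cmdlets used above are available.

```powershell
# Added example: consolidated report of the mailbox-level access one trustee holds.
# Get-TrusteeMailboxAccess is a hypothetical helper name, not an Exchange cmdlet.
function Get-TrusteeMailboxAccess {
    [CmdletBinding()]
    param(
        # User or security group to look for, e.g. 'vasil' or 'secgrp'
        [Parameter(Mandatory = $true)]
        [string] $Trustee,

        # Optional mailbox type filter, e.g. UserMailbox,SharedMailbox
        [string[]] $RecipientTypeDetails
    )

    $mbxParams = @{ ResultSize = 'Unlimited' }   # avoid the default 1000-item cap
    if ($RecipientTypeDetails) { $mbxParams['RecipientTypeDetails'] = $RecipientTypeDetails }

    # Fetch the mailbox list once and loop over it, instead of one long pipeline
    $mailboxes = @(Get-Mailbox @mbxParams)
    $pattern   = [regex]::Escape($Trustee)

    foreach ($mbx in $mailboxes) {
        $id    = $mbx.PrimarySmtpAddress.ToString()
        $found = @()

        # Full Access: keep only explicit Allow entries (no inherited or Deny ACEs)
        $fa = Get-MailboxPermission -Identity $id -User $Trustee -ErrorAction SilentlyContinue |
            Where-Object { $_.IsInherited -eq $false -and $_.Deny -eq $false -and
                           $_.AccessRights -contains 'FullAccess' }
        if ($fa) { $found += 'FullAccess' }

        # Send As
        $sa = Get-RecipientPermission -Identity $id -Trustee $Trustee -ErrorAction SilentlyContinue |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRights -contains 'SendAs' }
        if ($sa) { $found += 'SendAs' }

        # Send on Behalf: same substring match as the article's one-liner
        if ($mbx.GrantSendOnBehalfTo -match $pattern) { $found += 'SendOnBehalf' }

        # One output row per permission type held on this mailbox
        foreach ($right in $found) {
            [pscustomobject]@{
                Mailbox     = $id
                MailboxType = $mbx.RecipientTypeDetails
                Trustee     = $Trustee
                Permission  = $right
            }
        }
    }
}

# Constructed usage: report for the article's sample user, written to a CSV file
Get-TrusteeMailboxAccess -Trustee 'vasil' -RecipientTypeDetails UserMailbox,SharedMailbox |
    Export-Csv -NoTypeInformation -Path .\vasil-mailbox-access.csv
```

Because the Send on Behalf check is a substring match, a trustee name that is a prefix of another name will also match; review those rows before acting on them.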
104 Responses to Quickly list all mailboxes to which a particular user has access
-
ihsan says:
How to list all shared mailboxes that don't have a specific security group assigned when you check under full access permission? We have lots of shared mailboxes and I need to find out which one we have forgotten to grant full access.
-
Waseem says:
Hi Vasil,
can you pls share a command for all the users mailbox permission not a particular user
-
Mir says:
Hello,
I have about 200 shared mailboxes and I need the list of Owners for each. I stumbled upon (cmd below) but that also gives a lot of NT system addresses too. I want the result to give me only valid user ID’s and if the mailbox is Orphan, it should give a blank field or a message “No Owner”. Seek Help
Get-Content 'C:\Mailboxs.txt' | Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation NewFilenames.csv
-
Klaus says:
Very good article, but for my questions I don´t find the answer.
We use Exchange 2010 and I will know for one specific user which access he had for different mailboxes. For one mailbox I find with the following command who has access for a specific folder:
Get-MailboxFolderPermission -Identity "username:\Inbox" | where {($_.user -ne "Standard") -and ($_.user -ne "Anonym")} | select-object user,foldername,accessrights
I will get the following answer:
User    Foldername  AccessRights
User A  Inbox       PublishingEditor
User B  Inbox       Editor
How can I get a command for an user to how much mailboxes he has access like the command above? With all the commands on this side I don't find an answer.
Best regards
Klaus
-
Vasil Michev says:
The article only covers mailbox-level permissions, not folder-level ones. See this script for your scenario: https://gallery.technet.microsoft.com/Office-365-Mailbox-Folder-17251cab?redir=0
-
-
Pingback: Get list of Full mailbox, Send As, Send on Behalf of Permissions in Office 365 – Tech Shizz
-
Imran Karim says:
Is there a way to get a users list of all contacts he/she has delegate permissions for?
-
Vasil Michev says:
For that, it’s best to use some EWS-based code. There are samples available online, look them up.
-
-
Michelle says:
The command worked against a user, but we have thousands of mailboxes, and the script only pulls back the first 1000 accounts.
Another issue is, I am receiving 2 lines for each user. Under the header Deny, has both True and false. All under ‘is inherited’ shows True.
Please may I know how to break down the results to only show which user mailboxes he has full access to?
Thank you
-
Jeff Sowell says:
I recently found 2 mailboxes in which the SEND AS feature was set to EVERYONE within AD. In essence everyone could send an email as that user.
Is there a way to list all mailboxes that have SEND AS set to EVERYONE. This is not something we want.
-
Vasil Michev says:
Sure, just use the relevant AD cmdlet, Get-ADPermission.
-
-
Pingback: List all mailboxes to which a particular user has access – supreme sysops
-
Boris Kaminsky says:
Hello,
I have a question regarding -AutoMapping: for any user, this 365 exchange environment with on prem AD.
My question is, how do I include automapping true/false in the result?
-
Vasil Michev says:
There is no way to get this information in Office 365.
-
Boris Kaminsky says:
Thank you,
I looked at AD user property and msexchdelegatelistlink and was able to put this together with some help from others. I’m using a filter for all the boxes, looking at AD.
Get-ADUser -Filter * -Properties msexchdelegatelistlink |
where {$_.msexchdelegatelistlink -ne ""} |
Select-Object name,@{label='msexchdelegatelistlink';expression={$_.msexchdelegatelistlink -replace '^CN=|,.*$'}}
-
-
-
John117 says:
Hello,
If I execute this
C:\> Get-Mailbox | Get-MailboxPermission -User vasil
Then I don’t get any results shown. Of course I type in the user I would like to check. It loads for about a minute (we have about 2000 mailboxes) but nothing is shown. Also no errors. Do you have any advice?
Thank you in advance.
-
Vasil Michev says:
If nothing is returned, it simply means there are no matches, as in this user hasn’t been granted Full Access permissions on any other mailbox. Try a different user/address?
-
John117 says:
Hello, thank you very much for your answer. I tried with many accounts that I know for sure they have access to many mailboxes. Do I have Windows 10 Pro 1809. Any idea? Thank you in advance
-
Vasil Michev says:
Access can be given on the folder level, not necessarily via Full Access (which is what the above cmdlet checks for). You can simply do a
Get-MailboxPermission [email protected]
on any of the mailboxes you believe the user has permissions to and check the result.
-
-
-
-
a7259w says:
There seem to be something I don’t understand fully.
Doing the command Get-Mailbox | Get-MailboxPermission -User MyUsername
Gives me an output of boxes
1
2
3
4
Doing the command Get-Mailbox -RecipientTypeDetails UserMailbox,SharedMailbox -ResultSize Unlimited | Get-MailboxPermission -User MyUsername
Gives me an output of boxes
4
2
3
Shouldn’t the latter command give me more info than the first command? What strange kind of box is my number 1 that doesn’t show up in the latter command? (I can tell you it is a ‘room’, actually a car, that we can book in Outlook if that is any clue to its strangeness)
And also; neither command lists my own regular mailbox. I.e. my [email protected] .
Surely I have Full Access to that?
Hope you can answer these questions. Otherwise thanks anyway!
-
Vasil Michev says:
No. When you run the cmdlet without the RecipientTypeDetails parameter, it includes all mailbox types, including Room, Equipment, Discovery, PF, etc. With the parameter, you are limiting it to just the selected types, thus the number of entries returned will be lesser.
And you don’t have explicit Full Access permissions on your own mailbox, you can easily verify that by running the Get-MailboxFolderPermission cmdlet against it.
-
-
Farid says:
Hi, I have a system account which has full delegate permissions on most my O365 hybrid accounts. Is there a way to remove this user from all other users delegates with PS?
Thanks
-
Vasil Michev says:
If you have found a way to add them, there is a way to remove them
There is no such thing as “full delegate permissions” however, if you have granted Full Access, use the Remove-MailboxPermission cmdlet, if you have granted delegate access, use some EWS-based script such as the one here: http://www.flobee.net/powershell-module-for-managing-exchange-2010-mailbox-delegates/
-
-
Artur Rybarczyk says:
Hi Vasil,
I’m looking for a way to list all permissions that are granted to users tenant wide. I’ve tried few Get-Mailbox and Get-MailboxPermission combiations for listing but cannot achieve exactly what I’m aiming for.
-
-
Alan Bardgett says:
Exactly what I was looking for, and then some! Excellent utility Vasil.
-
-
Saad Khan says:
Hi Vasil,
Thanks for this helpful post! I have a query:
I want to find out who has permissions (accessrights) on a shared mailbox with their details like title,userprincipalname
if am not wrong, this could somehow be achieved by combining:
get-mailboxpermissions sharedmbx (which tells me info about User,AccessRights) &
get-user (which user tells me about UserPrincipalName,Title)
am not able to join them and combine a result which should show me :
UserPrincipalName(or user), Title, AccessRights
any help on this would be highly appreciated!
Regards,
Saad K
-
Vasil Michev says:
The problem is that Get-MailboxPermissions returns only a string value for the User, not the full object. Luckily, in Exchange Online this value corresponds to the UPN, so you can just use it. If you are looking to do this for on-premises Exchange, because it only returns the display name, you will have to do something like this:
Get-MailboxPermission shared | select AccessRights,@{n="user";e={(Get-User $_.User).UserPrincipalName}}
Just add the “filtering” part that removes any “default” entries and do the same for any other properties.
Do note that there can be multiple entries matching the same display name, and to get the proper one you need to check the permissions against each entry. It’s even more complicated if you want to account for Groups that have been granted permissions.
-
-
David Schieber says:
When I run this command I get an error and no results. Can you help me with it?
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission -User areyna
Sending data to a remote command failed with the following error message: The total data received from the remote client exceeded the allowed maximum. The allowed maximum is
524288000. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OperationStopped: (outlook.office365.com:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : JobFailure
+ PSComputerName : outlook.office365.com
Thanks in advance!
-
Vasil Michev says:
You simply have way too many entries. You can either limit the number of results or filter based on the mailbox type or some other criteria.
The examples above are intended to give you a quick way to list permissions in most scenarios, but they are far from a full-blown script, with proper error checks in place, etc.
-
-
Chaim says:
HI Vasil,
Thanks so much for this informative article.
Is there any way to modify this command to show which users a particular security group does NOT have FullAccess to? We have a security group that should have FullAccess to every mailbox, but there are some mailboxes missing, and I want to get a list of the mailboxes missing that permission.
Thanks in advance.
-
Vasil Michev says:
For that scenario you can try something like this:
Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited | ? {!(Get-MailboxPermission $_.PrimarySmtpAddress -User secgrp)}
-
-
Sam says:
Hi Vasil
I am looking for a script to pull information for all the mailboxes whos mailbox limit has exceeded and also for those who is now been issued mailbox full warnings
I have tried the below command but i am getting error message
Pipeline not run because a pipeline is already running. Pipelines cannot be run concurrently.
+ CategoryInfo : OperationStopped: (Microsoft.Power…tHelperRunspace:ExecutionCmdletHelperRunspace) [],
PSInvalidOperationException
+ FullyQualifiedErrorId : RemotePipelineExecutionFailed
Object reference not set to an instance of an object.
At C:\Users\mohammed_adm\AppData\Roaming\Microsoft\Exchange\RemotePowerShell
SCRIPT:
Get-Mailbox -ResultSize Unlimited | Get-MailboxStatistics | where {$_.StorageLimitStatus -notlike "BelowLimit*"} | Select DisplayName,StorageLimitStatus,@{name="TotalItemSize (MB)";expression={[math]::Round((($_.TotalItemSize.Value.ToString()).Split("(")[1].Split(" ")[0].Replace(",","")/1MB),2)}},@{name="TotalDeletedItemSize (MB)";expression={[math]::Round((($_.TotalDeletedItemSize.Value.ToString()).Split("(")[1].Split(" ")[0].Replace(",","")/1MB),2)}},ItemCount,DeletedItemCount | Sort "TotalItemSize (MB)" -Descending | Export-CSV "C:\mydocuments\ExceededQuotas.csv" -NoTypeInformation
Appreciate your help.
-
Vasil Michev says:
And what does this have to do with the current article?
Your example runs fine here, but will probably give you trouble when you run it against large number of mailboxes. Instead of using the pipeline, write a proper script to store the results in a variable and iterate over them with a foreach loop.
-
-
Merlin Beedell says:
Can you obtain the same or similar information when using EWS or the much more recent “Graph” – for those situations where Remote Powershell is not available (say, in a Linux client)?
If so, are there examples that I could be pointed at that may help me? Preferably when using Java!
-
Vasil Michev says:
Neither EWS nor the Graph API (currently) covers mailbox permissions.
-
-
Savio says:
Hi Vasil
Thanks for the above command …
How do I get the mailbox name under ” identity ” instead of the path as below
Identity           User       AccessRights  IsInherited  Deny
--------           ----       ------------  -----------  ----
abc.ae/XYZX/Grou…  ABC\savio  {FullAccess}  False        False
abc.ae/XYZX/Grou…  ABC\savio  {FullAccess}  False        False
Appreciate
Best Regards
Savio
-
Vasil Michev says:
You can use calculated properties:
Get-Mailbox | Get-MailboxPermission -User vasil | select @{n="Identity";e={(Get-Mailbox $_.Identity).DisplayName}},User,AccessRights
As this is a string value though, and not the full object, it can lead to duplicate/missing results
-
savio says:
After running the above command , I do get the identity properly except that some are missing
Identity  User       AccessRights
--------  ----       ------------
          ABC\savio  {FullAccess}
Info Sec  ABC\savio  {FullAccess}
Any idea ?
Thanks
-
Vasil Michev says:
I told you it’s not a perfect solution, you should avoid using any attribute that returns a simple string, non-unique value. This one should be a bit better:
Get-Mailbox | % { Get-MailboxPermission $_.PrimarySmtpAddress -User vasil | select @{n="Identity";e={(Get-Mailbox $_.Identity).DisplayName}},User,AccessRights }
But it still doesn’t solve issues with duplicates.
-
-
-
-
PETIT CHRISTOPHE says:
Hello, great job !
Is there any way to list access on all mailboxes ???
Thanks
-
Vasil Michev says:
The first example does just that. You might want to add the -ResultSize Unlimited switch in case you have a large number of mailboxes to look at.
If you want an actual report, take a look at this script: https://gallery.technet.microsoft.com/Office-365-Mailbox-c2adf0db?redir=0
-
-
Minto says:
Hi Vasil,
I am not able to get any info with this commands. See below error and help.
WARNING: By default, only the first 1000 items are returned. Use the ResultSize parameter to specify the number of
items returned. To return all items, specify “-ResultSize Unlimited”. Be aware that, depending on the actual number of
items, returning all items can take a long time and consume a large amount of memory. Also, we don’t recommend storing
the results in a variable. Instead, pipe the results to another task or script to perform batch changes.
-
Vasil Michev says:
You seem to have over 1000 mailboxes in the organization, so you will have to run the cmdlets with the -ResultSize Unlimited switch.
-
-
Ravi says:
hey can u tell me how to find user’s listing from mailboxsubfolder. I used below
$inbox = Get-Mailbox -Identity $Id | Get-MailboxFolderStatistics | ? {$_.FolderType -eq "Inbox"} | select @{n="Identity"; e={$_.Identity.Replace("\",":\")}}
$inboxlist = ($inbox | % {Get-MailboxFolderPermission -Identity $_.Identity}).Identity
can u tell me how to find users list under inbox.
-
Vasil Michev says:
That should do it, simply replace Identity with User at the end:
$inboxlist = ($inbox | % {Get-MailboxFolderPermission -Identity $_.Identity}).User
Or a faster variant:
Get-Mailbox blabla | Get-MailboxFolderStatistics -FolderScope Inbox | select @{n="Identity"; e={$_.Identity.Replace("\",":\")}} | Get-MailboxFolderPermission | select User,AccessRights
-
Ravi says:
That thing I knew, I want subfolder of inbox userlisting, not inbox userlisting.
-
Vasil Michev says:
So just enumerate the folders under Inbox then. Don’t use FolderType as a filter, as that will change the output of the Identity parameter. You can still filter them out client-side:
Get-Mailbox blabla | Get-MailboxFolderStatistics | ? {$_.FolderPath -like "/Inbox/*"} | select @{n="Identity"; e={$_.Identity -replace '^([^\\]+)\\','$1:\'}} | Get-MailboxFolderPermission | select FolderName,User,AccessRights
-
-
-
-
Dan says:
How would I structure my script if I wanted to get mailbox permissions for users that are members of a group that has full-access permission to a mailbox? The group would be different for each mailbox and they may still have directly assigned full-access permission to a mailbox as well, so I’d like the search to be recursive to groups that have full access. I already know the syntax for ignoring inherited permissions and specific system assigned permissions. I just can’t figure out how to get powershell to check for a specific user within a group that has mailbox permission.
-
Vasil Michev says:
That scenario calls for a proper script, and not the one-liner approach presented in this article. But in nutshell, you get the permissions, check the recipient type of the “User” value (as User objects are represented by the UPN in O365 now, you can just check for the presence of the @ sign), then if it’s a group, use the relevant cmdlets to expand the membership. Store the results in a variable or CSV file, then check against each user you care about.
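The approach described in the reply above, as an added example that is not part of the original comment thread. Expand-GroupMember and Get-EffectiveFullAccess are hypothetical names; the code assumes an Exchange Online session, that groups holding mailbox permissions are mail-enabled security groups, and that each member's UPN equals its primary SMTP address.

```powershell
# Added example; Expand-GroupMember and Get-EffectiveFullAccess are hypothetical names.
# Assumes an Exchange Online session, mail-enabled security groups as trustees,
# and that each member's UPN equals its primary SMTP address.
function Expand-GroupMember {
    param(
        [Parameter(Mandatory = $true)] [string] $Group,
        [hashtable] $Seen = @{}
    )
    if ($Seen.ContainsKey($Group)) { return }   # already expanded; stops nesting loops
    $Seen[$Group] = $true

    # Store the members first, then iterate, so no remote pipeline is left open
    $members = Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        if ($m.RecipientTypeDetails -like 'MailUniversal*Group') {
            # Nested group: recurse, sharing the same "seen" table
            Expand-GroupMember -Group $m.PrimarySmtpAddress.ToString() -Seen $Seen
        } else {
            $m.PrimarySmtpAddress.ToString()
        }
    }
}

function Get-EffectiveFullAccess {
    param([Parameter(Mandatory = $true)] [string] $Mailbox)

    # Explicit, non-Deny Full Access entries only
    $entries = Get-MailboxPermission -Identity $Mailbox |
        Where-Object { $_.IsInherited -eq $false -and $_.Deny -eq $false -and
                       $_.AccessRights -contains 'FullAccess' }

    foreach ($e in $entries) {
        $trustee = $e.User.ToString()
        if ($trustee -like '*@*') {
            # UPN-style value: a user granted access directly
            [pscustomobject]@{ Mailbox = $Mailbox; User = $trustee; Via = 'Direct' }
        } elseif ($trustee -notlike 'NT AUTHORITY\*' -and $trustee -notlike 'S-1-5-*') {
            # Anything else is treated as a group and expanded recursively
            Expand-GroupMember -Group $trustee | Sort-Object -Unique | ForEach-Object {
                [pscustomobject]@{ Mailbox = $Mailbox; User = $_; Via = $trustee }
            }
        }
    }
}

# Constructed usage: build the report for all shared mailboxes, then look up one user
$shared = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited
$report = foreach ($mbx in $shared) {
    Get-EffectiveFullAccess -Mailbox $mbx.PrimarySmtpAddress.ToString()
}
$report | Where-Object { $_.User -eq 'user@example.com' }   # placeholder address
```

The Via column records whether each row comes from a direct grant or from a named group, which is what lets a reviewer trace why a given user can open a mailbox.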
-
Dan says:
Thanks! I think I’ll approach it as storing results of each query in a variable then running a comparison and seeing if the group permissions on the mailbox match one of the groups a user is a member of. I appreciate the feedback.
-
-
-
milen nikolov says:
Hello
i looking for command for :
i need 1 account which can send mail for all user send as behalf could you help me
-
Vasil Michev says:
There is no one command that will work for all, the permissions need to be added to all users that currently exist (Get-Mailbox -RecipientTypeDetails UserMailbox | Set-Mailbox -GrantSendOnBehalfTo user), and repeat the same for any newly added mailboxes.
-
-
kumar says:
How to get, the user in exchange server to whom send the mail and from whom he has got mail details in Exchange server 2016.
-
jeremy says:
Hello
i am trying to find out the correlation of the send-as, send-on.-behalf and delegate for my on-premise users to know what will break when i move certain users to Office 365 since the above doesnt support cross-permission.
would you happen to know how?
-
Vasil Michev says:
Best thing to do is to contact the FastTrack center – they have a ready PowerShell script you can use for that. We’re not allowed to distribute it, sorry.
-
-
Troy says:
I am trying to get a folder count for individuals that include all mailboxes they have access to. I tried the following however it did not return what I was expecting. Any direction on this would be greatly appreciated.
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission -User trosmi | Get-MailboxFolderStatistics |%{$_.folderID} | measure-object | fl count | Export-Csv -NoTypeInformation resultaug2.csv
Thank You
Troy
-
Vasil Michev says:
Not sure what you are expecting here? The example you gave above will return the number of folders across all mailboxes the user has access. Do you perhaps want to count them per mailbox or?
-
-
Dusty says:
Is there a way to list out the mailboxes a user has then remove the user as in the case of a terminated user?
-
Vasil Michev says:
If I understand you correctly, this should do it:
Get-Mailbox -RecipientTypeDetails UserMailbox,SharedMailbox -ResultSize Unlimited | Remove-MailboxPermission -User [email protected] -AccessRights FullAccess -Confirm:$false
It will generate Warning messages for all mailboxes the user doesn’t have access to, but you can just ignore those. Or just write a proper script to handle this
-
-
Stephen Watson says:
Hi Vasil,
This is fantastic. Thanks for posting. I have a question though, using the command to get send as permissions. However this isn’t showing up all results. For instance, it is showing me shared mailboxes that were created in exchange online, but the ones that were imported from our old on-prem exchange are not showing up.
Can you think of a possible reason for this?
Thanks
Steve
-
Vasil Michev says:
Cross-premises Send As permissions are not supported, if that’s what you mean? Or you mean migrated mailboxes?
-
Stephen Watson says:
Sorry, they are migrated mailboxes. They all reside in the same tenant now.
-
Vasil Michev says:
They should be covered too. Make sure you use the -ResultSize Unlimited parameter and try not filtering by recipient type.
-
-
-
-
Rashi says:
Hi Vasil,
I have connected to O365 using powershell and run the above commands like
get-mailbox -ResultSize Unlimited| get-mailboxpermission -User “XXXX” | fl id* however it does not give any output and shows like this “WARNING: By default, only the first 1000 items are returned. Use the ResultSize parameter to specify the number of items returned. To return all items, specify “-ResultSize Unlimited”. Be aware that, depending on the actual number of items, returning all items can take a long time and consume a large amount of memory. Also, we don’t recommend storing the results in a variable. Instead, pipe the results to another task or script to perform batch changes.
-
Vasil Michev says:
That’s simply because you have a large number of mailboxes in the company, and only a limited number are returned by default. Use the second example instead or this cmdlet:
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission -User vasil
-
-
Pingback: List mailboxes user has Full Control permissions to – Just another WordPress site
-
John says:
Hello!
We have a huge directory so I tried to use the Get-Mailbox -OrganizationalUnit and it sort of worked. But when I add the | Get-MailboxPermission -User then it results in just nothing. If I remove the “-User” and only have the | Get-MailboxPermission then it lists all the permissions of the users in the specific OU which is too much.
How can I see the permission of a single user without having to loop through all the users in the directory?
-
Vasil Michev says:
It should work just fine with OU based or any other type of filter. No output from the cmdlets simply means the user has no permissions on any of the mailboxes in the scope of the filter.
-
-
Steph says:
I have logged into 365 using powershell and it has connected fine – but 'Get-Mailbox' command is not working.
PS C:\scripts> PS C:\ Get-Mailbox -RecipientTypeDetails UserMailbox,SharedMailbox -ResultSize Unlimited | Get-MailboxPermission -User DanielleA
Get-Process : A positional parameter cannot be found that accepts argument ‘Get-Mailbox’.
At line:1 char:1
+ PS C:\ Get-Mailbox -RecipientTypeDetails UserMailbox,SharedMailbox -R …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-Process], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.GetProcessCommand
Please can you help?
Thanks
-
Vasil Michev says:
You are pasting a bit too much, remove the “PS C:\” part
-
-
Eddie says:
Hello
I cannot see the name of mail box as the identity path is too long. Have outputted the command to text file but still i just get
Domain.local/London/…
Domain.local/London/…
Domain.local/London/…
Am I doing something stupid?
Thank you !
-
Vasil Michev says:
Eddie, those examples are intended for ExO, On-Prem the output format is different. Easy fix for that is to simply export the result to CSV file. There are many examples in Paul’s article here: http://practical365.com/exchange-server/list-users-access-exchange-mailboxes/
-
-
Kevin Payton says:
That appears to list Every Shared Mailbox in the Organization alone with the users. We have about 18,000 associates so Yeah Is there a way to zero that down a little more? I ran the first list with only 106 people in it, but it was grabbing names from more than just that.
-
Vasil Michev says:
The name for the column that designates users in your CSV file needs to match the one in the script, otherwise the Get-MailboxPermission will return all permissions (including the “default” ones).
-
-
Kevin Payton says:
I have a list of users (Approximately 300) that I need to find out what Shared Mailbox’s they have access to. I assume I can use the PS command:
Get-Mailbox -RecipientTypeDetails UserMailbox,SharedMailbox -ResultSize Unlimited | Get-MailboxPermission -User vasil
But I don’t want to run that 300 Times
I have the 300 Users in a Excel document. How would I inject that in and have it exported to a xls document?
-
Vasil Michev says:
That’s a lot of looping, I’d suggest using some permission inventory script.
But something like this can work:
$sharedmailboxes = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited
Import-CSV blabla.csv | % {
$sharedmailboxes | Get-MailboxPermission -User $_.User }
where the blabla.csv file contains the user list under a column called “User”.
Pretty sure you’d get throttled though, so maybe add some delay in between the iterations (Start-Sleep 3 or similar).
-
-
James says:
Hi Vasil
How would we find out who’s calendars a user has access to and what level of access they have?
-
Vasil Michev says:
James, Calendar and folders in general are a bit trickier, as permissions can be given on multiple levels. That is directly to the user, or via the Default level, or via Group, etc. If you only care about direct assignment, something like this should work:
# Get all the Calendars (folder name can be localized)
$calendars = Get-Mailbox -RecipientTypeDetails UserMailbox | Get-MailboxFolderStatistics | ? {$_.FolderType -eq "Calendar"} | select @{n="Identity"; e={$_.Identity.Replace("\",":\")}}
# Check which Calendars user XXX has access to:
$calendars | % {Get-MailboxFolderPermission -Identity $_.Identity -User vasil -ErrorAction SilentlyContinue}
-
Justin Irving says:
Thanks for this great post. I learnt about Calculated Properties!
-
Muhammad Kamran Khan says:
Hello Can you tell me how export list of users have calendar permission on which mailbox calendar I want output in CSV with email address
-
Muhammad Kamran Khan says:
Your command running perfectly but not showing output when I See Using $calendar, it give blank result. I think some thing need to be done this portion
| select @{n="Identity"; e={$_.Identity.Replace("\",":\")}}
can you revert back I am stuck in between, I have 1000 users. I need to check whether who has permission 1000 users calendar and 1000 users have permission on whom mailbox calendar. want output in excel.
-
-
Muhammad Kamran Khan says:
Hello Can you tell me how export list of users have calendar permission on which mailbox calendar I want output in CSV with email address
Your command running perfectly but not showing output when I See Using $calendar, it give blank result. I think some thing need to be done this portion
| select @{n="Identity"; e={$_.Identity.Replace("\",":\")}}
can you revert back I am stuck in between, I have 1000 users. I need to check whether who has permission 1000 users calendar and 1000 users have permission on whom mailbox calendar. want output in excel.
-
Vasil Michev says:
Calendar permissions are a bit trickier, as you can have multiple entries affecting the same user (i.e. you need to check the Default entry too), you need to check for the actual Calendar folder name, and so on.
In general, you can do something like this:
Get-Mailbox | % { Get-MailboxFolderPermission (($_.PrimarySmtpAddress)+":\Calendar") -User vasil -ErrorAction SilentlyContinue} | select Identity,User,AccessRights
But that’s very simplistic and some major improvements can be made. I’m doing a Permissions Inventory series for Cogmotive now, I’ll do a Calendar permissions article as part of those in the near future and provide sample script.
-
Muhammad Kamran Khan says:
Thanks Vasil, can you help me out. i am in mid of migration. 1000 user have permission on others mailboxes Calendar which are either on-premises / Cloud. same i need vice versa those have permission on 1000 mailbox. i need report in Excel.
really appreciate if you help me create short script. thanks in Advance.
-
Muhammad Kamran Khan says:
I am getting error by running above command.
foreach : Method invocation failed because [Microsoft.Exchange.Data.SmtpAddress] does not contain a method named
‘op_Addition’.
At line:1 char:15
+ Get-Mailbox | foreach{Get-MailboxFolderPermission (($_.PrimarySmtpAddress)+”:\Ca …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (op_Addition:String) [ForEach-Object], RuntimeException
+ FullyQualifiedErrorId : MethodNotFound,Microsoft.PowerShell.Commands.ForEachObjectCommand
-
Vasil Michev says:
If you are doing this On-Prem, put a ToString() to get the proper value. This should work:
Get-MailboxFolderPermission (($_.PrimarySmtpAddress.ToString())+":\Calendar") blablabla
-
-
Chad E says:
So this is only giving me output about what permissions the specified user has but it doesn’t tell me to which mailbox they have the permissions to .. am i missing something?
-
Vasil Michev says:
Which one of the examples is “this”? In most of them, the Identity column designates the mailbox on which the permissions are granted.
-
Chad E says:
Apologies, this function
# Get all the Calendars (folder name can be localized)
$calendars = Get-Mailbox -RecipientTypeDetails UserMailbox | Get-MailboxFolderStatistics | ? {$_.FolderType -eq "Calendar"} | select @{n="Identity"; e={$_.Identity.Replace("\",":\")}}
# Check which Calendars user XXX has access to:
$calendars | % {Get-MailboxFolderPermission -Identity $_.Identity -User vasil -ErrorAction SilentlyContinue}
-
Vasil Michev says:
Right, this example is simply missing the select operation at the end, try it like this:
$calendars | % {Get-MailboxFolderPermission -Identity $_.Identity -User vasil -ErrorAction SilentlyContinue | select Identity,User,AccessRights}
I’ve published a more detailed script for that, check it out here: https://gallery.technet.microsoft.com/Office-365-Calendar-29ef6211?redir=0
-
-
-
-
steve says:
is this valid for Office 365 also? We have hybrid environment running on prem and cloud. while this gave me output from the exchange server does this also cover mailboxes that are only on the cloud?
-
Vasil Michev says:
You can run the same cmdlets in EO Remote PowerShell. Cross-prem permissions should be listed where appropriate, if that’s what you mean.
-
-
josh says:
: The term ‘get-mailbox’ is not recognized as the name of a cmdlet, function, script file, or operable
program.