  1. I was wondering if anyone knows the PowerShell command for Exchange 2010 that lists mailboxes and/or users that a particular mailbox does NOT have access to.
    We have a system account that we need to grant full access to most (but not all) user mailboxes. We would like to run a command each month that will tell us which users this account doesn't have full rights to so we can correct that if necessary and exports to a csv.

  2. I'd like a command that lists users and who has full permissions to each. I found this but the results it returns don't seem entirely accurate (when I compare the csv to the EMC, some accounts on the EMC will show that 3 other users have access to their mailbox but the CSV only reports 1 user).

    Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv
    
Chris S
user111503

2 Answers


I tested the command on my systems, and it is working as you are hoping it to.

Although, if you are only comparing to what you are seeing in the EMC, you may be expecting the wrong outcome. The command is set up to show only non-Inherited rights. The EMC will show you both Inherited and non-Inherited (without specifying which is which). What you may want to do is run just this portion of the code in Powershell:

Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false}

And compare that to your resulting CSV.

Alternately, you could run this:

Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF"}

which will show you both Inherited and non-Inherited rights via Powershell; then compare that with your CSV result.

HostBits


#1 - Wrote this one myself (revised). It isn't a simple one-liner since it evaluates the value of each permission entry on each mailbox in a couple of nested loops. Unfortunately, I couldn't figure out a way to simplify this any further (likely due to my lack of expertise in powershell). It basically gets all mailboxes and stores them in a variable, then it gets the permissions on each mailbox, evaluating each permission entry for a specific criterion (the system user with a FullAccess entry on the mailbox). If that criterion is met on any of the permission entries, it sets the $access variable to "True". After it has gone through all permission entries on the mailbox it takes a look at the $access variable, and if it is still False it adds the mailbox to the csv file (not really a csv though since there is only 1 entry per line in the file).

Import-Module C:\Temp\Exchange.psm1
$csv = "C:\Temp\systemuser.csv"
# The User property of a permission entry renders as DOMAIN\name, so give the
# system account in that same form; a bare username never matches and every
# mailbox would be reported as missing the right.
$user = "<DOMAIN>\<system user>"
# Get-Mailbox returns at most 1000 objects by default; ask for all of them.
$mailboxes = Get-Mailbox -ResultSize Unlimited
ForEach ($mailbox in $mailboxes) {
    $access = $false
    $perms = $mailbox | Get-MailboxPermission
    ForEach ($item in $perms) {
        # Exact (case-insensitive) principal match, FullAccess present, and not a
        # Deny entry: Get-MailboxPermission returns Deny ACEs too, and a denied
        # FullAccess must not be counted as access.
        if ($item.User.ToString() -eq $user -and
            $item.AccessRights -like "*FullAccess*" -and
            -not $item.Deny) {
            $access = $true
        }
    }
    if (-not $access) {
        Add-Content -Path $csv -Value "$($mailbox.Identity)"
    }
}

#2 - Wrote most of it myself, but was struggling getting the AccessRights property to a string so it would export to the csv so I googled and found the same article you found with the script in your question and it works fine. I think the discrepancy between what the csv says and what the EMC says is that the script in the article filters out inherited permissions. I modified it below not to filter out inherited permissions and include the "IsInherited" Property in the output so you can tell if it is explicit or not.

Get-MailboxPermission * | ? {$_.user -notlike "NT AUTHORITY\SELF"} | Select Identity ,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}},IsInherited | Export-csv -NoTypeInformation c:\temp\mailboxpermissions.csv

August
  • #1 returned some accounts where the system account DID have full access to. – user111503 Aug 20 '12 at 21:46
  • You are right, I think it is only filtering out the line that shows the permission on the mailbox, but still displays the mailbox because there are other lines for other accounts/groups. I will edit when I get a chance – August Aug 21 '12 at 11:56
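The following is an added example, not code from the question or from either answer. It covers both items of the question (mailboxes the system account lacks FullAccess on, and who holds FullAccess on each mailbox) and the inherited-versus-explicit and Deny-entry points raised in the answers. The check is factored out of the Exchange pipeline so it can be run offline against constructed permission entries; the function names, the `CONTOSO\svc-mail` account, the sample entries and the output paths are all assumptions of this example, and the one line that pulls live data from Exchange 2010 is shown as a comment.

```powershell
# Permission entries are expected one object per ACE, in the shape Get-MailboxPermission
# returns: Identity (mailbox), User (DOMAIN\name), AccessRights (array), Deny, IsInherited.

function Get-MailboxesMissingFullAccess {
    param(
        [Parameter(Mandatory)] [object[]] $Entries,
        [Parameter(Mandatory)] [string]   $Account   # DOMAIN\name of the system account
    )
    # Group ACEs by mailbox so a mailbox with no ACE for the account is still reported.
    $byMailbox = $Entries | Group-Object -Property { $_.Identity.ToString() }
    foreach ($group in $byMailbox) {
        $allowed = $false
        $denied  = $false
        foreach ($ace in $group.Group) {
            # Exact, case-insensitive principal match; inherited entries count, since the
            # EMC shows them and they grant access just the same.
            if ($ace.User.ToString() -ne $Account) { continue }
            if ($ace.AccessRights -contains 'FullAccess') {
                if ($ace.Deny) { $denied = $true } else { $allowed = $true }
            }
        }
        # A Deny ACE wins over an Allow ACE, so only "allowed and not denied" is access.
        if (-not ($allowed -and -not $denied)) {
            [pscustomobject]@{ Mailbox = $group.Name; MissingFor = $Account }
        }
    }
}

function Get-FullAccessReport {
    param([Parameter(Mandatory)] [object[]] $Entries)
    # Everyone except the mailbox owner who holds an effective FullAccess entry,
    # with IsInherited kept so explicit and inherited grants can be told apart.
    $Entries |
        Where-Object { $_.User.ToString() -ne 'NT AUTHORITY\SELF' -and
                       $_.AccessRights -contains 'FullAccess' -and -not $_.Deny } |
        Select-Object Identity, User, IsInherited,
            @{ Name = 'AccessRights'; Expression = { $_.AccessRights -join ', ' } }
}

# Constructed sample ACEs (not real data): Alice grants the account FullAccess,
# Bob grants it only ReadPermission, Carol explicitly denies it FullAccess.
$sample = @(
    [pscustomobject]@{ Identity = 'Alice'; User = 'NT AUTHORITY\SELF'; AccessRights = @('FullAccess', 'ReadPermission'); Deny = $false; IsInherited = $false }
    [pscustomobject]@{ Identity = 'Alice'; User = 'CONTOSO\svc-mail';  AccessRights = @('FullAccess');                  Deny = $false; IsInherited = $false }
    [pscustomobject]@{ Identity = 'Bob';   User = 'NT AUTHORITY\SELF'; AccessRights = @('FullAccess');                  Deny = $false; IsInherited = $false }
    [pscustomobject]@{ Identity = 'Bob';   User = 'CONTOSO\svc-mail';  AccessRights = @('ReadPermission');              Deny = $false; IsInherited = $true  }
    [pscustomobject]@{ Identity = 'Carol'; User = 'CONTOSO\svc-mail';  AccessRights = @('FullAccess');                  Deny = $true;  IsInherited = $false }
    [pscustomobject]@{ Identity = 'Carol'; User = 'CONTOSO\helpdesk';  AccessRights = @('FullAccess');                  Deny = $false; IsInherited = $true  }
)

# On a real Exchange 2010 shell, replace the sample with live ACEs. -ResultSize
# Unlimited matters: Get-Mailbox stops at 1000 objects otherwise.
#   $entries = Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission
$entries = $sample

# Item 1: mailboxes where CONTOSO\svc-mail has no effective FullAccess (here: Bob, Carol).
Get-MailboxesMissingFullAccess -Entries $entries -Account 'CONTOSO\svc-mail' |
    Export-Csv -NoTypeInformation -Path 'C:\Temp\missing-fullaccess.csv'

# Item 2: who holds FullAccess on each mailbox, inherited entries included and flagged.
Get-FullAccessReport -Entries $entries |
    Export-Csv -NoTypeInformation -Path 'C:\Temp\fullaccess-report.csv'
```

Both reports are emitted as objects and written with Export-Csv, so the first file is a real CSV with a header rather than one bare name per line. The grouping step is what fixes the discrepancy noted in the comments above: a mailbox is judged once on the whole set of its ACEs, so unrelated entries for other users can no longer cause it to be listed as missing the grant.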