How do I get all mailboxes that have AD security groups with send as permissions

Question

I'm in need of assistance on finding a powershell command to find all shared mailboxes that have AD Security Groups with 'SendAs' permissions assigned to them; to a text file.

The script I have so far is:

$ExchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "http://MY-EXCHANGE BOX/PowerShell/" -Authentication Kerberos
Import-PSSession $ExchangeSession 
$WFMGroups = $GroupSAMs = %{Get-Mailbox $_ | select -ExpandProperty dist* | %{Get-ADPermission $_ | 
    ?{$_.extendedrights -like '*Send-As*'} | select -ExpandProperty User | %{$_.tostring().replace("DOMAIN\","")}} | 
    %{get-adobject -filter{samaccountname -eq $_}} | ?{$_.ObjectClass -eq "group"}} | select -ExpandProperty name
foreach ($WFMGroup in $WFMGroups)
{
    $WFMGroup.GroupScope = "Universal"
    Set-DistributionGroup -Identity $WFMGroup -Alias $WFMGroup
    Set-DistributionGroup -Identity "$WFMGroup" -EmailAddressPolicyEnabled "$false" -DisplayName "$WFMGroup" -PrimarySmtpAddress "$WFMGroup@maildomain.com" -HiddenFromAddressListsEnabled:$true -ManagedBy "AD-OBJECT"
}

Is this for an Exchange Online or On-Prem Exchange? – eKKiM Oct 10 '19 at 14:13 — eKKiM, Oct 10 '19 at 14:13
This is for On-Prem Exchange. – WoodMadeIT Oct 10 '19 at 15:16 — WoodMadeIT, Oct 10 '19 at 15:16

Semicolon · Accepted Answer · 2019-10-10T20:22:42.870

Without access to the ActiveDirectory module (as noted in your thread on the other forum), to achieve what you are seeking, you would need to do this by using the tools available in the Exchange Management Shell (or its implicit remoting equivalent).

Specifically, replace this line of your script:

%{get-adobject -filter{samaccountname -eq $_}} | ?{$_.ObjectClass -eq "group"}} | select -ExpandProperty name

With this line (notice the alias expansion):

ForEach-Object {Get-Recipient $_} | Where-Object {$_.RecipientType -like "*Group"}

Test thoroughly before use.

Also, I strongly advise against programatically updating the Group Scopes in this manner - the other settings are probably fine. The issue with changing the group scopes of so many scopes is that inevitablly you will run into situations where you're changing the scope of a Global group to a Universal Group, but fail because it is a member of another Global group (which cannot have Universal Groups as members).

How do I get all mailboxes that have AD security groups with send as permissions

1 Answers1