Full Access Mailbox Permissions Report using Powershell

In this post, we will explore how to list the users who have Full Access permission on other users' mailboxes. The Exchange PowerShell cmdlet Get-MailboxPermission returns the permissions assigned on a particular mailbox.

Before proceeding, connect to the Exchange Online PowerShell module, or open the Exchange Management Shell in an on-premises environment.

Run the command below to list the permissions on a specific mailbox:

Get-MailboxPermission "Aldo Muller" | Select Identity,User,AccessRights

The above command lists not only the Full Access permissions explicitly assigned on a mailbox but also inherited permissions, built-in system groups and the mailbox's own SELF access. These extra entries are unnecessary for our current report, so we can filter them out with a Where condition.

Get-MailboxPermission "Aldo Muller" | Where { ($_.IsInherited -eq $False) -and ($_.AccessRights -like "*FullAccess*") -and -not ($_.User -like "NT AUTHORITY\SELF") } |
Select Identity, User, AccessRights

You can also list the access rights of one specific user on a specific mailbox. Pass the user account with the -User parameter of the Get-MailboxPermission cmdlet.

$Mailbox = "Aldo Muller"
$UserToCheck = "Alex Wilber"
Get-MailboxPermission -Identity $Mailbox -User $UserToCheck | Select Identity,User,AccessRights

List all mailboxes in which a specific user has Full Access permissions

In some scenarios, you may need to extract all mailboxes on which a given user account has Full Access permission. To do this, first fetch all mailboxes and pipe the result to the Get-MailboxPermission cmdlet.

Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission  -User "Alex Wilber" | Select Identity,User,AccessRights

List all mailboxes with Full Access permissions

The command below retrieves every mailbox together with the users who have Full Access permission on it.

Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission |
Where { ($_.IsInherited -eq $False) -and ($_.AccessRights -like "*FullAccess*") -and -not ($_.User -like "NT AUTHORITY\SELF") } |
Select-Object @{n="Mailbox"; e={$_.Identity}},@{n="UserHasFullAccess"; e={$_.User}},@{n="Access"; e={$_.AccessRights}} 

Export Result to CSV:

You can export the report to a CSV file by running the command below.

Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission |
Where { ($_.IsInherited -eq $False) -and ($_.AccessRights -like "*FullAccess*") -and -not ($_.User -like "NT AUTHORITY\SELF") } |
Select-Object @{n="Mailbox"; e={$_.Identity}},@{n="UserHasFullAccess"; e={$_.User}},@{n="Access"; e={$_.AccessRights}}  |
Export-CSV "C:\FullAccessPermissionsReport.csv" -NoTypeInformation -Encoding UTF8
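
A saved report becomes an audit control once it is compared with an earlier one, because a newly granted Full Access entry is what a reviewer needs to see. The following is an added example, not part of the original post: it diffs two reports in the CSV layout exported above. The function names Get-GrantKey and Compare-FullAccessReport are hypothetical, and the sample rows are constructed.

```powershell
# Added example (not from the original post): compare two FullAccess reports.
# In practice load each side with Import-Csv from a file written by the
# Export-CSV command above; the rows below are constructed sample data.

function Get-GrantKey($Row) {
    # One delegation = mailbox + trustee; lower-cased so casing changes don't count.
    ('{0}|{1}' -f $Row.Mailbox, $Row.UserHasFullAccess).ToLowerInvariant()
}

function Compare-FullAccessReport {
    param([object[]]$Baseline = @(), [object[]]$Current = @())

    $old = @{}; foreach ($r in $Baseline) { $old[(Get-GrantKey $r)] = $r }
    $new = @{}; foreach ($r in $Current)  { $new[(Get-GrantKey $r)] = $r }

    # Grants present now but absent from the baseline need review.
    foreach ($k in $new.Keys) {
        if (-not $old.ContainsKey($k)) {
            $new[$k] | Select-Object @{n='Change'; e={'Added'}}, Mailbox, UserHasFullAccess
        }
    }
    # Grants that disappeared are reported too, so the baseline can be updated.
    foreach ($k in $old.Keys) {
        if (-not $new.ContainsKey($k)) {
            $old[$k] | Select-Object @{n='Change'; e={'Removed'}}, Mailbox, UserHasFullAccess
        }
    }
}

$baseline = @'
"Mailbox","UserHasFullAccess","Access"
"Aldo Muller","Alex Wilber","FullAccess"
"Shared Finance (constructed)","Alex Wilber","FullAccess"
'@ | ConvertFrom-Csv

$current = @'
"Mailbox","UserHasFullAccess","Access"
"Aldo Muller","Alex Wilber","FullAccess"
"Aldo Muller","New Delegate (constructed)","FullAccess"
'@ | ConvertFrom-Csv

Compare-FullAccessReport -Baseline $baseline -Current $current |
    Sort-Object Change, Mailbox | Format-Table -AutoSize
```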


1 thought on “Full Access Mailbox Permissions Report using Powershell”

  1. Hi,

    You need to change to – NT AUTHORITY\SELF not all one word

    Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission |
    Where { ($_.IsInherited -eq $False) -and ($_.AccessRights -like "*FullAccess*") -and -not ($_.User -like "NT AUTHORITY\SELF") } |
    Select-Object @{n="Mailbox"; e={$_.Identity}},@{n="UserHasFullAccess"; e={$_.User}},@{n="Access"; e={$_.AccessRights}}
