In this post, we will explore how to list users who have full access permission on other users' mailboxes. We can use the Exchange PowerShell cmdlet Get-MailboxPermission to extract the permissions assigned on a particular mailbox.
Before you proceed, connect to the Exchange Online PowerShell module, or open the Exchange Management Shell in an on-premises environment.
Run the command below to list the permissions on a specific mailbox:
Get-MailboxPermission "Aldo Muller" | Select Identity,User,AccessRights
The above command lists not only the explicitly assigned full access permissions on a mailbox, but also inherited permissions, built-in system groups and the mailbox's SELF access. These extra entries are unnecessary for our current report, so we can filter them out with a Where clause.
Get-MailboxPermission "Aldo Muller" | Where { ($_.IsInherited -eq $False) -and ($_.AccessRights -like "*FullAccess*") -and -not ($_.User -like "NT AUTHORITY\SELF") } | Select Identity, User, AccessRights
You can also list the access rights of one specific user on a specific mailbox. Provide the user account with the -User parameter of the Get-MailboxPermission cmdlet.
$Mailbox = "Aldo Muller"
$UserToCheck = "Alex Wilber"
Get-MailboxPermission -Identity $Mailbox -User $UserToCheck | Select Identity,User,AccessRights
List all mailboxes in which a specific user has Full Access permissions
In some scenarios, you may need to extract all mailboxes in which a given user account has full access permission. To do this, first fetch all mailboxes and pipe the result to the Get-MailboxPermission cmdlet.
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission -User "Alex Wilber" | Where { $_.AccessRights -like "*FullAccess*" } | Select Identity,User,AccessRights
List all mailboxes with Full Access permissions
The below command retrieves mailboxes and users with full access permission.
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Where { ($_.IsInherited -eq $False) -and ($_.AccessRights -like "*FullAccess*") -and -not ($_.User -like "NT AUTHORITY\SELF") } | Select-Object @{n="Mailbox"; e={$_.Identity}},@{n="UserHasFullAccess"; e={$_.User}},@{n="Access"; e={$_.AccessRights}}
Export Result to CSV:
You can export the report to a CSV file by running the command below.
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Where { ($_.IsInherited -eq $False) -and ($_.AccessRights -like "*FullAccess*") -and -not ($_.User -like "NT AUTHORITY\SELF") } | Select-Object @{n="Mailbox"; e={$_.Identity}},@{n="UserHasFullAccess"; e={$_.User}},@{n="Access"; e={$_.AccessRights}} | Export-CSV "C:\FullAccessPermissionsReport.csv" -NoTypeInformation -Encoding UTF8
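The filter from the commands above, written as a reusable function and run over constructed sample entries so it can be tried without an Exchange session (an added example, not part of the original post). The function name Select-ExplicitFullAccess and the CONTOSO and Shared Finance names are assumptions; unlike the one-liners, it also drops Deny entries, which would otherwise be reported as access.

```powershell
# Added example. Select-ExplicitFullAccess is a hypothetical helper name.
function Select-ExplicitFullAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Permission
    )
    process {
        # AccessRights is a collection; join it so the wildcard test sees every right.
        $rights = @($Permission.AccessRights | ForEach-Object { [string]$_ }) -join ','
        if ($Permission.IsInherited)                              { return } # inherited entry
        if ($Permission.Deny)                                     { return } # Deny grants nothing
        if ($rights -notlike '*FullAccess*')                      { return } # other rights only
        if ([string]$Permission.User -eq 'NT AUTHORITY\SELF')     { return } # mailbox owner
        [pscustomobject]@{
            Mailbox           = [string]$Permission.Identity
            UserHasFullAccess = [string]$Permission.User
            Access            = $rights
        }
    }
}

# Constructed sample entries shaped like Get-MailboxPermission output.
function New-SampleEntry($Identity, $User, $Rights, $Inherited, $Deny) {
    [pscustomobject]@{ Identity = $Identity; User = $User; AccessRights = $Rights
                       IsInherited = $Inherited; Deny = $Deny }
}
$sample = @(
    New-SampleEntry 'Aldo Muller'    'NT AUTHORITY\SELF'     @('FullAccess','ReadPermission') $false $false
    New-SampleEntry 'Aldo Muller'    'Alex Wilber'           @('FullAccess')                  $false $false
    New-SampleEntry 'Aldo Muller'    'CONTOSO\Domain Admins' @('FullAccess')                  $true  $false
    New-SampleEntry 'Aldo Muller'    'CONTOSO\Contractors'   @('FullAccess')                  $false $true
    New-SampleEntry 'Shared Finance' 'Alex Wilber'           @('FullAccess')                  $false $false
    New-SampleEntry 'Shared Finance' 'Aldo Muller'           @('ReadPermission')              $false $false
)

# Against a live session, replace $sample with:
#   Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission
$report = $sample | Select-ExplicitFullAccess
$report | Format-Table -AutoSize

# Per-delegate summary: who holds full access, and on which mailboxes.
$report | Group-Object UserHasFullAccess |
    Select-Object Name, Count, @{n='Mailboxes'; e={ $_.Group.Mailbox -join '; ' }}
```

With the sample data, only the two Alex Wilber entries remain in the report.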
Hi,
You need to change to – NT AUTHORITY\SELF not all one word
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission |
Where { ($_.IsInherited -eq $False) -and ($_.AccessRights -like "*FullAccess*") -and -not ($_.User -like "NT AUTHORITY\SELF") } |
Select-Object @{n="Mailbox"; e={$_.Identity}},@{n="UserHasFullAccess"; e={$_.User}},@{n="Access"; e={$_.AccessRights}}