Wednesday, May 18, 2011

How to report which Exchange mailboxes group members have full access to

Mailbox access rights in Exchange are easy to assign; however, managing them can be a bit of a pain, especially if they are assigned on a per-user basis or assigned when troubleshooting issues for a user. What would be really useful is the ability to quickly generate a report against a subset of users to check that their access rights fall in line with organisational policies, or just to check for any permissions that need revoking.

To help with visibility in this area, I've written a little script that lets you discover this information so you can act on it. Basically, it takes a group of users, then checks all the mailboxes to find out if any of those users have full access rights to mailboxes other than their own, and outputs the results to the console.

So, why did I write this script? Quite simply, to meet a business need - a management requirement to provide a report on what mailboxes the people in the IT department have full access to. However it's not just useful for that - users move around between departments often and while group memberships are routinely updated in most organisations, there's always the off-chance a user's been granted full access to a certain mailbox and that permission hasn't been revoked.

Usage is fairly straightforward. You need to know the group name; after that simply specify it when executing the script:

.\Get-MailboxPermissionForGroupMembers.ps1 "Example Group"

After execution, the script will expand all the group members (including any in sub-groups), then get all mailboxes. It will compare each mailbox's full access permissions list against those group members and output a result similar to this:

[Image: example script output]
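
The comparison described above, sketched as an added example; this is not the code of the downloadable script. The group names, accounts, the `Owner` column and the choice to skip deny and inherited entries by default are assumptions, and the data is constructed so the logic runs without an Exchange server.

```powershell
# Constructed sample data: group name -> direct members (accounts or nested groups).
$Groups = @{
    'IT Department' = @('CONTOSO\alice', 'Helpdesk')
    'Helpdesk'      = @('CONTOSO\bob', 'IT Department')   # deliberate cycle
}

# Builds a row shaped like Get-MailboxPermission output. Owner is a hypothetical
# extra column (the mailbox owner's account) that the caller would add.
function New-Ace($Mailbox, $Owner, $User, $Rights, $Inherited, $Deny) {
    New-Object PSObject -Property @{
        Identity = $Mailbox; Owner = $Owner; User = $User
        AccessRights = @($Rights); IsInherited = $Inherited; Deny = $Deny
    }
}
$Aces = @(
    New-Ace 'alice'   'CONTOSO\alice' 'CONTOSO\alice' 'FullAccess'     $false $false  # own mailbox
    New-Ace 'ceo'     'CONTOSO\erin'  'CONTOSO\alice' 'FullAccess'     $false $false  # reported
    New-Ace 'finance' 'CONTOSO\dave'  'CONTOSO\bob'   'FullAccess'     $false $true   # deny entry
    New-Ace 'hr'      'CONTOSO\fay'   'CONTOSO\bob'   'FullAccess'     $true  $false  # inherited
    New-Ace 'ceo'     'CONTOSO\erin'  'CONTOSO\carol' 'FullAccess'     $false $false  # not in group
    New-Ace 'sales'   'CONTOSO\gus'   'CONTOSO\bob'   'ReadPermission' $false $false  # other right
)

# Recursively expands nested groups; $Seen stops cyclic nesting from looping forever.
function Expand-GroupMember([string]$Name, [hashtable]$Groups, [hashtable]$Seen = @{}) {
    if ($Seen.ContainsKey($Name)) { return }
    $Seen[$Name] = $true
    foreach ($m in $Groups[$Name]) {
        if ($Groups.ContainsKey($m)) { Expand-GroupMember $m $Groups $Seen }
        else { $m }
    }
}

# Keeps allow entries granting FullAccess to a group member on someone else's mailbox.
function Find-FullAccessGrant($Members, $Aces, [switch]$IncludeInherited) {
    $Aces | Where-Object {
        ($_.AccessRights -contains 'FullAccess') -and
        (-not $_.Deny) -and
        ($IncludeInherited -or -not $_.IsInherited) -and
        ($Members -contains $_.User) -and
        ($_.User -ne $_.Owner)
    } | Select-Object User, Identity, IsInherited
}

$members = Expand-GroupMember 'IT Department' $Groups | Sort-Object -Unique
Find-FullAccessGrant $members $Aces | Format-Table -AutoSize
```

Against a live organisation the rows would come from `Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission`, with `User` converted to a string and the owner column filled in by the caller.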

Currently, this is a version 1.1 script. It's aimed at both Exchange 2007 and 2010 at the moment, but I envisage a future version would not only check for other types of permissions set at the mailbox level, but also check for mailbox folder permissions in an Exchange 2010 environment. And, as always, your comments and ideas for improvements would be very much appreciated.

Download Get-MailboxPermissionsForGroupMembers.zip
