A demonstration of one way to get shared\u00a0mailbox permissions exported to a CSV file. We needed both users, groups and users in groups (so, a recursive search). Only Shared mailboxes had to be included, we could identity these by a simple rule:<\/p>\n
the first portion of the primary email address does not contain a dot<\/p><\/blockquote>\n
See line 126 and 127 for this rule if you need a different method.<\/p>\n
Edit: make sure you replace CED\\ with your own domain! Sorry bout that…<\/p>\n
This export excludes Deny permissions and looks for users in groups up to 2 levels deep. Credits to Piotrek<\/a> for his Get-ADNestedGroupMember function.<\/p>\n
Script source:<\/p>\n
\n\n#Module name: reportSharedMailboxPermissions\n#Author: Jos Lieben (OGD)\n#Date: 08-06-2016\n#Script help: www.liebensraum.nl\n#Purpose: writes a csv report of user and group permissions (recursive) on mailboxes with a . in their primary email prefix\n#Requirements: run from Exchange Shell, requires AD module\n\nipmo ActiveDirectory\n\n$users = Get-Mailbox -Resultsize Unlimited\n$script:csvEntries = @()\n$csvExportPath = "C:\\Scripts\\mailboxRights.csv"\n\nfunction searchForUserOrGroup{\n param(\n [String]$name\n )\n $found = $False\n try{\n $adresult = Get-ADUser -filter{samAccountName -eq $name}\n if($adresult) {$found = $True}\n }catch{$Null}\n if($found -eq $False){\n try{\n $adresult = Get-ADGroup -filter{samAccountName -eq $name}\n if($adresult) {$found = $True}\n }catch{$Null}\n }\n if($found){\n return $adresult\n }else{\n return $False\n }\n}\n\nfunction Get-ADNestedGroupMembers {\n param ( \n [Parameter(ValuefromPipeline=$true,mandatory=$true)][String] $GroupName, \n [int] $nesting = -1, \n [int]$circular = $null \n ) \n $table = $null \n $nestedmembers = $null \n $adgroupname = $null \n $nesting++ \n $ADGroupname = get-adgroup $groupname -properties memberof,members \n $memberof = $adgroupname | select -expand memberof \n if ($adgroupname){ \n if ($circular){ \n $nestedMembers = Get-ADGroupMember -Identity $GroupName -recursive \n $circular = $null \n } \n else{ \n $nestedMembers = Get-ADGroupMember -Identity $GroupName | sort objectclass -Descending\n if (!($nestedmembers)){\n $unknown = $ADGroupname | select -expand members\n if ($unknown){\n $nestedmembers=@()\n foreach ($member in $unknown){\n $nestedmembers += get-adobject $member\n }\n }\n\n }\n } \n foreach ($nestedmember in $nestedmembers){ \n $Props = @{Type=$nestedmember.objectclass;Name=$nestedmember.name;DisplayName="";ParentGroup=$ADgroupname.name;Enabled="";Nesting=$nesting;DN=$nestedmember.distinguishedname;Comment=""} \n if ($nestedmember.objectclass -eq "user"){ \n $nestedADMember = get-aduser $nestedmember -properties enabled,displayname \n $table = new-object psobject -property $props \n $table.enabled = $nestedadmember.enabled\n $table.name = $nestedadmember.samaccountname\n $table.displayname = $nestedadmember.displayname\n $table | select type,name,displayname,parentgroup,nesting,enabled,dn,comment \n } \n elseif ($nestedmember.objectclass -eq "group"){ \n $table = new-object psobject -Property $props \n \n if ($memberof -contains $nestedmember.distinguishedname){ \n $table.comment ="Circular membership" \n $circular = 1 \n } \n $table | select type,name,displayname,parentgroup,nesting,enabled,dn,comment \n if($nesting -lt 3){\n Get-ADNestedGroupMembers -GroupName $nestedmember.distinguishedName -nesting $nesting -circular $circular \n } \n } \n else{ \n if ($nestedmember){\n $table = new-object psobject -property $props\n $table | select type,name,displayname,parentgroup,nesting,enabled,dn,comment \n \n }\n } \n } \n } \n \n}\n\nfunction addToCSV{\n Param(\n [String]$mailboxEmail,\n [String]$mailboxAlias,\n [String]$mailboxDisplayName,\n [String]$mailboxType,\n [String]$permissionName,\n [String]$permissionClass,\n [String]$permissionType\n )\n $csvEntry = New-Object PSObject\n $csvEntry | Add-Member NoteProperty mailboxEmail($mailboxEmail)\n $csvEntry | Add-Member NoteProperty mailboxAlias($mailboxAlias)\n $csvEntry | Add-Member NoteProperty mailboxDisplayName($mailboxDisplayName)\n $csvEntry | Add-Member NoteProperty mailboxType($mailboxType)\n $csvEntry | Add-Member NoteProperty permissionName($permissionName)\n $csvEntry | Add-Member NoteProperty permissionClass($permissionClass)\n $csvEntry | Add-Member NoteProperty permissionType($permissionType)\n $script:csvEntries += $csvEntry\n}\n\nWrite-Progress -Activity "Running report" -PercentComplete 0 -Status "Indexing..."\n\n$done = 0\nforeach($user in $users){\n \n $mail = $user.PrimarySMTPAddress.ToString()\n if($mail.Split("@")[0] -like "*.*"){\n write-verbose "$mail not shared" \n }else{\n try{\n $perms = $user | Get-MailboxPermission -erroraction stop | where{$_.Deny -eq $False}\n }catch{\n write-error "failed to retrieve mailbox permissions for $mail"\n continue\n }\n foreach ($perm in $perms){\n $permUserName = $perm.User.ToString()\n if($permUserName -like "*CED\\*"){\n $permAdInfo = searchForUserOrGroup -name $permUserName.Split("\\")[1]\n if($permAdInfo -eq $False){\n $rights = $perm.AccessRights -Join ","\n addToCSV -mailboxEmail $mail -mailboxAlias $user.alias -mailboxDisplayName $user.displayName -mailboxType $user.recipientTypeDetails -permissionName $permUserName -permissionClass "failed to retrieve" -permissionType $rights \n write-output "failed to find AD object for $permUserName"\n }else{\n if($permAdInfo.ObjectClass -eq "group"){\n try{\n $members = Get-ADNestedGroupMembers -GroupName $permAdInfo.Name\n foreach($member in $members){\n Write-Output "$mail : $($member.Name)"\n $rights = $perm.AccessRights -Join ","\n addToCSV -mailboxEmail $mail -mailboxAlias $user.alias -mailboxDisplayName $user.displayName -mailboxType $user.recipientTypeDetails -permissionName $member.DisplayName -permissionClass $member.ObjectClass -permissionType $rights\n }\n }catch{\n Write-Output "$mail : $($permAdInfo.Name)"\n $rights = $perm.AccessRights -Join ","\n addToCSV -mailboxEmail $mail -mailboxAlias $user.alias -mailboxDisplayName $user.displayName -mailboxType $user.recipientTypeDetails -permissionName $permAdInfo.Name -permissionClass $permAdInfo.ObjectClass -permissionType $rights\n }\n }else{\n Write-Output "$mail : $($permAdInfo.Name)"\n $rights = $perm.AccessRights -Join ","\n addToCSV -mailboxEmail $mail -mailboxAlias $user.alias -mailboxDisplayName $user.displayName -mailboxType $user.recipientTypeDetails -permissionName $permAdInfo.Name -permissionClass $permAdInfo.ObjectClass -permissionType $rights \n }\n }\n }\n }\n }\n $done++\n try{$percent_done = ($done\/($users.Count))*100}catch{$percent_done = 0}\n Write-Progress -Activity "Running report" -PercentComplete $percent_done -Status "$percent_done % done"\n}\n\n$csvEntries | Export-CSV -Path $csvExportPath -Delimiter ";"\n\n<\/pre>\n","protected":false},"excerpt":{"rendered":"A demonstration of one way to get shared\u00a0mailbox permissions exported to a CSV file. We needed both users, groups and users in groups (so, a recursive search). Only Shared mailboxes had to be included, we could identity these by a simple rule: the first portion of the primary email address does not contain a dot … Continue reading Exporting shared mailbox permissions to a CSV<\/span>