Tags: powershell, active-directory, office365, exchange-server

PowerShell to list Exchange mailboxes that have Full Access delegate permission for more than one person


I need to know which Exchange User Mailbox is currently accessed by more than one person other than the user display name itself. Here is my code:

Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Where-Object { ($_.AccessRights -eq "FullAccess") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") -and -not ($_.User -like '*Discovery Management*') } |
   Select @{Name="User Name";expression={(Get-Recipient $_.user.tostring()).displayname}}, Identity,AccessRights,PrimarySMTPAddress | Export-Csv C:\Results.csv -NoTypeInformation

What needs fixing here?


Solution

  • Although using -and -not is correct, I'd say it's not the most elegant approach, as there are contrary operators to -like and -eq (which was suggested by @Paxz in now deleted comments). Your Where statement could be modified to something like:

     Where-Object { ($_.AccessRights -like "*FullAccess*") -and (-not $_.IsInherited) -and ($_.User -ne "NT AUTHORITY\SELF") -and ($_.User -notlike '*Discovery Management*') }
    

    Changes I made:

    # from
    ($_.AccessRights -eq "FullAccess")
    # to 
    ($_.AccessRights -like "*FullAccess*")
    

    to include the situation when a user has more than one access entry in AccessRights (although I'm not sure if it's needed in real life). Your code would filter out {FullAccess, ReadPermission} as it's not equal to FullAccess.

    # from
    ($_.IsInherited -eq $false) 
    # to 
    (-not $_.IsInherited)
    

    Why? More elegant. IsInherited is a boolean value, so you can use -not directly.

    # from
    -and -not ($_.User -like "NT AUTHORITY\SELF")
    # to
    -and ($_.User -ne "NT AUTHORITY\SELF")
    

    Why? -like/-notlike is not needed here; you can use -ne directly.

    # from 
    -and -not ($_.User -like '*Discovery Management*')
    # to
    -and ($_.User -notlike '*Discovery Management*')
    

    Similar to the above, but I'm not sure what values are possible here, so I haven't changed it to -ne.


    Also, in your Select-Object you use PrimarySMTPAddress, which won't work as a permission entry doesn't have such a property. You'll have to use a similar approach to the one you used for User Name (also, I don't think that .ToString() is necessary in that case):

    @{Name="PrimarySMTPAddress";expression={(Get-Recipient $_.user).PrimarySMTPAddress}}
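The answer above fixes the filter, but the question also asks for mailboxes that are accessible to more than one person, which needs the permission entries grouped per mailbox and the distinct delegates counted. The following is an added example written for this page, not code from the question or the answer. It wraps the corrected filter in a function, groups by Identity and reports only mailboxes with at least two distinct non-inherited Full Access delegates. It runs offline against constructed sample data that mimics the Identity, User, AccessRights and IsInherited properties of Get-MailboxPermission output; the function name Get-SharedFullAccessMailboxes, the sample Contoso accounts and the extra exclusion of raw SID strings (entries left behind by deleted accounts) are my own additions.

```powershell
# Added example, not from the original post. Audits Full Access delegation:
# which mailboxes can be opened by more than one person besides the owner?
# In a real tenant feed the function from a live session, e.g.:
#   Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Get-SharedFullAccessMailboxes
# The property names below are assumed to match Get-MailboxPermission output.

function Get-SharedFullAccessMailboxes {
    [CmdletBinding()]
    param(
        # Permission entries shaped like Get-MailboxPermission output.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]] $Permission,

        # Report a mailbox once it has at least this many distinct delegates.
        [int] $MinimumDelegates = 2
    )

    begin   { $entries = [System.Collections.Generic.List[object]]::new() }
    process { foreach ($p in $Permission) { $entries.Add($p) } }
    end {
        $entries |
            Where-Object {
                # -like handles multi-valued AccessRights such as {FullAccess, ReadPermission}
                ($_.AccessRights -like '*FullAccess*') -and
                (-not $_.IsInherited) -and
                ($_.User -ne 'NT AUTHORITY\SELF') -and
                ($_.User -notlike '*Discovery Management*') -and
                # Assumption: a User shown as a raw SID is an orphaned entry of a
                # deleted account, not a person who can still open the mailbox.
                ($_.User -notlike 'S-1-5-21-*')
            } |
            Group-Object -Property Identity |
            ForEach-Object {
                # Count distinct delegates per mailbox; a delegate listed twice
                # (e.g. two ACEs) must not inflate the count.
                $delegates = @($_.Group.User | Sort-Object -Unique)
                if ($delegates.Count -ge $MinimumDelegates) {
                    [pscustomobject]@{
                        Identity      = $_.Name
                        DelegateCount = $delegates.Count
                        Delegates     = $delegates -join '; '
                    }
                }
            }
    }
}

# Constructed sample permission entries (not real tenant data).
$samplePermissions = @(
    [pscustomobject]@{ Identity = 'contoso.com/Users/Alice'; User = 'NT AUTHORITY\SELF';             AccessRights = @('FullAccess', 'ReadPermission'); IsInherited = $false }
    [pscustomobject]@{ Identity = 'contoso.com/Users/Alice'; User = 'CONTOSO\bob';                   AccessRights = @('FullAccess');                   IsInherited = $false }
    [pscustomobject]@{ Identity = 'contoso.com/Users/Alice'; User = 'CONTOSO\carol';                 AccessRights = @('FullAccess', 'ReadPermission'); IsInherited = $false }
    [pscustomobject]@{ Identity = 'contoso.com/Users/Dave';  User = 'CONTOSO\bob';                   AccessRights = @('FullAccess');                   IsInherited = $false }
    [pscustomobject]@{ Identity = 'contoso.com/Users/Dave';  User = 'CONTOSO\Domain Admins';         AccessRights = @('FullAccess');                   IsInherited = $true }
    [pscustomobject]@{ Identity = 'contoso.com/Users/Dave';  User = 'CONTOSO\Discovery Management';  AccessRights = @('FullAccess');                   IsInherited = $false }
    [pscustomobject]@{ Identity = 'contoso.com/Users/Erin';  User = 'CONTOSO\frank';                 AccessRights = @('ReadPermission');               IsInherited = $false }
)

$samplePermissions | Get-SharedFullAccessMailboxes | Format-Table -AutoSize
# Only Alice is reported (bob and carol both hold non-inherited Full Access).
# Dave keeps a single effective delegate once the inherited and
# Discovery Management entries are dropped; Erin's delegate has no Full Access.
```

To produce the CSV the question wanted, append `| Export-Csv C:\Results.csv -NoTypeInformation` to the last pipeline; in a live session the User values can be resolved to display names and primary SMTP addresses with Get-Recipient, as the answer shows.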