An interesting task to go about today.

“How do I tell if a User has rights to another user’s Mailbox?”

In Exchange 2007, in the new Console, an Enterprise Exchange Admin can now EASILY grant FullAccess and SendAs rights to users.

The problem comes up that after a few years you’re going to wonder WHO is able to access WHAT, especially with staff changes and Administrator switches.

But thankfully with PowerShell, this is a Breeze!

We have a cmdlet called GET-MAILBOXPERMISSION.  It ties right into GET-MAILBOX too.

So watch this little trick.

GET-MAILBOX john.smith | GET-MAILBOXPERMISSION | where { $_.User -like '*Joey.Admin*' }

That one line will tell you if “Joey.Admin” has rights (any rights) on John.Smith’s mailbox.

Now it gets cooler.  Maybe “Joey.Admin” got fired and we need to make sure he doesn’t have access to other mailboxes.  Or better yet.  Perhaps “Joey.Admin” didn’t LISTEN to his boss and was casually granting himself full access to corporate mailboxes abusing his admin rights.

Wouldn’t you like to EASILY know?

Same command, but don’t get specific.

GET-MAILBOX -ResultSize Unlimited | GET-MAILBOXPERMISSION | where { $_.User -like '*Joey.Admin*' } | Select-Object Identity

Now you have all the Mailboxes “Joey.Admin” had rights on (even if he wasn’t SUPPOSED to have rights on them).

Fine.  So we figured out the mess Joey left.   Wouldn’t it be nice if there was an EASY way to clean it up after we Demote Joey to Janitor?

Piece of cake in PowerShell.

GET-MAILBOX -ResultSize Unlimited | GET-MAILBOXPERMISSION | where { $_.User -like '*Joey.Admin*' } | REMOVE-MAILBOXPERMISSION -User 'DOMAIN\Joey.Admin' -InheritanceType 'All' -AccessRights 'FullAccess'

I agree that’s a mouthful to type, but that will go through the list and prompt you to remove Joey.Admin from the permissions.  If you want to have him removed from all those mailboxes, just choose “Yes to All” when prompted. 

This will work for anywhere from 1 to however many mailboxes you have.  All in one line.
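
The same audit as a small reusable filter, with a saved record and a dry run before anything is removed. This is an added example, not from the original post: the function name Select-ExplicitGrant, the sample rows and the CSV file name are made up for illustration, and it assumes PowerShell 2.0 or later. It keeps only allow entries set directly on a mailbox, because inherited entries come from a higher level and cannot be removed at the mailbox.

```powershell
function Select-ExplicitGrant {
    # Keep allow entries set directly on the mailbox for one trustee.
    # Inherited entries are skipped: they have to be fixed where they are set.
    param(
        [Parameter(ValueFromPipeline = $true)] $Entry,
        [string] $Trustee
    )
    process {
        if ("$($Entry.User)" -like "*$Trustee*" -and
            -not $Entry.IsInherited -and -not $Entry.Deny) {
            $Entry | Select-Object Identity, User,
                @{ Name = 'AccessRights'; Expression = { $_.AccessRights -join ',' } }
        }
    }
}

# Constructed sample rows shaped like Get-MailboxPermission output,
# so the filter can be tried without an Exchange server.
$sample = @(
    New-Object PSObject -Property @{ Identity = 'John Smith'; User = 'DOMAIN\Joey.Admin'
        AccessRights = @('FullAccess'); IsInherited = $false; Deny = $false }
    New-Object PSObject -Property @{ Identity = 'Jane Doe'; User = 'DOMAIN\Joey.Admin'
        AccessRights = @('FullAccess'); IsInherited = $true; Deny = $false }
    New-Object PSObject -Property @{ Identity = 'Jane Doe'; User = 'DOMAIN\Mary.Helpdesk'
        AccessRights = @('ReadPermission'); IsInherited = $false; Deny = $false }
)
# Only the John Smith row survives the filter.
$sample | Select-ExplicitGrant -Trustee 'Joey.Admin'

# The real thing, only when the Exchange cmdlets are loaded.
if (Get-Command Get-Mailbox -ErrorAction SilentlyContinue) {
    $grants = Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission |
        Select-ExplicitGrant -Trustee 'Joey.Admin'

    # Keep a record of what was found before changing anything.
    $grants | Export-Csv .\joey-admin-grants.csv -NoTypeInformation

    # -WhatIf only reports what would be removed; drop it to do the cleanup.
    $grants | Where-Object { $_.AccessRights -like '*FullAccess*' } | ForEach-Object {
        Remove-MailboxPermission -Identity $_.Identity -User $_.User `
            -AccessRights FullAccess -WhatIf
    }
}
```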

The Power of Shell is in YOU

The Energized Tech