In case someone is looking for a script that works with mailbox permissions like this, here's a small example of what I came up with to help someone check that all mailboxes have the SELF right in the permissions:
#Script to check mailboxes for FullAccess rights for NT AUTHORITY\SELF
#Written by jtedoff@microsoft.com 4/21/2012

#Start each run with a fresh log file
$logfile = "c:\selfrightstest.log"
if (Test-Path $logfile) { Remove-Item $logfile }

#Append one line to the log file
function WriteLog
{
    PARAM($msg)
    END
    {
        Add-Content -Path $logfile -Encoding ASCII -Value $msg
    }
}

#Modify the next line to narrow the scope of the Get-Mailbox results
#For example, set it to -> $mailboxes = Get-Mailbox -server <servername> -resultsize unlimited <- to only check mailboxes on a particular server
$mailboxes = Get-ExchangeServer | ?{$_.ServerRole -like "*mailbox*"} | Get-Mailbox -ResultSize unlimited

WriteLog "Checking for FullAccess rights for NT AUTHORITY\SELF"

$mailboxes | foreach {
    #Look for an ACE that gives NT AUTHORITY\SELF the FullAccess right on this mailbox
    $perms = Get-MailboxPermission $_.Identity | ?{$_.User -like "NT AUTHORITY\SELF" -and $_.AccessRights -like "*fullaccess*"}
    if ($perms) {
        Write-Host "Mailbox for $_" -NoNewline
        Write-Host " OK" -ForegroundColor green
    }
    else {
        #Report the mailbox on screen and record it in the log
        $erruser = $_.Identity
        Write-Host "FullAccess right for NT AUTHORITY\SELF not detected on the mailbox for " -ForegroundColor red -NoNewline
        Write-Host $_.Identity -ForegroundColor red -BackgroundColor white
        WriteLog "FullAccess right for NT AUTHORITY\SELF not detected on the mailbox for $erruser"
    }
}
Here's an output example where one user doesn't in fact have SELF rights over their mailbox: