Auditing full access mailbox members
Greetings,
I have an Exchange 2010 organization, and I have found that a user has full access to another user's mailbox.
Could you please tell me how I can find out who granted him full access, using auditing for example.
Thanks
Redouane SARRA
Hi,
You can search the administrator audit logs to discover who made changes to organization, server, and recipient configuration. This can be
helpful when trying to track the cause of unexpected behavior, to identify a malicious administrator, or to verify that compliance requirements are being met.
Search-AdminAuditLog -Cmdlets Add-MailboxPermission -StartDate 01/24/2014 -EndDate 01/25/2014 -IsSuccess $true
The Caller value in the command results is the user who granted him the full access permission. For more information about
searching the administrator audit log, please refer to:
http://technet.microsoft.com/en-us/library/ff459262(v=exchg.141).aspx
Thanks,
Winnie Liang
TechNet Community Support
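The answer above gives the one-liner; the block below is an added example (not part of the original reply) that turns it into a reusable check. It lists every successful grant in a date window together with the account that ran the cmdlet (Caller), the object it touched and the trustee that received the right. It assumes the Exchange 2010 Management Shell on SP1 or later, where admin audit logging is on by default; the alias 'rsarra' is a placeholder, not a name from the thread. Besides Add-MailboxPermission it also searches Add-ADPermission, because Receive-As granted on a database, server or organization object shows up on every mailbox below it as an inherited FullAccess entry.

```powershell
# Added example, not the original answer's code. Assumes the Exchange 2010 EMS (SP1+).
function Find-FullAccessGrants {
    param(
        [string]$TargetMailbox = '',                     # alias/name fragment; '' = any object
        [datetime]$StartDate = (Get-Date).AddDays(-30),
        [datetime]$EndDate   = (Get-Date)
    )

    # No log, no answer: refuse to report "nothing found" when nothing was ever recorded.
    $cfg = Get-AdminAuditLogConfig
    if (-not $cfg.AdminAuditLogEnabled) {
        throw 'Admin audit logging is disabled; enable it with Set-AdminAuditLogConfig -AdminAuditLogEnabled $true.'
    }

    # Two ways to end up with full access: Add-MailboxPermission on the mailbox itself, or
    # Add-ADPermission with Receive-As on a parent object (database/server/organization).
    $events = Search-AdminAuditLog -Cmdlets Add-MailboxPermission,Add-ADPermission `
                -StartDate $StartDate -EndDate $EndDate -IsSuccess $true -ResultSize 10000

    foreach ($e in $events) {
        # CmdletParameters is a list of Name/Value pairs; flatten it for lookup by name.
        $p = @{}
        foreach ($cp in $e.CmdletParameters) { $p[$cp.Name] = [string]$cp.Value }

        if ($e.CmdletName -eq 'Add-MailboxPermission') { $granted = $p['AccessRights'] }
        else                                           { $granted = $p['ExtendedRights'] }
        if ($granted -notmatch 'FullAccess|Receive-As') { continue }

        # Match either the raw identity or the resolved display name of the modified object.
        $target = "$($e.ObjectModified) $($e.ModifiedObjectResolvedName)"
        if ($TargetMailbox -and $target -notlike "*$TargetMailbox*") { continue }

        New-Object PSObject -Property @{
            When      = $e.RunDate
            Caller    = $e.Caller            # the admin who granted the right
            Cmdlet    = $e.CmdletName
            Object    = $e.ObjectModified    # the mailbox, or the parent object for Receive-As
            GrantedTo = $p['User']
            Rights    = $granted
            Server    = $e.OriginatingServer
        } | Select-Object When, Caller, Cmdlet, Object, GrantedTo, Rights, Server
    }
}

# Usage: who gave anyone full access on the placeholder mailbox in the last 30 days?
Find-FullAccessGrants -TargetMailbox 'rsarra' | Format-Table -AutoSize
```

Three caveats a practitioner should keep in mind when reading the result: on Exchange 2010 RTM the log is off unless someone enabled it, and entries are kept only for AdminAuditLogAgeLimit (90 days by default), so an empty result does not prove nobody granted the right; the log records cmdlets only, so a grant made directly in Active Directory (ADSI Edit, dsacls) or through Outlook folder permissions never appears; and Caller is the account, so a shared administrative login gives you a name without a person.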
Similar Messages
-
Auto-Mapping with Full Access Mailboxes-not working in exchange 2010 clients outlook 2013
Hello, I have Exchange Server 2010 and the clients are running Outlook 2013. I set up a mailbox for automapping (full access), but when I restart the client it does not appear in the client. I also ran the command in the Exchange shell, no errors. How can I fix this?
No SP info shows with:
Get-ExchangeServer | Format-List Name, Edition, AdminDisplayVersion
Edition : Enterprise
AdminDisplayVersion : Version 14.0 (Build 639.21)
The chart says:
Exchange Server 2010 | November 9, 2009 | 14.00.0639.021
Is that the issue? Do I need SP1? -
How to give full access to mailbox to users in trusted domain?
Hi,
I am working on a migration project where we migrate all users from one domain to a new domain. I have Exchange in both domains, and migrate mailboxes from the old to the new domain. In the old domain I have a number of mailboxes that are used for common
calendars for the departments. My problem is: how can I give the users who have been migrated to the new domain full access to the existing calendar mailboxes in the old domain? I have given the accounts in the new domain full access to the mailboxes
in the old domain by using the following command: get-mailbox mailboxname | add-mailboxpermission -accessrights FullAccess,ExternalAccount -user newdomain\username
After the command has completed I can see the account listed in the "Manage Full Access Permission" dialog, but the new user account still cannot create appointments etc. in the original calendar from Outlook.
Any tips on this?
Thor-Egil
Hi Thor,
Thank you for your question.
Does the issue also occur when using OWA?
Are there any errors when they cannot create appointments?
We could enable "Support cross forest delegation" on FIM (Forefront Identity Manager) to check whether the issue persists.
There is an article on how to enable "Support cross forest delegation" at the following link:
http://blogs.technet.com/b/neiljohn/archive/2011/10/12/exchange-server-2010-cross-forest-delegation.aspx
If there are any questions regarding this issue, please feel free to let me know.
Best Regards,
Jim
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
Jim Xu
TechNet Community Support -
Single mailbox manage permissions issues full access/send as
Exchange 2010 SP3 RU7
I have a weird issue with one mailbox. This user has 2 AD accounts, say "userprimary" and "usersecondary". This user was set up by another admin who is no longer here. "userprimary" is the actual mailbox
account.
The user logs on to the workstation using the "usersecondary" AD credentials and manually sets up Outlook 2010 to connect to the "userprimary" mailbox. The userprimary mailbox has Manage Full Access permissions assigned to it for the usersecondary
account. The userprimary mailbox does NOT have "Send As" permissions set up. When the user logs in with "usersecondary" he can access the mailbox fine but can also send email. In theory he shouldn't be able to send, as
there are no Send As permissions set up on the "userprimary" mailbox.
How is this happening and what can I check to resolve this?
Userprimary account > manage full access > add usersecondary account.
Userprimary account > manage send as > nothing exists here.
Person logs onto workstation as usersecondary ad account
Person configures outlook to use userprimary account. (supplies no additional credentials)
Person launches outlook and is able to open userprimary account and send and receive emails.
Both AD accounts are Domain Admins.
Person doesn't need to have under the userprimary account, send as permissions with the usersecondary account specified. Reason seems that in AD, domain admins have 'send as' and 'receive as' set for all accounts. -
Good Day,
There is a previous employee who was a Systems Admin and somehow granted himself access to every mailbox item at one point in time, and the cleanup has been a bit messy.
When this user is listed as "Full Access Granted" in the Manage Full Access Permissions function and I delete him, I get a confirmation that he was removed, but then an additional item below it. (This is depicted in the attached photo.)
How do I remove the hierarchical inheritance of this user?
The commands in the photo show:
Remove-MailboxPermission -Identity %OU String% -User %user% -InheritanceType 'All' -AccessRights 'FullAccess'
Add-MailboxPermission -Identity %OU String% -User %user% -Deny -AccessRights 'FullAccess'
Hello,
I have removed permissions for this user in ADSI Edit under the Microsoft Exchange configuration CN and ensured that his name was nowhere to be found in the ADSI permissions for Exchange. I was running the following command:
Get-Mailbox | Remove-MailboxPermission -User %USER% -AccessRights FullAccess,SendAs,ExternalAccount,DeleteItem,ReadPermission,ChangePermission,ChangeOwner -InheritanceType All
and I get a return warning:
WARNING: An inherited access control entry has been specified: [Rights: CreateChild, Delete, ReadControl, WriteDacl,
WriteOwner, ControlType: Allow]
and was ignored on object "CN=%FullAccessUser%"
How can I ensure that this user had NO permissions at all to the exchange mailboxes? -
How to Find mailboxes a specific user has full access to
Hi,
I have been searching all the threads, but all I am getting is "this user's mailbox is accessible to the following users". I run this command:
Get-Mailbox -resultsize unlimited | Get-MailboxPermission | Where {(!$_.isinherited) -and ($_.user.SecurityIdentifier -ne "S-1-5-10") -and ($_.accessrights -contains "fullaccess") } | Select Identity,User
It is taking so much time as we have 20K mailboxes. Then I tried this:
Get-Mailbox -server exdm01 -resultsize unlimited | Get-MailboxPermission | Where {(!$_.isinherited) -and ($_.user.SecurityIdentifier -ne "S-1-5-10") -and ($_.accessrights -contains "fullaccess") } | Select Identity,User
It gives me the list of those users who have access to mailboxes. But what if I want to see which mailboxes user_A is accessing? We
need to find out which mailboxes a user has FULL MAILBOX ACCESS to, NOT which users can access this user's mailbox. I hope you will understand: I DON'T want the list which the MANAGE FULL ACCESS PERMISSION option gives in the GUI, I WANT the reverse.
We migrated 100 users to a different domain, and now I want to know these users' association with others' mailboxes.
Hasan
Please check with this:
Get-Mailbox -Server "SERVERNAME" -resultsize "Unlimited" | Get-MailboxPermission | where { ($_.AccessRights -eq "FullAccess") -and ($_.User -like "DOMAIN\TESTUSER") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") } | ft User, @{Name="Identity";expression={($_.Identity -split "/")[-1]}} -Autosize
Replace "DOMAIN\TESTUSER" with "Yourdomain\Yourusername" to check; this will list the mailboxes that TESTUSER has FullAccess permission on.
@Amit
Apologize for the duplicate posting.
Thanks, MAS
Please mark as helpful if you find my comment helpful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. -
CmdLet to list all mailboxes on which an account has full access permission
Hi, there
Just wondering what cmdLet can list all mailboxes on which a specific account has full access permission,
thanks
This should help you...
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | where { ($_.AccessRights -eq "FullAccess") -and ($_.User -like "*SpecificUserAccount*") }
Amit Tank
MVP: Exchange Server | MCTS: Microsoft Exchange Server 2010, Configuration
MCITP: EMA | MCSA: M | Blog: http://ExchangeShare.WordPress.com -
Who has full access on all mailboxes in Exchange 2010 using Powershell ?
Greetings,
Could you please tell me how can i know Who has full access on all mailboxes in Exchange 2010 using Powershell ?
Thanks.
Redouane SARRA
This is going to depend greatly on WHICH inherited permissions you plan to delete - there are some that you can never delete if you want the system to function properly. Now, that being said, let's look at some example permissions. First, here
are some permissions on a standard mailbox:
Identity        User                  AccessRights  IsInherited  Deny
users.corp....  USERS\btwatcher       {FullAccess}  False        False
users.corp....  USERS\svcactAdmin     {FullAccess}  True         False
users.corp....  CORP\Domain Ad...     {FullAccess}  True         True
users.corp....  CORP\Enterpris...     {FullAccess}  True         True
users.corp....  CORP\Organizat...     {FullAccess}  True         True
users.corp....  CORP\adminact         {FullAccess}  True         True
users.corp....  CORP\esswin           {FullAccess}  True         True
users.corp....  USERS\svcactEncase    {FullAccess}  True         False
users.corp....  CORP\Exchange ...     {FullAccess}  True         False
users.corp....  NT AUTHORITY\SYSTEM   {FullAccess}  True         False
As you can see, the first is not inherited. All others are, and two are from service accounts (svcact...). Also, some are Exchange system permissions, some are denies, and some are just administrative accounts. Once you determine which
you wish to remove, the SIMPLEST way to set the permissions you want is to open the account properties in ADSIEdit, and go to the Security tab. Here, click the Advanced button and find the inherited permission you wish to remove. ADSIEdit will
show where the permission is inherited from - you will need to go to that container to remove the inherited permission. You can also grant inherited denies at the same level(s).
Now, something you will need to understand is that if you hope to remove permissions granted to domain administrators, the system will replace them - these permissions are required by the system and can't be modified permanently. -
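The three threads above ask the same question from different angles: which mailboxes does one account have full access to (Hasan's question), how do you make sure a departed admin has no access left anywhere (the "Good Day" question), and where do the IsInherited=True entries in the listing above come from. The block below is an added example, not code from any of the posters, that answers all three for one account. Explicit grants sit on the mailbox object and Remove-MailboxPermission clears them; the inherited entries are merged in from the organization, server and mailbox database ACLs, which is where a clean-up has to look. It assumes the Exchange 2010 Management Shell; 'CONTOSO\oldadmin' is a placeholder account.

```powershell
# Added example, not from the thread. Assumes the Exchange 2010 EMS.
function Get-AccountMailboxRights {
    param([Parameter(Mandatory=$true)][string]$Account)   # DOMAIN\sAMAccountName

    $rows = @()

    # 1. Per-mailbox ACEs. -User makes each Get-MailboxPermission call return only this
    #    trustee's entries, far cheaper than piping every ACE of 20K mailboxes into Where-Object.
    $aces = Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission -User $Account
    foreach ($ace in $aces) {
        if ($ace.IsInherited) { $note = 'merged from a parent object; see Organization/Server/Database rows' }
        else                  { $note = 'explicit ACE on the mailbox; Remove-MailboxPermission clears it' }
        $rows += New-Object PSObject -Property @{
            Scope     = 'Mailbox'
            Object    = [string]$ace.Identity
            Rights    = ($ace.AccessRights -join ',')
            Deny      = $ace.Deny
            Inherited = $ace.IsInherited
            Note      = $note
        }
    }

    # 2. Parent objects whose AD rights become inherited mailbox rights. Receive-As (or
    #    GenericAll) here is what turns into FullAccess on every mailbox below; the Deny
    #    entries for Domain Admins in the listing above live at the Organization level.
    $parents = @()
    $parents += @{ Scope = 'Organization'; Objects = @(Get-OrganizationConfig) }
    $parents += @{ Scope = 'Server';       Objects = @(Get-ExchangeServer) }
    $parents += @{ Scope = 'Database';     Objects = @(Get-MailboxDatabase) }
    foreach ($p in $parents) {
        foreach ($obj in $p.Objects) {
            foreach ($ad in ($obj | Get-ADPermission -User $Account)) {
                $rights = (@($ad.ExtendedRights) + @($ad.AccessRights) | Where-Object { $_ }) -join ','
                $rows += New-Object PSObject -Property @{
                    Scope     = $p.Scope
                    Object    = [string]$obj.Identity
                    Rights    = $rights
                    Deny      = $ad.Deny
                    Inherited = $ad.IsInherited
                    Note      = 'Remove-ADPermission on this object (or on the object it inherits from)'
                }
            }
        }
    }
    $rows | Select-Object Scope, Object, Rights, Deny, Inherited, Note
}

# Usage: audit a departed admin and keep the CSV as the before/after record of the clean-up.
Get-AccountMailboxRights -Account 'CONTOSO\oldadmin' |
    Export-Csv "$env:TEMP\oldadmin-rights.csv" -NoTypeInformation
```

Two things the output cannot tell you on its own. Both -User filters match the trustee named in the ACE, so a right held through group membership appears under the group's name; run the function for each group the account belongs to as well. And the system entries (Exchange Servers, Exchange Trusted Subsystem, NT AUTHORITY\SYSTEM) in the Organization and Database rows are the ones the reply above warns you not to remove.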
Exchange 2010 Full Access to mailbox not working.
Hi Guys
Few changes were made to exchange so users can only have "send on behalf of" when using shared mailboxes.
for example : Sent from Bob Smith on behalf of [EmailAddress1]
need to grant full access, then use the client delegate (outlook 2010) and add them to that also.
even if you set permissions to none in Delegate the full access kicks in.
if you remove the users name from delegate (set with no permissions) full access is gone.
has anyone else come across this ?
I've been trawling the net for the last 2 days and haven't found a thing...
Any help would be great.
Hi ITWizchch,
Try these methods to check what's happening and set the required access (i.e. SendOnBehalf without Full Access):
Check for individual user or all users having access on John's mailbox:
Get-MailboxPermission -Identity [email protected] | Format-List
Get-MailboxPermission -Identity [email protected] -User "Ayla"
Once permission is set you can use below to remove it:
Remove-MailboxPermission -Identity John -User 'Ayla' -AccessRights FullAccess -InheritanceType All
Set SendOnBehalf Permission:
Set-mailbox John -GrantSendOnBehalfto @{Add="Ayla"}
Remove SendOnBehalf Permission:
Set-mailbox John -GrantSendOnBehalfto @{Remove="Ayla"}
NOTE:- When you modify a multivalued property, you must ensure that you append / remove the values accordingly , without Overwriting the existing list.
Regards,
Satyajit
Please “Vote As Helpful”
if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you. -
User with Full Access to mailbox cannot view calendar
I have a user who is one of several users that manage the schedules for several conference rooms using regular mailboxes on Exchange Server 2007. She (and she alone) has lost the right to manage the mailbox calendar. When she tries to access the
calendar she gets the error message, "You do not have permission to view this calendar".
I verified her rights as Full Access and even ran the cmdlet below which says, "Appropriate ACE is already present on object ".
[PS] C:\Windows\system32>Add-MailboxPermission -Identity "mailbox" -User user -AccessRights FullAccess -InheritanceType All
WARNING: Appropriate ACE is already present on object "CN=mailbox
49,OU=Service Accounts,OU= xxx,OU=xxxxx),OU=xxx,DC=xxx,DC=xx,DC=xxx" for
account "user".
Identity User AccessRights IsInherited Deny
Domaim domain\user {FullAccess} False False
When I get the permissions on the mailbox she has the following:
AccessRights : {FullAccess}
Deny : False
InheritanceType : All
User : domain\user
Identity : domain/OU/OU/OU/mailbox
IsInherited : False
IsValid : True
ObjectState : Unchanged
Any help out there?
[email protected]
Hi,
According to your post, the permission seems to be configured properly in your Exchange server. This user has full access permission to Domaim’s mailbox.
Please try to open shared mailbox in OWA to check whether she can access the calendar. In Outlook, we can open shared calendar in Calendar panel by clicking Open Calendar > Open shared calendar. If it fails, please try the following steps:
1. Click File > Account Settings > Change > More Settings > Advanced.
2. Add the Shared mailbox that you want to open and click OK.
If there is any updates, please feel free to let us know.
Best Regards,
Winnie Liang
TechNet Community Support -
Granting full access and Mailbox Caching
Hi!
We have a Microsoft Server 2008 R2 (terminal server) with Office 2013. The mailboxes are hosted by Microsoft Online. If a user creates an Outlook profile everything goes well. I
even have a policy set up that forces caching of one month to speed things up.
Now when I give this person full access to a colleague's mailbox it appears (magically) on its own, which is perfect, yes? However it starts caching the entire mailbox of that colleague
and not just a month. What Group Policy should I set? Or should I do this differently?
The only Group Policies which I have set (for Outlook, that is) are:
Cached Exchange Mode Sync Settings (1 month)
Use Cached Exchange mode for new and existing Outlook profiles (enabled)
Thank you for sharing your solution and experience here. Have a good time.
Tony Chen
TechNet Community Support -
Send As, Send on Behalf and Full Access for Exchange server 2010/2013
[This FAQ contains 2 parts]
Testing and watching the behavior of Send As, Send On Behalf and Full Access permission.
Common issue and Troubleshooting on the three permission.
[Testing and Watching]
Based on the following blog, I decided to test this in my lab:
Full Mailbox Access Rights + Send On Behalf = Send As ?
http://blogs.technet.com/b/ehlro/archive/2012/04/06/full-mailbox-access-rights-send-on-behalf-send-as.aspx
Description on my lab and test:
Exchange 2010 + Outlook 2010
Exchange 2013 + Outlook 2013
Senders: A01, A02, … , A07, A08
Recipient: A09
A01 grants permission to the other senders.
Two methods:
a. Using A0x's credentials, configure A01's profile, then send from both A01 and A0x via Outlook. Watch the result in A09's Inbox and which Sent Items folder has the message copy left.
b. Using A0x's credentials, configure A0x's profile, then send from both A01 and A0x via Outlook. Watch the result in A09's Inbox and which Sent Items folder has the message copy left.
Result as following forms:
1. Exchange 2010 + Outlook 2010 / Exchange 2013 + Outlook 2013
Using A0x’s credential configure A01’s mailbox, then send From both A01 and A0x
To A09.
2. Exchange 2010 + Outlook 2010 / Exchange 2013 + Outlook 2013
Using A0x’s credential configure A0x’s mailbox, then send From both A01 and A0x
To A09.
[Common Issue]
1. [Issue]
Exchange 2010 + Outlook 2010. A01 grants A03 Send As permission. However A03 can't send as A01 to A09 and gets an NDR:
You can’t send a message on behalf of this user unless you have permission to do so. Please make sure you’re sending on behalf of the correct sender, or request the necessary permission. If the problem continues, please contact your helpdesk.
Details as following pic:
[Troubleshooting]
1) Based on the NDR, it seems a permission issue. Check Send As permission, however the Send As permission configured correctly. Pic as below:
2) Since the Send As permission is configured correctly, it seems the permission hasn't been replicated. Try restarting the Microsoft Exchange Information Store service. It works.
Note: The Send As permission isn’t granted until after replication has occurred. Replication times depend on your Exchange and network configuration. To grant the permission immediately, stop and then restart the Microsoft Exchange Information
Store service.
2. [Issue]
Exchange 2013 + Outlook 2013. A01 grants A03 Send As permission. However A03 can't send as A01 to A09 and gets an NDR:
Your message did not reach some or all of the intended recipients.
Subject: xxx
Sent: xx/xx/2014 8:20 AM
The following recipient(s) cannot be reached: A09
This message could not be sent. Try sending the message again later, or contact your network administrator. Error is [0x80070005-00000000-00000000].
Details as below:
[Troubleshooting]
1) Also check the Send As permission configuration first.
2) Then try to use A03 to send as A01 to A09 via OWA. If OWA works well, it seems to be an issue on the Outlook client side.
3) This behavior may occur if the OAB in Outlook isn’t updated. Try to download OAB manually.
4) If doesn’t work, please close Outlook and try to delete all the OAB folder on your computer. The path of OAB folder in Win7, Win8 as below:
\Users\<UserName>\AppData\Local\Microsoft\Outlook\Offline Address Books
5) Restart Outlook.
Note: Be aware that you cannot send e-mail messages on behalf of a mailbox if the mailbox is hidden from address list. When sending a message, Exchange requires that e-mail address is resolved in the
From field.
3. [Issue]
Exchange 2010. A01 grant A0x “Send As” or “Send on Behalf” permission. A0x send as/ send on behalf of A01. The message is only copied to the Sent Items folder in A0x’s mailbox (same as the result of my test). Also cannot configure Exchange 2010 so that the
message is copied to the Sent Items folder of both A01 and A0x.
[Troubleshooting]
This issue occurs because Exchange server 2010 was designed to copy message to the Sent Items folder of the sender only. This issue can be solved by installing Exchange 2010 SP2 UR4. More details in the following KB:
Messages that are sent by using the "Send As" and "Send on behalf" permissions are copied only to the Sent Items folder of the sender in an Exchange Server 2010 environment
http://support.microsoft.com/kb/2632409/en-us
Please click to vote if the post helps you. This can be beneficial to other community members reading the thread.
Nice guide Mavis, I recently explored the same topic. A few things you might want to add are the type of connectivity (Cached vs Online will produce different results) and to expand further on the methods of adding the other mailbox in Outlook (additional mailbox
vs additional account defaults to different methods). Check the screenshot:
And please post this somewhere more visible, like blog/wiki page. -
Exchange 2010 Unable to Assign Full Access Permissions using a Security Group
I've been running into this issue lately. I cannot seem to use groups to allow full access to mailboxes. When I add them from the EMC, it will show up when you go to "Manage Full Access Permission...". After waiting a day and even restarting
the Information Store service, the permissions do not take effect. When I view the msExchDelegateListLink attribute of the mailbox account, the group is not listed.
When I grant a user full permission, it works and updates the attribute. However, on occasion when I revoke the full access permission for a user it doesn't always remove that user from the msExchDelegateListLink attribute. So the mailbox
will still appear in Outlook, but the user isn't able to see new emails.
Any ideas on what may be going wrong?
Environment:
Exchange Server 2010 SP1 Standard
Windows Server 2008 R2 Standard
Outlook 2010 SP1 (tried without SP1 as well)
I was looking over Add-MailboxPermission on Technet (http://technet.microsoft.com/en-us/library/bb124097.aspx) and I noticed that it doesn't mention adding groups. Is this not possible?
I never got a proper fix.
I worked around it by creating a script which gets the members of an AD Mail Enabled security group, and updates the full access based on the groups members.
Here's a script I'm running every hour which updates permissions. It's probably not the most efficient script ever, but it works. It has several benefits:
1. Managers of the distribution group can add/remove mailbox members using OWA or through the address list
2. New members of groups are added to FULL Access Permissions
3. Members removed from the groups are removed from FULL Access Permissions
4. Automapping works :)
5. Maintains a log of access added / removed / time taken etc.
Obviously I have had to remove domain-related information; replace it with whatever your domain requirements are, and PLEASE debug it properly in your environment first. Don't complain to me if it wipes out a load of access for you or something like that!
It takes about 5 minutes to run in my environment. Some formatting seems to have got messed up on here, sorry. I hope it is of use!
# Mailbox Permissions Setter for Exchange #
# v1.1 #
# This script will loop through all mailboxes in Exchange and find any where #
# the type is 'SHARED'. These should be determined to be a GROUP/SHARED mailbox #
# and access to these mailboxes are controlled by a single ACL, e.g. 'ACL_Shared_Mailbox'. #
# This script will add any members of these ACLs directly to the Full Access Permissions #
# of the mailbox and also remove them if they no longer need the access. #
# Script created by Jon Read, Technical Administration
# Recent Changes
# 15/11/2012
# 1.1 Added exclusions for ACLs that we don't want automapping to happen for
# 12/11/2012
# 1.0 Initial script
# Editorial note: the braces lost in the forum formatting have been restored below; the logic is unchanged.
# The script assumes that each member's Exchange alias equals its sAMAccountName, because it compares
# "DOMAIN\alias" against the DOMAIN\account strings that Get-MailboxPermission returns.
#Do not change these values
Add-PSSnapin *Ex*
$starttime = Get-Date
$logfile = "C:\accesslog.txt"
$logfile2 = "C:\accesslog2.txt"
$totaladditionstomailboxes = 0
$totalremovalsfrommailboxes = 0
$totalmailboxesprocessed = 0
$totalmailboxesskipped = 0
# Exclude any ACLs that shouldn't be processed here if they are used for a non-standard purpose and
# we don't want FULL access mapping to happen. Separate array values with commas
$ExcludedACLArray = "DOMAIN\ACL_ExcludedExample"
Write-Output " " >> $logfile
Write-Output " " >> $logfile
Write-Output "#----------------------------------------------------------------#" >> $logfile
Write-Output "# Mailbox Permissions Setter for Exchange #" >> $logfile
Write-Output "# v1.1 #" >> $logfile
Write-Output "#----------------------------------------------------------------#" >> $logfile
Write-Output " " >> $logfile
Write-Output " " >> $logfile
Write-Output "Start time $starttime " >> $logfile
Write-Output " " >> $logfile
Write-Output " " >> $logfile
# Set preferred DCs and GCs
$preferredDC = "preferredDC.domain"
$preferredGC = "preferredGC.domain"
Write-Output " PreferredDC = $preferredDC " >> $logfile
Write-Output " PreferredGC = $preferredGC " >> $logfile
Set-ADServerSettings -PreferredGlobalCatalog $preferredGC -SetPreferredDomainControllers $preferredDC
# The first part of this will ADD permissions to the mailbox, reading from an associated ACL.
# Check for all mailboxes where the type is SHARED. These are the only ones we would
# want to apply group mailbox permissions to.
foreach ($mailbox in get-mailbox -resultsize "unlimited" | where-object {$_.RecipientTypeDetails -eq "SharedMailbox"}) {
    $totalmailboxesprocessed = $totalmailboxesprocessed + 1
    Write-Output " " >> $logfile
    Write-Output " " >> $logfile
    Write-Output "|-------------------------------------------------------" >> $logfile
    Write-Output "| MAILBOX ADDITIONS: $mailbox " >> $logfile
    Write-Output "|-------------------------------------------------------" >> $logfile
    $mailbox = $mailbox.ExchangeGuid.ToString()
    # For each of them, get the distribution list applied to the mailbox (starting DOMAIN\ACL_)
    # We then need it to be turned into a string to use later.
    # Declare $changes as 0. If this is still 0 at the end of the mailbox job, we know no changes were made.
    $changes = 0
    foreach ($distributiongroup in get-mailbox $mailbox | Get-MailboxPermission | Where-Object {$_.User -like "DOMAIN\ACL_*" }) {
        $skipACL = 0
        # Get the distribution group and put the name in a usable format
        $distributiongroup = $distributiongroup.user.tostring()
        Write-Output "Found ACL $distributiongroup" >> $logfile
        # Check if this distribution group needs to be excluded and if it shouldn't be processed
        # then move onto the next ACL. This will stop FULL access being granted if the mailbox is
        # used for a non-standard purpose. See the start of this script
        # for where these are excluded (ExcludedACLArray)
        foreach ($ACL in $ExcludedACLArray) {
            if ($distributiongroup -eq $ACL) {
                $skipACL = 1
                Write-Output "ACL $distributiongroup is excluded so skipping mailbox " >> $logfile
                $totalmailboxesskipped = $totalmailboxesskipped + 1
            }
        }
        if ($skipACL -eq 0) {
            # Get each user in this group and, for each of them, try to add them to full access permissions.
            foreach ($user in Get-DistributionGroupMember -identity $distributiongroup) {
                # Get the user to try, convert to DOMAIN\USER to use shortly
                $user = "DOMAIN\" + $user.alias.ToString()
                # Check to see if the user we have chosen from the ACL group already exists in the full access
                # permissions. If they do, set $userexists to 1; if they do not, leave $userexists set to 0.
                # Set $userexists to 0 as the default
                $userexists = 0
                foreach ($fullaccessuser in get-mailbox $mailbox | Get-MailboxPermission) {
                    # See if the user exists in the mailbox access list.
                    # Change $fullaccessuser to a usable string (matching $user)
                    $fullaccessuser = $fullaccessuser.user.tostring()
                    if ($fullaccessuser -eq $user) {
                        $userexists = 1
                        # Break out of foreach if the user exists so we don't unnecessarily loop
                        break
                    }
                }
                # Now we know if the user needs to be added or not, so run code (if needed) to add
                # the user to full access permissions
                if ($userexists -eq 0) {
                    Add-MailboxPermission $mailbox -user $user -accessrights "FullAccess"
                    Write-Output "Added $user " >> $logfile
                    $changes = 1
                    $totaladditionstomailboxes = $totaladditionstomailboxes + 1
                }
                # Now repeat for other users in the ACL
            }
        }
    }
    # If changes were 0, then log that no changes were made
    if ($changes -eq 0) {
        Write-Output "No changes were made." >> $logfile
    }
}
Write-Output " " >> $logfile
Write-Output " " >> $logfile
Write-Output "---------------------------------------------------------------------------------" >> $logfile
Write-Output " FINISHED ADDING PERMISSIONS" >> $logfile
Write-Output "---------------------------------------------------------------------------------" >> $logfile
Write-Output " " >> $logfile
# The second part of this will REMOVE permissions from the mailbox, reading from an associated ACL.
## Check for all mailboxes where the type is SHARED. These are the only ones we would
## want to apply group mailbox permissions to.
foreach ($mailbox in get-mailbox -resultsize "unlimited" | where-object {$_.RecipientTypeDetails -eq "SharedMailbox"}) {
    Write-Output " " >> $logfile
    Write-Output " " >> $logfile
    Write-Output "|-------------------------------------------------------" >> $logfile
    Write-Output "| MAILBOX REMOVALS : $mailbox " >> $logfile
    Write-Output "|-------------------------------------------------------" >> $logfile
    $mailbox = $mailbox.ExchangeGuid.ToString()
    # Declare $changes as 0. If this is still 0 at the end of the mailbox job, we know no changes were made.
    $changes = 0
    # For the current mailbox, get a list of all users with FULLACCESS, and then for each of them
    # check if they exist in the ACL
    foreach ($fullaccessuser in get-mailbox $mailbox | Get-MailboxPermission | Where-Object {$_.Accessrights -like "FullAccess" }) {
        # Get the security identifier (SID) of the FULLACCESS user to store for later.
        $fullaccessuserSSID = $fullaccessuser.user.SecurityIdentifier.ToString()
        $fullaccessuser = $fullaccessuser.User.ToString()
        # If user needs to be excluded then skip this bit
        # Users added or removed will only start with 07 (07$, 07T), so only run if the user starts with this.
        # This stops it trying to remove NT AUTHORITY\SELF and other System entries
        if ($fullaccessuser -like "DOMAIN\07*") {
            # Set $userexists to be 0. If we find the user needs to remain, then change it to 1.
            $userexists = 0
            # Check if this user exists in the ACL; if not, remove.
            foreach ($distributiongroup in get-mailbox $mailbox | Get-MailboxPermission | Where-Object {$_.User -like "DOMAIN\ACL_*" }) {
                $distributiongroup = $distributiongroup.user.tostring()
                #Write-Output "Found associated distribution group $distributiongroup" >> $logfile
                # Get each user in this group and, for each of them, see if it matches the user in the mailbox.
                foreach ($user in Get-DistributionGroupMember -identity $distributiongroup) {
                    # Get the user to try, convert to DOMAIN\USER to use shortly
                    $userguid = $user.Guid.ToString()
                    $user = "DOMAIN\" + $user.alias.ToString()
                    if ($fullaccessuser -eq $user) {
                        $userexists = 1
                        # We have found the user exists so no need to continue
                        break
                    }
                }
            }
            # If userexists = 0, then they are NOT in the ACL, and should be removed from
            # the full access permissions. Run the code to remove them from full access.
            # The removal uses the SID captured above ($fullaccessuserSSID), not $userguid.
            if ($userexists -eq 0) {
                Remove-MailboxPermission -Identity $mailbox -user $fullaccessuserSSID -accessrights "FullAccess" -Confirm:$false
                Write-Output "Removed $fullaccessuser " >> $logfile
                $changes = 1
                $totalremovalsfrommailboxes = $totalremovalsfrommailboxes + 1
            }
        }
    }
    # If changes = 0, no changes were made to this mailbox, so log this fact.
    if ($changes -eq 0) {
        Write-Output "No changes were made." >> $logfile
    }
}
# Put the time in a displayable format
$endtime = Get-Date
$runtime = $endtime - $starttime
$runtime = $runtime.ToString()
$runtime1 = $runtime.split(".")
$totaltime = $runtime1[0]
Write-Output " " >> $logfile
Write-Output " " >> $logfile
Write-Output "|-------------------------------------------------------------------------------------- " >> $logfile
Write-Output "| SCRIPT COMPLETE : STATS " >> $logfile
Write-Output "|-------------------------------------------------------------------------------------- " >> $logfile
Write-Output "| Total Mailboxes Processed : $totalmailboxesprocessed " >> $logfile
Write-Output "| Total Additions : $totaladditionstomailboxes " >> $logfile
Write-Output "| Total Removals : $totalremovalsfrommailboxes " >> $logfile
Write-Output "| Total Mailboxes Skipped due to ACL : $totalmailboxesskipped " >> $logfile
Write-Output "| Start time : $starttime " >> $logfile
Write-Output "| End time : $endtime " >> $logfile
Write-Output "| **END OF RUN** - Elapsed time : $totaltime " >> $logfile
Write-Output "|---------------------------------------------------------------------------------------" >> $logfile
Write-Output " " >> $logfile
-
Exchange Admin without the right to assign / revoke the Full Access Permission
Hello,
I would like to create an Exchange Administrator who can do all mailbox-related administration except assign/revoke Full Access permission and Send As permission on other users' mailboxes or his own mailbox.
Exchange: MS Exchange 2007
OS: Windows 2008
You would have to regularly update his rights on the mailboxes - you can't grant the rights to the distribution group and have them apply to the mailboxes it contains. This means that when someone moves from his department, you would immediately
need to remove his rights from that mailbox, since just basing his rights on mailboxes in the group would add more members, but never remove him from existing ones.
For instance, in your list above, Bill manages John, Paul, Jim, and Harry. Suppose Harry moves from Bill's department, and Dave joins it. If you just go by group membership, Dave would get added, but there's no easy way to see that Harry is no
longer in the department. You would either have to mark this in the notes of the group ("Harry left 3/16/2015'), or you would have to immediately remove Harry from the group. Consider if Harry was promoted to Bill's level - he wouldn't want
Bill to have rights on his mailbox just because he had them when he was Bill's direct report.
As for a script you can run each week to add the mailbox rights, that's pretty simple. You'd use
Get-Group <group alias> | % { $_.Members } to get the list of group members, and you'd use
Add-MailboxPermission $ChkMbx -User $_.Alias -AccessRights FullAccess
to add the full mailbox access rights. The following would be a good starting point:
Get-Group <group alias> | % { $_.Members } | % {
Add-MailboxPermission $_.DistinguishedName -User <manager alias> -AccessRights FullAccess
}
I'll caveat this response - I have Exchange 2010 and don't have an Exchange 2007 system to check the commands or their syntax with. Your mileage may vary.
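The reply above notes that basing rights on group membership adds members but never removes them. The following is an added example (not code from the thread or from Microsoft) that reconciles one manager's FullAccess rights with a distribution group's current membership in both directions; it assumes the Exchange 2010 Management Shell, and "Sales-Team", "bill" and the log path are placeholder names.

```powershell
# Added example: keep a manager's FullAccess rights in sync with a distribution group,
# removing the right on mailboxes that have left the group. Placeholder names below.
param(
    [string]$GroupAlias   = "Sales-Team",
    [string]$ManagerAlias = "bill",
    [string]$LogFile      = "C:\Temp\FullAccessSync.log"
)

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogFile -Append
}

# Distinguished names of the mailboxes the manager should currently have rights on.
$wanted = @(Get-DistributionGroupMember -Identity $GroupAlias -ResultSize Unlimited |
            Where-Object { $_.RecipientType -like "*Mailbox" } |
            ForEach-Object { $_.DistinguishedName })

$added = 0; $removed = 0
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $shouldHave = $wanted -contains $mbx.DistinguishedName

    # Only explicit (non-inherited) FullAccess entries count; inherited entries come from
    # the database or organization ACL and are not what this script manages.
    $hasRight = @(Get-MailboxPermission -Identity $mbx.DistinguishedName -User $ManagerAlias `
                    -ErrorAction SilentlyContinue |
                  Where-Object { -not $_.IsInherited -and ($_.AccessRights -contains "FullAccess") }).Count -gt 0

    if ($shouldHave -and -not $hasRight) {
        Add-MailboxPermission -Identity $mbx.DistinguishedName -User $ManagerAlias `
            -AccessRights FullAccess | Out-Null
        Write-Log "ADD    FullAccess for $ManagerAlias on $($mbx.Alias)"
        $added++
    }
    elseif (-not $shouldHave -and $hasRight) {
        # The member left the group: revoke the stale right instead of leaving it behind.
        Remove-MailboxPermission -Identity $mbx.DistinguishedName -User $ManagerAlias `
            -AccessRights FullAccess -Confirm:$false
        Write-Log "REMOVE FullAccess for $ManagerAlias on $($mbx.Alias)"
        $removed++
    }
}
Write-Log "Run complete: $added added, $removed removed, $($wanted.Count) members in $GroupAlias"
```

Every add and remove is written to the log with a timestamp, so the file doubles as a record that can be compared against Search-AdminAuditLog output.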
Hi,
Environment Exchange 2010 sp3
Outlook 2010 sp2
Rooms are Auto Accept (majority)
Scenario:
Users call me and ask me who deleted my apt in this room? This is Auto-Accept room and there are about 5 people that have full access to the resource.
question:
Is it recommended to turn ON mailbox auditing on all rooms (Auto Accept and Regular Rooms)?
thanks,
Alexis
That's totally up to you. Unless you have a huge number of rooms that need to be audited (or really underpowered servers), it's not going to put a huge load on your servers. We audit all of our mailboxes (admin and delegate), with higher level auditing on some of them, and we don't see any huge performance issues from it. Obviously, if you NEED to know who did what in the mailbox, you need to audit access - and possibly at a higher level than the default setting (in case you need to know who moved an item between folders in the mailbox, but didn't delete anything).
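As an added example (not code from the thread or from Microsoft), the following enables mailbox audit logging on every room mailbox with delegate and owner actions that include Move, as the reply above suggests, and then reports who removed items from a room in a given window. It assumes Exchange 2010 SP1 or later and the Exchange Management Shell; "Boardroom-1" is a placeholder alias.

```powershell
# Added example: audit all room mailboxes at a level that records deletes and moves,
# then search the mailbox audit log for who removed items. Assumes Exchange 2010 SP1+.
function Enable-RoomAuditing {
    param([int]$RetentionDays = 180)
    $rooms = Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited
    foreach ($room in $rooms) {
        # Default delegate auditing does not include Move; add it so folder-to-folder
        # moves by the full-access users are logged as well as deletions.
        Set-Mailbox -Identity $room.Identity -AuditEnabled $true `
            -AuditDelegate Create,SendAs,SendOnBehalf,SoftDelete,HardDelete,MoveToDeletedItems,Move,Update `
            -AuditOwner SoftDelete,HardDelete,MoveToDeletedItems,Move,Update `
            -AuditAdmin Copy,Create,FolderBind,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,HardDelete,Update `
            -AuditLogAgeLimit ("{0}.00:00:00" -f $RetentionDays)
    }
    # Return the rooms so the caller can confirm the setting took effect.
    Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited |
        Select-Object Alias, AuditEnabled, AuditDelegate, AuditOwner
}

# Who deleted (or moved away) items in a room? Each audit log entry names the logon
# user, the logon type (Owner, Delegate, Admin), the operation and the item subject.
function Find-RoomDeletions {
    param(
        [Parameter(Mandatory = $true)][string]$Room,
        [int]$Days = 14
    )
    $deleteOps = "SoftDelete", "HardDelete", "MoveToDeletedItems", "Move"
    Search-MailboxAuditLog -Identity $Room -LogonTypes Delegate,Admin,Owner `
        -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) -ShowDetails |
        Where-Object { $deleteOps -contains $_.Operation } |
        Select-Object LastAccessed, LogonUserDisplayName, LogonType, Operation, ItemSubject, FolderPathName, ClientInfoString |
        Sort-Object LastAccessed
}

# Usage with the placeholder room alias:
# Enable-RoomAuditing -RetentionDays 180
# Find-RoomDeletions -Room "Boardroom-1" -Days 14 | Format-Table -AutoSize
```

Entries only exist for actions taken after auditing was enabled, so the search answers "who deleted it" for future complaints, not for the one that prompted the question.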