Exchange 2010 Powershell commands?

Solution 1:

#1 - Wrote this one myself (revised). It isn't a simple one-liner since it evaluates the value of each permission entry on each mailbox in a couple of nested loops. Unfortunately, I couldn't figure out a way to simplify this any further (likely due to my lack of expertise in powershell). It basically gets all mailboxes and stores them in a variable, then it gets the permissions on each mailbox, evaluating each permission entry for a specific criteria (the system user with a FullAccess entry on the mailbox). If that criteria is met on any of the permission entries, it sets the $access variable to "True". After it has gone through all permission entries on the mailbox it takes a look at the $access variable, and if it is still False it adds the mailbox to the csv file (not really a csv though since there is only 1 entry per line in the file).

Import-Module C:\Temp\Exchange.psm1
$csv = "C:\Temp\systemuser.csv"
$user = "<system user>"
$mailboxes = Get-Mailbox *
ForEach ($mailbox in $mailboxes) {
    $access = "False"
    $perms = $mailbox | Get-MailboxPermission
    ForEach ($item in $perms) {
        if ($item.User -like $user -and $item.AccessRights -like "*FullAccess*") {
        $access = "True"        
        }
    }
    if ($access -eq "False") {
        ac $csv "$($mailbox)"
    }
}

#2 - Wrote most of it myself, but was struggling getting the AccessRights property to a string so it would export to the csv so I googled and found the same article you found with the script in your question and it works fine. I think the discrepancy between what the csv says and what the EMC says is that the script in the article filters out inherited permissions. I modified it below not to filter out inherited permissions and include the "IsInherited" Property in the output so you can tell if it is explicit or not.

Get-MailboxPermission * | ? {$_.user -notlike "NT AUTHORITY\SELF"} | Select Identity ,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}},IsInherited | Export-csv -NoTypeInformation c:\temp\mailboxpermissions.csv

Solution 2:

I tested the command on my systems, and it is working as you are hoping it to.

Although, if you are only comparing to what you are seeing in the EMC, you may be expecting the wrong outcome. The command is setup to show only non-Inherited rights. The EMC will show you both Inherited, and non-Inherited (without specifying which is which). What you may want to do, is run just this portion of the code in Powershell:

Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false}

And compare that to your resulting CSV.

Alternately, you could run this:

Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITY\SELF”}

Which will show you both Inherited, and non-Inherited rights via Powershell, then compare that with your CSV result.