When you use the Get-MailboxPermission cmdlet or Manage Full Access Permission in the Exchange Management Console, you can view the users and groups who have Full Access permissions over a mailbox in Exchange.
However, if a group is assigned access, you may struggle to quickly see who actually has access. If we look at an example mailbox, we'll see Test Group has been assigned access:
However, when we examine the group, the members may still not be easily apparent if it contains another group as a member, otherwise known as nested groups:
These layers of abstraction can be untangled with the following script, which recursively lists all users who have Full Access permissions, whether they are assigned directly or through membership of a group or nested group:
param($Mailbox)

# Helper function to get group members recursively.
# $Visited tracks groups already expanded so circular nesting cannot recurse forever.
function Get-GroupMembersRecursive
{
    param($Group, [hashtable]$Visited = @{})
    [array]$Members = @()
    $Group = Get-Group $Group -ErrorAction SilentlyContinue
    if (!$Group)
    {
        throw "Group not found"
    }
    if ($Visited.ContainsKey($Group.Identity.ToString()))
    {
        return $Members
    }
    $Visited[$Group.Identity.ToString()] = $true
    foreach ($Member in $Group.Members)
    {
        if (Get-Group $Member -ErrorAction SilentlyContinue)
        {
            # The member is itself a group: expand it as well
            $Members += Get-GroupMembersRecursive -Group $Member -Visited $Visited
        } else {
            $Members += ((Get-User $Member.Name).UserPrincipalName)
        }
    }
    $Members = $Members | Select -Unique
    return $Members
}

# Mailbox Full Access Permissions: explicit (non-inherited) Allow entries only,
# ignoring the mailbox's own NT AUTHORITY\SELF entry
[array]$Result = Get-MailboxPermission $Mailbox | where { ($_.AccessRights -like "*FullAccess*") -and ($_.IsInherited -eq $false) -and ($_.Deny -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") } | Select User
[array]$Members = @()
foreach ($Item in $Result)
{
    $User = Get-User $Item.User.ToString() -ErrorAction SilentlyContinue
    if (!$User)
    {
        # Not a user, so treat the entry as a group and expand its membership
        $Members += Get-GroupMembersRecursive $Item.User.ToString()
    } else {
        $Members += $User.UserPrincipalName
    }
}
$Members | Select -Unique
To use this script, copy and paste it into a new PS1 file and execute it from the Exchange Management Shell, passing the mailbox identity as the -Mailbox parameter:
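As an added example (not part of the original post), the following wrapper runs the script above against every mailbox in the organisation and flags any Full Access holder who is not on an approved list, which turns the one-mailbox lookup into a periodic audit. It assumes the script has been saved as .\Get-MailboxFullAccess.ps1 (an assumed file name), that the Exchange cmdlets are loaded in the session, and uses a constructed allow-list of UPNs in place of a real one.

```powershell
# Added example, not the original post's code.
# Assumed: the script above is saved as .\Get-MailboxFullAccess.ps1 and this
# runs in the Exchange Management Shell (Get-Mailbox available).

$ScriptPath = '.\Get-MailboxFullAccess.ps1'   # assumed file name for the post's script
$ReportPath = '.\FullAccessReport.csv'        # assumed output location

# Constructed sample allow-list: UPNs expected to hold Full Access somewhere.
# In practice load this from a change-controlled file, e.g. Import-Csv.
$Approved = @('helpdesk@contoso.example', 'svc-backup@contoso.example')

$Report = foreach ($Mbx in Get-Mailbox -ResultSize Unlimited) {
    # The script emits one UPN per line with group membership already flattened
    $Holders = & $ScriptPath -Mailbox $Mbx.Identity

    foreach ($Upn in $Holders) {
        [pscustomobject]@{
            Mailbox    = $Mbx.PrimarySmtpAddress
            FullAccess = $Upn
            Approved   = ($Approved -contains $Upn)
        }
    }
}

# Keep the full picture for the record
$Report | Export-Csv -Path $ReportPath -NoTypeInformation

# Surface only the unexpected grants for review
$Report | Where-Object { -not $_.Approved } |
    Sort-Object Mailbox, FullAccess |
    Format-Table -AutoSize
```

Because the script resolves nested groups to individual UPNs before the comparison, a user added to a group that is in turn nested inside a group with Full Access still shows up as an unapproved holder, which is exactly the case that is hard to spot in the console.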
Hi,
I can’t get this to run. Pictures of how to run are missing.
Thanks, Ryan