Get-MailboxPermission
Get-Mailbox | Get-MailboxPermission | Where-Object { ($_.AccessRights -eq "*fullaccess*") -and ($_.User -like "*THEUSER*") }
Hi All, I used the above command to find out which mailboxes "THEUSER" has full access to. There was no output from the command, so it means that they don't have full access to any mailbox? Now, what I cannot understand is that "THEUSER" actually can open all mailboxes via Outlook / OWA but the above command doesn't output anything? Any thoughts on the above? "THEUSER" and myself have exactly the same permissions and groups assigned in AD Users and Computers. Also, when I change eq to like in the following command:
Get-Mailbox | Get-MailboxPermission | Where-Object { ($_.AccessRights -Like "*fullaccess*") -and ($_.User -like "*THEUSER*") }
it shows me some mailboxes which are generic ones, but "THEUSER" can open all mailboxes in Outlook / OWA. Will be grateful for your expert clarification! Kind Regards
November 24th, 2010 7:56am

Hi, I tested the PS you wrote, but mine came up empty as well. I then changed it a little so it looks like this:
[PS] C:\>Get-Mailbox | Get-MailboxPermission | where-object {$_.user -like "*USER*" -and $_.accessrights -eq "FullAccess"}
That showed me the correct list of permissions.
/Martin
Exchange is a passion not just a collaboration software.
November 24th, 2010 9:55am

Hi Martin, once again thanks for the prompt response. Yes, your command shows the output for "THEUSER" and lists the 4 mailboxes they have full access to, BUT :-) it isn't showing all the other mailboxes "THEUSER" has full access to, as they can open any mailbox in Outlook / OWA. I am lost here and trying to figure out why, when both me and theuser have the same permissions, I can't open any mailbox and they can? Does one need to be a member of Exchange organization admin? Funny thing is that I was actually the admin of all exchange admin groups in ADUC but still wasn't able to open mailboxes, whereas "TheUser" wasn't a member of any exchange admin group apart from the PublicFolder group and yet they were able to open all mailboxes. Any thoughts?
November 24th, 2010 10:41am

You've filtered your results down to just the permissions explicitly granted to that user. From the symptoms, it sounds like the user is a member of a group that's been granted full access to the mailboxes, that you are not a member of.
[PS] C:\>Get-Mailbox | Get-MailboxPermission | where-object { $_.accessrights -like "*FullAccess*"}
and investigate the membership of the groups that have full access.
[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
November 24th, 2010 11:04am

Hi, Could you please try and run this command to see what mailbox permissions are on the mailbox?
get-mailbox user@domain.com | Get-MailboxPermission |ft
It sounds a bit like some rights are messed up. When I ran the first command I got the complete list of mailboxes that the user has full access to.
/Martin
Exchange is a passion not just a collaboration software.
November 24th, 2010 11:08am

Sorry, I missed the fact that there's no filtering on get-mailbox. The return is going to be really busy. If the user in question has access to all the mailboxes, just pick one, and figure out where that access is being granted. Chances are that's where all the rest are getting it, too.
[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
November 24th, 2010 11:17am

I am actually more worried about the fact that a user that shouldn't have access to the mailboxes actually has it, and that is why I wanted the list of permissions on a specific mailbox. I am guessing that a certain security group is listed in a place that it shouldn't be.
/Martin
Exchange is a passion not just a collaboration software.
November 24th, 2010 11:20am

Identity                         User                                              AccessRights                                                             IsInherited  Deny
--------                         ----                                              ------------                                                             -----------  ----
domainname.internal/Users/virus  NT AUTHORITY\SELF                                 {FullAccess, ReadPermission}                                             False        False
domainname.internal/Users/virus  domainname\Administrator                          {FullAccess}                                                             True         False
domainname.internal/Users/virus  domainname\EXCHSRV1$                              {ReadPermission}                                                         True         False
domainname.internal/Users/virus  domainname\Exchange Servers                       {FullAccess}                                                             True         True
domainname.internal/Users/virus  domainname\Administrator                          {FullAccess}                                                             True         True
domainname.internal/Users/virus  domainname\Domain Admins                          {FullAccess}                                                             True         True
domainname.internal/Users/virus  domainname\Enterprise Admins                      {FullAccess}                                                             True         True
domainname.internal/Users/virus  domainname\Exchange Organization Administrators   {FullAccess}                                                             True         True
domainname.internal/Users/virus  NT AUTHORITY\NETWORK SERVICE                      {ReadPermission}                                                         True         False
domainname.internal/Users/virus  domainname\Exchange Servers                       {FullAccess}                                                             True         False
domainname.internal/Users/virus  domainname\Exchange Public Folder Administrators  {ReadPermission}                                                         True         False
domainname.internal/Users/virus  domainname\Administrator                          {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}  True         False
domainname.internal/Users/virus  domainname\Exchange Servers                       {ReadPermission}                                                         True         False
domainname.internal/Users/virus  domainname\Exchange Organization Administrators   {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}  True         False
domainname.internal/Users/virus  domainname\Exchange View-Only Administrators      {ReadPermission}                                                         True         False
domainname.internal/Users/virus  domainname\Enterprise Admins                      {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}  True         False
domainname.internal/Users/virus  domainname\Domain Admins                          {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}  True         False

Hi Martin & Mjolinor, Above is the output of:
get-mailbox mailboxname | Get-MailboxPermission |ft
Virus is the name of a mailbox. Both me and "THEUSER" are members of the above listed groups, hard to understand why theuser can open it in Outlook / OWA and not me? Any thoughts! Thanks for the prompt responses!!
November 24th, 2010 11:40am
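
An added example, not written by any poster in this thread: the function below takes permission entries shaped like the Get-MailboxPermission output above, plus the account's own name and group names, and reports which FullAccess entries apply to it and whether a Deny entry is evaluated first. The function name, the accounts domainname\me and domainname\svc and their memberships are hypothetical, and all inherited entries are treated as a single tier, which simplifies real ACL evaluation.

```powershell
# Added example, not code from the thread. Needs PowerShell 3.0+ for [pscustomobject].
function Get-EffectiveFullAccess {
    param(
        [object[]]$Ace,        # entries shaped like Get-MailboxPermission output
        [string[]]$Principal   # the account name plus every group it belongs to
    )
    # Keep FullAccess entries whose trustee is the account or one of its groups.
    $hits = @($Ace | Where-Object {
        $entry  = $_
        $rights = @($entry.AccessRights | ForEach-Object { $_.ToString() })
        ($rights -contains 'FullAccess') -and ($Principal -contains $entry.User.ToString())
    })
    # Canonical ACL order: explicit before inherited, Deny before Allow in each tier.
    # Simplifying assumption: every inherited entry belongs to the same tier.
    $ordered = @($hits | Sort-Object -Property @{ Expression = { [int]$_.IsInherited } },
                                               @{ Expression = { [int](-not $_.Deny) } })
    $verdict = 'NoMatchingEntry'
    if ($ordered.Count -gt 0) {
        $verdict = if ($ordered[0].Deny) { 'Denied' } else { 'Allowed' }
    }
    [pscustomobject]@{ Verdict = $verdict; Entries = $ordered }
}

# Constructed sample: four entries modelled on the 'virus' mailbox output above.
$allRights = @('FullAccess', 'DeleteItem', 'ReadPermission', 'ChangePermission', 'ChangeOwner')
$sample = @(
    [pscustomobject]@{ User = 'domainname\Domain Admins'; AccessRights = @('FullAccess')
                       IsInherited = $true; Deny = $true }
    [pscustomobject]@{ User = 'domainname\Domain Admins'; AccessRights = $allRights
                       IsInherited = $true; Deny = $false }
    [pscustomobject]@{ User = 'domainname\Exchange Servers'; AccessRights = @('FullAccess')
                       IsInherited = $true; Deny = $false }
    [pscustomobject]@{ User = 'domainname\Exchange Public Folder Administrators'
                       AccessRights = @('ReadPermission'); IsInherited = $true; Deny = $false }
)

# Hypothetical memberships: one account in a group that carries both Deny and Allow,
# one account in a group that carries Allow only.
$admin = Get-EffectiveFullAccess -Ace $sample -Principal 'domainname\me', 'domainname\Domain Admins'
$other = Get-EffectiveFullAccess -Ace $sample -Principal 'domainname\svc', 'domainname\Exchange Servers'
"{0} / {1}" -f $admin.Verdict, $other.Verdict
$admin.Entries | Format-Table User, Deny, IsInherited -AutoSize
```

Against a live server, the -Ace argument would be the output of Get-MailboxPermission for one mailbox, and the -Principal list has to be gathered separately from the account's group memberships in AD.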

The default is that no one can open other users' mailboxes. I haven't actually tried using the public folder group for these settings. Normally I like to create my own security groups for these purposes so I don't mess around with the defaults. To try and sort it out, remove your two users from the above groups and create a new one called something like: SG_FullMailboxRights. Add your users to this group and try and give permissions to this group instead. Oh, and do remember to check that your permissions are the same when not in any of the default Exchange groups.
/Martin
Exchange is a passion not just a collaboration software.
November 24th, 2010 11:53am

Has the user been made a delegate of the mailbox?
[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
November 24th, 2010 12:02pm

Hi Mjolinor, How can I check whether they are a delegate or not? I am not sure, I am left with this mess to deal with :-) so I have to figure it out - I guess. Thanks Martin and Mjolinor for your prompt responses! Kind Regards
November 24th, 2010 12:07pm

I think it's also possible the access is being done by impersonation: http://msdn.microsoft.com/en-us/library/bb204095.aspx
[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
November 24th, 2010 12:08pm

I think it's also possible the access is being done by impersonation: http://msdn.microsoft.com/en-us/library/bb204095.aspx
[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

This is Exchange 2007 SP1, not sure whether this is applicable to it as the msdn link takes you to an Ex2010 reference.
November 24th, 2010 12:13pm

Here's a link that appears to be 2007 specific: http://msdn.microsoft.com/en-us/library/bb204095(EXCHG.80).aspx
[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
November 24th, 2010 12:17pm

Which Exchange Groups are you using as the one to give access to mailboxes?
Exchange is a passion not just a collaboration software.
November 24th, 2010 12:30pm

Hi Martin, As I have inherited this setup, those are the only groups listed in the above permissions. Upon looking in ADUC, they have some security groups which are part of Enterprise admin / Domain admin etc. and then the admin users are part of those security groups. What I cannot understand is that none of these security groups are part of any Exchange Admin groups... still can't understand what's going on :-) Will do more findings and post back! Thanks so much for your and mjolinor's prompt responses!!!
November 25th, 2010 5:06am

Hi, Any news on the troubleshooting? Do try and find out which groups belong to the Exchange groups so we can figure out how it is all put together. If the reason for the groups being in the Exchange groups is only giving full access to mailboxes, I would remove the groups and start with making your own groups instead and using them.
/Martin
Exchange is a passion not just a collaboration software.
November 29th, 2010 11:58am

Hi, Any news on the troubleshooting? Do try and find out which groups belong to the Exchange groups so we can figure out how it is all put together. If the reason for the groups being in the Exchange groups is only giving full access to mailboxes, I would remove the groups and start with making your own groups instead and using them.
/Martin
Exchange is a passion not just a collaboration software.

Hi Martin, sorry for the delayed response. "Do try and find out which groups belongs to the Exchange groups" By the above line you mean I should check for any groups which are members of any Exchange groups and make a note of them? I will be on this site tomorrow and will do that - will update here when I have the details. Kind Regards
December 1st, 2010 4:32am

Hi, Yeah that is what I mean. That way you can try and sort out who has the permission you want and who might have permissions that you maybe didn't want them to have. It is important to know who has access to what, because when strange things happen you will want to know who had access to doing things :-) If a "normal" user has Exchange Organization rights the user will actually be able to delete databases and so on, and all he/she actually needed was to view the inbox of a public mailbox.
/Martin
Exchange is a passion not just a collaboration software.
December 1st, 2010 7:43am

Hi Martin, Sorry for another delayed response - bad weather has restricted me - hence the delay - still waiting for all to clear up and then I would be on that site - meanwhile - I might try to seek remote access (if allowed) and will then be able to go through the groups etc. What my plan of action is: will open up ADUC (dsa.msc) and then check for all "Default / built-in" Exchange groups and see who is the member of which groups, make a note of them and then see which users are members of those groups. Please keep an eye on this thread! Will update this space soon.
Meanwhile - a quick suggestion is required - one of my Exchange servers is running out of space (still 30GB left on the DB partition). I was thinking to:
a) Shrink the Logs partition (get 40GB) from there (leaving the logs with 20GB)
b) Extend the DB partition then via Diskmgmt.msc
Any thoughts on that? Is it a straightforward procedure or shall I dismount the DBs first - stop Exchange services - then do this? Kind Regards!!
December 7th, 2010 4:58am

Hey, Been away on work these last days. Resizing the log drive really depends on the amount of mail you receive between backup windows and how often you are taking a full backup. The logs will only be flushed when a full backup is done, so you need to be sure that you still have enough space on the log drive to support the mail flow. Are both log and db on the same drives (raid, lun), since you can shrink and extend the volumes? If so, and you are sure that 20 GB is enough for the log drive, I see no problem in doing the task mentioned.
/Martin
Exchange is a passion not just a collaboration software.
December 9th, 2010 3:00pm

This topic is archived. No further replies will be accepted.
