How to get list of all shared mailboxes within given OU to which given user has Send-As extended rights.

How to get a list of all shared mailboxes within a given OU to which a given user has Send-As extended rights, using PowerShell without using Exchange Management Shell commands.

The reason why the EMS commands cannot be used: the appropriate RBAC role cannot be assigned, which means EMS commands are not accessible.

The background is the following: the AD forest has dozens of OUs where users and shared mailboxes were created. There are hundreds of users and dozens of shared mailboxes in each OU. The task is to find out which mailboxes a given user can send from. The only permission used is the extended right Send-As, never GrantSendOnBehalf.

The search should always be performed against one OU at a time, as in "From which shared mailboxes within a given OU does a given user have Send-As permission".

Thank you.

June 25th, 2015 6:14am

Thank you Lynn-Li for your reply.

However, this does not answer my question. The admin users who will be using the script do not have and cannot have any administrative access to Exchange. This means that they will not have access to any of the EMS commandlets. Get-Mailbox and in particular, Get-ADPermission are not available to them. The only commands available are general Powershell commands and Active Directory Module commands. Do not ask me why they cannot be assigned appropriate RBAC role. It is internal politics.

I know that the required information can be found by verifying security settings for shared mailbox objects in adsiedit.msc console. However, this is cumbersome and a lot of time is wasted.

Because my organization is heavily decentralized, there is one OU for each work unit, and each uses a unique value for the AD attribute Department. All users and their shared mailboxes from a given work unit have a common value for the Department attribute. I have now opted to query users by the Department attribute, which, effectively, is the same as querying users by OU.

I can settle on any of the two possible outputs of the script:

1. get all shared mailboxes in given work unit and all users who have Send-As AD permission, or

2. get all shared mailboxes to which given user has Send-As AD permission

I got as far as this:

First, I load Active Directory module

Second, I declare a variable $dept that can be populated by the admin user who will be using the script. This variable will hold the name of the work unit that is used in the Department attribute.

Third, I get all shared mailboxes that have the same Department attribute and put the output into another variable called $shmbx that will be used to get the AD ACLs in the next step.

Fourth, I get all ACLs for all shared mailboxes in the same work unit. Among the values returned is also the AD extended right Send-As. It is identified by the ObjectType value ab721a54-1e2f-11d0-9819-00aa0040529b.

The actual output consists of all ACLs and is similar to this (note that the first block represents Send-As AD permission):

ActiveDirectoryRights : ExtendedRight
InheritanceType       : None
ObjectType            : ab721a54-1e2f-11d0-9819-00aa0040529b
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : BIGCORP\SMITHBOB
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

ActiveDirectoryRights : ReadProperty, WriteProperty
InheritanceType       : None
ObjectType            : 66f97680-8811-11d4-a5fb-00c04facb35a
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : BIGCORP\Enterprise Admins
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

This is where I am stuck. I need to extract only the Send-As extended rights, get the value of the associated IdentityReference and output them along with the shared mailbox Display Name.

Right now, it seems that I am closer to satisfying the requirement presented in point 1 above (get all shared mailboxes, one by one, and all those users who have Send-As permission for each shared mailbox).

Below is the code I managed to produce. Note that it certainly is not optimal and might seem awkward. Mind you, I am not PowerShell savvy and these are my first steps.

## first, load the AD module (by its full name rather than a wildcard)
Import-Module ActiveDirectory

## second, set a variable for the Department attribute. Those who will use the script can change the value of this variable
$dept = "accounting"

## third, get all shared mailboxes that have a specific Department attribute value (i.e. Accounting) and put the output into a variable called $shmbx
## msExchRecipientTypeDetails 4 = shared mailbox; only the properties actually needed are requested instead of *
$shmbx = Get-ADUser -Filter 'Department -eq $dept' -Properties DisplayName, msExchRecipientTypeDetails |
    Where-Object { $_.msExchRecipientTypeDetails -eq 4 }

## fourth, get the AD ACLs of all shared mailboxes collected in the $shmbx variable. The output also includes the extended right Send-As
## $mbx already carries DistinguishedName, so the second Get-ADUser lookup per mailbox is not needed
foreach ($mbx in $shmbx) { (Get-Acl -Path "AD:$($mbx.DistinguishedName)").Access }


  • Edited by JScorupka Friday, June 26, 2015 5:06 AM
June 26th, 2015 5:04am
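The step the post is stuck on, filtering the ACEs down to the Send-As extended right and tying each grantee to the mailbox display name, as an added example that is not from the thread. It uses only the ActiveDirectory module and Get-Acl, matches the Send-As GUID quoted above, and resolves trustees to SIDs so a grant made to a group the user belongs to is found as well; the function name, the tokenGroups lookup and the sample values are assumptions.

```powershell
# Added example, not the poster's code. Assumes the AD: drive provided by the
# ActiveDirectory module and msExchRecipientTypeDetails 4 = shared mailbox.
Import-Module ActiveDirectory

# GUID of the Send-As extended right (the ObjectType value shown in the thread).
$SendAsGuid = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'

function Get-SharedMailboxSendAs {
    param(
        [Parameter(Mandatory)] [string] $Department,
        # Optional: keep only grants held by this user or its groups (mode 2 above).
        [string] $SamAccountName
    )
    # Send-As is often granted to a group, so collect the user's own SID plus
    # every group SID from tokenGroups (assumed to be returned by Get-ADUser).
    $userSids = $null
    if ($SamAccountName) {
        $u = Get-ADUser -Identity $SamAccountName -Properties tokenGroups
        $userSids = @($u.SID.Value) + @($u.tokenGroups | ForEach-Object { $_.Value })
    }
    $shared = Get-ADUser -Filter 'Department -eq $Department' `
        -Properties DisplayName, msExchRecipientTypeDetails |
        Where-Object { $_.msExchRecipientTypeDetails -eq 4 }

    foreach ($mbx in $shared) {
        $acl = Get-Acl -Path "AD:$($mbx.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            # Keep only Allow ACEs that carry ExtendedRight for the Send-As GUID.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (-not ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { continue }
            if ($ace.ObjectType -ne $SendAsGuid) { continue }
            if ($userSids) {
                # Compare by SID so "BIGCORP\SomeGroup" matches a member user.
                try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
                catch { continue }   # orphaned or untranslatable trustee
                if ($userSids -notcontains $sid) { continue }
            }
            [pscustomobject]@{
                Mailbox   = $mbx.DisplayName
                Trustee   = $ace.IdentityReference.Value
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Mode 1: every Send-As grantee per shared mailbox in the work unit.
Get-SharedMailboxSendAs -Department 'accounting'
# Mode 2: only the shared mailboxes a given user can send as (sample account).
Get-SharedMailboxSendAs -Department 'accounting' -SamAccountName 'SMITHBOB'
```

A Deny ACE for the same right on the same object takes precedence over an Allow, and the block skips Deny entries rather than evaluating them, so a mailbox it reports may still be blocked by an explicit Deny.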
