PFdavadmin tool
Does anyone know if the pfdavadmin tool can produce a report for the permissions for ALL mailboxes on an exchange server, or do you have to supply a parameter of a mailbox to check its permissions?
May 11th, 2011 7:41am

You can export all the permissions for all mailboxes by choosing the option from the menu. Load PFDAVAdmin > connect to Exchange server and select mailboxes > then go to tools > export permissions > All mailboxes on this server.
Sukh
May 11th, 2011 7:48am

You are a legend my friend :)
May 11th, 2011 8:11am

Will it show both delegate rights and people who have "send as" rights, as well as domain groups added to the mailbox's ACL? In our org there are many domain groups named such as "eft mailbox access group" which I assume they add to the mailbox ACL, but other folk (mailbox owners) manually add people via delegate rights. So there seem to be a few ways to give access to a mailbox, I just wondered if pfdavadmin will cover both.
May 11th, 2011 8:13am

PS - I don't suppose you could upload or show me a sample of the export "output", i.e. the text file/csv or whatever?
May 11th, 2011 8:19am

pfdavadmin does it within the mailbox, at folder level, e.g. below. See permission in bold which I have given directly on the Junk email folder within Outlook to myself (Sukh).

Created with PFDAVAdmin 2.8
# Mittwoch, 11. Mai 2011 14:11:09
# ************************************************************************
#
# This export format is only usable with PFDAVAdmin 2.0 and later.
#
# ************************************************************************
SETACL Mailboxes\GMS02 NT AUTHORITY\ANONYMOUS LOGON None NO
SETACL Mailboxes\GMS02\Common Views NT AUTHORITY\ANONYMOUS LOGON None NO
SETACL Mailboxes\GMS02\Deferred Action NT AUTHORITY\ANONYMOUS LOGON None NO
SETACL Mailboxes\GMS02\Finder NT AUTHORITY\ANONYMOUS LOGON None NO
SETACL Mailboxes\GMS02\Finder\Unread Mail NT AUTHORITY\ANONYMOUS LOGON None NO
SETACL Mailboxes\GMS02\Freebusy Data NT AUTHORITY\ANONYMOUS LOGON None NO
SETACL Mailboxes\GMS02\Reminders NT AUTHORITY\ANONYMOUS LOGON None NO
SETACL Mailboxes\GMS02\Schedule NO
SETACL Mailboxes\GMS02\Shortcuts NT AUTHORITY\ANONYMOUS LOGON None NO
SETACL Mailboxes\GMS02\Spooler Queue NT AUTHORITY\ANONYMOUS LOGON None NO
SETACL Mailboxes\GMS02\To-Do Search NT AUTHORITY\ANONYMOUS LOGON None NO
SETACL Mailboxes\GMS02\Top of Information Store NT AUTHORITY\ANONYMOUS LOGON None NO
SETACL Mailboxes\GMS02\Top of Information Store\Inbox NT AUTHORITY\ANONYMOUS LOGON None NO
SETACL Mailboxes\GMS02\Top of Information Store\Inbox\T NT AUTHORITY\ANONYMOUS LOGON None NO
SETACL Mailboxes\GMS02\Top of Information Store\Outbox NT AUTHORITY\ANONYMOUS LOGON None NO
SETACL Mailboxes\GMS02\Top of Information Store\Sent Items NT AUTHORITY\ANONYMOUS LOGON None NO
SETACL Mailboxes\GMS02\Top of Information Store\Deleted Items NT AUTHORITY\ANONYMOUS LOGON None NO
SETACL Mailboxes\GMS02\Top of Information Store\Calendar NT AUTHORITY\ANONYMOUS LOGON None NO
SETACL Mailboxes\GMS02\Top of Information Store\Contacts NT AUTHORITY\ANONYMOUS LOGON None NO
SETACL Mailboxes\GMS02\Top of Information Store\Drafts NT AUTHORITY\ANONYMOUS LOGON None NO
SETACL Mailboxes\GMS02\Top of Information Store\Journal NT AUTHORITY\ANONYMOUS LOGON None NO
SETACL Mailboxes\GMS02\Top of Information Store\Notes NT AUTHORITY\ANONYMOUS LOGON None NO
SETACL Mailboxes\GMS02\Top of Information Store\Tasks NT AUTHORITY\ANONYMOUS LOGON None NO
SETACL Mailboxes\GMS02\Top of Information Store\Junk E-mail Mydomain\Sukh Editor NT AUTHORITY\ANONYMOUS LOGON None NO
SETACL Mailboxes\GMS02\Top of Information Store\Restored Items NT AUTHORITY\ANONYMOUS LOGON None NO
SETACL Mailboxes\GMS02\Top of Information Store\Sync Issues NT AUTHORITY\ANONYMOUS LOGON None NO
SETACL Mailboxes\GMS02\Top of Information Store\Sync Issues\Conflicts NT AUTHORITY\ANONYMOUS LOGON None NO
SETACL Mailboxes\GMS02\Top of Information Store\Sync Issues\Local Failures NT AUTHORITY\ANONYMOUS LOGON None NO
SETACL Mailboxes\GMS02\Top of Information Store\Sync Issues\Server Failures NT AUTHORITY\ANONYMOUS LOGON None NO
SETACL Mailboxes\GMS02\Views NT AUTHORITY\ANONYMOUS LOGON None NO
May 11th, 2011 8:29am
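
Added example (not part of the thread and not PFDAVAdmin's own code): a Python parser that reads an export like the one posted above and lists every folder-level grant other than the default ANONYMOUS LOGON / None entry, which is what an access review of these files is looking for. It assumes the real export file is tab-delimited (SETACL, folder path, principal/role pairs, then a trailing flag); the sample is constructed from lines in the post, and the function names are hypothetical.

```python
from collections import defaultdict

# Entry that appears on almost every folder in the posted sample; treated as baseline.
BASELINE = {("NT AUTHORITY\\ANONYMOUS LOGON", "NONE")}

# Constructed sample: lines from the post, re-joined with tabs (assumed delimiter).
SAMPLE = "\n".join([
    "# This export format is only usable with PFDAVAdmin 2.0 and later.",
    "SETACL\tMailboxes\\GMS02\tNT AUTHORITY\\ANONYMOUS LOGON\tNone\tNO",
    "SETACL\tMailboxes\\GMS02\\Schedule\tNO",
    "SETACL\tMailboxes\\GMS02\\Top of Information Store\\Junk E-mail"
    "\tMydomain\\Sukh\tEditor\tNT AUTHORITY\\ANONYMOUS LOGON\tNone\tNO",
])


def parse_export(text):
    """Yield (mailbox, folder, principal, role) for each ACE on each SETACL line."""
    for line in text.splitlines():
        fields = line.split("\t")
        if fields[0] != "SETACL" or len(fields) < 2:
            continue  # header, comment or blank line
        parts = fields[1].split("\\")
        if len(parts) < 2 or parts[0] != "Mailboxes":
            continue  # not a mailbox path
        mailbox = parts[1]
        folder = "\\".join(parts[2:]) or "(mailbox root)"
        aces = fields[2:]
        if len(aces) % 2:
            aces = aces[:-1]  # drop the trailing flag ("NO" in the sample)
        for principal, role in zip(aces[0::2], aces[1::2]):
            yield mailbox, folder, principal, role


def non_default_grants(text):
    """Group grants that differ from the baseline by mailbox, for review."""
    report = defaultdict(list)
    for mailbox, folder, principal, role in parse_export(text):
        if (principal.upper(), role.upper()) not in BASELINE:
            report[mailbox].append((folder, principal, role))
    return dict(report)


if __name__ == "__main__":
    for mailbox, grants in non_default_grants(SAMPLE).items():
        for folder, principal, role in grants:
            print(f"{mailbox}: {principal} is {role} on {folder}")
```

This covers only the folder-level permissions that the export contains; mailbox-level access and "send as" rights, discussed in the replies that follow, are not in this file.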

Thanks. So GMS02 is the mailbox? Or the user (mailbox owner)? Where does it list the mailbox owner? I.e. if I gave you delegate access to my inbox, where in that output you have sent would it show me (as mailbox) owner, and you as inbox access only? (excuse my ignorance - new to this)
May 11th, 2011 8:39am

As mentioned above, pfdavadmin works at the folder level. This will report permissions at the folder level. In the e.g. above, the gms02 is a user, and Sukh has access to the Junk email folder in gms02's mailbox. The below may help you for the mailbox level.
http://forums.techarena.in/windows-server-help/704459.htm
http://support.microsoft.com/kb/310866
Which version of Exchange are you using?
May 11th, 2011 8:42am

Thanks again Sukh. It's Exchange 2003 (soon to be migrated to Exchange 2010). Can you just confirm for me (to set my mind at ease)? As I see it there are 2 different ways to grant people access to a mailbox they don't own. I (user x) could in MS Outlook (tools > options > delegates) give you (user y) access to my inbox (delegate access). But also, it would seem, our Active Directory admin can create a Windows domain group, i.e. "user X mailbox access group", add the necessary people to that group, and then somehow attach that domain group to the mailbox; therefore just by logging in with their domain credentials (them being members of the group "user X mailbox access"), they can also see the inbox for that mailbox.
I just wanted to confirm pfdavadmin will show both the users set up via Outlook delegate rights, and the users added to a domain group which was then (somehow) added to the mailbox's ACL would BOTH be returned in the pfdavadmin output in terms of permissions to user X's mailbox. I hope that makes sense.
There is also I believe a "send as" option, whereby instead of granting delegate access, which in this case they would reply "user Y on behalf of user X" in an email, it just appears as the original sender, i.e. user X. Will pfdavadmin show me which users have delegate access, and which have "send as" access on all my mailboxes?
May 11th, 2011 8:54am

Correct. Both ways people can access the mailbox in the way you have described above. pfdavadmin works at the folder level. The AD admin access is different. You can try and use the links above to retrieve that information. For Exchange 2010 you can try the links below.
http://exchangepedia.com/2008/02/how-to-list-mailboxes-with-full-mailbox-access-permission-assigned.html
http://exchangeshare.wordpress.com/2008/09/01/how-to-find-all-mailboxes-with-send-as-permission-assigned/
Sukh
May 11th, 2011 9:13am

I'm getting a bit lost now (doesn't take much lol). So to summarize, is this accurate: Pfdavadmin is typically then reporting on permissions set via Outlook via delegate access. The scripts you link to are reporting on where domain users have been granted access to a mailbox based on their domain account, or based on them being the member of a domain group, which is then granted access to the mailbox?
May 11th, 2011 9:23am

Correct.
May 11th, 2011 9:36am

Are there any issues / best practices doing it one way or the other? I.e. is setting it via AD groups a more secure/effective way than doing it via Outlook delegate access? I just wonder why some of ours seem to be done one way and others done another way?
May 11th, 2011 9:39am

Why they have been done in two different ways is unknown, only the admin who did this knows. In my experience, it's best to do this on the client end (Outlook). This way the user has more control over what another user can see and do. Whereas giving full mailbox permission gives the user extra access that may not be needed.
Sukh
May 11th, 2011 9:42am

Good points - thanks so much for the help with this...
May 11th, 2011 9:51am

This topic is archived. No further replies will be accepted.
