Pro-Exchange,Lync & Office 365
Exchange 2010: User Permission Enumeration Script

Introduction

Recently, someone asked me if it was possible to get an overview of all the permissions one might have been granted on other mailboxes. The first thing that popped up in my mind was to use the Get-MailboxPermission cmdlet, but soon I realized there were some limitations.

First of all, the cmdlet appears to take only explicitly granted permissions into account. If a user has been granted access through membership of a group, those permissions do not show up. Secondly, the cmdlet does not return every permission one might hold over a mailbox; to cover the rest, I also needed to run the Get-ADPermission cmdlet.

As you will notice, the script does not perform very well. One might ask why I created it then. Well, first of all there was the question that got me to write it. Secondly (and probably the most important reason), I wanted to prove that PowerShell can handle virtually anything. I hope that by sharing this script you pick up some ideas or learn a few tricks. Either way, there is still a lot of room left for improvement and I’m eagerly awaiting your feedback. If you have any comments or suggestions, or you found a bug: please let me know!

The Script

The script creates an HTML report listing either all mailbox permissions or all AD permissions (on a mailbox) for a given user. The script also takes into account that permissions might have been granted through group membership. However, this currently goes only one level deep: groups nested within the top-level group are disregarded.

You can download the script from here: http://www.pro-exchange.be/media/p/1362.aspx

Requirements

Due to some restrictions, the script can, for now, only be run from an Exchange Server. It needs both the Active Directory module for PowerShell and the Exchange Management Shell. The script takes into account that the AD module is not loaded by default and will load it, if available:

    # Check whether the ActiveDirectory module is installed on this server
    Get-Module -ListAvailable | ForEach-Object { if ($_.Name -eq "ActiveDirectory") { $module = "true" } }
    if ($module -eq "true") {
        Import-Module ActiveDirectory
    }
    else {
        # end script and notify
        Write-Output "This script requires AD DS Remote Server Administration Tools to be installed"
        exit
    }

How does it work?

When taking a look at the logic behind the script it’s all very simple:

[Figure: flowchart of the script’s logic]
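To make the logic concrete, here is an added example that reconstructs the enumeration the post describes: resolve the user and its direct group memberships (one level deep), walk every mailbox, keep the ACEs whose trustee is the user or one of those groups, and write a colour-coded HTML report. This is not the author’s Get-UserMailboxPermissions.ps1; the function name Get-UserMailboxPermissionExample is hypothetical, and the code assumes it runs in the Exchange Management Shell on an Exchange 2010 server (PowerShell 2.0 syntax) with the ActiveDirectory module installed and a single-domain forest.

```powershell
# Added example, not the author's script: a compact reconstruction of the
# enumeration logic the post describes. Assumed to run in the Exchange
# Management Shell on an Exchange 2010 server (PowerShell 2.0 syntax) with the
# ActiveDirectory module installed; a single-domain forest is assumed.
function Get-UserMailboxPermissionExample {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $User,   # alias / sAMAccountName
        [Parameter(Mandatory = $true)] [string] $Path,   # folder for the HTML report
        [ValidateSet('AD', 'Mailbox')] [string] $Query = 'Mailbox'
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # Resolve the user and its direct group memberships. Like the post's script,
    # this goes only one level deep: groups nested inside those groups are ignored.
    $adUser = Get-ADUser -Identity $User -ErrorAction Stop
    $domain = (Get-ADDomain).NetBIOSName
    $groups = @(Get-ADPrincipalGroupMembership -Identity $adUser)

    # Map each trustee name ("DOMAIN\name", as Get-MailboxPermission and
    # Get-ADPermission render the User property) to how it relates to the user.
    $trustees = @{}
    $trustees["$domain\$($adUser.SamAccountName)"] = 'Explicit'
    foreach ($g in $groups) {
        $trustees["$domain\$($g.SamAccountName)"] = "Group ($($g.SamAccountName))"
    }

    # Walk every mailbox; this full enumeration is what makes the approach slow.
    $results = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        Write-Verbose "Checking $($mbx.DisplayName)"
        if ($Query -eq 'Mailbox') {
            $aces = Get-MailboxPermission -Identity $mbx.Identity
        } else {
            $aces = Get-ADPermission -Identity $mbx.Identity
        }
        foreach ($ace in $aces) {
            $trustee = [string]$ace.User
            if (-not $trustees.ContainsKey($trustee)) { continue }
            # Get-ADPermission reports extended rights (e.g. Send-As) separately;
            # that property is simply absent on Get-MailboxPermission output.
            $rights = @($ace.AccessRights) + @($ace.ExtendedRights) | Where-Object { $_ }
            New-Object PSObject -Property @{
                Mailbox    = $mbx.DisplayName
                Trustee    = $trustee
                GrantedVia = $trustees[$trustee]
                Rights     = ($rights -join ', ')
                Deny       = [bool]$ace.Deny
                Inherited  = [bool]$ace.IsInherited
            }
        }
    }

    # Render the report; cells are coloured by how the permission was granted,
    # mirroring the colour-coded table the post shows.
    $reportFile = Join-Path $Path ("{0}_{1}_Permissions.html" -f $User, $Query)
    $html = @($results) | Select-Object Mailbox, Trustee, GrantedVia, Rights, Deny, Inherited |
        ConvertTo-Html -Title "$Query permissions held by $User" `
                       -PreContent "<h1>$Query permissions held by $User</h1>"
    $html = $html -replace '<td>Explicit</td>', '<td style="background:#c6efce">Explicit</td>'
    $html = $html -replace '<td>(Group \([^<]*\))</td>', '<td style="background:#ffeb9c">$1</td>'
    $html | Out-File -FilePath $reportFile -Encoding UTF8
    Write-Output $reportFile
}

# Usage, after dot-sourcing the file that contains the function:
# Get-UserMailboxPermissionExample -User jdoe -Path C:\Reports -Query Mailbox -Verbose
```

The trustee lookup is keyed on the DOMAIN\name string that both cmdlets emit, so a mailbox ACE is attributed to the user when the trustee is the user itself (Explicit) or one of the user’s direct groups (Group). Anything granted through a nested group is missed, which is the same one-level limitation the post notes for its own script.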

How to use the script

I have tried to make the usage of the script as easy as possible. To be honest, Jason Helmick inspired me during one of his presentations at TechDays 2012; that is why I chose to create a “tool”-like script. When dot-sourcing the script, you will be able to start the process by running the Get-UserMailboxPermission cmdlet.

First, dot-source the script:

. .\Get-UserMailboxPermissions.ps1

After doing this, the Get-UserMailboxPermission cmdlet will be available, allowing you to kick off the processing:

Get-UserMailboxPermission -User <username> -Path <path_to_report> -Query <AD/Mailbox>

About the arguments:

  • The User parameter indicates which user to look up permissions for. In other words: “what permissions does this user have on all other mailboxes?” Enter the user’s alias here.
  • The Path parameter is the location where the report will be stored. It only needs a folder path, as the filename is, at this time, chosen by the script.
  • The Query parameter indicates whether to look for mailbox permissions or for AD permissions on mailboxes; use either “AD” or “Mailbox”.

Running Get-Help Get-UserMailboxPermission will provide you with more information about the script:

[Screenshot: Get-Help output for Get-UserMailboxPermission]

The result

After processing, an HTML report is generated that provides a table listing all the user’s permissions on other mailboxes. Different colors indicate whether a permission was granted (or denied) explicitly or through group membership:

[Screenshot: the generated HTML report]

Performance

Unfortunately (but not entirely unexpected), the script does not perform very well. This is largely because it enumerates all permissions for all mailboxes; it goes without saying that the more mailboxes you have, the longer it will take. As a reference: I used the script in a medium-sized environment with about 750 mailboxes and it took a little over half an hour to finish processing the mailbox permissions. Given that going through the AD permissions is an even bigger task, one might expect it to run well over a few hours. However, at this point I haven’t been able to test the report for AD permissions on such a scale yet. I expect it to run at least twice as long (if not longer…).

The future

I’m planning on continuing to develop this script and maybe add some features over time.

In the next release I should have fixed or added:

  • Allow the user-argument to accept values from the pipeline
  • Combine both AD- and mailbox permissions in a single report
  • Better error handling
  • …

Don’t forget to check back regularly for updates!


Posted 02-27-2012 10:40 by Michael Van Horenbeeck

Comments

Ruben Nauwelaers wrote re: Exchange 2010: User Permission Enumeration Script
on 02-28-2012 7:34

Great work & nice script!