Wednesday, October 31, 2012

Auditing Full Access Permissions

One of the nice things about Exchange Management Console (EMC) is how easy it is to grant Full Access permissions. One of the bad things about EMC is also how easy it is to grant Full Access permissions! For troubleshooting purposes, or in the course of creating resource/shared mailboxes, it is often necessary to do just that - for example, it can be helpful for an admin to be able to get into a mailbox to reset permissions, or it can be most useful for a user (or users) to manage a resource mailbox instead of being granted a lot of granular permissions. Well, because it is so easy, it is also easy to lose track of the mailboxes to which your admin account has been granted access. Or maybe an admin is leaving and it is necessary to determine which mailboxes they granted their own account or their admin account access to, to make sure no permissions remain that shouldn't. The question I had was how to get this information - how to determine (without checking every mailbox manually via EMC) which mailboxes a specific user account had been granted Full Access to.

While researching this issue and how to get this information, I came across a lot of great sites with great information and ideas. I picked out a couple of common threads which I was able to put to use in our environment. First is Get-Mailbox, and second is Get-MailboxPermission. As mentioned above, I basically want to query all of the mailboxes for instances in which a known, specific account has been granted explicit Full Access permissions. Below is what I came up with:

Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission -User [USERNAME] | where{$_.IsInherited -eq $false} | fl Identity,User,AccessRights

To break this down piece by piece, here are the different elements:

  • ResultSize: this is set to "Unlimited" because we have over 1,000 mailboxes and I want to query all of them
  • User: here is where I am entering the name of my administrative account (or the name of any other user who may have rights) - the brackets are not part of the actual input
  • where{$_.IsInherited -eq $false}: This is the piece that will tell me if the account has been given explicit permissions via EMC - which reminds me, if you haven't become familiar with it already, make sure to read up on the "$_." trick
  • fl: (a.k.a., Format-List) I found these three pieces of information to be the most useful; I can see the mailbox to which permissions have been granted, I can confirm it's the user I'm checking for, and I can see if it is truly Full Access or some other combination of permissions

This can be a handy way to do some quick administrative access auditing, and hopefully this script has been helpful. As always, feel free to leave some feedback with any questions/comments!
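As an added example (not the original post's one-liner), here is the same audit extended the way a departing-admin review usually needs it: it runs over every mailbox, skips inherited entries, Deny entries, the mailbox owner's own NT AUTHORITY\SELF entry and orphaned SIDs left by deleted accounts, keeps only entries that actually include FullAccess, and writes the result to CSV. It assumes an Exchange Management Shell session; the $User/$OutFile parameter names and the output path are my own choices.

```powershell
# Added example, not from the original post. Save as e.g. Audit-FullAccess.ps1
# and run from the Exchange Management Shell. With -User it audits one account;
# without it, it lists every explicit Full Access grant in the organization.
param(
    [string]$User,                                 # optional: limit to one trustee
    [string]$OutFile = ".\FullAccessAudit.csv"     # constructed output path
)

$results = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_
    # Pull the ACL for this mailbox, scoped to one trustee when -User was given
    $perms = if ($User) {
        Get-MailboxPermission -Identity $mbx.Identity -User $User
    } else {
        Get-MailboxPermission -Identity $mbx.Identity
    }

    $perms |
        Where-Object {
            -not $_.IsInherited -and                   # explicit grants only (EMC / Add-MailboxPermission)
            -not $_.Deny -and                          # a Deny ACE is not access
            $_.User -notlike "NT AUTHORITY\SELF" -and  # every mailbox has this implicit entry
            $_.User -notlike "S-1-5-*" -and            # unresolved SIDs = deleted accounts
            ($_.AccessRights -contains "FullAccess")   # ignore e.g. ReadPermission-only entries
        } |
        Select-Object @{ n = 'Mailbox';      e = { $mbx.PrimarySmtpAddress } },
                      @{ n = 'Trustee';      e = { $_.User.ToString() } },
                      @{ n = 'AccessRights'; e = { $_.AccessRights -join ',' } },
                      Deny, IsInherited
}

# Full detail to CSV for the ticket / change record
$results | Sort-Object Trustee, Mailbox | Export-Csv -NoTypeInformation -Path $OutFile

# Quick on-screen summary: which accounts hold the most Full Access grants
$results | Group-Object Trustee | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```

Without -User the run takes noticeably longer than the one-liner, since it fetches the whole ACL for every mailbox rather than one trustee's entry.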

1 comment:

  1. A well-described article on auditing Full Access permissions. I found good information and ideas on granting Full Access permission and knowing who changed what mailboxes with a specific user account. I tested this Exchange Server auditing tool ( http://www.lepide.com/lepideauditor/exchange.html ) to find out who accessed which mailboxes, which items inside the mailboxes such as e-mails, appointments and tasks, and what they did (deleted, viewed, edited). It enables real-time tracking alerts of any unauthorized activity.
