Exchange Server Share

September 5, 2008

FAQ: Access on All the Mailboxes of a Server – Exchange 2007

Filed under: Exchange, Exchange 2007, PowerShell — Amit Tank @ 2:17 pm

How to give permission to access all the mailboxes of a mailbox database or a server in Exchange 2007?

You can open and read the contents of a mailbox if you have Full Mailbox Access or Receive As permission on it.

Sometimes an auditor, an HR person or an application needs access to all the mailboxes of a database or a server. In that case you can assign Receive As permission at the mailbox database level to a user or group, which grants the right to log on to all the mailboxes in that database.

Reference: How to Allow Mailbox Access

Example:

Let's say I need to give the user "Auditor" access to open all the mailboxes on the server "ESS-Exch702".

We can give Receive-As permission on all the mailbox databases of a server with the command below.

Get-MailboxDatabase -Server "ESS-Exch702" | Add-ADPermission -User "Auditor" -ExtendedRights Receive-As

Note: The configuration change does not take effect until the store cache is refreshed, which by default happens every two hours. For immediate effect, restart the Exchange Information Store service.

After Receive-As permission is granted to Auditor on the ESS-Exch702 server, that account can open all the mailboxes hosted on it.

If you want to give access to open all the mailboxes of just one database, run the command below.

Get-MailboxDatabase -Identity "Name Of Database" | Add-ADPermission -User "Auditor" -ExtendedRights Receive-As

You cannot send mail as a mailbox even if you have Full Mailbox Access or Receive As permission on it; for that you need to be assigned Send As permission.

September 1, 2008

How To: Find All Mailboxes with Send-As Permission Assigned

Here is another frequently asked question: how do you find all the mailboxes with Send-As permission assigned? This is useful for review and auditing purposes.

Let's take an example.

I have given Send-As permission to the Tank, Amit M account (User ID: ESS-Test\atank) on the users below.

Miller, Alex T
Ross, Colin T

Now use the command below to list all mailboxes that have Send-As permission assigned on them.

Get-Mailbox | Get-ADPermission | where {($_.ExtendedRights -like "*Send-As*")} | FT -Wrap

However, you will notice that the output also shows the Send-As permission assigned to SELF on every mailbox.

You can exclude the SELF permissions from the output with the command below.

Get-Mailbox | Get-ADPermission | where {($_.ExtendedRights -like "*Send-As*") -and -not ($_.User -like "NT AUTHORITY\SELF")} | FT -Wrap

Now, let's say some inherited Send-As permissions appear in the output; you can exclude them with the command below.

Get-Mailbox | Get-ADPermission | where {($_.ExtendedRights -like "*Send-As*") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF")} | FT -Wrap

You can filter the output as required, for example by server or database, by OU, or by a particular recipient type.

To filter the output to all users on a server, here is an example.

Get-Mailbox -Server "ESS-Exch702" | Get-ADPermission | where { ($_.ExtendedRights -like "*Send-As*") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") } | ft -wrap

In the same way, you can use the parameters below to filter the output.

-Database
-RecipientTypeDetails
-OrganizationalUnit

To generate a report for a spreadsheet, export the result to a CSV file.

Get-Mailbox | Get-ADPermission | where { ($_.ExtendedRights -like "*Send-As*") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") } | Select Identity, User, Deny | Export-CSV test.csv
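
The same filter also works for the database-level Receive-As grants from the first post, so one review report can list both kinds of access. This is an added example, not part of the original post; it assumes the Exchange Management Shell and the server name ESS-Exch702 used above, and the helper name Get-ExplicitGrant and the output file name are hypothetical.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# Get-ExplicitGrant is a hypothetical helper name, not an Exchange cmdlet.
# It returns explicit (non-inherited), non-SELF entries for one extended right
# on the objects passed in, using the same filter as the commands above.
function Get-ExplicitGrant($Objects, [string]$Right, [string]$Scope) {
    $Objects | Get-ADPermission | Where-Object {
        ($_.ExtendedRights -like "*$Right*") -and
        ($_.IsInherited -eq $false) -and
        -not ($_.User -like "NT AUTHORITY\SELF")
    } | Select-Object @{Name = "Scope"; Expression = { $Scope }},
                      @{Name = "Right"; Expression = { $Right }},
                      Identity, User, Deny
}

$server = "ESS-Exch702"   # server name taken from the examples above

$report = @()

# Receive-As set on a mailbox database applies to every mailbox in that
# database, so each row with Scope "Database" is a wide grant worth reviewing.
$report += @(Get-ExplicitGrant (Get-MailboxDatabase -Server $server) "Receive-As" "Database")

# Send-As is set per mailbox; these rows match the Send-As report above.
$report += @(Get-ExplicitGrant (Get-Mailbox -Server $server -ResultSize Unlimited) "Send-As" "Mailbox")

# Show the result on screen, then write it to a CSV file for review.
# The file name is an assumption; Deny is kept so deny entries are visible.
$report | Sort-Object Scope, User | Format-Table -Wrap -AutoSize
$report | Export-Csv "extended-rights-audit.csv" -NoTypeInformation
```

A grant that is no longer needed can be withdrawn with Remove-ADPermission, using the same -User and -ExtendedRights arguments that were passed to Add-ADPermission.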
