How to bulk add Send-As and FullAccess permissions in Exchange 2007 PowerShell using Add-ADPermission and Add-MailboxPermission
Posted by shauncroucher on October 28, 2009
Some email administrators have been asking how to add the Send-As and FullAccess permission to many users at once for a particular user account.
It's quite a straightforward command, but note that Send-As rights are granted with Add-ADPermission, not Add-MailboxPermission.
You can easily amend this to add FullAccess rights in bulk.
So, to add Send-As rights for user JoeBloggs to ALL Mailboxes in your organisation:
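# -ResultSize Unlimited: Get-Mailbox otherwise stops at the first 1000 mailboxes
Get-Mailbox -ResultSize Unlimited | ForEach-Object { $mbDN = $_.DistinguishedName; Add-ADPermission -Identity $mbDN -User "DOMAIN\JoeBloggs" -ExtendedRights "Send-As" }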
The CSV Approach
And if you have a list of users, mailboxes, or both that you wish to process:
Create a CSV with 2 columns: TheMailbox and TheUser.
For instance, let's say the CSV looks like this:
TheMailbox,TheUser
emp70,emp66
emp71,emp67
emp72,emp68
This will give user emp66 Send-As rights to user emp70's mailbox, user emp67 to user emp71's mailbox, and so on.
$TheList = Import-Csv "C:\thelist.csv"
ForEach ($theObject in $TheList) { $theMBDN = (Get-Mailbox $theObject.TheMailbox).DistinguishedName; Add-ADPermission $theMBDN -ExtendedRights "Send As" -User $theObject.TheUser }
To Add Mailbox ‘FullAccess’ permissions using the CSV approach…
Just a few small changes needed…
ForEach ($theObject in $TheList) { $theMBDN = (Get-Mailbox $theObject.TheMailbox).DistinguishedName; Add-MailboxPermission $theMBDN -AccessRights "FullAccess" -User $theObject.TheUser }
Shaun
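A more defensive form of the CSV approach, as an added example that is not part of the original post: it previews each Send-As grant with -WhatIf, skips rows that do not resolve to exactly one mailbox, then writes out the explicit Send-As and FullAccess entries on the processed mailboxes for review. The $preview switch and the report path are assumptions made for this example.

```powershell
# Added example; run in the Exchange Management Shell.
$csvPath    = 'C:\thelist.csv'         # same file and columns as in the post
$reportPath = 'C:\thelist-audit.csv'   # hypothetical output path
$preview    = $true                    # set to $false to actually apply the grants

$touched = @()
foreach ($row in (Import-Csv $csvPath)) {
    # Reject incomplete rows instead of passing an empty identity to Exchange
    if (-not $row.TheMailbox -or -not $row.TheUser) {
        Write-Warning "Skipping incomplete row: '$($row.TheMailbox)','$($row.TheUser)'"
        continue
    }
    # Resolve the mailbox first; a typo or an ambiguous name must not be guessed at
    $mb = @(Get-Mailbox $row.TheMailbox -ErrorAction SilentlyContinue)
    if ($mb.Count -ne 1) {
        Write-Warning "Skipping '$($row.TheMailbox)': resolved to $($mb.Count) mailboxes"
        continue
    }
    $dn = $mb[0].DistinguishedName
    # With -WhatIf the cmdlet only reports what it would change
    Add-ADPermission $dn -ExtendedRights 'Send As' -User $row.TheUser -WhatIf:$preview
    $touched += $dn
}

# Audit: explicit, non-deny Send-As and FullAccess entries on the processed mailboxes.
# In preview mode this is the state before any change.
$report = @($touched | Sort-Object -Unique | ForEach-Object {
    $dn = $_
    Get-ADPermission $dn |
        Where-Object { ($_.ExtendedRights -like '*Send-As*') -and -not $_.IsInherited -and -not $_.Deny } |
        Select-Object @{Name='Mailbox';Expression={$dn}}, User, @{Name='Right';Expression={'Send-As'}}
    Get-MailboxPermission $dn |
        Where-Object { ($_.AccessRights -like '*FullAccess*') -and -not $_.IsInherited -and -not $_.Deny } |
        Select-Object @{Name='Mailbox';Expression={$dn}}, User, @{Name='Right';Expression={'FullAccess'}}
})
$report | Export-Csv $reportPath -NoTypeInformation
```

For FullAccess grants, replace the Add-ADPermission line with the Add-MailboxPermission call from the post.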
Lee Stevens said
This is good info, but how can I do the reverse? I need to see what mailboxes a certain user has access to.
shauncroucher said
Hi Lee,
Something like this will give you a list of all mailboxes that a particular user has FullAccess for (replace DOMAIN\user accordingly). It will run for the whole Exchange Organisation:
Get-Mailbox | Get-MailboxPermission | ?{($_.AccessRights -eq "FullAccess") -and ($_.User -like 'DOMAIN\user') -and ($_.IsInherited -eq $false)} | ft Id*
Shaun
Lee Stevens said
Hi Shaun,
This is not working correctly in my environment. There is a specific user that has permissions to several mailboxes, and I can verify this by manually checking each mailbox that I know this person has access to, but when I run this script it returns no results. If I run it on myself I get results, but they are not completely accurate. Any ideas why this would be acting this way?
Tracy
shauncroucher said
The code will only show 'Explicit permissions'. You could try removing the explicit entry and it will show all entries, whether inherited from an object above or not.
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | ?{($_.AccessRights -eq "FullAccess") -and ($_.User -like 'DOMAIN\user')} | ft Id*
Shaun
jt said
To fix the send-as permission script, you should move the end bracket for the foreach-object cmdlet to after the add-adpermission cmdlet, otherwise it will only set these permissions on the last object.
Get-Mailbox | foreach-object{$mbDN = $_.distinguishedname; Add-ADPermission -identity $mbDN -User "DOMAIN\JoeBloggs" -ExtendedRights "Send-as"}
shauncroucher said
Quite right, thanks for spotting this typo and visiting the blog.
Cheers
Shaun