Master Exchange 2007

powershell, automation & more…

How to bulk add Send-As and FullAccess permissions using exchange 2007 powershell using add-adpermission and add-mailboxpermission

Posted by shauncroucher on October 28, 2009


Some email administrators have been asking how to add the Send-As and FullAccess permission to many users at once for a particular user account.

Its quite a straightforward command to achieve this, but it should be noted that it is not the Add-MailboxPermission you use, it is the Add-ADPermission for the Send-As rights.

You can easily amend this for adding FullAccess rights in bulk

So, to add Send-As rights for user JoeBloggs to ALL Mailboxes in your organisation:

Get-Mailbox | foreach-object{$mbDN = $_
.distinguishedname; Add-ADPermission -identity $mbDN -User “DOMAIN\JoeBloggs”
-ExtendedRights “Send-as”}

The CSV Approach

And if you have a list of users\mailboxes OR both you wish to process:

Create a CSV with 2 colums. TheMailbox and TheUser

For instance lets say the CSV looks like this:

TheMailbox,TheUser
emp70,emp66
emp71,emp67
emp72,emp68

This will give user emp66 Send-As rights to user emp70’s mailbox, user emp67 to user emp71’s mailbox etc etc

$Thelist = Import-csv “C:\thelist.csv”

ForEach($theobject in $thelist) {$theMBDN = (Get-Mailbox $theobject.the
mailbox).distinguishedname; Add-ADPermission $thembDN -Extendedrights “Send As”
-User $theobject.theuser}

To Add Mailbox ‘FullAccess’ permissions using the CSV approach…

Just a few small changes needed…

ForEach($theobject in $thelist) {$theMBDN = (Get-Mailbox $theobject.the
mailbox).distinguishedname; Add-MailboxPermission $thembDN -Accessrights “FullAccess” -User $theobject.theuser}

Shaun

Advertisements

12 Responses to “How to bulk add Send-As and FullAccess permissions using exchange 2007 powershell using add-adpermission and add-mailboxpermission”

  1. Lee Stevens said

    this is good info, but how can I do the reverse? I need to see what mailboxes a certain user has access to

    • shauncroucher said

      Hi Lee,

      Something like this will give you a list of all mailboxes that a particular user has FullAccess for (replace DOMAIN\user accordingly). It will run for the whole Exchange Organisation:

      Get-Mailbox | Get-MailboxPermission | ?{($_.AccessRight
      s -eq “FullAccess”) -and ($_.User -like ‘DOMAIN\user’) -and ($_.IsInherited -eq $false)} | ft Id*

      Shaun

  2. Lee Stevens said

    Hi Shaun,

    This not working correctly in my environment, there is a secific user that has permissions to several mailboxes and can verify this by manually checking each mailbox that I know this person has access to, but when I run this script it return no results. If I run it on myself I get results but they are not comlpetely accurate. Any ideas why this would be acting this way?

    Tracy

    • shauncroucher said

      The code will only show ‘Explicit permissions’. you could try removing the explicit entry and it will show all entries, whether inherited from an object above or not.

      Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | ?{($_.AccessRight
      s -eq “FullAccess”) -and ($_.User -like ‘DOMAIN\user’)} | ft Id*

      Shaun

  3. jt said

    To fix the send-as permission script, you should move the end bracket for the foreach-object cmdlet to after the add-adpermission cmdlet, otherwise it will only set these permissions on the last object.

    Get-Mailbox | foreach-object{$mbDN = $_
    .distinguishedname; Add-ADPermission -identity $mbDN -User “DOMAIN\JoeBloggs”
    -ExtendedRights “Send-as”}

  4. Garry said

    I find this hard to follow. Why did you specify the csv columns as “TheMailbox” and “TheUser”, then immediately give an example that doesn’t use either?

    • Garry said

      lol sorry, disregard. I was looking at something completely different.

    • shauncroucher said

      Hi,

      This is because you do not use the column names, you load the script into an array and then iterate through each item.

      Hope this helps
      Shaun

  5. Alberto said

    Hi,
    is there a way to list FullAccess and Send-as permission from a csv list? The best would be export all in a CSV

  6. Daniel said

    Thank you so much for this. The code really helped me out. I had to tweak it a bit for my environment (Exchange 2010, multi-domain), but it worked very well. Here is what I ended up with after changing it up a bit:

    $Thelist = Import-csv “”

    ForEach($theobject in $thelist) {Add-ADPermission -DomainController -identity $theobject.themailbox -User $theobject.theuser -AccessRights ExtendedRight -Extendedrights “Send As”}

    Make sure the first line of the csv has TheMailbox,TheUser. My csv didn’t have that header at first and kept getting NULL errors for the parameters.

    • Daniel said

      Whoops, my brackets got eaten.

      $Thelist = Import-csv “full path to csv”

      ForEach($theobject in $thelist) {Add-ADPermission -DomainController fully.qualified.domain.name -identity $theobject.themailbox -User $theobject.theuser -AccessRights ExtendedRight -Extendedrights “Send As”}

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: