Get list of user and shared mailboxes that have Full, SendAs and SendOnBehalf rights

Hi All,

I have a PowerShell script that needs to be modified to get a list of mailboxes (shared and user) that have Full, SendAs and SendOnBehalf, list those users, and export it to CSV.

$RMailbox = Get-Mailbox -RecipientTypeDetails Usermailbox,Sharedmailbox -ResultSize Unlimited
$(Foreach ($R in $RMailbox){
$St = $R | Get-MailboxStatistics 
	New-Object PSObject -Property @{
		Name = $R.Name
		Email = $R.PrimarySmtpAddress
		LastLoggedOnUserAccount = $St.LastLoggedOnUserAccount
		LastLogonTime  = $St.LastLogonTime
		LastLogoffTime = $St.LastLogoffTime
		FullMBXPerm = ($R | Get-MailboxPermission |?{$_.AccessRights -like "Fullaccess" -and $_.User -NotMatch "(Self|SYSTEM|^S-1-5-)"} | %{$_.User.ToString()}) -join ","
		SendAs = ($R | Get-ADPermission |?{$_.ExtendedRights -like "Send-as" -and $_.User -NotMatch "(Self|SYSTEM|^S-1-5-)"} | %{$_.User.ToString()}) -join ","
		Owner = ($R | get-recipient).Manager
	}
}) | Select Name,Email,Owner,FullMBXPerm,SendAS,Last* | Export-Csv C:\Scripts\Output.csv -NTI -Append

The only thing missing in this script is users having SendOnBehalf rights to mailboxes. Can anyone help me add it to the script, please?

I would add this into your custom object

SendOnBehalf = $R.GrantSendOnBehalfTo

If you only want it to return when valued, something like this:

SendOnBehalf = $R | Where {$_.GrantSendOnBehalfto -ne $null}

Thanks Jon,

I tried the solution. It gives the wrong users in the SendOnBehalf column. Mostly the actual mailbox owner comes up in that column rather than the user who has SendOnBehalf rights. Any ideas?

$RMailbox = Get-Mailbox -RecipientTypeDetails UserMailbox,Sharedmailbox -ResultSize Unlimited
$(Foreach ($R in $RMailbox){
$St = $R | Get-MailboxStatistics 
	New-Object PSObject -Property @{
		Name = $R.Name
		Email = $R.PrimarySmtpAddress
		LastLoggedOnUserAccount = $St.LastLoggedOnUserAccount
		LastLogonTime  = $St.LastLogonTime
		LastLogoffTime = $St.LastLogoffTime
		FullMBXPerm = ($R | Get-MailboxPermission |?{$_.AccessRights -like "Fullaccess" -and $_.User -NotMatch "(Self|SYSTEM|^S-1-5-)"} | %{$_.User.ToString()}) -join ","
		SendAs = ($R | Get-ADPermission |?{$_.ExtendedRights -like "Send-as" -and $_.User -NotMatch "(Self|SYSTEM|^S-1-5-)"} | %{$_.User.ToString()}) -join ","
		SendOnBehalf = ( $R | Where {$_.GrantSendOnBehalfto -ne $null})
		Owner = ($R | get-recipient).Manager
	}
}) | Select Name,Email,Owner,FullMBXPerm,SendAS,SendOnBehalf,Last* | Export-Csv C:\Scripts\MailboxRights.csv -NTI -Append

Does the SendOnBehalf need to look like this? Not sure if it would make much sense either. Any help would be great.

SendOnBehalf = ( $R | Where {$_.GrantSendOnBehalfto -ne $null -and $_.User -NotMatch "(Self|SYSTEM|^S-1-5-)"} | %{$_.User.ToString()}) -join ","

It looks like you may be running Exchange on-prem? I only have Exchange Online to validate against. In O365, GrantSendOnBehalfTo is valued as null if no one else is granted that permission.

Not knowing how it behaves on-premises, I can’t tell you how to format it. You will need to play around with it until you get the query that suits your needs.
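An added example, not part of the original posts, showing why filtering `$R` with `Where` puts the mailbox itself in the column, next to reading the delegates out of `GrantSendOnBehalfTo` directly. `Format-SendOnBehalf` is a hypothetical helper name, the mailbox objects are constructed stand-ins for `Get-Mailbox` output, and the shape of the on-premises entries (objects exposing `.Name`) is an assumption.

```powershell
# Added example. Format-SendOnBehalf is a hypothetical helper name.
function Format-SendOnBehalf {
    param([Parameter(Mandatory)] $Mailbox)

    # GrantSendOnBehalfTo is a multi-valued mailbox property; it is empty or
    # $null when nobody holds the right. @() normalises both cases to an array.
    $delegates = @($Mailbox.GrantSendOnBehalfTo | Where-Object { $_ })

    $names = foreach ($d in $delegates) {
        # Assumption: on-premises entries are directory object IDs exposing
        # .Name, while Exchange Online returns plain strings.
        if ($d -is [string]) { $d }
        elseif ($d.PSObject.Properties['Name']) { $d.Name }
        else { $d.ToString() }
    }
    $names -join ','
}

# Constructed sample data standing in for Get-Mailbox output.
$mailboxes = @(
    [pscustomobject]@{ Name = 'Shared-Finance'; GrantSendOnBehalfTo = @(
        [pscustomobject]@{ Name = 'Alice Example' },
        [pscustomobject]@{ Name = 'Bob Example' }) }
    [pscustomobject]@{ Name = 'Carol Example'; GrantSendOnBehalfTo = @('dave@example.test') }
    [pscustomobject]@{ Name = 'Erin Example'; GrantSendOnBehalfTo = $null }
)

foreach ($R in $mailboxes) {
    [pscustomobject]@{
        Name = $R.Name
        # Filtering $R passes the mailbox object itself through, so this column
        # repeats the mailbox instead of listing its delegates.
        FilteredMailbox = ($R | Where-Object { $_.GrantSendOnBehalfTo -ne $null }).Name
        # Reading the property lists who actually holds the right.
        SendOnBehalf = Format-SendOnBehalf -Mailbox $R
    }
}
```

In the script from the thread, the `SendOnBehalf` entry of the custom object would call the helper on `$R` in the same way; check the output against a mailbox with a known delegate before relying on the CSV for a permissions review.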