Hi All,
I’m connected to exchange online with powershell. A client wants me to show all of the mailbox permissions for a large number of shared mailboxes to find out who has access.
So I can
Get-Mailbox | Get-MailboxPermission
But I can’t run any Where-object {} script or Export-CSV, out-gridview, anything.
Any ideas?
Cheers
Liam K
Hi Liam,
Can you give an example of the first few lines of what is actually resturned when you run the first command?
Thanks Tim,
Identity User AccessRights IsInherited Deny
John Smith NT AUTHORITY\SELF {FullAccess,ReadPermission} False False
Bringing up all of the permissions is not a problem, that works fine. The problem is if I try to filter them with
where-object {$.user.tostring() -ne “NT AUTHORITY\SELF” -and $.IsInherited -eq $false} or something like that. Where-Object does not exist in Exchange Online, nor do things like Export-CSV. What the client is after is a report of all the permissions on all the mailboxes that aren’t “self” or inherited, which should leave only permissions that have been set by the admin.
Exchange Online lacks Where-Object because people tend to abuse it ;). In a case like this, you’d be engaging some serious processing power if you had a lot of mailboxes, and Microsoft doesn’t want their servers bogged down like that.
You’re probably going to have to get a list of mailboxes, bring that over to your local computer, and then enumerate them. For each mailbox, you’ll have to get its permissions and store that information locally.
This gets easier if, instead of using Invoke-Command to run the commands, you implicitly remote the commands. That gives you deserialized objects on your computer - meaning you could run Where-Object, but the processing for that would happen locally, not remotely, so it’d work. So you’d start with your connection to Exchange as a PSSession, and then use Import-Module with that PSSession to bring the server module over to your computer (it doesn’t actually copy the module).
Thanks Don. I was connecting as a PSSession - but then I was entering the session, and hence could do nothing. Did it your way and it worked perfectly.
Thankyou!