Unable to show Exchange "Mailbox Send On Behalf" Permission

I tried to use the following script to show which users have “Send On Behalf” permission to the mailbox of “myUserID” in an Exchange 2012 environment, but the result does not show the users who actually have “Send On Behalf” permission to the mailbox of “myUserID” compared to the results from the “Exchange admin center” GUI. Please advise which command/parameter to use to show the results correctly. Thanks in advance.

Get-ADUser -identity "myUserID" | %{Get-ADPermission -Identity $_.DistinguishedName | where {$_.ExtendedRights -like "*Send*"} | ft User,AccessRights -AutoSize}

Here is the result, which does not show the users who actually have “Send On Behalf” permission to the mailbox of “myUserID” compared to the results from the “Exchange admin center” GUI:

User              AccessRights   
----              ------------   
NT AUTHORITY\SELF {ExtendedRight}

I googled it for you … :wink:

https://www.google.com/search?q=powershell+exchange+GrantSendOnBehalf

Here are some of the first hits:

And BTW:

Something like that does not exist. :smirk:

Thanks Olaf for your quick response with useful links. What command/parameter to use to show the “Send As” or “Send On Behalf” permission list of mailbox “myUserID” in Exchange 2012 environment?

I do believe Olaf kindly pointed out there is no such build for Exchange Server 2012. I suspect what you are really referring to is the Server OS of 2012. If that is the case, you should really think about upgrading the server as it reaches end of life soon.

Sorry my bad. It’s Exchange 2013 version 15.0 (Build 1497.2) on Windows Server 2012.

That’s very very very outdated as well and you have been running your Exchange server for more than 2 years in an unsupported state.

Are the links I posted not working for you? Did you read the help on the sites? Actually it is on the first link I posted. :man_shrugging:t3:

Thanks @Olaf, thanks all for your help.

First, not to beat the dead horse or to pile on about upgrading, but if you have any pull with your organization I also strongly encourage getting on a current Windows OS and version of Exchange. In addition to typical supportability and security issues, an often less thought of reason is documentation. It is going to get harder and harder to come by information and examples for the versions you are on. Also, people who have moved on, years ago, they are going to start to forget stuff and be less able to help those still on old versions. No longer used knowledge is perishable.

A prime example of what I am getting at is the links googled for you, they mostly talk about newer versions of Exchange, primarily Exchange Online and not everything you can do there is possible with Exchange 2013/2016/2019. Fortunately, for now the answer to your “Send on Behalf” question is the same for Exchange 2013 as it is for Exchange online, so the links are still useful for your core question today.

You need to use Get-Mailbox

Get-Mailbox -Identity bugs.bunny | Format-List name,GrantSendOnBehalfTo

Name                : Bugs Bunny
GrantSendOnBehalfTo : {contoso/UserTestAccounts/Elmer Fudd}

If you want to just check the occasional request, this is all you need. If you want a script that will check all mailboxes, this will get you started. Same for if you want to manipulate data into a more usable format for your needs.

As for the cmdlets you shared in your opening post. Why did it not work? First, for “send on behalf” it was the wrong cmdlets. What you posted is usable for finding “send as”, but how you approached it has some room for improvement.

First, while using Get-ADuser will work, it is not the best choice. Primary reason, what if the AD account is not mailbox enabled? It is still checked. So not efficient and wastes processing. A small AD with just a few hundred and a decent place to run the script, not a problem. But if you have 1000s in your AD, becomes a problem. Next, the return is the same regardless of not being mailbox enabled or simply having no delegate.

User              AccessRights
----              ------------
NT AUTHORITY\SELF {ExtendedRight}

So unless you KNOW the ID being checked does have a mailbox, on the surface it would appear to have failed. But it did not.

If there is a mailbox, and it has a delegate, you get a return like this. Still room for improvement, because how can you be sure “ExtendedRight” is “SendAs”?

User                AccessRights
----                ------------
NT AUTHORITY\SELF   {ExtendedRight}
contoso\daffy.duck  {ExtendedRight}

If you use Get-Mailbox, you are able to be more efficient and be sure you are only checking mailboxes.

Get-Mailbox -Identity bugs.bunny | Get-ADPermission | Where-Object { $_.ExtendedRights.rawidentity -like "*send*" } |ft user,extendedrights

Returns

User                ExtendedRights
----                --------------
NT AUTHORITY\SELF   {Send-As}
contoso\daffy.duck  {Send-As}

More useful, more efficient. But not complete if you want to check more than one mailbox at a time.

The “Send As” is also an example of where things are going to slowly become harder to find if you have not learned how to find this already. The example for Exchange online uses different cmdlets not available to Exchange on prem.
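The post above leaves the "check more than one mailbox at a time" case open. The following is an added example, not code from any poster in this thread: it combines the two approaches shown (GrantSendOnBehalfTo from Get-Mailbox, Send-As from Get-ADPermission) into one delegation report for the Exchange Management Shell on-premises. Skipping inherited entries, Deny entries and NT AUTHORITY\SELF, and the CSV file name, are choices made for this example.

```powershell
# Added example: run in the on-premises Exchange Management Shell.
# Builds one row per (mailbox, delegate, permission) so unexpected
# "Send on Behalf" or "Send As" delegates stand out in a review.
$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {

    # "Send on Behalf" is a property of the mailbox itself.
    foreach ($delegate in $mbx.GrantSendOnBehalfTo) {
        [pscustomobject]@{
            Mailbox    = "$($mbx.PrimarySmtpAddress)"
            Delegate   = "$delegate"
            Permission = 'SendOnBehalf'
        }
    }

    # "Send As" is an AD extended right on the mailbox's user object.
    # Assumption for this example: only explicit Allow entries are of
    # interest, and the mailbox owner's own SELF entry is noise.
    Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object {
            ($_.ExtendedRights -like '*Send-As*') -and
            (-not $_.IsInherited) -and
            (-not $_.Deny) -and
            ($_.User -notlike 'NT AUTHORITY\SELF')
        } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox    = "$($mbx.PrimarySmtpAddress)"
                Delegate   = "$($_.User)"
                Permission = 'SendAs'
            }
        }
}

# Review on screen, grouped by mailbox.
$report | Sort-Object Mailbox, Permission, Delegate | Format-Table -AutoSize

# Keep a copy to diff against the next run (file name is a placeholder).
$report | Export-Csv -Path .\SendDelegates.csv -NoTypeInformation
```

Mailboxes with no delegates produce no rows, so an empty report means no explicit delegation was found rather than a failed query.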

Wow, thank you Matt. Deeply appreciate your insightful response. Thank you, everyone, for your help/response. I learned more than I expected when I posted my initial question. Thanks all.