PowerShell: Export All Exchange Mailbox Folder Permissions In A Format For Further Processing: Part 1

Within Exchange (on-premises or Online) it’s sometimes helpful to export the delegate permissions that a user can set within their mailbox. Get-MailboxFolderPermission is the cmdlet which will export that information for a particular folder. The identifier needs to be in the format “john@contoso.com:\Marketing\Reports”.

That said, there’s no easy way to export the permissions on ALL folders within a mailbox, and the output of that command isn’t very helpful for further processing.

So, a script. It’ll take a mailbox as a parameter and output the permissions on all the mailbox folders (and subfolders) as objects.

This is the explanation about the initial version of the script, here.

The full version of the script is here.

The initial part of the script is pretty straightforward. The first interesting bit is:

$FolderNames=$MailboxToProcess| Get-MailboxFolderStatistics |
 Select -ExpandProperty FolderPath | %{$MailboxToProcess.DistinguishedName.ToString() +":"+($_ -replace ("/","\"))}

This gets a list of all the folders within a mailbox (via Get-MailboxFolderStatistics | Select -ExpandProperty FolderPath) and then builds a string of the format Get-MailboxFolderPermission wants: the mailbox name, a colon (“:“) and then the folder path (using “\” as a separator).

$PermissionsList=@()
 Foreach ($FolderName in $FolderNames)
 {
 $FolderPermissions=Get-MailboxFolderPermission -Identity $FolderName
 foreach ($FolderPermission in $FolderPermissions)
 {

Here the script loops through each of the folder identifiers it’s found and then loops again through each permission on that folder.

$PermissionsObject=New-Object -typename PSObject
 $PermissionsObject | Add-Member -MemberType NoteProperty -Name "Identity" -Value ([string]$FolderName)
 $PermissionsObject | Add-Member -MemberType NoteProperty -Name "User" -Value ([string]($FolderPermission.User.ToString()))
 [string[]]$AccessRightsStringArray=@()
 foreach ($Right in $FolderPermission.AccessRights)
 {
 $AccessRightsStringArray+=$Right.ToString()
 }
 if ($AccessRightsStringArray.Count -eq 0)
 {
 Write-Verbose "No Access Rights detected"
 Continue
 }

For each permission entry on the folder the code above creates an object and populates it with the identity of the folder (“john@contoso.com:\Marketing\Reports“), the user with the permission on that folder and the access rights they have.

if ($AccessRightsStringArray.Count -eq 1)
 {
 $AccessRightsString=$AccessRightsStringArray[0]
 }else
 {
 $AccessRightsString=$AccessRightsStringArray -Join ","
 }
 $PermissionsObject | Add-Member -MemberType NoteProperty -Name "AccessRights" -Value ([string]$AccessRightsString)
 $PermissionsList+=$PermissionsObject
 }
 }
 Return @($PermissionsList | ?{!((($_.User -eq "Default") -or ($_.User -eq "Anonymous")) -and ($_.AccessRights -eq "None"))})

The access rights returned by Get-MailboxFolderPermission could be a single entry or multiple entries (“Editor, Reviewer”). I really want these as a string, so if there’s more than one entry the script concatenates them with a “,” connector.

The script builds an array of all the permissions and outputs it at the end. If you wanted it to output each permission object as it’s built (streamed to the output) you could change the end to:

$PermissionsObject | Add-Member -MemberType NoteProperty -Name "AccessRights" -Value ([string]$AccessRightsString)
 Write-Output $PermissionsObject
 }
 }
 }
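Because each permission comes back as an object with Identity, User and AccessRights (a comma-joined string), the output can be filtered directly for review. The following is an added example, not part of the original script: it flags entries where Default or Anonymous hold anything beyond a benign right, or where a named delegate holds a role that can modify content. The function name Find-RiskyFolderPermission, the two role lists and the sample rows are assumptions constructed for illustration; it needs PowerShell 3.0 or later.

```powershell
# Added example: triage the objects produced by the export script.
# Hypothetical names: Find-RiskyFolderPermission, $BenignForEveryone, $WriteRoles.
function Find-RiskyFolderPermission {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Permission
    )
    begin {
        # Rights treated as harmless for Default/Anonymous (assumption; tune per policy).
        $BenignForEveryone = @('None', 'AvailabilityOnly')
        # Roles that let a delegate change or delete content (assumption; tune per policy).
        $WriteRoles = @('Owner', 'PublishingEditor', 'Editor', 'PublishingAuthor', 'Author')
    }
    process {
        # AccessRights arrives as "Editor,Reviewer"; split it back into individual rights.
        $Rights = @($Permission.AccessRights -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $Reason = $null
        if ($Permission.User -in 'Default', 'Anonymous') {
            $Extra = @($Rights | Where-Object { $_ -notin $BenignForEveryone })
            if ($Extra.Count -gt 0) { $Reason = "Broad principal holds: $($Extra -join ',')" }
        }
        else {
            $Write = @($Rights | Where-Object { $_ -in $WriteRoles })
            if ($Write.Count -gt 0) { $Reason = "Delegate can modify content: $($Write -join ',')" }
        }
        if ($Reason) {
            [pscustomobject]@{
                Identity     = $Permission.Identity
                User         = $Permission.User
                AccessRights = $Permission.AccessRights
                Reason       = $Reason
            }
        }
    }
}

# Constructed sample rows in the shape the script emits (not real export data).
$Sample = @(
    [pscustomobject]@{ Identity = 'john@contoso.com:\Calendar';          User = 'Default';   AccessRights = 'AvailabilityOnly' }
    [pscustomobject]@{ Identity = 'john@contoso.com:\Inbox';             User = 'Default';   AccessRights = 'Reviewer' }
    [pscustomobject]@{ Identity = 'john@contoso.com:\Marketing\Reports'; User = 'Jane Doe';  AccessRights = 'Editor,Reviewer' }
    [pscustomobject]@{ Identity = 'john@contoso.com:\Marketing';         User = 'Sam Smith'; AccessRights = 'Reviewer' }
)
$Sample | Find-RiskyFolderPermission | Format-Table -AutoSize
```

With the sample rows, only the Inbox entry for Default and the Marketing\Reports entry for Jane Doe are returned; the same function accepts the script's real output on the pipeline.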
