PowerShell: Export All Exchange Mailbox Folder Permissions In A Format For Further Processing

Within Exchange (on-premise or Online) it’s sometimes helpful to export the delegate permissions that a user can set within their mailbox.  Get-MailboxFolderPermission is the cmdlet which will export that information for a particular folder.  The identifier needs to be in the format “john@contoso.com:\Marketing\Reports”.

That said there’s not an easy way to export the permissions on ALL folders within a mailbox and the output for that command isn’t very helpful for further processing.

So;  script.  It’ll take a mailbox as a parameter and output the permissions on all the mailbox folders (and subfolders) as objects.

I wrote a post about the initial version of the script and how it works in Part 1 here.

The first update, allowing the function to deal with special folders and the root better is here (Part 2).
The following is the most recent version of the script;

function New-PermissionReportObjectArray
        Write-Verbose "Started running $($MyInvocation.MyCommand)"
        [string[]]$FolderExclusions = @("/Sync Issues","/Sync Issues/Conflicts","/Sync Issues/Local Failures","/Sync Issues/Server Failures","/Recoverable Items","/Deletions","/Purges","/Versions")

        Write-Verbose "Getting array of all mailbox folder permissions" 
        Write-Verbose ("Mailbox: "+$MailboxToProcess.PrimarySMTPAddress)

        $FolderNames=$MailboxToProcess| Get-MailboxFolderStatistics | Where-Object {!($FolderExclusions -icontains $_.FolderPath)} |
                Select-Object -ExpandProperty FolderPath | ForEach-Object{$MailboxToProcess.DistinguishedName.ToString() +":"+($_ -replace ("/","\"))}
        Foreach ($FolderName in $FolderNames)
            Write-Verbose "Getting Permissions On $FolderName"
            $FolderName=$FolderName -replace ("Top Of Information Store","")
            $FolderPermissions=Get-MailboxFolderPermission -Identity $FolderName
            foreach ($FolderPermission in $FolderPermissions)
                $PermissionsObject=New-Object -typename PSObject      
                $PermissionsObject | Add-Member -MemberType NoteProperty -Name "Identity" -Value ([string]$FolderName)
                $PermissionsObject | Add-Member -MemberType NoteProperty -Name "User" -Value ([string]($FolderPermission.User.ToString()))
                foreach ($Right in $FolderPermission.AccessRights)
                if ($AccessRightsStringArray.Count -eq 0)
                    Write-Verbose "No Access Rights detected"
                if ($AccessRightsStringArray.Count -eq 1)
                    $AccessRightsString=$AccessRightsStringArray -Join ","
                $PermissionsObject | Add-Member -MemberType NoteProperty -Name "AccessRights" -Value ([string]$AccessRightsString)
        Return @($PermissionsList | ?{!((($_.User -eq "Default") -or ($_.User -eq "Anonymous")) -and ($_.AccessRights -eq "None"))})
        Write-Verbose "Stopped running $($MyInvocation.MyCommand)"

3 thoughts on “PowerShell: Export All Exchange Mailbox Folder Permissions In A Format For Further Processing”

  1. Would love to know the version of PowerShell used for this. Trying to do similar things with the pipeline input for the mailbox object type but running into either pipeline is already executing or if I handle that with old methods I’m getting duplicates in my output.

  2. I would love to know the version of PowerShell and Operating System used for this. I’m trying to do something similar with accepting the mailbox object from the pipeline, with 2012R2 and PowerShell 4.0 but running into Pipeline is already executing errors. When I try to address that using new variables in the script with | foreach, that works but I’m getting duplicates in my final output.

    1. Hi. Just tested it on Windows 2008 R2 + PowerShell 2 (the version with Exchange 2010). I piped a variable containing the results of “Get-Mailbox” to it and it worked ok.

      I “.” sourced the script (. [Path the script]) and ran the command with $MBS | New-PermissionReportObjectArray.

      Looking at it I’ve made some improvements though; I’ll post the updated version at the end of the week.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s