Do you know the Full Access Permissions in your environment? – Be aware if you migrate your Exchange to a newer version!


During Exchange migrations, some ‘new’ features can make your day happy – or not. When migrating from Exchange 2007, a new feature in Exchange/Outlook can have a huge impact on the access permissions for your mailboxes.

Think about the following scenario:

There are two users: User A, let’s call him EXGuru, and User B. EXGuru should get access to the mailbox of User B. Years ago this permission was assigned on Exchange 2007. The permission was assigned, but the Helpdesk team never added the mailbox to EXGuru’s existing Outlook profile. Everyone (EXGuru, User B and the Helpdesk) forgot about that permission.

Now the mailbox is moved to Exchange 2013/2016 and wohooo – the mailbox of User B shows up in EXGuru’s Outlook profile. This happens because the existing permissions are migrated, and because of the ‘new’ auto mapping feature in Exchange those mailboxes show up even though they were not shown with Exchange 2007.

Normally this shouldn’t be a problem, but it can become one. With this script you can check the existing permissions and review whether there are still permissions assigned that shouldn’t be. A good place to start is the management mailboxes.

# Explicit (non-inherited) FullAccess grants on one mailbox, excluding SELF and entries shown only as SIDs
Get-Mailbox -Identity <mailbox> | Get-MailboxPermission | where {$_.User.ToString() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false -and $_.AccessRights -match "FullAccess" -and ($_.User -notlike 'S-1-5*')} | Select Identity,User,@{Name='AccessRights';Expression={[string]::Join(', ', $_.AccessRights)}}
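
To review the whole organization before the move instead of one mailbox at a time, the same filter can be run over every mailbox and written to a report. This is an added example, not part of the original script; it assumes the Exchange Management Shell on Exchange 2013/2016 (PowerShell 3.0 or later), and the report path and column names are assumptions.

```powershell
# Added example: inventory explicit FullAccess grants on all mailboxes.
# $ReportPath is an assumed output location; change it as needed.
$ReportPath = Join-Path $env:TEMP 'FullAccessAudit.csv'

# @() keeps $report an (empty) array when nothing matches, so the
# pipelines below do not receive $null.
$report = @(
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        Get-MailboxPermission -Identity $mbx.Identity |
            Where-Object {
                # Same conditions as the one-liner above
                $_.User.ToString() -ne 'NT AUTHORITY\SELF' -and
                $_.IsInherited -eq $false -and
                $_.AccessRights -match 'FullAccess' -and
                $_.User -notlike 'S-1-5*'
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Mailbox      = $mbx.DisplayName
                    MailboxSmtp  = "$($mbx.PrimarySmtpAddress)"
                    Trustee      = $_.User.ToString()
                    Deny         = $_.Deny   # a Deny entry blocks access, it does not grant it
                    AccessRights = [string]::Join(', ', $_.AccessRights)
                }
            }
    }
)

# Trustees with FullAccess on the most mailboxes are listed first;
# forgotten grants on management mailboxes tend to stand out here.
$report |
    Group-Object -Property Trustee |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name |
    Format-Table -AutoSize

# Full detail for review with the mailbox owners
$report | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8
Write-Host "Found $($report.Count) explicit FullAccess entries, report: $ReportPath"
```

Grants that turn out to be stale can then be removed with Remove-MailboxPermission before the mailbox is moved.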

Your EXGuru – aka Peter Forster – aka Satschent Peter
