- 1: Get the list of shared mailboxes
  - Command: Get-Mailbox | where {$_.recipientTypeDetails -eq 'sharedmailbox'}
- 2: Iterate over each shared mailbox
  - A: Get-Mailbox (mailbox details and GrantSendOnBehalf)
    - We will store the following attributes of each mailbox object:
      - ExternalDirectoryObjectId - will be used to uniquely identify shared mailboxes.
      - DisplayName - we will store this to show the shared mailbox name.
      - EmailAddresses - we will expand this multi-valued attribute to get all the email addresses (primary as well as alias) of this shared mailbox.
      - GrantSendOnBehalfTo - this gives a comma-separated list of members who have 'Send on Behalf' rights.
    - We will get the entity for each comma-separated identity given in the GrantSendOnBehalfTo attribute, using the ‘getEntity’ logic explained later.
  - B: Get-MailboxPermission (Full Access)
    - Get-MailboxPermission -Identity $sharedmailbox.ExternalDirectoryObjectId | ? { $_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false -and $_.AccessRights -like '*FullAccess*' }
    - We will use the string value of 'User' from the results of this query to fetch entities.
    - We will get the entity from the value returned in the User attribute, using the ‘getEntity’ logic.
  - C: Get-RecipientPermission (Send As)
    - Get-RecipientPermission -Identity $sharedmailbox.ExternalDirectoryObjectId | ? { $_.Trustee -ne "NT AUTHORITY\SELF" -and $_.AccessRights -like '*SendAs*' }
    - We will get the entity from the value returned in the Trustee attribute, using the ‘getEntity’ logic.
  - D: Get user or group if we have found an email:
    - Get-User -Identity EMAIL_ID -Filter "WindowsEmailAddress -eq 'EMAIL_ID'" -ErrorAction SilentlyContinue
    - Get-Group -Identity EMAIL_ID -Filter "WindowsEmailAddress -eq 'EMAIL_ID'" -ErrorAction SilentlyContinue
  - E: Get only group if we have found a name:
    - Get-Group -Identity NAME_OF_GROUP -Filter "Name -eq 'NAME_OF_GROUP'" -ErrorAction SilentlyContinue
- GetEntity logic:
  - 1: Ignore if it is a SID - we will use a SID regex (get SID from Ashok).
  - 2: Ignore if the string contains ‘/’.
  - 3: If it is an email, getUser and getGroup by the email filter.
  - 4: If none of the above applies, getGroup using the Name filter.
- We will give rights to all the entities fetched by the above logic.
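
The four getEntity rules as a classifier plus a resolver, added here as an example and not part of the original paste. The function names, both regexes and the sample strings are assumptions (the paste defers the real SID regex), and Resolve-Entity needs a connected Exchange Online session.

```powershell
# Added example. Names, regexes and sample values are assumptions, not from the paste.
$SidPattern   = '^S-1-\d+(-\d+)+$'               # assumed SID shape (S-1-<authority>-<sub-authorities>)
$EmailPattern = '^[^@\s/]+@[^@\s/]+\.[^@\s/]+$'  # assumed, deliberately loose email test

function Get-TrusteeKind {
    # Pure classification: applies getEntity rules 1-4 in order.
    param([Parameter(Mandatory)][string]$Value)
    $v = $Value.Trim()
    if ($v -match $SidPattern)   { return 'Sid' }        # rule 1: ignore
    if ($v.Contains('/'))        { return 'Path' }       # rule 2: ignore
    if ($v -match $EmailPattern) { return 'Email' }      # rule 3: user or group by email
    return 'GroupName'                                   # rule 4: group by Name
}

function Resolve-Entity {
    # Runs the lookups from steps D and E; requires an Exchange Online session.
    param([Parameter(Mandatory)][string]$Value)
    $v = $Value.Trim()
    # Trustee strings are data: double any single quote before embedding in -Filter.
    $q = $v.Replace("'", "''")
    switch (Get-TrusteeKind $v) {
        'Email' {
            Get-User  -Identity $v -Filter "WindowsEmailAddress -eq '$q'" -ErrorAction SilentlyContinue
            Get-Group -Identity $v -Filter "WindowsEmailAddress -eq '$q'" -ErrorAction SilentlyContinue
        }
        'GroupName' {
            Get-Group -Identity $v -Filter "Name -eq '$q'" -ErrorAction SilentlyContinue
        }
        default { }   # Sid and Path values are skipped
    }
}

# Constructed sample trustee strings, classified offline.
$samples = @(
    'S-1-5-21-1111111111-2222222222-3333333333-1104',
    'contoso.example/Users/Former Employee',
    'jane.doe@contoso.example',
    'Finance Team',
    'CONTOSO\svc-backup'
)
$samples |
    ForEach-Object { [pscustomobject]@{ Value = $_; Kind = Get-TrusteeKind $_ } } |
    Format-Table -AutoSize
```

Under the four rules as written, a DOMAIN\name trustee such as the last sample is neither a SID, a path nor an email, so it falls through to the group Name lookup.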