exchange 2007: powershell how to see if someone has delegated access of their inbox to others?
is there a script to show who a user has delegated to his/her inbox? Additionally is there a way to remove delegation without logging in as the user? I'm not talking about the send as and full mailbox permissions I can see in the EMC.
October 1st, 2010 3:31pm
On Fri, 1 Oct 2010 19:29:23 +0000, philldogger wrote:
>is there a script to show who a user has delegated to his/her inbox? Additionally is there a way to remove delegation without logging in as the user? I'm not talking about the send as and full mailbox permissions I can see in the EMC.
You can look at the publicDelegates and publicDelegatesBL properties
on a mailbox to see who the delegates are. You can look at any mailbox
and the publicDelegatesBL and see the mailboxes for which this one is
a delegate. This assumes, of course, that the delegates are added and
remove properly.
Delegate are also represented by hidden rules in a mailbox, so enve if
the delegates property is emptye it's sill possible that the mailbox
things there are delegates. To get at those hidden rules requires you
to either create a profile and open the mailbox, or to write code to
look at the folders in the mailbox for the permissions assigned to
those delgates.
---
Rich Matheisen
MCSE+I, Exchange MVP
--- Rich Matheisen MCSE+I, Exchange MVP
Free Windows Admin Tool Kit Click here and download it now
October 1st, 2010 9:39pm
Using the EWS managed API:
$MailboxName = "<smtp address of mailbox to check>"
$uri=[system.URI] “https://<CAS server name>/ews/exchange.asmx”
$dllpath = "C:\Program Files\Microsoft\Exchange\Web Services\1.0\Microsoft.Exchange.WebServices.dll"
[void][Reflection.Assembly]::LoadFile($dllpath)
$fcPropset = new-object Microsoft.Exchange.WebServices.Data.PropertySet`([Microsoft.Exchange.WebServices.Data.BasePropertySet]::FirstClassProperties)
$service = new-object Microsoft.Exchange.WebServices.Data.ExchangeService`([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2007_SP1)
$service.Url = $uri
#$service.TraceEnabled = $true
$del = $service.getdelegates($mailboxname,$true)
$del.delegateuserresponses |% {
$_.delegateuser.userid.displayname
$_.delegateuser.userid.sid
$_.delegateuser.userid.primarysmtpaddress
$_.delegateuser.permissions
}
You can also add and remove delegates.[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
October 2nd, 2010 7:34am
is there anyway to show which users in exchange are using Delegation?
Free Windows Admin Tool Kit Click here and download it now
October 4th, 2010 12:57pm
AFAIK, you'd have to go through all the mailboxes and see which ones return delegates.
It wouldn't be too hard to for-each the script through an address collection, you'd just need to run it using an account that has rights to all the mailboxes.[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
October 4th, 2010 1:16pm
I'm not much of a script guru, what would that look like to have it pull from a csv full of aliases and output in to a csv format? thanks
Free Windows Admin Tool Kit Click here and download it now
October 4th, 2010 4:22pm
I can work something up, but I'm I won't be back in the office where I could test it for a couple of days.[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
October 4th, 2010 4:50pm
That'd be great...thnx for the help
Free Windows Admin Tool Kit Click here and download it now
October 5th, 2010 12:48pm
any luck testing this mjolinor?
October 7th, 2010 4:42pm
I may get to it this evening. I was out of the office for a few days. and came back to... Ever seen "Finding Nemo"? I feel like I'm surrounded by the seagulls. Mine! Mine! Mine! Mine! Mine![string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
Free Windows Admin Tool Kit Click here and download it now
October 7th, 2010 5:14pm
LOL...yes my kids (and secretly me) love that part
October 8th, 2010 1:14pm
mjo if you don't have time to work on this...no worries, I can always just repost the question again as I need to generate a report for management soon. Just let me know...thanks
Free Windows Admin Tool Kit Click here and download it now
October 11th, 2010 11:29am
I decided to use CSVDE and just grab the publicdelegate and publicdelegatebl info from AD into a spreadsheet. thanks
October 11th, 2010 6:23pm
So my report from AD for publicdelegates clearly wasn't good enough as it only showed who was using delegates, but no permission info :( So back to square one. I'd love it mjolinor if there is some way to take your script above and export it
out to a csv as well as have it read a list of aliases from a CSV to run against. thanks!
Free Windows Admin Tool Kit Click here and download it now
October 12th, 2010 3:20pm
Maybe this will help, Glen's scripts are usually pretty good
Exchange Reverse Permission audit Powershell Gui version 2 Exchange 2007
http://gsexdev.blogspot.com/2008/10/exchange-reverse-permission-audit.html
October 13th, 2010 10:38am
that is controller by the attribute:
ms-Exch-Public-Delegates this attrubute of a user lists delegates. if this is a single user use ADSIEDIT.Dhruv
Free Windows Admin Tool Kit Click here and download it now
October 13th, 2010 5:22pm
that is controller by the attribute:
ms-Exch-Public-Delegates this attrubute of a user lists delegates. if this is a single user use ADSIEDIT.Dhruv
October 13th, 2010 5:22pm
Running against a list of aliases isn't a problem. Exporting the data to .csv will be more difficult, since the results will be "jagged" - ie there won't be a fixed number of results returned for each mailbox, or even a fixed number of permissions
returned for each delegate found.[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
Free Windows Admin Tool Kit Click here and download it now
October 13th, 2010 6:12pm
Running against a list of aliases isn't a problem. Exporting the data to .csv will be more difficult, since the results will be "jagged" - ie there won't be a fixed number of results returned for each mailbox, or even a fixed number of permissions
returned for each delegate found.[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
October 13th, 2010 6:12pm
Running against a list of aliases isn't a problem. Exporting the data to .csv will be more difficult, since the results will be "jagged" - ie there won't be a fixed number of results returned for each mailbox, or even a fixed number of permissions
returned for each delegate found.[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
Free Windows Admin Tool Kit Click here and download it now
October 13th, 2010 6:12pm