Script to gather FullAccess and SendAs permissions

I wrote this script to gather FullAccess and SendAs permissions to divide mailboxes into logical batches. May be somebody find it helpful.

#Purpose of this script is to gather full access and Send-As permissions of all mailboxes in organization
#Author: Zbynek Salon
#importing needed module
Import-Module Servermanager
$out = @()
$path = "c:\temp\FASA.txt"
$out +="Identity-email;Full Access;Send AS"
set-adserversettings -ViewEntireForest $true
#gathering info
$list = Get-Mailbox -resultsize unlimited | select alias,displayname,primarysmtpaddress,userprincipalname,distinguishedname
$i = 0
Foreach ($line in $list){
$sa = $null
$fa = $null
$fa = get-mailbox "$($line.distinguishedname)" | get-mailboxpermission | where {($_.IsInherited -like $false) -and ($_.accessrights -like "*Full*") -and ($_.user -notlike "*SELF*")}
$sa = get-mailbox "$($line.distinguishedname)" | get-adpermission | where {($_.extendedrights -like "*Send*") -and ($_.IsInherited -like $false) -and ($_.Deny -like $false)  -and ($_.user -notlike "*SELF*")}
Write-host "°°°°°°°°°°°°°°$($line.alias)"
#Full Access section
write-host "Full Access $($line.displayname)"
if ($fa -ne $null){
$fapo = "FA:"
            foreach ($fap in $fa){
                #query object from AD using LDAP (translate SID to DN)
                $o = [adsi]"LDAP://<SID=$($fap.user.securityidentifier)>"
                #query needed properties of AD object (AD object is used to query for all object types
                $o2 = get-adobject "$($o.distinguishedname)" -properties * | select displayname,userprincipalname
                if($o2 -ne $null){
                    $fapo = $fapo + "|$($o2.displayname)*$($o2.userprincipalname)"
                else{$fapo = $fapo + "|NoExist*$($fap.user.securityidentifier)" }
#Send As section
write-host "Send - AS $($line.displayname)"
if ($sa -ne $null){
$sapo = "SA:"
            foreach ($sap in $sa){
                $u = [adsi]"LDAP://<SID=$($sap.user.securityidentifier)>"
                $u2 = get-adobject "$($u.distinguishedname)" -properties * | select displayname,userprincipalname
                if($u2 -ne $null){
                    $sapo = $sapo + "|$($u2.displayname)*$($u2.userprincipalname)"
                else{$sapo = $sapo + "|NoExist*$($fap.user.securityidentifier)" }
$out += "$($line.displayname)*$($line.userprincipalname);$($fapo);$($sapo)"

$out | out-file "$($path)"

3 thoughts on “Script to gather FullAccess and SendAs permissions

  1. Hi Zbycha, You are a genius ! Thank you so much, this is the only combined script I could find on the whole entire world of internet. I have been looking for months and completely failed in making my own as I am a novice when it comes to bigger scripts such as this.

    So, to push my luck 🙂
    I have been asked to get Full Access and Send As access for all users but they want the output to be in CSV.
    You don’t happen to have another script that exports into a CSV with the data in separate columns ?
    Please help me 🙂 Thanks again.

    • Hi Mat,

      basically the output is CSV, but you should select “;” as delimiter. Please try that one. I have another script to gather permissions but usually this one is enough. Please let me know if the output is enough.

      BR Zbynek

  2. Thanks Zbycha, I am having trouble making the changes to what I am being asked for.
    I need to get Alias and Display name for both User and the user who has the access then the level of access they have.
    Column A (Displayname) Column B (Alias) Column C (Display name of user who has FASA access) Column D (Alias of user who has FASA access) then Column E (Level of Access).

    I don’t know if this might be too much to ask but any help would be much appreciated.
    I am trying to export the data into separate columns but I cant work it out.

    Also the Set-ADServerSettings -viewentireforrest $True = What exactly does this change, I only ask as I am in a large protected environment and currently our production environment is set to $false.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s