⚠️ IMPORTANT: These scripts are AI-GENERATED and UNTESTED Exchange Scripts (5): - Get-MailboxPermissions.ps1: Audit delegate access permissions - Get-InactiveMailboxes.ps1: Identify stale mailboxes - Compare-MailboxDatabases.ps1: Database health comparison - Export-DistributionGroups.ps1: Distribution group inventory - Get-MailflowStats.ps1: Transport log analysis Active Directory Scripts (3): - Get-ADUserLastLogon.ps1: True LastLogon across all DCs - Export-OUStructure.ps1: OU hierarchy with GPO links - Compare-ADGroupMemberships.ps1: Compare user group memberships System Maintenance Scripts (4): - Get-ServerInventory.ps1: Hardware/software inventory report - Monitor-DiskSpace.ps1: Disk space monitoring with alerts - Backup-ExchangeCertificates.ps1: Certificate backup to PFX - Test-ExchangeHealth.ps1: Aggregated Exchange health checks Documentation: - Updated CLAUDE.md with AI-generated scripts section - Added AI-GENERATED-SCRIPTS.md with warnings and testing guide All scripts include prominent warnings and follow established patterns from existing scripts. Require thorough testing before production use. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
174 lines
6.1 KiB
PowerShell
<#
|
|
.SYNOPSIS
|
|
Audit mailbox delegate access permissions across Exchange environment
|
|
|
|
.DESCRIPTION
|
|
Reports on SendAs, SendOnBehalf, and FullAccess permissions for all mailboxes.
|
|
Useful for security audits, compliance reviews, and migration planning.
|
|
|
|
.PARAMETER OutputFolder
|
|
Destination folder for CSV reports. Default: .\MailboxPermissions-<date>
|
|
|
|
.PARAMETER MailboxFilter
|
|
Optional filter for specific mailboxes. Default: all on-premises mailboxes
|
|
|
|
.PARAMETER IncludeInherited
|
|
Include inherited permissions in the report (default: $false)
|
|
|
|
.NOTES
|
|
⚠️ AI-GENERATED SCRIPT - UNTESTED
|
|
This script was generated by Claude AI and has not been tested in production.
|
|
Review and test thoroughly in a non-production environment before use.
|
|
|
|
- Run in Exchange Management Shell with appropriate RBAC permissions
|
|
- Can take significant time with large mailbox counts
|
|
- Tested compatibility: Exchange 2013/2016/2019 (not validated)
|
|
|
|
.EXAMPLE
|
|
.\Get-MailboxPermissions.ps1
|
|
|
|
.EXAMPLE
|
|
.\Get-MailboxPermissions.ps1 -OutputFolder "D:\Reports\Permissions" -IncludeInherited $true
|
|
#>
|
|
|
|
[CmdletBinding()]
|
|
param(
|
|
[string]$OutputFolder = (Join-Path -Path (Get-Location) -ChildPath ("MailboxPermissions-" + (Get-Date -Format "yyyyMMdd-HHmm"))),
|
|
[string]$MailboxFilter = "*",
|
|
[bool]$IncludeInherited = $false
|
|
)
|
|
|
|
function NowTag { (Get-Date).ToString("yyyy-MM-dd HH:mm:ss") }
|
|
|
|
Write-Host "[$(NowTag)] ⚠️ AI-GENERATED SCRIPT - UNTESTED" -ForegroundColor Yellow
|
|
Write-Host "[$(NowTag)] Starting mailbox permissions audit..." -ForegroundColor Green
|
|
|
|
# Create output folder
|
|
New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null
|
|
|
|
# Get all on-premises mailboxes
|
|
Write-Host "[$(NowTag)] Retrieving mailboxes..."
|
|
$mailboxes = Get-Mailbox -Filter $MailboxFilter -ResultSize Unlimited -ErrorAction SilentlyContinue |
|
|
Where-Object { $_.RecipientTypeDetails -notmatch "^Remote" -and $_.Database }
|
|
|
|
$mbCount = ($mailboxes | Measure-Object).Count
|
|
Write-Host "[$(NowTag)] Found $mbCount mailboxes to audit"
|
|
|
|
# Collections
|
|
$fullAccessPerms = @()
|
|
$sendAsPerms = @()
|
|
$sendOnBehalfPerms = @()
|
|
|
|
$current = 0
|
|
foreach ($mb in $mailboxes) {
|
|
$current++
|
|
$pct = [int](($current / $mbCount) * 100)
|
|
Write-Progress -Activity "Auditing Mailbox Permissions" -Status "Processing $($mb.DisplayName) ($current/$mbCount)" -PercentComplete $pct
|
|
|
|
# FullAccess permissions
|
|
try {
|
|
$fullAccess = Get-MailboxPermission -Identity $mb.Identity -ErrorAction SilentlyContinue |
|
|
Where-Object {
|
|
$_.User -notlike "NT AUTHORITY\*" -and
|
|
$_.User -notlike "S-1-5-*" -and
|
|
$_.AccessRights -like "*FullAccess*" -and
|
|
($IncludeInherited -or -not $_.IsInherited)
|
|
}
|
|
|
|
foreach ($perm in $fullAccess) {
|
|
$fullAccessPerms += [PSCustomObject]@{
|
|
Mailbox = $mb.DisplayName
|
|
PrimarySmtpAddress = $mb.PrimarySmtpAddress
|
|
User = $perm.User
|
|
AccessRights = ($perm.AccessRights -join ", ")
|
|
IsInherited = $perm.IsInherited
|
|
Deny = $perm.Deny
|
|
}
|
|
}
|
|
} catch {
|
|
Write-Host "[$(NowTag)] ERROR getting FullAccess for $($mb.DisplayName): $_" -ForegroundColor Red
|
|
}
|
|
|
|
# SendAs permissions
|
|
try {
|
|
$sendAs = Get-ADPermission -Identity $mb.DistinguishedName -ErrorAction SilentlyContinue |
|
|
Where-Object {
|
|
$_.ExtendedRights -like "*Send-As*" -and
|
|
$_.User -notlike "NT AUTHORITY\*" -and
|
|
$_.User -notlike "S-1-5-*" -and
|
|
($IncludeInherited -or -not $_.IsInherited)
|
|
}
|
|
|
|
foreach ($perm in $sendAs) {
|
|
$sendAsPerms += [PSCustomObject]@{
|
|
Mailbox = $mb.DisplayName
|
|
PrimarySmtpAddress = $mb.PrimarySmtpAddress
|
|
User = $perm.User
|
|
IsInherited = $perm.IsInherited
|
|
Deny = $perm.Deny
|
|
}
|
|
}
|
|
} catch {
|
|
Write-Host "[$(NowTag)] ERROR getting SendAs for $($mb.DisplayName): $_" -ForegroundColor Red
|
|
}
|
|
|
|
# SendOnBehalf permissions
|
|
if ($mb.GrantSendOnBehalfTo -and $mb.GrantSendOnBehalfTo.Count -gt 0) {
|
|
foreach ($user in $mb.GrantSendOnBehalfTo) {
|
|
$sendOnBehalfPerms += [PSCustomObject]@{
|
|
Mailbox = $mb.DisplayName
|
|
PrimarySmtpAddress = $mb.PrimarySmtpAddress
|
|
User = $user
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
Write-Progress -Activity "Auditing Mailbox Permissions" -Completed
|
|
|
|
# Export results
|
|
Write-Host "[$(NowTag)] Exporting results..."
|
|
|
|
$fullAccessFile = Join-Path $OutputFolder "FullAccess-Permissions.csv"
|
|
$sendAsFile = Join-Path $OutputFolder "SendAs-Permissions.csv"
|
|
$sendOnBehalfFile = Join-Path $OutputFolder "SendOnBehalf-Permissions.csv"
|
|
$summaryFile = Join-Path $OutputFolder "Permissions-Summary.txt"
|
|
|
|
if ($fullAccessPerms.Count -gt 0) {
|
|
$fullAccessPerms | Export-Csv -NoTypeInformation -Encoding UTF8 -Path $fullAccessFile
|
|
Write-Host "[$(NowTag)] FullAccess permissions: $fullAccessFile"
|
|
} else {
|
|
Write-Host "[$(NowTag)] No FullAccess permissions found"
|
|
}
|
|
|
|
if ($sendAsPerms.Count -gt 0) {
|
|
$sendAsPerms | Export-Csv -NoTypeInformation -Encoding UTF8 -Path $sendAsFile
|
|
Write-Host "[$(NowTag)] SendAs permissions: $sendAsFile"
|
|
} else {
|
|
Write-Host "[$(NowTag)] No SendAs permissions found"
|
|
}
|
|
|
|
if ($sendOnBehalfPerms.Count -gt 0) {
|
|
$sendOnBehalfPerms | Export-Csv -NoTypeInformation -Encoding UTF8 -Path $sendOnBehalfFile
|
|
Write-Host "[$(NowTag)] SendOnBehalf permissions: $sendOnBehalfFile"
|
|
} else {
|
|
Write-Host "[$(NowTag)] No SendOnBehalf permissions found"
|
|
}
|
|
|
|
# Summary
|
|
$summary = @"
|
|
Mailbox Permissions Audit Summary
|
|
Generated: $(Get-Date)
|
|
|
|
Mailboxes Audited: $mbCount
|
|
FullAccess Permissions: $($fullAccessPerms.Count)
|
|
SendAs Permissions: $($sendAsPerms.Count)
|
|
SendOnBehalf Permissions: $($sendOnBehalfPerms.Count)
|
|
|
|
Output Folder: $OutputFolder
|
|
"@
|
|
|
|
$summary | Out-File -FilePath $summaryFile -Encoding UTF8
|
|
Write-Host "`n$summary"
|
|
Write-Host "[$(NowTag)] Audit complete!" -ForegroundColor Green
|
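Review bot: The mailbox retrieval `Get-Mailbox -Filter $MailboxFilter -ResultSize Unlimited -ErrorAction SilentlyContinue` receives the default `"*"`, which as far as I can tell is not a valid OPATH filter expression for `-Filter` (it is `-Identity` that takes wildcards), and with the error suppressed the probable result is an empty `$mailboxes`, `Found 0 mailboxes to audit`, and a run that still prints `Audit complete!` while exporting nothing — an empty delegation report reads as "no delegation found" to whoever consumes it. Splat the parameters so `-Filter` is only sent when the caller supplied one, and let retrieval fail loudly (`-ErrorAction Stop` inside a `try`/`catch` that exits non-zero) instead of continuing with zero mailboxes. The per-mailbox `Get-MailboxPermission`/`Get-ADPermission` calls have the same shape: their `catch` blocks only write to the host, so consider incrementing an error counter there and printing it in `$summary`, making a partially failed audit distinguishable from a clean one. Separately, the `$_.User -notlike "S-1-5-*"` clause discards unresolved-SID entries, which are typically ACEs left behind by deleted accounts and are themselves a finding in a permissions audit; keeping them in the CSV (perhaps with a flag column) would serve the audit purpose better than filtering them out.
```powershell
$mbParams = @{ ResultSize = 'Unlimited'; ErrorAction = 'Stop' }
if ($MailboxFilter -and $MailboxFilter -ne '*') { $mbParams['Filter'] = $MailboxFilter }
try {
    $mailboxes = Get-Mailbox @mbParams |
        Where-Object { $_.RecipientTypeDetails -notmatch "^Remote" -and $_.Database }
} catch {
    Write-Host "[$(NowTag)] ERROR retrieving mailboxes: $_" -ForegroundColor Red
    exit 1
}
# … unchanged: mailbox count, progress loop, export and summary …
```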