0 votes

How can I create a report which gives me the details from an Exchange mailbox as described in the subject?

I would like to have a Report for Exchange Mailboxes with OU, Send on Behalf, Full Rights and Send As Rights

Thank you

by (200 points)
0

Hello,

For us to suggest a solution, please, specify the following:

  • Are mailboxes located in Exchange on-premises or Exchange Online?
  • What types of mailboxes should be included in the report?
  • What exactly should be present in the columns for the OU and rights?
  • What version of Adaxes are you using? For information on how to check that, have a look at the following help article: https://www.adaxes.com/help/CheckServiceVersion.

A live example of the report and any additional details will be very helpful.

0

Hello, thank you for your answer!

  • Exchange is hosted on-premise

  • Every Type of Mailboxes (User, Shared, Distributed)

  • In the Columns it should present the following:

    • Parent OU of the Usermailbox
    • Send As (every User who has Send As Rights)
    • Send on Behalf (every User who has Send on Behalf Rights)
    • Full Rights on the Mailbox (every User who has full rights to the Mailbox)
  • Product Version: 3.14.18710.0

A possible Output could be like: image.png

Thank you for your help!

0

Hello,

Thank you for all the provided details. Please, clarify one more point. There can be multiple trustees that have Send As/Send on Behalf/Full Access rights on a mailbox. Unfortunately, there is no possibility to have multiline values in report columns. As a solution, usernames in the columns can be specified in a single line separated by commas. Does this approach meet your needs?

0

Hey, thank you for your fast reply!

It would be OK to get users separated by commas!

Thank you very much

1 Answer

0 votes
by (294k points)

Hello,

Thank you for the confirmation. To create the report:

  1. Launch Adaxes Administration console.
  2. In the Console Tree, right-click your service node.
  3. In the context menu, navigate to New and click Report.
  4. Specify a report name.
  5. Select Script and click Next.
  6. Click New.
  7. Click Next twice and then click Finish.
  8. Click Next twice.
  9. Add the ParentDN and Logon Name columns to the Default columns list.
  10. In the Report-specific columns section, click Add.
  11. Specify the display name for the custom column that will contain usernames of accounts that have Send As permissions on the mailbox.
  12. Click Next.
  13. Select Template.
  14. In the field below, specify a default column value (e.g. empty). The value is only required to create the custom column and will never be present in the report.
  15. Click Finish.
  16. Repeat steps 10-15 for the custom columns that will display Send on Behalf and Full Access permissions.
  17. Click Next.
  18. Paste the below script into the corresponding field. In the script:
    • $sendAsColumnID - Specifies the identifier of the custom column that will contain usernames of accounts that have Send As permissions on the mailbox. To get the identifier of a custom column:
      1. On the Columns step, in the Report-specific columns section, right-click the column you need.
      2. In the context menu, navigate to Copy and then click Column ID.
      3. The identifier will be copied to the clipboard.
    • $sendOnBehalfOfColumnID - Specifies the identifier of the custom column that will contain usernames of accounts that have Send on Behalf permissions on the mailbox.
    • $fullAccessColumnID - Specifies the identifier of the custom column that will contain usernames of accounts that have Full Access permissions on the mailbox.
$sendAsColumnID = "{dd288413-e52e-496f-b419-fb77012d2259}" # TODO: modify me
$sendOnBehalfOfColumnID = "{b8393021-85d0-45e0-bde4-6ec2fe4d8f79}" # TODO: modify me
$fullAccessColumnID = "{3176bc12-9853-4add-982f-212728ecd0e6}" # TODO: modify me

# Search filter
$filter = "(&(sAMAccountType=805306368)(mailNickname=*)(msExchHomeServerName=*))"
$Context.DirectorySearcher.AppendFilter($filter)

try
{
    # Execute search
    $searchIterator = $Context.DirectorySearcher.ExecuteSearch()

    while ($Context.MoveNext($searchIterator))
    {
        $searchResult = $searchIterator.Current
        $sendAsObjectNames = New-Object System.Collections.ArrayList
        $sendOnBehalfOfObjectNames = New-Object System.Collections.ArrayList
        $fullAccessObjectNames = New-Object System.Collections.ArrayList

        # Get users that have permissions to user mailbox
        $object = $Context.BindToObjectBySearchResultEx($searchResult, $True)
        try
        {
            $mailboxParams = $object.GetMailParameters()
        }
        catch
        {
            continue
        }

        # Get Send As trustees
        for ($i = 0; $i -lt $mailboxParams.SendAs.Count; $i++)
        {
            $trustee = $mailboxParams.SendAs.GetItem($i, [ref]"ADS_PROPERTY_NONE")
            if ([System.String]::IsNullOrEmpty($trustee.ObjectSid) -or [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($trustee.ObjectSid))
            {
                continue
            }

            if ($NULL -eq $trustee.SearchResult)
            {
                continue
            }

            $trusteeName = [Softerra.Adaxes.Utils.ObjectNameHelper]::GetObjectName($trustee.SearchResult.AdsPath, "None")
            $sendAsObjectNames.Add($trusteeName)
        }

        # Get Send on Behalf Of
        for ($i = 0; $i -lt $mailboxParams.GrantSendOnBehalfTo.Count; $i++)
        {
            $object = $mailboxParams.GrantSendOnBehalfTo.GetItem($i, [ref]"ADS_PROPERTY_NONE")
            if ($NULL -eq $object.SearchResult)
            {
                continue
            }

            $objectName = [Softerra.Adaxes.Utils.ObjectNameHelper]::GetObjectName($object.SearchResult.AdsPath, "None")
            $sendOnBehalfOfObjectNames.Add($objectName)
        }


        # Get Full Access trustees
        $mailboxPermissions = $mailboxParams.MailboxRights.GetPermissions()
        foreach ($mailboxPermission in $mailboxPermissions)
        {
            if (!($mailboxPermission.AllowedRights -band [Softerra.Adaxes.Interop.Adsi.Exchange.ADM_EXCHANGE_MAILBOX_RIGHTS_ENUM]::ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS) -or
                $mailboxPermission.InheritedAllowedRights -band [Softerra.Adaxes.Interop.Adsi.Exchange.ADM_EXCHANGE_MAILBOX_RIGHTS_ENUM]::ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS)
            {
                continue
            }

            $trustee = $mailboxPermission.Trustee
            if (!([System.String]::IsNullOrEmpty($trustee.ObjectSid)) -and 
                [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($trustee.ObjectSid))
            {
                continue
            }

            if ($NULL -eq $trustee.SearchResult)
            {
                continue
            }

            $trusteeName = [Softerra.Adaxes.Utils.ObjectNameHelper]::GetObjectName($trustee.SearchResult.AdsPath, "None")
            $fullAccessObjectNames.Add($trusteeName)

        }

        $customColumns = @{
            $sendAsColumnID = [System.String]::Join(", ", $sendAsObjectNames.ToArray());
            $sendOnBehalfOfColumnID = [System.String]::Join(", ", $sendOnBehalfOfObjectNames.ToArray());
            $fullAccessColumnID = [System.String]::Join(", ", $fullAccessObjectNames.ToArray());
        }
        $Context.Items.Add($searchResult, $customColumns, $NULL)
    }
}
finally
{
    # Close the remote session and release resources
    if ($searchIterator) { $searchIterator.Dispose() }
}
  19. Click Next and finish creating the report.
0

Thank you for the reply!

Do I have to copy the complete code into the script box?

Do I have to copy the search filter into the script?

Thank you

0

Hello,

Sorry for the confusion, there were some issues with displaying the script. We fixed the issue. Please, copy the script from the instructions above.

0

Perfect! Now it works as expected! Thank you for the great work and help!

0

Got one error when I call the report.

How can I fix that? Thank you very much

0

Hello,

The thing is that not all mailboxes have the permissions part. Also, in specific Exchange versions, specific rights are also absent. The easiest way to work around the issue would be to predefine the types of mailboxes that will be included in the report. Alternatively, we can update the script so that mailboxes for which retrieving the permissions fails are not included in the report.

0

The report stops at the first null-valued expression.

How can I predefine the included mailboxes?

Would it be easier to handle such mailboxes in the script? I think an update would be better for the script!

Would you be so kind and do that for me? Thank you very much

0

Hello,

Thank you for specifying. We updated the script accordingly. Find it below. In the script, we added the $recipientTypeDetails variable that specifies types of mailboxes that should be included in the report. The variable should be set to an array of corresponding Recipient Type Details property values. For example, 1 references a User mailbox. For details about the property values, have a look at the following post on Microsoft forums: https://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_exchon-mso_o365b/recipient-type-values/7c2620e5-9870-48ba-b5c2-7772c739c651.

$sendAsColumnID = "{dd288413-e52e-496f-b419-fb77012d2259}" # TODO: modify me
$sendOnBehalfOfColumnID = "{b8393021-85d0-45e0-bde4-6ec2fe4d8f79}" # TODO: modify me
$fullAccessColumnID = "{3176bc12-9853-4add-982f-212728ecd0e6}" # TODO: modify me
$recipientTypeDetails = @(1, 4) # TODO: modify me

# Search filter
$filter = "(&(sAMAccountType=805306368)(|"
foreach ($type in $recipientTypeDetails)
{
    $filter += "(msExchRecipientTypeDetails=$type)"
}
$filter += "))"
$Context.DirectorySearcher.AppendFilter($filter)

try
{
    # Execute search
    $searchIterator = $Context.DirectorySearcher.ExecuteSearch()

    while ($Context.MoveNext($searchIterator))
    {
        $searchResult = $searchIterator.Current
        $sendAsObjectNames = New-Object System.Collections.ArrayList
        $sendOnBehalfOfObjectNames = New-Object System.Collections.ArrayList
        $fullAccessObjectNames = New-Object System.Collections.ArrayList

        # Get users that have permissions to user mailbox
        $object = $Context.BindToObjectBySearchResultEx($searchResult, $True)
        try
        {
            $mailboxParams = $object.GetMailParameters()
        }
        catch
        {
            continue
        }

        # Get Send As trustees
        for ($i = 0; $i -lt $mailboxParams.SendAs.Count; $i++)
        {
            $trustee = $mailboxParams.SendAs.GetItem($i, [ref]"ADS_PROPERTY_NONE")
            if ([System.String]::IsNullOrEmpty($trustee.ObjectSid) -or [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($trustee.ObjectSid))
            {
                continue
            }

            if ($NULL -eq $trustee.SearchResult)
            {
                continue
            }

            $trusteeName = [Softerra.Adaxes.Utils.ObjectNameHelper]::GetObjectName($trustee.SearchResult.AdsPath, "None")
            $sendAsObjectNames.Add($trusteeName)
        }

        # Get Send on Behalf Of
        for ($i = 0; $i -lt $mailboxParams.GrantSendOnBehalfTo.Count; $i++)
        {
            $object = $mailboxParams.GrantSendOnBehalfTo.GetItem($i, [ref]"ADS_PROPERTY_NONE")
            if ($NULL -eq $object.SearchResult)
            {
                continue
            }

            $objectName = [Softerra.Adaxes.Utils.ObjectNameHelper]::GetObjectName($object.SearchResult.AdsPath, "None")
            $sendOnBehalfOfObjectNames.Add($objectName)
        }


        # Get Full Access trustees
        if ($NULL -ne $mailboxParams.MailboxRights)
        {
            $mailboxPermissions = $mailboxParams.MailboxRights.GetPermissions()
            foreach ($mailboxPermission in $mailboxPermissions)
            {
                if (!($mailboxPermission.AllowedRights -band [Softerra.Adaxes.Interop.Adsi.Exchange.ADM_EXCHANGE_MAILBOX_RIGHTS_ENUM]::ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS) -or
                    $mailboxPermission.InheritedAllowedRights -band [Softerra.Adaxes.Interop.Adsi.Exchange.ADM_EXCHANGE_MAILBOX_RIGHTS_ENUM]::ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS)
                {
                    continue
                }

                $trustee = $mailboxPermission.Trustee
                if (!([System.String]::IsNullOrEmpty($trustee.ObjectSid)) -and 
                    [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($trustee.ObjectSid))
                {
                    continue
                }

                if ($NULL -eq $trustee.SearchResult)
                {
                    continue
                }

                $trusteeName = [Softerra.Adaxes.Utils.ObjectNameHelper]::GetObjectName($trustee.SearchResult.AdsPath, "None")
                $fullAccessObjectNames.Add($trusteeName)

            }
        }


        $customColumns = @{
            $sendAsColumnID = [System.String]::Join(", ", $sendAsObjectNames.ToArray());
            $sendOnBehalfOfColumnID = [System.String]::Join(", ", $sendOnBehalfOfObjectNames.ToArray());
            $fullAccessColumnID = [System.String]::Join(", ", $fullAccessObjectNames.ToArray());
        }
        $Context.Items.Add($searchResult, $customColumns, $NULL)
    }
}
finally
{
    # Close the remote session and release resources
    if ($searchIterator) { $searchIterator.Dispose() }
}
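
An added example, not part of the original answer and not Adaxes' own code: one way to build the same search filter from mailbox type names instead of raw numbers, rejecting an empty list (which would produce an empty `(|)` clause, invalid under the RFC 4515 filter grammar) and any unknown value before it reaches the LDAP filter string. The function name `New-MailboxTypeFilter` and the name table are assumptions made for illustration; the numbers are the standard `msExchRecipientTypeDetails` values.

```powershell
# Added example; New-MailboxTypeFilter is a hypothetical helper, not an Adaxes API.
function New-MailboxTypeFilter {
    param(
        [Parameter(Mandatory = $true)]
        [AllowEmptyCollection()]
        [string[]]$MailboxType
    )

    # Standard msExchRecipientTypeDetails values for on-premises mailboxes
    $known = [ordered]@{
        UserMailbox      = 1
        LinkedMailbox    = 2
        SharedMailbox    = 4
        RoomMailbox      = 16
        EquipmentMailbox = 32
    }

    # An empty list would yield "(|)", so fail early with a clear message
    if ($MailboxType.Count -eq 0) {
        throw "Specify at least one mailbox type."
    }

    # Only values from the table are ever written into the filter, so a
    # mistyped or untrusted string cannot alter the filter structure
    $clauses = foreach ($name in ($MailboxType | Select-Object -Unique)) {
        if (-not $known.Contains($name)) {
            throw "Unknown mailbox type '$name'. Valid: $($known.Keys -join ', ')"
        }
        "(msExchRecipientTypeDetails=$($known[$name]))"
    }

    # Same shape as the filter in the script above: user-class objects
    # whose recipient type matches any of the requested values
    "(&(sAMAccountType=805306368)(|$(-join $clauses)))"
}

# Constructed usage: user and shared mailboxes, matching @(1, 4) in the script
$filter = New-MailboxTypeFilter -MailboxType UserMailbox, SharedMailbox
$filter

# Inside the report script the result would replace the hand-built string:
# $Context.DirectorySearcher.AppendFilter($filter)
```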
0

Thank you very much! That was what I wanted! Great job!!
