Report for Exchange Mailboxes with OU, Send on Behalf, Full Rights and Send As Rights

Question

how can i create a report which gives me the details from an exchange mailbox as described in the subject?

I would like to have a Report for Exchange Mailboxes with OU, Send on Behalf, Full Rights and Send As Rights

thank you

Comments

Hello,

For us to suggest a solution, please, specify the following:

• Are mailboxes located in Exchange on-premises or Exchange Online?
• What types of mailboxes should be included into the report?
• What exactly should be present in the columns for the OU and rights?
• What version of Adaxes are you using? For information on how to check that, have a look at the following help article: https://www.adaxes.com/help/CheckServiceVersion.

A live example of the report and any additional details will be very helpful.

---

Hello, thank you for your answer!

• Exchange is hosted on-premise

• Every Type of Mailboxes (User, Shared, Distributed)

• In the Columns it should present the following:

  • Parent OU of the Usermailbox
  • Send As (every User who has Send As Rights)
  • Send on Behalf (every User who has Send on Behalf Rights)
  • Full Rights on the Mailbox (every User who has full rights to the Mailbox)

• Product Version: 3.14.18710.0

A possible Output could be like:

Thank you for your help!

---

Hello,

Thank you for all the provided details. Please, clarify one more point. There can be multiple trustees that have Send As/Send on Behalf/Full Access rights on a mailbox. Unfortunately, there is no possibility to have multiline values in report columns. As a solution, usernames in the columns can be specified in a single line separated by commas. Does this approach meet your needs?

---

Hey, thank you for your fast reply!

it would be ok to get users seperated by commas!

thank you very much

Answer 1

Hello,

Thank you for the confirmation. To create the report:

1. Launch Adaxes Administration console.
2. In the Console Tree, right-click your service node.
3. In the context menu, navigate to New and click Report.
4. Specify a report name.
5. Select Script and click Next.
6. Click New.
7. Click Next twice and then click Finish.
8. Click Next twice.
9. Add the ParentDN and Logon Name columns to the Default columns list.
10. In the Report-specific columns section, click Add.
11. Specify the display name for the custom column that will contain usernames of accounts that have Send As permissions on the mailbox.
12. Click Next.
13. Select Template.
14. In the field below, specify a default column value (e.g. empty). The value is only required to create the custom column and will never be present in the report.
15. Click Finish.
16. Repeat steps 10-15 for the custom columns that will display Send on Behalf and Full Access permissions.
17. Click Next.
18. Paste the below script into the corresponding field. In the script:
    • $sendAsColumnID - Specifies the identifier of the custom column that will contain usernames of accounts that have Send As permissions on the mailbox. To get the identifier of a custom column:
      1. On the Columns step, in the Report-specific columns section, right-click the column you need.
      2. In the context menu, navigate to Copy and then click Column ID.
      3. The identifier will be copied to the clipboard.
    • $sendOnBehalfOfColumnID - Specifies the identifier of the custom column that will contain usernames of accounts that have Send on Behalf permissions on the mailbox.
    • $fullAccessColumnID - Specifies the identifier of the custom column that will contain usernames of accounts that have Full Access permissions on the mailbox.

$sendAsColumnID = "{dd288413-e52e-496f-b419-fb77012d2259}" # TODO: modify me
$sendOnBehalfOfColumnID = "{b8393021-85d0-45e0-bde4-6ec2fe4d8f79}" # TODO: modify me
$fullAccessColumnID = "{3176bc12-9853-4add-982f-212728ecd0e6}" # TODO: modify me

# Search filter
$filter = "(&(sAMAccountType=805306368)(mailNickname=*)(msExchHomeServerName=*))"
$Context.DirectorySearcher.AppendFilter($filter)

try
{
    # Execute search
    $searchIterator = $Context.DirectorySearcher.ExecuteSearch()

    while ($Context.MoveNext($searchIterator))
    {
        $searchResult = $searchIterator.Current
        $sendAsObjectNames = New-Object System.Collections.ArrayList
        $sendOnBehalfOfObjectNames = New-Object System.Collections.ArrayList
        $fullAccessObjectNames = New-Object System.Collections.ArrayList

        # Get users that have permissions to user mailbox
        $object = $Context.BindToObjectBySearchResultEx($searchResult, $True)
        try
        {
            $mailboxParams = $object.GetMailParameters()
        }
        catch
        {
            continue
        }

        # Get Send As trustees
        for ($i = 0; $i -lt $mailboxParams.SendAs.Count; $i++)
        {
            $trustee = $mailboxParams.SendAs.GetItem($i, [ref]"ADS_PROPERTY_NONE")
            if ([System.String]::IsNullOrEmpty($trustee.ObjectSid) -or [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($trustee.ObjectSid))
            {
                continue
            }

            if ($NULL -eq $trustee.SearchResult)
            {
                continue
            }

            $trusteeName = [Softerra.Adaxes.Utils.ObjectNameHelper]::GetObjectName($trustee.SearchResult.AdsPath, "None")
            $sendAsObjectNames.Add($trusteeName)
        }

        # Get Send on Behalf Of
        for ($i = 0; $i -lt $mailboxParams.GrantSendOnBehalfTo.Count; $i++)
        {
            $object = $mailboxParams.GrantSendOnBehalfTo.GetItem($i, [ref]"ADS_PROPERTY_NONE")
            if ($NULL -eq $object.SearchResult)
            {
                continue
            }

            $objectName = [Softerra.Adaxes.Utils.ObjectNameHelper]::GetObjectName($object.SearchResult.AdsPath, "None")
            $sendOnBehalfOfObjectNames.Add($objectName)
        }


        # Get Full Access trustees
        $mailboxPermissions = $mailboxParams.MailboxRights.GetPermissions()
        foreach ($mailboxPermission in $mailboxPermissions)
        {
            if (!($mailboxPermission.AllowedRights -band [Softerra.Adaxes.Interop.Adsi.Exchange.ADM_EXCHANGE_MAILBOX_RIGHTS_ENUM]::ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS) -or
                $mailboxPermission.InheritedAllowedRights -band [Softerra.Adaxes.Interop.Adsi.Exchange.ADM_EXCHANGE_MAILBOX_RIGHTS_ENUM]::ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS)
            {
                continue
            }

            $trustee = $mailboxPermission.Trustee
            if (!([System.String]::IsNullOrEmpty($trustee.ObjectSid)) -and 
                [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($trustee.ObjectSid))
            {
                continue
            }

            if ($NULL -eq $trustee.SearchResult)
            {
                continue
            }

            $trusteeName = [Softerra.Adaxes.Utils.ObjectNameHelper]::GetObjectName($trustee.SearchResult.AdsPath, "None")
            $fullAccessObjectNames.Add($trusteeName)

        }

        $customColumns = @{
            $sendAsColumnID = [System.String]::Join(", ", $sendAsObjectNames.ToArray());
            $sendOnBehalfOfColumnID = [System.String]::Join(", ", $sendOnBehalfOfObjectNames.ToArray());
            $fullAccessColumnID = [System.String]::Join(", ", $fullAccessObjectNames.ToArray());
        }
        $Context.Items.Add($searchResult, $customColumns, $NULL)
    }
}
finally
{
    # Close the remote session and release resources
    if ($searchIterator) { $searchIterator.Dispose() }
}

19. Click Next and finish creating the report.

Comments

Thank you for the reply!

do i have to copy the complete code in the script box?

do i have to copy the search filter into the script?

thank you

---

Hello,

Sorry for the confusion, there were some issues with displaying the script. We fixed the issue. Please, copy the script from the instructions above.

---

perfect! now it works as expected! thank you for the great work and help!

---

got one error when i call the report

how can i fix that? thank you very much

---

Hello,

The thing is that not all mailboxes have the permissions part. Also, in specific exchange versions specific rights are also absent. The easiest way to work around the issue would be to predefine the types of mailboxes that will be included into the report. Alternatively, we can update the script so that it does not include mailboxes for which retrieving either permissions fails into the report.

---

the report stops at the first null-valued-expression

how can i predefine the included mailboxes?

would it be easier to to handle such mailboxes in the script? i think an update would be better for the script!

would you be so kind and do that for me? thank you very much

---

Hello,

Thank you for specifying. We updated the script accordingly. Find it below. In the script, we added the $recipientTypeDetails variable that specifies types of mailboxes that should be included into the report. The variable should be set to an array of corresponding Recipient Type Details property values. For example, 1 references a User mailbox. For details about the property values, have a look at the following post on Microsoft forums: https://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_exchon-mso_o365b/recipient-type-values/7c2620e5-9870-48ba-b5c2-7772c739c651.

$sendAsColumnID = "{dd288413-e52e-496f-b419-fb77012d2259}" # TODO: modify me
$sendOnBehalfOfColumnID = "{b8393021-85d0-45e0-bde4-6ec2fe4d8f79}" # TODO: modify me
$fullAccessColumnID = "{3176bc12-9853-4add-982f-212728ecd0e6}" # TODO: modify me
$recipientTypeDetails = @(1, 4) # TODO: modify me

# Search filter
$filter = "(&(sAMAccountType=805306368)(|"
foreach ($type in $recipientTypeDetails)
{
    $filter += "(msExchRecipientTypeDetails=$type)"
}
$filter += "))"
$Context.DirectorySearcher.AppendFilter($filter)

try
{
    # Execute search
    $searchIterator = $Context.DirectorySearcher.ExecuteSearch()

    while ($Context.MoveNext($searchIterator))
    {
        $searchResult = $searchIterator.Current
        $sendAsObjectNames = New-Object System.Collections.ArrayList
        $sendOnBehalfOfObjectNames = New-Object System.Collections.ArrayList
        $fullAccessObjectNames = New-Object System.Collections.ArrayList

        # Get users that have permissions to user mailbox
        $object = $Context.BindToObjectBySearchResultEx($searchResult, $True)
        try
        {
            $mailboxParams = $object.GetMailParameters()
        }
        catch
        {
            continue
        }

        # Get Send As trustees
        for ($i = 0; $i -lt $mailboxParams.SendAs.Count; $i++)
        {
            $trustee = $mailboxParams.SendAs.GetItem($i, [ref]"ADS_PROPERTY_NONE")
            if ([System.String]::IsNullOrEmpty($trustee.ObjectSid) -or [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($trustee.ObjectSid))
            {
                continue
            }

            if ($NULL -eq $trustee.SearchResult)
            {
                continue
            }

            $trusteeName = [Softerra.Adaxes.Utils.ObjectNameHelper]::GetObjectName($trustee.SearchResult.AdsPath, "None")
            $sendAsObjectNames.Add($trusteeName)
        }

        # Get Send on Behalf Of
        for ($i = 0; $i -lt $mailboxParams.GrantSendOnBehalfTo.Count; $i++)
        {
            $object = $mailboxParams.GrantSendOnBehalfTo.GetItem($i, [ref]"ADS_PROPERTY_NONE")
            if ($NULL -eq $object.SearchResult)
            {
                continue
            }

            $objectName = [Softerra.Adaxes.Utils.ObjectNameHelper]::GetObjectName($object.SearchResult.AdsPath, "None")
            $sendOnBehalfOfObjectNames.Add($objectName)
        }


        # Get Full Access trustees
        if ($NULL -ne $mailboxParams.MailboxRights)
        {
            $mailboxPermissions = $mailboxParams.MailboxRights.GetPermissions()
            foreach ($mailboxPermission in $mailboxPermissions)
            {
                if (!($mailboxPermission.AllowedRights -band [Softerra.Adaxes.Interop.Adsi.Exchange.ADM_EXCHANGE_MAILBOX_RIGHTS_ENUM]::ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS) -or
                    $mailboxPermission.InheritedAllowedRights -band [Softerra.Adaxes.Interop.Adsi.Exchange.ADM_EXCHANGE_MAILBOX_RIGHTS_ENUM]::ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS)
                {
                    continue
                }

                $trustee = $mailboxPermission.Trustee
                if (!([System.String]::IsNullOrEmpty($trustee.ObjectSid)) -and 
                    [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($trustee.ObjectSid))
                {
                    continue
                }

                if ($NULL -eq $trustee.SearchResult)
                {
                    continue
                }

                $trusteeName = [Softerra.Adaxes.Utils.ObjectNameHelper]::GetObjectName($trustee.SearchResult.AdsPath, "None")
                $fullAccessObjectNames.Add($trusteeName)

            }
        }


        $customColumns = @{
            $sendAsColumnID = [System.String]::Join(", ", $sendAsObjectNames.ToArray());
            $sendOnBehalfOfColumnID = [System.String]::Join(", ", $sendOnBehalfOfObjectNames.ToArray());
            $fullAccessColumnID = [System.String]::Join(", ", $fullAccessObjectNames.ToArray());
        }
        $Context.Items.Add($searchResult, $customColumns, $NULL)
    }
}
finally
{
    # Close the remote session and release resources
    if ($searchIterator) { $searchIterator.Dispose() }
}

---

Thank you very much! That was what i wanted! grat job!!