0 votes

Hello

Is there any way using Adaxes you can select a particular user and see all the other Exchange mailboxes they have access to?
I know this is tricky in Exchange and needs a PowerShell command to achieve it.

Thank you

Carole.

by (700 points)

1 Answer

0 votes
by (216k points)
Best answer

Hello Carole,

Yes, you are right, this can be done with the help of a PowerShell script. For example, you can use a script that would output the mailboxes a user has access to into the Execution Log. Also, you can create a Custom Command that would execute the script on users.

However, we have a concern related to performance here. The thing is that getting all mailboxes a user has access to requires fetching the delegates of all mailboxes, and then iterating through the mailboxes and delegates to find the necessary ones. If you have many users in your AD, it can take quite a while, especially if these are Exchange Online mailboxes. How many users do you have in your AD? Are the mailboxes located on premises or in Exchange Online?

0

I see your point. We've got around 3000 mailboxes which are on premise.

Thanks

Carole.

0

Hello Carole,

OK, we've asked our script guys to write a script that will do the job and test it on around 4000 mailboxes to see how fast it completes. We'll update this topic as soon as they come up with some results.

0

Hello Carole,

We've tested the required functionality in our environment, and it is very slow even on 1000 mailboxes. The script returns mailboxes a user has Full Access to in around 8-10 minutes. Given 3000 mailboxes and a real-life environment where many users are connecting to DCs and Exchange Servers all the time, that will be even worse.

We can suggest a workaround with a Scheduled Task that will run, say, once or a couple of times a day. The task will store mailboxes a user has Full Access to in a certain attribute of the user account. Thus, when viewing properties of a user, it will be possible to see the mailboxes the user has Full Access to by simply checking the attribute. As for the attribute you can use, it can be a certain multivalued attribute that can store DN values, for example, See Also. When viewing such an attribute in the Web Interface, users will be able to simply click on an entry to view the properties of the mailbox it represents.

The advantage of this method is that users won't have to wait to view the output. The disadvantage is that it won't be real time. The attribute will store the delegation by the time when the Scheduled Task was run on a particular mailbox.

If you are OK with such a solution, we can provide you the details on how to implement it.

0

Depending on what you are trying to achieve, Exchange might populate this information for you already: MsExchDelegateListBL

It comes with some heavy limitations (full control only, requires per-user delegation, ...) but it would be the fastest way to get that info.

https://ibenna.wordpress.com/tag/msexchdelegatelistbl/
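The back-link lookup suggested in the comment above, as an added example that is not part of the original thread and is not Adaxes or vendor code. It assumes on-premises Exchange, the RSAT ActiveDirectory module and read access to the domain; the function name and the account name in the usage comment are hypothetical. Given the limitations named in that comment, an empty result does not show that the user has no mailbox access.

```powershell
# Added example: reads msExchDelegateListBL for one user and resolves each
# linked mailbox. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-DelegateBackLinkMailbox {   # hypothetical name
    [CmdletBinding()]
    param(
        # sAMAccountName, DN, GUID or SID of the user under review
        [Parameter(Mandatory)]
        [string]$Identity
    )

    # msExchDelegateListBL is a back-link on the user object; AD derives it
    # from msExchDelegateListLink values stored on the mailbox objects, so
    # one read of the user replaces a scan of every mailbox.
    $user = Get-ADUser -Identity $Identity -Properties msExchDelegateListBL

    foreach ($dn in $user.msExchDelegateListBL) {
        try {
            $mbx = Get-ADObject -Identity $dn -Properties displayName, mail -ErrorAction Stop
            [pscustomobject]@{
                User      = $user.SamAccountName
                Mailbox   = $mbx.displayName
                Mail      = $mbx.mail
                MailboxDN = $mbx.DistinguishedName
                Resolved  = $true
            }
        }
        catch {
            # The linked object could not be read by this account:
            # still report the DN so the reviewer sees the delegation.
            [pscustomobject]@{
                User      = $user.SamAccountName
                Mailbox   = $null
                Mail      = $null
                MailboxDN = $dn
                Resolved  = $false
            }
        }
    }
}

# Usage ('jdoe' is a placeholder account):
# Get-DelegateBackLinkMailbox -Identity 'jdoe' | Format-Table -AutoSize
```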

0

Thanks for both your replies.

With the way we work MsExchDelegateListBL would be a good option. I've looked at the AD properties in the Adaxes console for users who I know have access to other mailboxes and the information seems to be correct. I've added this attribute into the web console for the helpdesk and, although the heading displays, the values do not. Do I need to do another step?

Thanks again

Carole.
