The script retrieves the members of an Exchange Online shared mailbox — here, the security principals that hold both Full Access and Send As permissions on it, i.e. people who can monitor the mailbox and send mail from it — and saves their distinguished names to a multi-valued attribute with DN syntax, for example See Also (LDAP name seeAlso) or Secretary (LDAP name secretary). This can be used to display shared mailbox members to users. Note that anyone permitted to read that attribute on the mailbox object will then be able to see who holds these rights, so choose an attribute whose read permissions match who should see the membership.
To use the script with Adaxes, you can, for example, create a Scheduled Task that runs the script on a regular basis to keep the stored member lists in sync with changes to mailbox permissions. Scope the task to shared mailboxes: the script only checks that the target is an Office 365 mailbox, not that it is a shared one, so it would populate the attribute on ordinary user mailboxes as well.
See also: Manage shared mailbox members.
Parameter:
- $membersAttribute - specifies the LDAP display name of the attribute used to store the mailbox members. The attribute must be multi-valued and have DN syntax, because the script writes a list of distinguished names to it.
PowerShell
# LDAP display name of the multi-valued, DN-syntax attribute that receives the member DNs.
$membersAttribute = 'seeAlso' # TODO: modify me
<#
.SYNOPSIS
    Writes $value to attribute $property of the object the script runs on and commits the change.
.DESCRIPTION
    The write goes through $Context.TargetObject, so the function only works inside an Adaxes
    script context. The calling script passes $NULL as $value when it wants the attribute cleared.
#>
function UpdateUser($property, $value)
{
    $target = $Context.TargetObject
    $target.Put($property, $value)
    $target.SetInfo()
}
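# The target must be an Office 365 (Exchange Online) mailbox; anything else is skipped with a warning.
# NOTE(review): nothing here verifies that the mailbox is a *shared* mailbox. Run this from a task
# scoped to shared mailboxes only, otherwise trustees of ordinary user mailboxes are written to
# $membersAttribute as well.
if (($Context.TargetObject.RecipientType -ne "ADM_EXCHANGERECIPIENTTYPE_MAILBOXENABLED") -or
    ($Context.TargetObject.RecipientLocation -ne "ADM_EXCHANGERECIPIENTLOCATION_OFFICE365"))
{
    $Context.LogMessage("The user must be mailbox-enabled and located in Office365", "Warning")
    return
}

# Get Exchange properties of the mailbox
$mailboxParams = $Context.TargetObject.GetMailParameters()

# Trustees that hold Send As permissions
$sendAs = $mailboxParams.SendAs

# Trustees that have been granted Full Access
$fullAccess = $mailboxParams.MailboxRights.GetTrusteesGrantedRights("ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS")

# A member must hold BOTH rights. If either list is empty nobody qualifies, so clear the attribute.
if (($sendAs.Count -eq 0) -or ($fullAccess.Length -eq 0))
{
    UpdateUser $membersAttribute $NULL
    return
}

# Collect the SIDs of Send As trustees. Entries without a SID and well-known security principals
# (as classified by Adaxes) are ignored, because they do not represent individual members.
$sendAsSids = New-Object "System.Collections.Generic.HashSet[System.String]"
for ($i = 0; $i -lt $sendAs.Count; $i++)
{
    $trustee = $sendAs.GetItem($i, [ref]"ADS_PROPERTY_NONE")
    $sid = $trustee.ObjectSid
    if ([System.String]::IsNullOrEmpty($sid) -or
        [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($sid))
    {
        continue
    }
    [void]$sendAsSids.Add($sid)
}

# Walk the Full Access trustees and keep only those that also have Send As.
$sharedMailboxMembers = @()
foreach ($trustee in $fullAccess)
{
    $sid = $trustee.ObjectSid
    if ([System.String]::IsNullOrEmpty($sid) -or
        [Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($sid))
    {
        continue
    }

    # Membership requires both rights; Full Access alone is not enough.
    if (-not $sendAsSids.Contains($sid))
    {
        continue
    }

    # Resolve the SID to a directory object so its DN can be stored.
    try
    {
        $member = $Context.BindToObject("Adaxes://<SID=$sid>")
    }
    catch
    {
        # Do not drop the trustee silently: a member that goes missing from the list should be
        # explainable from the task log.
        $Context.LogMessage("Could not resolve trustee with SID $sid, skipping it. Error: $($_.Exception.Message)", "Warning")
        continue
    }

    $sharedMailboxMembers += $member.Get("distinguishedName")
}

# If no trustee held both rights (or none could be resolved), clear the attribute the same way the
# empty-permission branches above do rather than writing an empty array.
if ($sharedMailboxMembers.Count -eq 0)
{
    UpdateUser $membersAttribute $NULL
}
else
{
    UpdateUser $membersAttribute $sharedMailboxMembers
}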