In case someone is looking for a script that works with mailbox permissions like this, here's a small example of what I came up with to help someone check that all mailboxes have the SELF right in the permissions:
#Script to check mailboxes for fullaccess rights for NT AUTHORITY\SELF
#Written by jtedoff@microsoft.com 4/21/2012

$logfile = "c:\selfrightstest.log"
if (test-path $logfile) {remove-item $logfile}

function WriteLog
{
    PARAM($msg)
    END
    {
        Add-Content -Path $logfile -encoding ASCII -value $msg
    }
}

#Modify the next line to narrow the scope of the Get-Mailbox results
#For example, set it to -> $mailboxes = Get-Mailbox -server <servername> -resultsize unlimited <- to only check mailboxes on a particular server
$mailboxes = Get-ExchangeServer | ?{$_.ServerRole -like "*mailbox*"} | Get-Mailbox -resultsize unlimited

WriteLog "Checking for FullAccess rights for NT AUTHORITY\SELF"

$mailboxes | foreach {
    $perms = get-mailboxpermission $_.identity | ?{$_.user -like "NT AUTHORITY\SELF" -and $_.accessrights -like "*fullaccess*"}
    if ($perms) {
        Write-Host "Mailbox for $_" -nonewline
        Write-Host " OK" -foregroundcolor green
    } else {
        $erruser = $_.Identity
        Write-Host "FullAccess right for NT AUTHORITY\SELF not detected on the mailbox for " -foregroundcolor red -nonewline
        Write-Host $_.Identity -foregroundcolor red -backgroundcolor white
        WriteLog "FullAccess right for NT AUTHORITY\SELF not detected on the mailbox for $erruser"
    }
}
Here's an output example where one user doesn't in fact have SELF rights over their mailbox: