In Exchange 2010 and above, permissions are granted based on role group membership or the assignment of assignment policies to end users (i.e. Role-Based Access Control, or RBAC for short). Although using role groups and assignment policies makes it easy to grant permissions to large numbers of users, you may not be aware of who is a member of a role group, or who has been assigned an assignment policy.
This is where the GetEffectiveUsers switch on the Get-ManagementRoleAssignment cmdlet is useful. The GetEffectiveUsers switch is used with the Get-ManagementRoleAssignment cmdlet together with the Role parameter. By specifying this switch with a particular role, the Get-ManagementRoleAssignment cmdlet examines all of the role assignees assigned to the role, such as role groups, assignment policies, and USGs (Universal Security Groups), and lists the members of each.
A simple way to dump all the RBAC permissions, with the necessary fields, to a CSV file that can then be used to evaluate who has permissions where in the environment:
Get-ManagementRoleAssignment -GetEffectiveUsers | Where-Object {$_.Enabled -eq $true} | Select-Object Role, RoleAssigneeName, RoleAssigneeType, RoleAssignmentDelegationType, User, CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, Identity | Export-Csv C:\RBACeffective.csv -NoTypeInformation
We can filter the generated CSV file to get the current information about the role assignments in the organization and use it to determine specific information as needed.
As an example, following is a screenshot where I have filtered to check all the roles assigned to a specific account:
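The filtering shown in the screenshot can also be scripted. The following is an added example, not part of the original post: it reads the CSV produced by the command above (or a small constructed sample if the file is absent, so it runs offline), lists every role one account holds and which assignee grants it, and flags accounts holding built-in roles that warrant review. The account names and the $SensitiveRoles selection are assumptions for this example.

```powershell
# Added example (not from the original post). Analyses the CSV produced by
# Get-ManagementRoleAssignment -GetEffectiveUsers to answer "which accounts
# hold which roles" and to flag roles that deserve periodic review.
# The role names in $SensitiveRoles are built-in Exchange management roles;
# the sample rows below are constructed for this example, not real data.

$SensitiveRoles = @(
    'Mailbox Import Export',    # export/import of any mailbox
    'Mailbox Search',           # cross-mailbox discovery searches
    'ApplicationImpersonation', # act on behalf of any mailbox user
    'Role Management',          # change RBAC itself
    'Unscoped Role Management'  # create unscoped top-level roles
)

# Load the export; fall back to constructed sample rows so the script runs offline.
$csvPath = 'C:\RBACeffective.csv'
if (Test-Path $csvPath) {
    $assignments = Import-Csv $csvPath
} else {
    $assignments = @'
Role,RoleAssigneeName,RoleAssigneeType,User,RecipientWriteScope,ConfigWriteScope
Mail Recipients,Recipient Management,RoleGroup,CONTOSO\helpdesk1,Organization,None
Mailbox Import Export,Discovery Management,RoleGroup,CONTOSO\svc-backup,Organization,None
Role Management,Organization Management,RoleGroup,CONTOSO\exadmin,Organization,OrganizationConfig
'@ | ConvertFrom-Csv
}

# All roles held by one account, with the assignee (group/policy) that grants each.
function Get-RbacUserRoles {
    param([Parameter(Mandatory)][string]$User)
    $assignments | Where-Object { $_.User -eq $User } |
        Select-Object Role, RoleAssigneeName, RoleAssigneeType, RecipientWriteScope, ConfigWriteScope |
        Sort-Object Role
}

# Every account that effectively holds a sensitive role, grouped by role for review.
function Find-SensitiveAssignments {
    $assignments | Where-Object { $SensitiveRoles -contains $_.Role } |
        Group-Object Role | ForEach-Object {
            [pscustomobject]@{
                Role  = $_.Name
                Users = ($_.Group.User | Sort-Object -Unique) -join '; '
                Via   = ($_.Group.RoleAssigneeName | Sort-Object -Unique) -join '; '
            }
        }
}

Get-RbacUserRoles -User 'CONTOSO\exadmin' | Format-Table -AutoSize
Find-SensitiveAssignments | Format-Table -AutoSize
```

Run it in the Exchange Management Shell after the export above has been produced; the Via column shows which role group or assignment policy to adjust if an account should not hold a listed role.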
Hope you found this helpful!
Written by Mohammed Abdul Rafey. Posted by Frank Battiston, MSPFE Editor
I am unable to get this working. Is there any step missing?
Think there might be a smart dash as the first dash above - try retyping it rather than copy/paste?
@Bryan: Should work - Please ensure you are copying the command into Notepad and removing word-wrap before attempting to run it in the Exchange Management Shell. Also, ensure that you have permissions to write in the output folder that you are using to place the CSV file.
Is it possible to share the exact error/failure you are getting?
This is an amazing command! Helps a lot! Thanks a lot Mohammed!
Fantastic script. This should be included in the product.