In Exchange 2010 and above, permissions are granted based on role group membership or the assignment of assignment policies to end users (i.e. Role Based Access Control, or RBAC for short). Although using role groups and assignment policies makes it easy to grant permissions to large numbers of users, you may not be aware of who is a member of a role group, or who has been assigned an assignment policy.
This is where the GetEffectiveUsers switch on the Get-ManagementRoleAssignment cmdlet is useful. The GetEffectiveUsers switch is used with the Get-ManagementRoleAssignment cmdlet when the Role parameter is used. By specifying this switch with a particular role, the Get-ManagementRoleAssignment cmdlet examines all of the role assignees assigned to the role, such as role groups, assignment policies, and USGs (Universal Security Groups), and lists the members of each.
The following command is a simple way to dump all RBAC permissions, with the necessary fields, to a CSV file that can then be used to evaluate who has which permissions in the environment:
Get-ManagementRoleAssignment -GetEffectiveUsers | Where-Object {$_.Enabled -eq $true} | Select-Object Role, RoleAssigneeName, RoleAssigneeType, RoleAssignmentDelegationType, User, CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, Identity | Export-Csv C:\RBACeffective.csv
We can filter the generated CSV file to get the current information about the role assignments in the organization and use it to determine specific information as needed.
As an example, following is a screenshot where I have filtered to check all the roles assigned to a specific account:
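The same filtering can be scripted rather than done by hand in a spreadsheet. The following is an added example, not part of the original post: the sample rows, the account and role group names in them, and the function names are constructed for illustration, and only a subset of the exported columns is used. It goes slightly beyond the single-account filter by also listing roles assigned directly to a user and accounts that hold delegating assignments.

```powershell
# Constructed sample rows standing in for C:\RBACeffective.csv (subset of columns).
$csv = @'
"Role","RoleAssigneeName","RoleAssigneeType","RoleAssignmentDelegationType","User","RecipientWriteScope","ConfigWriteScope"
"Mail Recipients","Organization Management","RoleGroup","Regular","Alice Admin","Organization","OrganizationConfig"
"Role Management","Organization Management","RoleGroup","DelegatingOrgWide","Alice Admin","Organization","OrganizationConfig"
"Mail Recipients","Help Desk Tier 1","RoleGroup","Regular","Bob Helpdesk","Organization","None"
"Mailbox Import Export","Bob Helpdesk","User","Regular","Bob Helpdesk","Organization","OrganizationConfig"
"MyBaseOptions","Default Role Assignment Policy","RoleAssignmentPolicy","Regular","Bob Helpdesk","Self","None"
'@
$rows = $csv | ConvertFrom-Csv
# Against a real export, use instead: $rows = Import-Csv C:\RBACeffective.csv

# Every role one account holds, and the assignee that grants it.
function Get-RbacRolesForUser {
    param([object[]]$Rows, [string]$User)
    $Rows | Where-Object { $_.User -eq $User } |
        Sort-Object Role, RoleAssigneeName |
        Select-Object Role, RoleAssigneeName, RoleAssigneeType, RecipientWriteScope, ConfigWriteScope
}

# Roles assigned straight to a user object, which group-membership reviews miss.
function Get-RbacDirectAssignment {
    param([object[]]$Rows)
    $Rows | Where-Object { $_.RoleAssigneeType -eq 'User' } |
        Select-Object User, Role, RecipientWriteScope, ConfigWriteScope
}

# Accounts holding delegating assignments (able to assign the role to others).
function Get-RbacDelegator {
    param([object[]]$Rows)
    $Rows | Where-Object { $_.RoleAssignmentDelegationType -ne 'Regular' } |
        Group-Object User | ForEach-Object {
            New-Object PSObject -Property @{
                User  = $_.Name
                Roles = ($_.Group | ForEach-Object { $_.Role } | Sort-Object -Unique) -join '; '
            }
        } | Select-Object User, Roles
}

Get-RbacRolesForUser -Rows $rows -User 'Bob Helpdesk' | Format-Table -AutoSize
Get-RbacDirectAssignment -Rows $rows | Format-Table -AutoSize
Get-RbacDelegator -Rows $rows | Format-Table -AutoSize
```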
Hope you found this helpful!
Written by Mohammed Abdul Rafey. Posted by Frank Battiston, MSPFE Editor