How To Quickly Figure Out Who Can Do What in a Microsoft Exchange Organization

How To Quickly Figure Out Who Can Do What in a Microsoft Exchange Organization

  • Comments 6
  • Likes


Summary: This article was contributed by Mohammed Abdul Rafey, a Premier Field Engineer based in Bangalore, India.  He shows us how to take advantage of scripting to quickly zero in on who has the ability to do what in an Exchange organization.

Exchange 2013In Exchange 2010 and above, permissions are granted based on role group membership or the assignment of assignment policies to end users (i.e. Role Based Access Control, or RBAC for short). Although using role groups and assignment policies makes it easy to grant permissions to large numbers of users, you may not be aware of who is a member of a role group, or who has been assigned an assignment policy.

Leveraging the GetEffectiveUsers switch

This is where the GetEffectiveUsers switch on the Get-ManagementRoleAssignment cmdlet is useful. The GetEffectiveUsers switch is used with the Get-ManagementRoleAssignment cmdlet when the Role parameter is used. By specifying this switch with a particular role, the Get-ManagementRoleAssignment cmdlet examines all of the role assignees assigned to the role, such as role groups, assignment policies, and USGs (Universal Security Groups), and lists the members of each.

Cmdlet to dump all RBAC permissions

A simple way to dump all the RBAC permissions with necessary fields to a CSV file which can then be used to evaluate who has permissions where in the environment:

Get-managementroleassignment –geteffectiveusers | where {$_.enabled -eq $true} | select-object Role, RoleAssigneeName, RoleAssigneeType, RoleAssignmentDelegationtype, User, CustomeRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, Identity | export-csv c:\RBACeffective.csv

We can filter the generated CSV file to get the current information about the role assignments in the organization and use it to determine specific information as needed.

Output

As an example, following is a screenshot where I have filtered to check all the roles assigned to a specific account:

clip_image002

Hope you found this helpful!


Written by Mohammed Abdul Rafey.  Posted by Frank Battiston, MSPFE Editor

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • I am unable to get this working. is there any step missing ?

  • Think there might be a smart dash as the first dash above - try retyping it rather than copy/paste?

  • @Bryan: Should work - Please ensure you are copying the command in a notepad and removing word-wrap before attempting to run it Exchange Management Shell. Also, ensure that you have permissions to write in the output folder that you are using to place the csv file.

    Is it possible to share the exact error/failure you are getting?

  • This is amazing command! helps a lot! thanks a lot Mohammed!

  • Fantastic script. this should be included in the product.