I think this script might be helpful for administrators in organizations where sharing of mailbox folders is extensive.  I’ve tested it both in remote PowerShell for Exchange Online, and in Exchange Management Shell for Exchange 2013 SP1.  There are others like it out there, but I like this one for its singularity of purpose . . . just running a read-only “Get” for an entire mailbox’s folder permissions.

The impetus to write it came when one of my customers asked to check some mailboxes to see if a particular user had access to some folders in them.  You may already be aware that in Exchange Management Shell it’s not really possible to run Get-MailboxFolder beyond the scope of the presently logged on user.  So as wonderful as it would be, it’s not possible to feed the output of Get-MailboxFolder to Get-MailboxFolderPermission for other users in the organization.

Nevertheless I knew from other examples that PowerShell would make it possible to take the output of another cmdlet, Get-MailboxFolderStatistics, and reshape it for piping into Get-MailboxFolderPermission.  So I set about writing a script that would take a single user mailbox’s alias as input, enumerate all the folders visible in the mailbox, then run Get-MailboxFolderPermission against that output.

The following is the result of that effort.  I wrote it to display the folders and permissions on screen, and then also write the data to a text file.  I recommend use either as is or modify it for your own purposes as you see fit.

#############################################################################
#
# This script runs Get-MailboxFolderPermission for a valid mailbox specified
# by the user.  It displays the folder-level permissions on screen and also
# dumps them to a text file.
#
# Created by jtedoff@microsoft.com
# Last modified 5/24/2014
#
#############################################################################

# This function collects a mailbox from the user. It checks that the mailbox exists and that the input results in only one mailbox.

Function GetMailbox
{
$mb = Read-Host "Alias of mailbox to retrieve folder permissions?"

$check = Get-Mailbox -Identity $mb -erroraction silentlycontinue
If ($check){
 $chk = $check.count
 If ($chk -and $chk -gt 1){
  Write-Host ""
  Write-Host "Please specify only one mailbox" -ForeGroundColor Yellow
  Write-Host ""
  GetMailbox
  }
  Else {
  Enumerate
  }
 }
 Else {
 Write-Host ""
 Write-Host "This is not a valid mailbox alias, please retry" -ForeGroundColor Red
 Write-Host ""
 GetMailbox
 }
}

# This function runs Get-MailboxFolderStatistics for the mailbox found in GetMailbox. It then takes the output and reformats it for a foreach loop that runs Get-MailboxFolderPermission for each folder path found

Function Enumerate
{
 Write-Host ""
 Write-Host "Analyzing mailbox" $check -ForeGroundColor Green
 Write-Host ""

$file = (".\" + $check.alias + "-" + $check.DisplayName + ".txt")

$mbfs = Get-MailboxFolderStatistics -Identity $check.Identity

$flist = $mbfs.folderpath

$flist | foreach {$chg = $_ -replace "/" , "\"
 $pchg = ($check.alias + ":" + $chg)
 $go = Get-MailboxFolderPermission -Identity $pchg -erroraction silentlycontinue
 If ($go) {
  Write-Host ""  
  Write-Host "Folder permission for" $pchg -ForegroundColor Green
  $pchg | Out-File $file -append
  $go
  $go | Out-File $File -append
 }
 Else {}
 }

}

# After the functions are defined the script calls the first one

GetMailbox

http://blogs.technet.com/b/exchange/archive/2012/06/04/everything-you-need-to-know-about-exchange-backups-part-1.aspx

http://blogs.technet.com/b/exchange/archive/2012/06/14/everything-you-need-to-know-about-exchange-backups-part-2.aspx

http://blogs.technet.com/b/exchange/archive/2012/07/09/everything-you-need-to-know-about-exchange-backups-part-3.aspx

In case someone is looking for a script that works with mailbox permissions like this, here's a small example of what I came up with to help someone check that all mailboxes have the SELF right in the permissions:

#Script to check mailboxes for fullaccess rights for NT AUTHORITY\SELF
#Written by jtedoff@microsoft.com 4/21/2012

$logfile = "c:\selfrightstest.log"
if (test-path $logfile) {remove-item $logfile}

function WriteLog
{
 PARAM($msg)
 END
 {
 Add-Content -Path $logfile -encoding ASCII -value $msg
 }
}

#Modify the next line to narrow the scope of the Get-Mailbox results
#For example, set it to -> $mailboxes = Get-Mailbox -server <servername> -resultsize unlimited <- to only check mailboxes on a particular server

$mailboxes = Get-ExchangeServer | ?{$_.ServerRole -like "*mailbox*"} | Get-Mailbox -resultsize unlimited

WriteLog "Checking for FullAccess rights for NT AUTHORITY\SELF"

$mailboxes | foreach {
 $perms = get-mailboxpermission $_.identity | ?{$_.user -like "NT AUTHORITY\SELF" -and $_.accessrights -like "*fullaccess*"}
 if ($perms) {
  Write-Host "Mailbox for $_" -nonewline
  Write-Host " OK" -foregroundcolor green

   }
 else { $erruser = $_.Identity
  Write-Host "FullAccess right for NT AUTHORITY\SELF not detected on the mailbox for " -foregroundcolor red -nonewline
  Write-Host $_.Identity -foregroundcolor red -backgroundcolor white
  WriteLog "FullAccess right for NT AUTHORITY\SELF not detected on the mailbox for $erruser"
  }
 }

Here's an output example where one user doesn't in fact have SELF rights over their mailbox:

http://blogs.technet.com/b/exchange/archive/2012/01/23/recurring-meeting-requests-with-conflicting-instances-2-the-power-of-delegates.aspx

http://blogs.technet.com/b/exchange/archive/2011/02/07/3411956.aspx