PowerShell, clean up full access permissions on Microsoft Exchange mailboxes

Periodically, it has been necessary to clean up mailbox permissions across a Microsoft Exchange server or Exchange organization. Sometimes other IT administrators, myself included, have forgotten to remove self-applied permissions in the heat of providing employee support. Two tasks have helped: an inventory of existing full access and selective bulk removal.

A. Inventory all the mailboxes on which accounts hold full access permissions.

This will provide an export in CSV format to sort against for review.

1. Launch the Exchange Management Shell as administrator with appropriate Exchange Organization or Exchange Server permissions.

2. Create a local folder for exports (e.g. C:\garzafx\).

3. Export the permissions on every mailbox to a CSV file for Excel as follows (add a file name for the CSV to the end of the export path):

Get-Mailbox -Server "myemailserver" | Get-MailboxPermission | Export-Csv c:\garzafx\

NOTE: If you haven’t already created your own folder for exports on your system, please do so to avoid any inadvertent errors.
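The following is an added example, not code from the original post. It narrows the inventory to the rows worth reviewing: explicit, non-inherited, allow-type FullAccess grants held by an account other than the mailbox owner. The helper names and the sample rows are constructed assumptions, and the syntax is kept compatible with older Exchange Management Shell versions.

```powershell
# Hypothetical helper: keep only explicit FullAccess grants to non-owner accounts.
# Accepts live Get-MailboxPermission objects or rows read back with Import-Csv.
function Select-ExplicitFullAccess {
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)] $Permission)
    process {
        # AccessRights is a collection on live objects and a string after Import-Csv;
        # normalise both to an array of right names.
        $rights = @($Permission.AccessRights | ForEach-Object { "$_" -split '\s*,\s*' })
        # Import-Csv returns strings, so compare the booleans as text.
        $inherited = "$($Permission.IsInherited)" -eq 'True'
        $deny      = "$($Permission.Deny)" -eq 'True'
        $user      = "$($Permission.User)"

        if ($rights -notcontains 'FullAccess') { return }
        if ($inherited -or $deny)              { return }
        if ($user -eq 'NT AUTHORITY\SELF')     { return }  # the owner's own entry

        # Join AccessRights so Export-Csv writes the values, not the array's type name.
        New-Object PSObject -Property @{
            Mailbox      = "$($Permission.Identity)"
            User         = $user
            AccessRights = ($rights -join ', ')
        } | Select-Object Mailbox, User, AccessRights
    }
}

# Constructed sample rows shaped like Get-MailboxPermission output.
function New-SampleRow($Identity, $User, $Rights, $Inherited) {
    New-Object PSObject -Property @{
        Identity = $Identity; User = $User; AccessRights = $Rights
        IsInherited = $Inherited; Deny = $false
    }
}
$sample = @(
    New-SampleRow 'Dallas' 'NT AUTHORITY\SELF'      @('FullAccess','ReadPermission') $false
    New-SampleRow 'Dallas' 'weyland\ellen.ripley'   @('FullAccess')                  $false
    New-SampleRow 'Kane'   'weyland\ellen.ripley'   @('FullAccess')                  $false
    New-SampleRow 'Kane'   'weyland\Exchange Admins' @('FullAccess')                 $true
    New-SampleRow 'Kane'   'weyland\ash'            @('ReadPermission')              $false
)

# In the Exchange Management Shell, replace $sample with:
#   Get-Mailbox -Server "myemailserver" | Get-MailboxPermission
$review = $sample | Select-ExplicitFullAccess

# Rows to review, then a count of grants per account (largest first).
$review | Sort-Object User, Mailbox | Format-Table -AutoSize | Out-String
$review | Group-Object User | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize | Out-String
```

To keep the filtered list for review, pipe `$review` to Export-Csv with -NoTypeInformation and your own file path.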

B. Selective account removal

Now that you have the accounts to search against, you can create a Get-Content script or just keep it simple with the following:

4. Get-Mailbox | Remove-MailboxPermission -AccessRights FullAccess -User "weyland\ellen.ripley"

IMPORTANT: For Send-As permissions, you will have to employ Get-ADPermission.


More Information On Exchange: http://www.msexchange.org/

More on PowerShell: http://blogs.technet.com/b/heyscriptingguy/
