[On-prem Exchange] FullAccess & SendAs Script - specific requirement (User in OU)

Copper Contributor

Hi all,


I'm looking for a script using Exchange 2019 that gives me a report of Full Access mailboxes where all the "users" (accessors) are in a specific OU (e.g. Leavers OU).

Purpose: when a user leaves the organisation, their AD account is disabled and placed into the "Leavers" OU. Over the years no one has really managed the permissions for these accounts (e.g. what mailboxes they have Full Access or Send As permissions on). As we have years of SID accounts, I want to take an active approach where every month I have a report in my inbox with all mailboxes/AD accounts in the Leavers OU which have FA/SA permissions on other mailboxes so we can manually investigate/remove these permissions.
The "Identity" is the mailbox being accessed (this is any mailbox in the whole organisation), but the "User" who is accessing "Identity" must be from my specific "Leavers OU", e.g. the script will be something like where "User" OU = LeaversOU.domain.com.
I know it's easier to use Get-MailboxPermission or Get-ADPermission where Identity is in a specific OU, but I'm having difficulty getting a script where the OU of the "User" is a specific OU.
I'd like the script to export the results to a CSV (I'll later schedule it).
The CSV/report should give 3 columns: Identity (mailbox being accessed), User (the user accessing the mailbox), AccessRights (the Full Access).
So far... this is what I've tried, but with no luck; I played around with variables but I'm not getting what I want. I think I need to combine multiple cmdlets, e.g. Get-Mailbox or Get-Recipient, then capture all mailboxes where they're in the Leavers OU, and then use the reserved output of that to look for any "users" in Get-MailboxPermission.
$OUToExport = "domain.net/Users/Leavers"
$CSVPath = "C:\Path\to\output.csv"
$Mailboxes = Get-Mailbox -ResultSize Unlimited -OrganizationalUnit "domain.net/UK/Users"
$FilteredPermissions = foreach ($Mailbox in $Mailboxes) {
    # Get-ADPermission -User expects a single principal, not an OU path with a wildcard,
    # so collect the explicit Send-As grants and test each grantee's OU afterwards.
    $Permissions = Get-ADPermission -Identity $Mailbox.DistinguishedName -ErrorAction SilentlyContinue |
        Where-Object { $_.ExtendedRights -like "Send-As" -and -not $_.IsInherited -and -not $_.Deny }
    foreach ($Perm in $Permissions) {
        # $Perm.User is "DOMAIN\account"; resolve it to read the account's OU
        $Grantee = Get-User -Identity $Perm.User.ToString() -ErrorAction SilentlyContinue
        if ($Grantee -and $Grantee.OrganizationalUnit -eq $OUToExport) {
            [PSCustomObject]@{ Identity = $Mailbox.Identity; User = $Perm.User.ToString(); AccessRights = "Send-As" }
        }
    }
}
$FilteredPermissions | Export-Csv -Path $CSVPath -NoTypeInformation



I think the problem with my script is that get-mailboxpermissions doesn't like the where-object -like "*"  cmd.


Couldn't find anything close online either, hence why I tried creating my script, but no luck.


thanks in advance!
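One way to produce the three-column report described above, covering both Full Access and Send-As in one pass. This is an added example, not code from the original post; it assumes the Exchange Management Shell on Exchange 2019, a single AD domain (so the "DOMAIN\account" part of each ACE can be reduced to the sAMAccountName), and placeholder values for the Leavers OU and output path.

```powershell
# Added example: report FullAccess and Send-As grants held by accounts in the Leavers OU.
# Assumptions: Exchange Management Shell (Get-User/Get-Mailbox/Get-MailboxPermission/Get-ADPermission),
# a single AD domain, and placeholder paths below.
$LeaversOU = "domain.net/Users/Leavers"   # placeholder: Leavers OU in canonical form
$CSVPath   = "C:\Path\to\output.csv"      # placeholder: report output path

# Build a case-insensitive lookup of every account in the OU once, instead of
# resolving each ACE's grantee with a directory call inside the mailbox loop.
$Leavers = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
Get-User -OrganizationalUnit $LeaversOU -ResultSize Unlimited |
    ForEach-Object { [void]$Leavers.Add($_.SamAccountName) }

# ACE "User" values look like "DOMAIN\account"; keep only the account part.
# Grantees whose account was deleted show up as raw SIDs ("S-1-5-...") and never match,
# which is expected: this report is about accounts that still exist in the Leavers OU.
function Get-AccountName([string]$Principal) { ($Principal -split '\\')[-1] }

$Report = foreach ($Mailbox in Get-Mailbox -ResultSize Unlimited) {
    # Full Access: explicit, non-deny, non-inherited grants only (drops SELF and system ACEs).
    Get-MailboxPermission -Identity $Mailbox.DistinguishedName -ErrorAction SilentlyContinue |
        Where-Object {
            $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and -not $_.Deny -and
            $Leavers.Contains((Get-AccountName $_.User.ToString()))
        } |
        ForEach-Object {
            [PSCustomObject]@{ Identity = $Mailbox.Identity; User = $_.User.ToString(); AccessRights = 'FullAccess' }
        }

    # Send-As is an extended right on the AD object, so it comes from Get-ADPermission.
    Get-ADPermission -Identity $Mailbox.DistinguishedName -ErrorAction SilentlyContinue |
        Where-Object {
            $_.ExtendedRights -like 'Send-As' -and -not $_.IsInherited -and -not $_.Deny -and
            $Leavers.Contains((Get-AccountName $_.User.ToString()))
        } |
        ForEach-Object {
            [PSCustomObject]@{ Identity = $Mailbox.Identity; User = $_.User.ToString(); AccessRights = 'Send-As' }
        }
}

$Report | Sort-Object Identity, User | Export-Csv -Path $CSVPath -NoTypeInformation -Encoding UTF8
```

Scheduled monthly, the resulting CSV lists each mailbox a leaver can still open or send as, so each row can be reviewed and the grant removed with Remove-MailboxPermission or Remove-ADPermission.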


0 Replies