
Exchange 2007 calendar, contact permissions and Get-MailboxPermission


spacemancw

Jul 10, 2008, 12:03:30 PM
I have a Disaster Recovery replica of my Exchange 2007 server built.
Basically it is just a copy of production in a separate place. Has the
same hostname, same domain name etc.

Production box goes down, we bring up the DR box.

Anyway my issue is on the production box. We test the DR box
periodically. We export permissions on mailboxes and public folders
from production and have them ready to import to DR.
To make things complicated, PFDAVADMIN fails to connect to production,
so I have to have an alternative way to export permissions.

I use this command:
Get-mailbox -resultsize:unlimited | Get-MailboxPermission | fl >D:\priv.txt

One of the users, sjones, says she should have access to another
user's calendar and contacts in DR, we'll call him John Doe.

When I run Get-mailbox -resultsize:unlimited | Get-MailboxPermission | fl
I see that sjones only has rights to Catherine Smith and John Smith
but not John Doe. Below is a snippet of the output with the only two
mentions of sjones.

Another engineer has confirmed that from her Outlook in production,
she has access to "calendar, contacts and a few folders in his
mailbox".

Am I exporting the correct permissions here? Is there another command
I need to use to export these permissions? I see
Get-MailboxCalendarSettings. Not sure how that applies.

Basically I want to export all user mailbox, contacts, tasks and
calendar permissions using this method.

I seem to be able to successfully do the public folders with:
get-publicfolder \ -recurse -resultsize:unlimited | Get-PublicFolderClientPermission |fl > D:\pub.txt

*** Results snippet from Get-mailbox -resultsize:unlimited | Get-MailboxPermission | fl ***
AccessRights : {FullAccess, DeleteItem}
Deny : False
InheritanceType : All
User : MYDOMAIN\sjones
Identity : mydomain.local/users/Catherine Smith
IsInherited : False
IsValid : True
ObjectState : Unchanged

AccessRights : {FullAccess}
Deny : False
InheritanceType : All
User : MYDOMAIN\sjone
Identity : mydomain.local/users/John Smith
IsInherited : False
IsValid : True
ObjectState : Unchanged

Jamestechman

Jul 10, 2008, 5:05:22 PM
No direct way to get MAPI permissions from the shell; must use an API. Here
is a sample. If you're looking for a method to export and quickly
import, there is no quick, easy method other than scripting it. The
script below will get MAPI permissions using CDO; however, it looks like
he may have an updated one using native 2007 EWS. Ping him for it.

Reverse Permissions Audit Scripts Part 2
http://gsexdev.blogspot.com/2005/06/reverse-permissions-audit-scripts-part.html

James Chong (MVP)
MCITP | EMA; MCSE | M+, S+,
Security+, Project+, ITIL
msexchangetips.blogspot.com
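
Added example, not written by either poster: the mailbox-level export from the first post, written to CSV instead of "fl" text so it can be filtered for one account and replayed on the DR server. It uses only Get-MailboxPermission, so it records mailbox-level rights such as FullAccess and not the folder-level MAPI rights (calendar, contacts) that the reply says need CDO or EWS; the D:\priv.csv path is an assumption.

```powershell
# Added example; run in the Exchange Management Shell.
# Assumed path, chosen to sit next to the thread's D:\priv.txt.
$exportPath = 'D:\priv.csv'

# Export: one CSV row per explicit (non-inherited) mailbox-level entry.
# AccessRights is an array, so it is flattened to "FullAccess,DeleteItem".
Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object { -not $_.IsInherited -and $_.User.ToString() -ne 'NT AUTHORITY\SELF' } |
    Select-Object Identity, User, Deny,
        @{ Name = 'AccessRights'; Expression = { [string]::Join(',', $_.AccessRights) } } |
    Export-Csv -Path $exportPath -NoTypeInformation

# Audit: list the mailboxes on which one account holds rights.
# "sjones" is the example user from the thread.
Import-Csv -Path $exportPath |
    Where-Object { $_.User -like '*\sjones' } |
    Format-Table Identity, AccessRights, Deny -AutoSize

# Import on the DR server: replay each row.
# -WhatIf only reports what would be changed; remove it after reviewing the output.
Import-Csv -Path $exportPath | ForEach-Object {
    $rights = $_.AccessRights.Split(',')
    Add-MailboxPermission -Identity $_.Identity -User $_.User `
        -AccessRights $rights -Deny:($_.Deny -eq 'True') -WhatIf
}
```

An account that appears in Outlook with calendar or contacts access but has no row in this CSV holds folder-level rights only, which this export does not capture.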
