Reporting on Exchange Mailbox Calendar Accesses with CSV output RRS feed

  • Question

  • Greetings

    I have searched high and low for an answer or example to solve this, but I fail. 
    Hopefully you wise folks can help us.

    We have a need to generate a simple report of all exchange mailboxes within a specific OU where users, other than the mailbox owner, have access to calendars and what type of access.  This request came from management and they are insistent that it be delivered and be accurate.  HR is involved, so I can only imagine the circumstances.

    Basically the output we seek is a CSV report with the following:

    mailbox, user, accesses

    We have a working script, but it has thrown us a subtle problem. 
    The user information delivered by our current script is the display name of the user. 
    We would like the DN or CN or SamID of the user to ensure we have the exact user account.

    Here is the script we have so far:

    Get-Mailbox -ResultSize Unlimited -OrganizationalUnit "our.domain/MAILPROV/OurOU" | foreach {Get-MailboxFolderPermission -Identity "$($_.alias):\Calendar" | where {$_.User -notlike "Anonymous" -and $_.User -notlike "Default"}} | select Identity,User,@{name='AccessRights';expression={$_.AccessRights -join ','}} | export-csv 'c:\script_output\allmbxcalaccesses.csv' –notype

    It looks correct, but we would prefer to have the user represented as a DN, CN, or SamID so we can guarantee exactly which account is involved.  If we have an orphaned situation, the dead SID is expected and acceptable so we can fix those situations.

    Any constructive guidance is very much appreciated.

    Thank you for all that you guys do.  The amount of information I get from this forum has been tremendous for me and my team over the years and we hope to be able to contribute something to the effort someday when we get more savvy at this scripting stuff.


    - AQ

    • Moved by Bill_Stewart Tuesday, December 11, 2018 8:39 PM Abandoned
    Thursday, April 12, 2018 5:03 PM

All replies

  • I assume from your question, you want to know who has rights, not whose mailbox the rights are set against, right?  If so, you should be able to run "Get-User" with the SID to get a returned account.  In your loop, you could put take the User parameter of the permissions and do this work, then use that in your Select statement to output the domain\name or SID (if not available) into your CSV.  I'll add that I recommend using a different character than a comma as your delimiter for the AccessRights field - after all, you're putting the data into a CSV, and having extra commas in a CSV can only mess things up.

    Will Martin ...
    -join ('77696c6c406d617274696e2d66616d696c6965732e6f7267' -split '(?<=\G.{2})' | ? { $_ } | % { [char][int]"0x$_" })

    Thursday, April 12, 2018 8:08 PM
  • Thanks for the input Will.

    What we are seeing is the output is not giving us a SID.  It is giving us just the display name of each user represented.

    The only time we see a SID is when the script can't connect the user object represented in the calendar permissions to an existing user account in the domain, thus a dead SID.  Which we kinda expected dead SIDS and have started to clean them up.

    What we simply want the output to do is give us the DN, CN, or SamID instead of the darned display name.

    BTW, the output of the script is CSV with quoted fields, so it works well enough for further processing/parsing.

    I'll try to gen up an example output (replacing names of the innocent) to give you all a rough idea of what the raw output looks like (if you have not tried the script yourselves). 

    It is at the end of my day here at work, gotta commute!!  Will try to post something tomorrow AM.


    - AQ

    Thursday, April 12, 2018 8:31 PM
  • Ah, so it's giving the display name and you want the DN.  You use the same logic I gave for the previous. only instead of pulling the user information using the SID, you pull the information using the display name.  It works the same way.

    Will Martin ...
    -join ('77696c6c406d617274696e2d66616d696c6965732e6f7267' -split '(?<=\G.{2})' | ? { $_ } | % { [char][int]"0x$_" })

    Monday, June 4, 2018 6:06 PM