It uses Get-Mailbox to get all the mailboxes in your org and then it uses the EWS Managed API to connect to each mailbox and query the delegates. It then produces a CSV file that looks like
If you want to understand how it works, have a read of the How To Series posts; hopefully you should then be able to work out how to customize it for your own environment. The script as posted uses EWS Impersonation, so the account that runs it needs impersonation rights granted through RBAC.
If you want to customize which mailboxes it reports on, just change the Get-Mailbox line:

```powershell
Get-Mailbox -ResultSize Unlimited | ForEach-Object{
```

For example, if you want to limit the check to only one server you could use:

```powershell
Get-Mailbox -ResultSize Unlimited -Server servernameblah | ForEach-Object{
```

You could do something similar with other filter properties such as Database or OU.
I've posted a downloadable copy of the script here; the script itself looks like this:
```powershell
## EWS Managed API Connect Module Script written by Glen Scales
## Requires the EWS Managed API and PowerShell V2.0 or greater
$rptArray = New-Object System.Collections.ArrayList

## Load Managed API dll
Add-Type -Path "C:\Program Files\Microsoft\Exchange\Web Services\1.1\Microsoft.Exchange.WebServices.dll"

## Set Exchange Version
$ExchangeVersion = [Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2010_SP1

## Create Exchange Service Object
$service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService($ExchangeVersion)

## Set Credentials to use. Two options are available: Option 1 uses explicit credentials, Option 2 uses the default (logged on) credentials
# Credentials Option 1 using UPN for the Windows account
$psCred = Get-Credential
$creds = New-Object System.Net.NetworkCredential($psCred.UserName.ToString(),$psCred.GetNetworkCredential().password.ToString())
$service.Credentials = $creds
# Credentials Option 2
#$service.UseDefaultCredentials = $true

## Choose to ignore any SSL warning issues caused by self-signed certificates
## Note: this turns off certificate validation for every HTTPS request made from this PowerShell session;
## remove the line when the CAS presents a certificate the client trusts
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

## Helper that converts a "(n bytes)" size string to MB (not used by this report)
function CovertBitValue($String){
    $numItempattern = '(?=\().*(?=bytes)'
    $matchedItemsNumber = [regex]::matches($String, $numItempattern)
    $Mb = [INT64]$matchedItemsNumber[0].Value.Replace("(","").Replace(",","")
    return [math]::round($Mb/1048576,0)
}

Get-Mailbox -ResultSize Unlimited | ForEach-Object{
    $MailboxName = $_.PrimarySMTPAddress.ToString()
    "Processing Mailbox : " + $MailboxName
    if($service.url -eq $null){
        ## Set the URL of the CAS (Client Access Server) to use. Two options are available: use Autodiscover to find the CAS URL, or hardcode the CAS to use
        # CAS URL Option 1 Autodiscover
        # The {$true} callback accepts any Autodiscover redirection URL without checking it
        $service.AutodiscoverUrl($MailboxName,{$true})
        "Using CAS Server : " + $Service.url

        # CAS URL Option 2 Hardcoded
        #$uri=[system.URI] "https://casservername/ews/exchange.asmx"
        #$service.Url = $uri
    }
    ## Impersonate the mailbox owner, then read that mailbox's delegates with their folder permissions
    $service.ImpersonatedUserId = new-object Microsoft.Exchange.WebServices.Data.ImpersonatedUserId([Microsoft.Exchange.WebServices.Data.ConnectingIdType]::SmtpAddress, $MailboxName)
    $delegates = $service.getdelegates($MailboxName,$true)
    foreach($Delegate in $delegates.DelegateUserResponses){
        ## One report row per delegate/mailbox pair
        $rptObj = "" | select Delegate,Mailbox,Inbox,Calendar,Contacts,Tasks,Notes,Journal,MeetingMessages,ViewPrivateItems
        $rptObj.Mailbox = $MailboxName
        $rptObj.Delegate = $Delegate.DelegateUser.UserId.PrimarySmtpAddress
        $rptObj.Inbox = $Delegate.DelegateUser.Permissions.InboxFolderPermissionLevel
        $rptObj.Calendar = $Delegate.DelegateUser.Permissions.CalendarFolderPermissionLevel
        $rptObj.Contacts = $Delegate.DelegateUser.Permissions.ContactsFolderPermissionLevel
        $rptObj.Tasks = $Delegate.DelegateUser.Permissions.TasksFolderPermissionLevel
        $rptObj.Notes = $Delegate.DelegateUser.Permissions.NotesFolderPermissionLevel
        $rptObj.Journal = $Delegate.DelegateUser.Permissions.JournalFolderPermissionLevel
        $rptObj.ViewPrivateItems = $Delegate.DelegateUser.ViewPrivateItems
        $rptObj.MeetingMessages = $Delegate.DelegateUser.ReceiveCopiesOfMeetingMessages
        [Void]$rptArray.Add($rptObj)
    }
}

## Sort by delegate so each delegate's mailboxes are listed together, then export
$rptArray | Sort-Object Delegate | Export-Csv -Path c:\temp\ReverseDelegateReport.csv -NoTypeInformation
```
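Once the CSV exists, it can be reviewed for the delegations that give the widest mailbox access. The following is an added example, not part of the original script: the function name `Get-DelegateFinding`, the fan-out threshold and the sample rows are assumptions constructed for illustration, and the syntax is kept compatible with PowerShell V2.0.

```powershell
# Constructed sample rows using the same columns the report script exports
$sample = @"
Delegate,Mailbox,Inbox,Calendar,Contacts,Tasks,Notes,Journal,MeetingMessages,ViewPrivateItems
pa@example.com,ceo@example.com,Editor,Editor,None,None,None,None,True,True
pa@example.com,cfo@example.com,Reviewer,Editor,None,None,None,None,True,False
pa@example.com,cio@example.com,None,Reviewer,None,None,None,None,False,False
temp@example.com,hr@example.com,Author,None,None,None,None,None,False,True
,legal@example.com,Editor,Editor,None,None,None,None,False,False
"@ | ConvertFrom-Csv

# Hypothetical helper: returns one row per delegation that deserves a manual review
function Get-DelegateFinding {
    param([object[]]$Rows, [int]$FanOut = 3)

    # Number of distinct mailboxes each delegate holds rights on
    $reach = @{}
    $Rows | Where-Object { $_.Delegate } | Group-Object Delegate | ForEach-Object {
        $reach[$_.Name] = @($_.Group | Select-Object -ExpandProperty Mailbox -Unique).Count
    }

    foreach ($row in $Rows) {
        $reasons = @()
        # Blank Delegate column: the entry carried no SMTP address, check it by hand
        if (-not $row.Delegate) { $reasons += 'NoDelegateAddress' }
        # Author and Editor let the delegate create items in the owner's Inbox
        if (@('Author','Editor') -contains $row.Inbox) { $reasons += "Inbox=$($row.Inbox)" }
        # Export-Csv writes booleans as the strings True/False
        if ($row.ViewPrivateItems -eq 'True') { $reasons += 'ViewPrivateItems' }
        # One delegate with rights on many mailboxes
        if ($row.Delegate -and $reach[$row.Delegate] -ge $FanOut) {
            $reasons += "Mailboxes=$($reach[$row.Delegate])"
        }
        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                Delegate = $row.Delegate
                Mailbox  = $row.Mailbox
                Reasons  = ($reasons -join ';')
            } | Select-Object Delegate, Mailbox, Reasons
        }
    }
}

Get-DelegateFinding -Rows $sample | Sort-Object Delegate | Format-Table -AutoSize

# Against the real report:
# Get-DelegateFinding -Rows (Import-Csv C:\temp\ReverseDelegateReport.csv)
```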
3 comments:
Hi Glen. Pretty impressed with your skill level here in scripts and ideas. I am having trouble making this script work. Are there any special permissions one needs to run this? I had to change the path that points to the Microsoft.Exchange.WebServices.dll file, and each time it's reporting an error as below. I don't have full domain admin rights unfortunately, only Local Account Operators, but I also belong to the Organization Management group as well.
I added the lines below to get around lack of permissions but to no avail.
#$WarningPreference='silentlycontinue'
#$ErrorActionPreference = 'SilentlyContinue'
The error received is as below.
Processing Mailbox : user@domain.com
Using CAS Server : https://server.domain.com/EWS/Exchange.asmx
ForEach-Object : Exception calling "GetDelegates" with "3" argument(s): "The account does not have permission to impers
onate the requested user."
At C:\admin\scripts\delegateews.ps1:40 char:77
+ Get-Mailbox user@domain.com -ResultSize Unlimited | ForEach-Object <<<< {
+ CategoryInfo : NotSpecified: (:) [ForEach-Object], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException,Microsoft.PowerShell.Commands.ForEachObjectCommand
Can you please assist?
Thanks
Michael.
The script requires the user you're using to have impersonation rights granted through RBAC; see http://msdn.microsoft.com/en-us/library/bb204095(v=exchg.140).aspx
Cheers
Glen
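The RBAC grant mentioned in the reply above, shown as an added example that is not part of the original post or comments: it contrasts an unscoped impersonation assignment with one limited by a management scope, then lists who holds the role. The account, scope and assignment names and the recipient filter are assumed placeholders; the filter has to cover the same mailboxes the report's Get-Mailbox line returns.

```powershell
# Run in the Exchange Management Shell. All names below are assumed placeholders.
$account = 'svc-delegate-report'          # hypothetical account that runs the report
$scope   = 'DelegateReportScope'          # hypothetical management scope name
$assign  = 'DelegateReportImpersonation'  # hypothetical role assignment name

# Unscoped form (left commented out): the account could impersonate every mailbox
# New-ManagementRoleAssignment -Name $assign -Role ApplicationImpersonation -User $account

# Scoped form: impersonation is limited to recipients matching the filter.
# With this filter the report should enumerate the same set, for example
# Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
New-ManagementScope -Name $scope -RecipientRestrictionFilter "RecipientTypeDetails -eq 'UserMailbox'"
New-ManagementRoleAssignment -Name $assign -Role ApplicationImpersonation -User $account -CustomRecipientWriteScope $scope

# Review every principal that currently holds impersonation rights
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Select-Object Name, RoleAssigneeName, EffectiveUserName, CustomRecipientWriteScope

# Remove the grant again once the report has been produced
Remove-ManagementRoleAssignment -Identity $assign -Confirm:$false
Remove-ManagementScope -Identity $scope -Confirm:$false
```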
Hi Glen
I am trying to get this to work on my server and I am getting 2 errors at the end.
Unexpected token 'in' in expression or statement.
+ CategoryInfo :
+ FullyQualifiedErrorId : UnexpectedToken
Otherwise the script runs clean. I do not get any output either.
I am using the 2.0 version of the EWS API so I changed the line in the script to reflect that.
I am not great at scripting so perhaps I am not executing this right.
As far as I can see there is no other script or packaged report out there that does this type of report and would very much like to make this work.
If you can please let me know if you can help me.
Frank