Removing Orphaned Populated msExchangeDelegateLinkList and msExchangeDelegateLinkListBL Automapping Attributes

By Ace Fekay
Published 5/11/2017
Revamped 3/31/2018 – Added the option to selectively remove BLs without removing FullAccess permissions to the shared mailbox

Scope

How to remove a shared mailbox that keeps showing up in your Outlook profile that you’ve been removed as a delegate.

This shows how to remove the mailbox permissions and to re-add, and I just added how to simply just remove the backlinks WITHOUT removing FullAccess permissions. The users in this case, must re-add the mailbox in Outlook once it disappears from their profile.

Automapping

Automapping is an Autodiscover feature that was added to Exchange 2010 SP1 and newer, that allows Outlook to automatically add a delegated mailbox without additional tasks.

Autodiscover looks at the mailbox owner’s AD account for an attribute called the MSExchDelegateListLink attribute.

When you use the EAC or PowerShell to delegate permissions to a shared mailbox or to another user, Exchange will automatically set the Automapping feature to $True. In PowerShell you can disable this, but not in the EAC.

This feature populates the MSExchDelegateListLink attribute on the shared or delegated mailbox with the user accounts that will be Automapped, and vice-versa, it also populates the MSExchDelegateLinkListBL attribute on the user account. I look at this as the “back link” to the shared mailbox.

These two attributes are one of  nine (9) links and backlinks that exist. Here’s a list of all links and backlinks in AD and more specifics can be found at the following link:
http://www.neroblanco.co.uk/2015/07/links-and-backlinks-in-active-directory-for-exchange/

Outlook, Autodiscover, and those attributes

When Outlook fires up, and while running, part of what Autodiscover process performs is it will check these two attributes to determine if there are any shared mailboxes that must be automatically added to the Outlook profile. In some cases using a managed process for shared mailboxes, we may want this feature disabled so the shared mailbox does not get automatically added.

Orphaned Backlink is still populated and the mailbox still shows up in Outlook

If the user was previously delegated to a shared mailbox, then the delegated per,missions were removed, but for some reason, perhaps replication or corruption, or some other unforeseen factor (large environments fall under this category), the shared mailbox still shows up and you can’t get rid of it, and further, since you no longer have permissions, you can’t open it. This will cause the shared or delegated mailbox to still show up in Outlook. But you can clearly see in EAC or running a get-mailboxpermission that the user is no longer delegated.

Example of an account with the msExchDelegateLinkListBL still populated:

image

How to remove it?

First, establish your PowerShell session to Exchange OnPrem or your Office 365 tenant. If unsure how, see this:
http://blogs.msmvps.com/acefekay/2017/05/11/establishing-a-powershell-session-to-your-office-365-tenant-or-onprem-exchange/

Determine, if any, links or backlinks exist on the shared mailbox:

Get-ADUser “SharedMailboxDisplayName” -Properties msExchDelegateListLink | Select-object -ExpandProperty msExchDelegateListLink

If any show up, you’ll see their sAMAccountNames. If you don’t know who the sAMAccountNames are and you want to see their displayNames, run the following (this command works for DNs, too):

For one account:
get-aduser sAMAccountName -Properties displayName,mail  | ft Name, DisplayName, mail -A

For a list of accounts in a text file:
get-content c:\temp\names.txt | get-aduser -Properties displayName,mail  | ft Name, DisplayName, mail –A

 

Then remove the msexchDelegateLinkListBL orphaned backlink and FullAccess permissions to the shared mailbox

Note: I’m using the shared mailbox’s displayName. This will also work using the sAMAaccountName or the primary email address.

For one account:
Remove-MailboxPermission “SharedMailboxDisplayName” -user $_ –AccessRights FullAccess -Confirm:$false

For a list of accounts in a text file:
get-content c:\temp\ace\userIDs\users.txt | foreach {Remove-MailboxPermission “SharedMailboxDisplayName”  -user $_ –AccessRights FullAccess -Confirm:$false}

Then if needed, delegate the shared mailbox again & disabling Automapping

Delegate Ace to a shared mailbox:
Add-MailboxPermission “Shared Mailbox Name or email address” -User AceFekay@contoso.com -AccessRights FullAccess -AutoMapping:$false

To just remove the backlink WITHOUT removing permissions

Note, using this method, the shared mailbox will automatically disappear from the Outlook profile. As soon as it does, you must manually re-add the shared mailbox either under the user account properties, where the permissions are proxied through the user account, which is the same as if it were Automapped, or as a separate account, which provides better features including sent and deleted items go into the shared mailbox itself instead of the mailbox owner under an automapped account or added under the user account.

To remove all BLs all at once:

#########################################################
#Remove the MSExchDelegateListBL from an account

$userToClean = “I061859”
  $userDN = Get-ADUser $userToClean | select -ExpandProperty DistinguishedName
  $delegates = Get-ADUser $userToClean -Properties msExchDelegateListBL |  select -ExpandProperty msExchDelegateListBL
  Write-Host “======================================================”
  write-host “List of Delegated accounts that are backlinked:” $Delegates
  Write-Host “======================================================”
  foreach ($delegate in $delegates) {
  Set-ADUser $delegate -Remove @{msExchDelegateListLink = “$UserDN”}
  }
  Write-Host “======================================================”
  Write-Host “If the following get-aduser cmdlet searching for backlinds is empty, then all delegated backlinks have been removed”
  Get-ADUser $user -Properties msExchDelegateListBL |  select -ExpandProperty msExchDelegateListBL
  Write-Host “======================================================”

To remove specific BLs one at a time:

# 1. Find the list of users in a shared mailbox that have been backlinked.
#    Note, as said, this is only for removing users that have requested it, unless you are working on removing all, which use the above

$SharedMailboxOrUserDisplayName = “Shared Mailbox Display Name”
$SharedMailboxOrUser = (get-recipient “$SharedMailboxOrUserDisplayName”).name
Write-Host “======================================================”
Write-host “Shared Mailbox sAMAccountName:” $sharedMailboxorUser
Write-host “List of Users (or ‘Delegates’) that currently have Backlinks on Shared mailbox ‘$sharedMailboxorUser’ :”
Get-ADUser $SharedMailboxOrUser  -Properties msExchDelegateListLink | Select-object -ExpandProperty msExchDelegateListLink | get-aduser -Properties displayName,mail  | ft Name,DisplayName,mail -A
write-host “======================================================”

# 2. Then enter the user account name from the above list that you want to remove, and then find the user’s DN:
  $UserToClean = “User sAMAccountName”
  $userToCleanDisplayName = (get-recipient $UserToClean).displayName
  $userDN = Get-ADUser $UserToClean | select -ExpandProperty DistinguishedName
  Write-Host “The DN of ‘$userToCleanDisplayName’ ($UserToClean) that you want to clean is: ” $userDN
  Write-Host “======================================================”
  write-host “List of Backlink DNs that you want to remove from $UsertoClean :”
  Write-Host
  Get-ADUser  $UserToClean -Properties msExchDelegateListbl |  select -ExpandProperty msExchDelegateListBL

  Write-Host  “======================================================”

# 3. Remove the MSExchDelegateListBL from my account or an account that was migrated to the cloud that previously had a MSExchDelegateListBL
#    Just have to run this, the BL gets removed after you run it
#    This does not remove any AccessRights to the Mailbox, it just removes the automapping

Set-ADUser  $UserToClean -Remove @{msExchDelegateListLink = (Copy and Paste the Backlink DN of the specific shared mailbox from the previous list that you want to remove) }

# 4. Then check to see if it worked:
   Get-ADUser  $UserToClean -Properties msExchDelegateListBL |  select -ExpandProperty msExchDelegateListBL
   Get-ADUser  $UserToClean -Properties msExchDelegateListLink |  select -ExpandProperty msExchDelegateListBL

==========================================================

Summary

I hope this helps!

Published 5/18/2017

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

As many know, I work with Active Directory, Exchange server, and Office 365 engineer/architect, and an MVP in Active Directory and Identity Management, and I’m an MCT as well. I try to strive to perform my job with the best of my ability and efficiency, even when presented with a challenge, and then help others with my findings in case a similar issue arises to help ease their jobs. Share the knowledge, is what I’ve always learned.

I’ve found there are many qualified and very informative websites that provide how-to blogs, and I’m glad they exists and give due credit to the pros that put them together. In some cases when I must research an issue, I just needed something or specific that I couldn’t find or had to piece together from more than one site, such as a simple one-liner or a simple multiline script to perform day to day stuff.

I hope you’ve found this blog post helpful, along with my future scripts blog posts, especially with AD, Exchange, and Office 365.

clip_image0023 clip_image0043 clip_image0063 clip_image0083 clip_image0103 clip_image0123 clip_image0143 clip_image0163

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

Or just search within my blogs:
https://blogs.msmvps.com/acefekay/

This posting is provided AS-IS with no warranties or guarantees and confers no rights.


 

Exchange or Office 365 Mailbox Dumpster Report

By Ace Fekay
Published 2/21/2018

Intro

This is another quick script to enumerate what’s in the dumpster, that I’ve created to help my day to day tasks. I hope you find it helpful.

Scope

This script enumerates an Exchange or Office 365 Dumpster, Purges, and Versions folders.

Note:

  • Dumpster and Deletions Report provides Size Values for the mailbox
  • Deleted items’, ‘Recover Deleted Items’ (Dumpster), and ‘Purges’ values.
    Does not apply to Mailusers” -ForegroundColor cyan
    *** If Lit Hold is present, Recover and Purges will be larger and must be ignored.) ***

The ‘Recoverable Items’ folder contains the following subfolders

  1. Recoverable Items: This is the total amount combined in Deletions, Calendar Logging, Purges, and Versions.
  2. Calendar Logging:  For Calendar diagnostic purposes

  3. Deletions
    : Recover Deleted Items or the ‘Dumpster'”
         This subfolder contains all items deleted from the Deleted Items folder.
  4. Versions:          If In-Place Hold or Litigation Hold is enabled:
    This subfolder contains the original and modified copies of the deleted items.”
  5. Purges:            If either Litigation Hold or single item recovery is enabled:”
    This subfolder contains all items that are hard deleted.

Script

I did not make this into a function, although it can easily be converted. To run it, for the $RecipientName variable, just enter the username, email address, displayName, or their sAMAccountName, and fire away.

“======================================================”
$RecipientName = “user’s email address, DisplayName, or sAMAccountName”
$RecipientDisplayName = (get-recipient $RecipientName).displayname

Optional (for reporting purposed):

$RecipientNetBIOSName = (get-recipient $RecipientName).name
$RecipientPrimAlias = (get-recipient $RecipientName).PrimarySmtpAddress

“======================================================” -ForegroundColor Cyan                   
  write-host “Dumpster and Deletions Report for ‘$RecipientDisplayName’ ($RecipientName) (Does not apply to Mailusers or Contacts):” “$(get-date)” -ForegroundColor Yellow
     Write-host “======================================================”
Write-host “Dumpster and Deletions Report provides Size Values for the mailbox ‘Deleted items’, ‘Recover Deleted Items’ (Dumpster), and ‘Purges’ values.”  -ForegroundColor Cyan
     Write-Host “Does not apply to Mailusers” -ForegroundColor cyan
     Write-Host “*** If Lit Hold is present, Recover and Purges will be larger and must be ignored.) ***”  -ForegroundColor Red
     Write-Host “***”
     Write-host “The ‘Recoverable Items’ folder contains the following subfolders:” -ForegroundColor Yellow
     Write-Host ”   Recoverable Items: This is the total amount combined in Deletions, Calendar Logging, Purges, and Versions.”
     Write-Host ”   Calendar Logging:  For Calendar diagnostic purposes”
     Write-Host ”   Deletions:         Recover Deleted Items or the ‘Dumpster'”
     Write-host ”                      This subfolder contains all items deleted from the Deleted Items folder. “
     Write-Host ”   Versions:          If In-Place Hold or Litigation Hold is enabled:”
     Write-Host ”                      This subfolder contains the original and modified copies of the deleted items.”
     Write-Host ”   Purges:            If either Litigation Hold or single item recovery is enabled:”
     Write-host ”                      This subfolder contains all items that are hard deleted.”
     Write-host “======================================================” -ForegroundColor Cyan
Get-MailboxFolderStatistics $RecipientName -FolderScope RecoverableItems | ft Name,FolderAndSubfolderSize, @{name=”LitigationHoldEnabled”;expression={(Get-mailbox $RecipientName).LitigationHoldEnabled}} –a
##########################################################

Report Output

(Watch the word-wrap):

=================================================================================================
Dumpster and Deletions Report for ‘User DisplayName’ (SAP Legal Operations) (Does not apply to Mailusers): 03/27/2018 11:22:01
=================================================================================================
Dumpster and Deletions Report provides Size Values for the mailbox ‘Deleted items’, ‘Recover Deleted Items’ (Dumpster), and ‘Purges’ values.
Does not apply to Mailusers
*** If Lit Hold is present, Recover and Purges will be larger and must be ignored.) ***
***
The ‘Recoverable Items’ folder contains the following subfolders:
    Recoverable Items: This is the total amount combined in Deletions, Calendar Logging, Purges, and Versions.
    Calendar Logging:  For Calendar diagnostic purposes
    Deletions:         Recover Deleted Items or the ‘Dumpster’
                       This subfolder contains all items deleted from the Deleted Items folder.
    Versions:          If In-Place Hold or Litigation Hold is enabled:
                       This subfolder contains the original and modified copies of the deleted items.
    Purges:            If either Litigation Hold or single item recovery is enabled:
                       This subfolder contains all items that are hard deleted.
=================================================================================================

Name              FolderAndSubfolderSize     LitigationHoldEnabled
—-              ———————-     ———————
Recoverable Items 1.32 MB (1,383,783 bytes)                  False
Calendar Logging  0 B (0 bytes)                              False
Deletions         1.196 MB (1,253,945 bytes)                 False
Purges            126.8 KB (129,838 bytes)                   False
Versions          0 B (0 bytes)                              False

Clear on the picture for a full view:

image

Summary

I hope this helps!

Published 3/27/2018

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2012|R2, 2008|R2, Exchange 2013|2010EA|2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Mobility

As many know, I work with Active Directory, Exchange server, and Office 365 engineer/architect, and an MVP in Active Directory and Identity Management, and I’m an MCT as well. I try to strive to perform my job with the best of my ability and efficiency, even when presented with a challenge, and then help others with my findings in case a similar issue arises to help ease their jobs. Share the knowledge, is what I’ve always learned.

I’ve found there are many qualified and very informative websites that provide how-to blogs, and I’m glad they exists and give due credit to the pros that put them together. In some cases when I must research an issue, I just needed something or specific that I couldn’t find or had to piece together from more than one site, such as a simple one-liner or a simple multiline script to perform day to day stuff.

I hope you’ve found this blog post helpful, along with my future scripts blog posts, especially with AD, Exchange, and Office 365.

clip_image0023 clip_image0043 clip_image0063 clip_image0083 clip_image0103 clip_image0123 clip_image0143 clip_image0163

Complete List of Technical Blogs
https://blogs.msmvps.com/acefekay/

This posting is provided AS-IS with no warranties or guarantees and confers no rights.


 

What DNS Zone type should I use, a Stub, Conditional Forwarder, a Forwarder, or a Secondary Zone?? What’s the Difference??

By Ace Fekay
Originally Published 2012
Updated 3/20/2018

Intro

Ace again. DNS is a basic, yet important requirement that many still having problems wrapping their head around it.

Besides design, a huge part of DNS is understanding the differences between the zone types. Many have asked, when do I use a Stub zone, a Conditional Forwarder, or a Forwarder? Or better, what’s the difference?

I thought to put this simple comparison together compiled from past posts in the TechNet Forum.

Partner Organization DNS Resolution: What should I use, a Stub, Conditional Forwarder or Forwarder?

Secondary Zone

Secondary zones are read only copies “copied,” or “zone transferred” from a Master zone. This makes the zone data available locally (as read only, of course), instead of querying a DNS server across a WAN link. However, in many cases Secondaries are not used due to many limitations and security concerns, such as exposing all DNS zone data that a partner may not want to divulge.

In addition, Secondaries can’t be AD integrated, and the zone data is stored in a text file. So you would have to manually create a copy on all of your DNS servers.

Stub Zone

Organizations own their own AD zones. When business partners need to resolve data at a partner’s organization, there are a few options to support this requirement. Years ago, prior to Stub or Conditional Forwarders, there weren’t many options to handle this other than to use Secondary Zones and keep copies of each others zones via zone transfers.  While the solution worked well in regards to name resolution, it was not the best security-wise, due to trust level between partners, because zone data is fully exposed at the partner. This became a security concern because the partner is able to see all of their business partner’s records. When the zone was transferred to partners, who knows what they were doing with the information. If the information was made public, attackers would have a field day with all of the IPs for the networked devices.

When stub zones were made available, it became a solution to overcome this security issue. What is also beneficial about Stubs, is you can AD integrate them instead of manually creating a Stub on each individual DC. This way the zone will be available domain or forest-wide, depending on replication scope.

However, some may say due to the fact that the SOA records are included in the zone file, it may be a concern that the SOA and NS data is exposed. In such high security concerns, the better solution would be to use a Conditional forwarder.

Conditional Forwarder

This option is heavily used, and many look at them as the best regarding security concerns with zone data exposure, because no data is exposed. This option has worked very well in many environments.

With Conditional Forwarders, no information is being transerred and shared. The only thing you would need to know is one or more of your business partner’s DNS server IPs to configure it, and they don’t have to be the SOA, rather any DNS server that hosts the zone or that has a reference to the zone.

However, it does require open communication and let each other know when their DNS server IPs may change, because you must manually set them.

Windows 2003 introduced Conditional Forwarders, but it did not have the option to make it AD Integrated. If you have 10 DNS servers, you must create the Conditional Forwarder on each server manually. The AD integrated option was added to Windows 2008 or newer DNS servers, so you don’t have to manually create them on each DNS server. THis way the Conditional Forwarder will be available domain or forest-wide.

Parent-Child DNS Zone Delegation

Delegation can be used in a situation where a child domain host their own DNS zone.  Therefore in the forest root domain, you would create a delegation zone with the IPs of the DNS servers in the child domain.  This is normally performed when the child zone have their own administrators. It’s also useful they do not have access to “see” all of the forest root DNS records.

Summary

I hope this helps! If you have any questions, and I’m sure you do, please feel free to reach out to me.

Major revision – Published 3/20/2018

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2012|R2, 2008|R2, Exchange 2013|2010EA|2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Mobility

As many know, I work with Active Directory, Exchange server, and Office 365 engineer/architect, and an MVP in Active Directory and Identity Management, and I’m an MCT as well. I try to strive to perform my job with the best of my ability and efficiency, even when presented with a challenge, and then help others with my findings in case a similar issue arises to help ease their jobs. Share the knowledge, is what I’ve always learned.

I’ve found there are many qualified and very informative websites that provide how-to blogs, and I’m glad they exists and give due credit to the pros that put them together. In some cases when I must research an issue, I just needed something or specific that I couldn’t find or had to piece together from more than one site, such as a simple one-liner or a simple multiline script to perform day to day stuff.

I hope you’ve found this blog post helpful, along with my future scripts blog posts, especially with AD, Exchange, and Office 365.

clip_image0023 clip_image0043 clip_image0063 clip_image0083 clip_image0103 clip_image0123 clip_image0143 clip_image0163

Complete List of Technical Blogs
https://blogs.msmvps.com/acefekay/

This posting is provided AS-IS with no warranties or guarantees and confers no rights.


 

Get-Rules

By Ace Fekay
Published 2/21/2018

Intro

This is another quick script I created to help my day to day tasks. I hope you find it helpful.

Like I said before, I’m far from being an expert, but I continue to read up on it, research, and ask lots of questions. The more you work at something, the more you get something out of it. Ever play pool?

Scope

This script will enumerate the Inbox rules for a mailbox. You will have four options:

  1. List of rules without a description using FT
  2. List of rules with a description using FT
  3. Rules listed individually using FL
  4. Rules sent to a CSV file named based on the user account entered

Get-Rule Script

Copy and paste the following into notepad, and save it as Get-UserList.ps1, and run it to load the function.

#################################\\\\\\\\\\\\\\\\////////////////#################################
# This script will:
# 1. Read a console entry for a user accounts, whether a sAMAccountName, alias, or email address
# 2. Provide a list of rules without descriptions
# 3. Provide a list of rules with descriptions
#
#    .SYNOPSIS
#    Lists a User’s Mailbox InboxRules
#
#    .DESCRIPTION
#    Enumerate Inbox rules with and without a description
#
#    .PARAMETER User
#    Specific user you want to search for.
#
#    .PARAMETER Description
#    You want the rules listed out individually with a description
#
#    .PARAMETER NoDescription
#    You want the rules listed out in table format without a description
#
#    .PARAMETER NoDescription
#    You want the rules listed out in table format without a description
#
#################################\\\\\\\\\\\\\\\\////////////////#################################
# Variables

$RecipientName = “I823135”
$RecipientDisplayName = (get-recipient $RecipientName).displayname
$RecipientNetBIOSName = (get-recipient $RecipientName).name
$RecipientPrimAlias = (get-recipient $RecipientName).PrimarySmtpAddress

# Script

Function Get-Rules {
[CmdletBinding()]
Param (
[Parameter(Position=0,Mandatory=$true)]
[string]$RecipientName,

[Parameter(Mandatory=$false)]
[switch]$Description,

[Parameter(Mandatory=$false)]
[switch]$NoDescription,

[Parameter(Mandatory=$false)]
[switch]$IndividualList,

[Parameter(Mandatory=$false)]
[switch]$CSVFile
)

$RecipientDisplayName = (get-recipient $RecipientName).displayname
$RecipientNetBIOSName = (get-recipient $RecipientName).name
$RecipientPrimAlias = (get-recipient $RecipientName).PrimarySmtpAddress

#If -Description was selected – Inboxrules to Console Screen:
If ($NoDescription) {
Write-Host “=================================================================================================” -ForegroundColor Cyan
Write-Host “You’ve selected to List the Inbox Rules to the Console Without a Description” -ForegroundColor Magenta
write-host “INBOX Rules for Mailbox ‘$RecipientDisplayName’ ($Recipientname):”  “$(get-date)” -ForegroundColor Yellow
Write-Host “=================================================================================================” -ForegroundColor Cyan
Get-InboxRule -mailbox $RecipientName -IncludeHidden | ft @{name=”DisplayName”;expression={(get-recipient $RecipientName).displayname}}, name,enabled,priority,ruleidentity,forward*,RedirectTo,movetofolder,inerror,errortype -Wrap -a
Write-Host “=================================================================================================” -ForegroundColor Cyan
}

#If -NoDescription was selected – Inboxrules to Console Screen :
If ($Description) {
Write-Host “You’ve selected to List the Inbox Rules to the Console With a Description” -ForegroundColor Magenta
write-host “INBOX Rules for Mailbox ‘$RecipientDisplayName’ ($Recipientname):”  “$(get-date)” -ForegroundColor Yellow
Write-Host “=================================================================================================” -ForegroundColor Cyan
Get-InboxRule -mailbox $RecipientName -IncludeHidden | ft name,enabled,priority,ruleidentity,RedirectTo,movetofolder,inerror,errortype,description    -Wrap
#    Get-InboxRule -Mailbox $RecipientName -IncludeHidden | ft -AutoSize
#    (Get-InboxRule -Mailbox $RecipientName -IncludeHidden | ft -AutoSize).count
# FL –      Get-InboxRule -mailbox $RecipientName -IncludeHidden | fl @{name=”DisplayName”;expression={(get-recipient $RecipientName).displayname}}, name,enabled,priority,ruleidentity,forward*,RedirectTo,movetofolder,inerror,errortype,description
# Select –  Get-InboxRule -mailbox $RecipientName -IncludeHidden | select  @{name=”DisplayName”;expression={(get-recipient $RecipientName).displayname}}, name,enabled,priority,ruleidentity,forward*,RedirectTo,movetofolder,inerror,errortype,description
Write-Host “=================================================================================================” -ForegroundColor Cyan
$TotalRulesCount = ((Get-InboxRule -mailbox $RecipientName -IncludeHidden | measure-object).count)
Write-Host “Total Number of rules for $Recipientname is” $TotalRulesCount -ForegroundColor Magenta
Write-Host “=================================================================================================” -ForegroundColor Cyan
}
#################################\\\\\\\\\\\\\\\\////////////////#################################

#If -IndividualList is selected
If ($IndividualList) {
Write-Host “You’ve selected to list each InboxRule individually” -ForegroundColor Magenta
write-host “INBOX Rules for Mailbox ‘$RecipientDisplayName’ ($Recipientname):”  “$(get-date)” -ForegroundColor Yellow
Write-Host “=================================================================================================” -ForegroundColor Cyan
Get-InboxRule -mailbox $RecipientName -IncludeHidden | fl @{name=”DisplayName”;expression={(get-recipient $RecipientName).displayname}}, name,enabled,priority,ruleidentity,forward*,RedirectTo,movetofolder,inerror,errortype,description
Write-Host “=================================================================================================” -ForegroundColor Cyan
$TotalRulesCount = ((Get-InboxRule -mailbox $RecipientName -IncludeHidden | measure-object).count)
Write-Host “Total Number of rules for $Recipientname is” $TotalRulesCount -ForegroundColor Magenta
Write-Host “=================================================================================================” -ForegroundColor Cyan
}
#################################\\\\\\\\\\\\\\\\////////////////#################################

 

If ($CSVFile) {
#####################################################################################
#Inboxrules to CSV file
Write-Host “=================================================================================================” -ForegroundColor Cyan
Write-Host “You’ve selected to send the Inbox Rules to a CSV file.” -ForegroundColor Magenta
Write-host
Write-Host “Rules list was sent to a CSV file located at ***C:\temp\InboxRules-for-$RecipientName.csv***” -ForegroundColor Yellow
$TotalRulesCount = ((Get-InboxRule -mailbox $RecipientName -IncludeHidden | measure-object).count)
Write-Host
Write-Host “Total Number of rules for $Recipientname is” $TotalRulesCount -ForegroundColor Magenta
#Write-Host “=================================================================================================” -ForegroundColor Cyan
Get-InboxRule -mailbox $RecipientName -IncludeHidden | select @{name=”DisplayName”;expression={(get-recipient $RecipientName).displayname}}, name,enabled,priority,ruleidentity,description | export-csv “C:\temp\InboxRules-for-$RecipientName.csv”
Write-Host “=================================================================================================” -ForegroundColor Cyan
} }

 

How to run it

Create a list in notepad, save it as a txt file in c:\temp, or anywhere else and reference that in the script, then run:

get-Rules aceman –description –nodescription –individuallist –csv

Summary

I hope this helps!

Published 2/21/2018

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2012|R2, 2008|R2, Exchange 2013|2010EA|2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Mobility

As many know, I work with Active Directory, Exchange server, and Office 365 engineer/architect, and an MVP in Active Directory and Identity Management, and I’m an MCT as well. I try to strive to perform my job with the best of my ability and efficiency, even when presented with a challenge, and then help others with my findings in case a similar issue arises to help ease their jobs. Share the knowledge, is what I’ve always learned.

I’ve found there are many qualified and very informative websites that provide how-to blogs, and I’m glad they exists and give due credit to the pros that put them together. In some cases when I must research an issue, I just needed something or specific that I couldn’t find or had to piece together from more than one site, such as a simple one-liner or a simple multiline script to perform day to day stuff.

I hope you’ve found this blog post helpful, along with my future scripts blog posts, especially with AD, Exchange, and Office 365.

clip_image0023 clip_image0043 clip_image0063 clip_image0083 clip_image0103 clip_image0123 clip_image0143 clip_image0163

Complete List of Technical Blogs
https://blogs.msmvps.com/acefekay/

This posting is provided AS-IS with no warranties or guarantees and confers no rights.


Listing SendAs and SendOnBehalf Permissions

By Ace Fekay
Published 3/20/2018

Intro

Ace here again.

There are a number of tools that you can use in your day to day AD and Exchange management. This includes Office 365 Hybrid, but we’ll assume that you are performing one way sync to the cloud, and only replicating MSOL attributes back to on premises, so you can manage them locally, for the most part.

This is about getting SendAs and SendOnBehalf rights on a mailbox

SendAs

(Watch word-wrap)

Write-Host “*****************************************************************”
$Mailbox = Ace.Fekay@MSOLUser.com
$MailboxDisplayName = (get-recipient $Mailbox).displayName
Write-Host “///////////////////////////////—-\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\”
Write-Host “*****************************************************************”
Write-host “The following is a list of who has SendAs permissions for ‘$MailboxDisplayName’ :”
Write-Host “*****************************************************************”
Get-recipient $Mailbox | Get-ADPermission | where {($_.ExtendedRights -like “*Send-As*”) -and ($_.IsInherited -eq $false) -and -not ($_.User -like “NT AUTHORITY\SELF”)} | FT user, @{name=”User’s DisplayName”;expression={(Get-recipient $_.User).Displayname}}, extendedRights -AutoSize
$MailboxCount = @(Get-recipient $Mailbox | Get-ADPermission  | where {($_.ExtendedRights -like “*Send-As*”) -and ($_.IsInherited -eq $false) -and -not ($_.User -like “NT AUTHORITY\SELF”)}).count
Write-Host “Total number of users that can SendAs on contact ‘$MailboxDisplayName’ is” $MailboxCount
Write-Host “*****************************************************************”

Write-Host “\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\—-///////////////////////////////”
Write-Host “*****************************************************************”

SendOnBehalf

(Watch word-wrap)

Write-Host “*****************************************************************”
$Mailbox =
$MailboxDisplayName = (get-recipient $Mailbox).displayName
Write-host “The following is a list of who has SendOnBehalf permissions for ‘$MailboxDisplayName’ :”
Write-Host “*****************************************************************”
# – property not found – $sendonbehalfList = (get-recipient $Mailbox | select -ExpandProperty GrantsendOnBehalfto | foreach { Get-Mailbox $_ | select displayname, name})
$sendonbehalfList = (get-mailbox $Mailbox | select -ExpandProperty GrantsendOnBehalfto | foreach { Get-Mailbox $_ | select displayname, name})
#Get-recipient $Mailbox | Get-ADPermission | where {($_.ExtendedRights -like “Grant*”) -and ($_.IsInherited -eq $false) -and -not ($_.User -like “NT AUTHORITY\SELF”)} | FT user, @{name=”User’s DisplayName”;expression={(Get-User $_.User).Displayname}}, extendedRights -AutoSize
Write-Host “And the list of who have SendOnBehalf on ‘$MailboxDisplayName’ is:” $SendonBehalfList  
Write-Host “*****************************************************************”

Example output:

*****************************************************************
///////////////////////////////—-\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
*****************************************************************
The following is a list of who has SendAs permissions for ‘Fekay, Ace’ :
*****************************************************************
User            User’s DisplayName                           ExtendedRights
—-            ——————                                          ————–
Contoso\AFekay-Admin Fekay, Ace (Admin Only) {Send-As}    

Total number of users that can SendAs on contact ‘Fekay, Ace’ is 1
*****************************************************************
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\—-///////////////////////////////
*****************************************************************

Summary

I hope this helps!

Published 3/20/2018

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2012|R2, 2008|R2, Exchange 2013|2010EA|2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

As many know, I work with Active Directory, Exchange server, and Office 365 engineer/architect, and an MVP in Active Directory and Identity Management, and I’m an MCT as well. I try to strive to perform my job with the best of my ability and efficiency, even when presented with a challenge, and then help others with my findings in case a similar issue arises to help ease their jobs. Share the knowledge, is what I’ve always learned.

I’ve found there are many qualified and very informative websites that provide how-to blogs, and I’m glad they exists and give due credit to the pros that put them together. In some cases when I must research an issue, I just needed something or specific that I couldn’t find or had to piece together from more than one site, such as a simple one-liner or a simple multiline script to perform day to day stuff.

I hope you’ve found this blog post helpful, along with my future scripts blog posts, especially with AD, Exchange, and Office 365.

clip_image0023 clip_image0043 clip_image0063 clip_image0083 clip_image0103 clip_image0123 clip_image0143 clip_image0163

Complete List of Technical Blogs (I may be moving the following site): http://www.delawarecountycomputerconsulting.com/technicalblogs.php

Or just search within my blogs:
https://blogs.msmvps.com/acefekay/

This posting is provided AS-IS with no warranties or guarantees and confers no rights.