Listing SendAs and SendOnBehalf Permissions

By Ace Fekay
Published 3/20/2018

Intro

Ace here again.

There are a number of tools that you can use in your day to day AD and Exchange management. This includes Office 365 Hybrid, but we’ll assume that you are performing one way sync to the cloud, and only replicating MSOL attributes back to on premises, so you can manage them locally, for the most part.

This is about getting SendAs and SendOnBehalf rights on a mailbox

SendAs

(Watch word-wrap)

Write-Host “*****************************************************************”
$Mailbox = Ace.Fekay@MSOLUser.com
$MailboxDisplayName = (get-recipient $Mailbox).displayName
Write-Host “///////////////////////////////—-\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\”
Write-Host “*****************************************************************”
Write-host “The following is a list of who has SendAs permissions for ‘$MailboxDisplayName’ :”
Write-Host “*****************************************************************”
Get-recipient $Mailbox | Get-ADPermission | where {($_.ExtendedRights -like “*Send-As*”) -and ($_.IsInherited -eq $false) -and -not ($_.User -like “NT AUTHORITY\SELF”)} | FT user, @{name=”User’s DisplayName”;expression={(Get-recipient $_.User).Displayname}}, extendedRights -AutoSize
$MailboxCount = @(Get-recipient $Mailbox | Get-ADPermission  | where {($_.ExtendedRights -like “*Send-As*”) -and ($_.IsInherited -eq $false) -and -not ($_.User -like “NT AUTHORITY\SELF”)}).count
Write-Host “Total number of users that can SendAs on contact ‘$MailboxDisplayName’ is” $MailboxCount
Write-Host “*****************************************************************”

Write-Host “\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\—-///////////////////////////////”
Write-Host “*****************************************************************”

SendOnBehalf

(Watch word-wrap)

Write-Host “*****************************************************************”
$Mailbox =
$MailboxDisplayName = (get-recipient $Mailbox).displayName
Write-host “The following is a list of who has SendOnBehalf permissions for ‘$MailboxDisplayName’ :”
Write-Host “*****************************************************************”
# – property not found – $sendonbehalfList = (get-recipient $Mailbox | select -ExpandProperty GrantsendOnBehalfto | foreach { Get-Mailbox $_ | select displayname, name})
$sendonbehalfList = (get-mailbox $Mailbox | select -ExpandProperty GrantsendOnBehalfto | foreach { Get-Mailbox $_ | select displayname, name})
#Get-recipient $Mailbox | Get-ADPermission | where {($_.ExtendedRights -like “Grant*”) -and ($_.IsInherited -eq $false) -and -not ($_.User -like “NT AUTHORITY\SELF”)} | FT user, @{name=”User’s DisplayName”;expression={(Get-User $_.User).Displayname}}, extendedRights -AutoSize
Write-Host “And the list of who have SendOnBehalf on ‘$MailboxDisplayName’ is:” $SendonBehalfList  
Write-Host “*****************************************************************”

Example output:

*****************************************************************
///////////////////////////////—-\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
*****************************************************************
The following is a list of who has SendAs permissions for ‘Fekay, Ace’ :
*****************************************************************
User            User’s DisplayName                           ExtendedRights
—-            ——————                                          ————–
Contoso\AFekay-Admin Fekay, Ace (Admin Only) {Send-As}    

Total number of users that can SendAs on contact ‘Fekay, Ace’ is 1
*****************************************************************
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\—-///////////////////////////////
*****************************************************************

Summary

I hope this helps!

Published 3/20/2018

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2012|R2, 2008|R2, Exchange 2013|2010EA|2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

As many know, I work with Active Directory, Exchange server, and Office 365 engineer/architect, and an MVP in Active Directory and Identity Management, and I’m an MCT as well. I try to strive to perform my job with the best of my ability and efficiency, even when presented with a challenge, and then help others with my findings in case a similar issue arises to help ease their jobs. Share the knowledge, is what I’ve always learned.

I’ve found there are many qualified and very informative websites that provide how-to blogs, and I’m glad they exists and give due credit to the pros that put them together. In some cases when I must research an issue, I just needed something or specific that I couldn’t find or had to piece together from more than one site, such as a simple one-liner or a simple multiline script to perform day to day stuff.

I hope you’ve found this blog post helpful, along with my future scripts blog posts, especially with AD, Exchange, and Office 365.

clip_image0023 clip_image0043 clip_image0063 clip_image0083 clip_image0103 clip_image0123 clip_image0143 clip_image0163

Complete List of Technical Blogs (I may be moving the following site): http://www.delawarecountycomputerconsulting.com/technicalblogs.php

Or just search within my blogs:
https://blogs.msmvps.com/acefekay/

This posting is provided AS-IS with no warranties or guarantees and confers no rights.