Sharing a quickly written PowerShell solution to extract a permissions dump from an Exchange on-premises environment.
This dump will then be used by the project management team to create migration sets for the Exchange Online migration.
The script does the following:
- Extracts Full Access permissions
- Extracts Send As permissions
- Extracts delegate information using the publicDelegates attribute in Active Directory
- Reports the mailbox type
- Extracts the employee ID
- Extracts the primary SMTP address
- Shows progress while the script runs
- Formats the information in CSV columns that can be delimited further
- Excludes service accounts and other known accounts from the Full Access / Send As permissions
The script uses the Exchange Management Shell and the Quest AD shell snap-ins.
Download and extract the script from the link below.
https://gallery.technet.microsoft.com/scriptcenter/Extract-Permission-Dump-31809149
The config folder has a file named excludeaccounts.txt where you define the accounts that you want to exclude from the permission dump.
The logs folder will contain the transcript log, which you can activate by removing the # in front of Start-Transcript and Stop-Transcript inside the script.
The report folder contains the output report (permission dump) after the script has finished.
In this script there is nothing to update except the employee ID part, which may or may not be applicable to your environment.
I have taken extensionattribute10 as the example, which is used by one company to store the employee ID.
Just open the Exchange shell and execute the script.
Report will be like:
```powershell
<#
.NOTES
===========================================================================
 Created on:   7/27/2017 8:55 AM
 Created by:   Vikas Sukhija (http://SysCloudPro.com)
 Organization:
 Filename:     ExtractPermissionsMBX.ps1
===========================================================================
.DESCRIPTION
 This script will extract a send as, full access & delegate dump from the
 Exchange environment; this can be handy in creating groups for EOL migration.
#>

###################### Add Modules ##############################
If ((Get-PSSnapin | where { $_.Name -match "Microsoft.Exchange.Management.PowerShell.E2010" }) -eq $null) {
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
}
If ((Get-PSSnapin | where { $_.Name -match "Quest.ActiveRoles.ADManagement" }) -eq $null) {
    Add-PSSnapin Quest.ActiveRoles.ADManagement
}

################################ Add Functions ##################
# Builds a timestamped file path (one per name) under the given sub-folder
function Write-Log {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)] [array]$Name,
        [Parameter(Mandatory = $true)] [string]$Ext,
        [Parameter(Mandatory = $true)] [string]$folder
    )
    $log = @()
    $date1 = get-date -format d
    $date1 = $date1.ToString().Replace("/", "-")
    $time = get-date -format t
    $time = $time.ToString().Replace(":", "-")
    $time = $time.ToString().Replace(" ", "")
    foreach ($n in $name) {
        $log += (Get-Location).Path + "\" + $folder + "\" + $n + "_" + $date1 + "_" + $time + "_.$Ext"
    }
    return $log
}

######################### Add logs/variables #######################
$excludeacc = (Get-Content .\config\excludeaccounts.txt)
$log = Write-Log -Name extractperm -folder logs -Ext log
$report = Write-Log -Name extractpermissions -folder report -Ext csv
$collection = @()
$count = 0
#Start-Transcript -Path $log

Write-Host "Fetching all mailboxes" -ForegroundColor Magenta
$allmbx = get-mailbox -resultsize unlimited
$countAll = $allmbx.count
Write-Host "fetched all mailboxes .....count $countAll" -ForegroundColor Green

$allmbx | ForEach-Object {
    $pub = @()
    $count = $count + 1
    $mcoll = "" | select Alias, Samaccountname, PrimarySMTPAddress, Employeeid, MBXType, fullaccess, sendasaccess, delegate
    $alias = $_.alias
    $sam = $_.samaccountname
    $email = $_.primarysmtpaddress
    $mbxtype = $_.recipienttypedetails
    Write-Host "Processing........$sam..........$count of $countAll" -ForegroundColor Green
    # publicdelegates holds the Outlook delegates; extensionattribute10 holds the employee id in this environment
    $qaduser = get-qaduser -samaccountname $sam -IncludedProperties publicdelegates, extensionattribute10
    $empid = $qaduser.extensionattribute10
    $pubdelegates = $qaduser.publicdelegates
    if ($pubdelegates) {
        $pubdelegates | ForEach-Object {
            $delegate = (get-qaduser $_).Samaccountname
            $pub += $delegate
        }
    }
    $fullaccessp = Get-MailboxPermission -Identity $sam | where { $_.AccessRights -like "*fullaccess*" } | select -ExpandProperty user
    $senasp = get-mailbox $sam | get-ADPermission | where { $_.ExtendedRights -like "*Send-As*" } | select -ExpandProperty user
    # Keep only the grantees that are not listed in config\excludeaccounts.txt
    $full = compare $fullaccessp $excludeacc | where { $_.SideIndicator -eq '<=' } | select -ExpandProperty InputObject
    $send = compare $senasp $excludeacc | where { $_.SideIndicator -eq '<=' } | select -ExpandProperty InputObject
    $mcoll.Alias = $alias
    $mcoll.Samaccountname = $sam
    $mcoll.PrimarySMTPAddress = $email
    $mcoll.Employeeid = $empid
    $mcoll.MBXtype = $mbxtype
    $mcoll.delegate = $pub
    $mcoll.fullaccess = $full
    $mcoll.sendasaccess = $send
    $collection += $mcoll
}

# Multi-valued columns are joined with ';' so Export-Csv writes the names instead of System.Object[]
$collection | select Alias, Samaccountname, PrimarySMTPAddress, Employeeid, MBXType,
    @{ Name = "fullaccess"; Expression = { $_.fullaccess -join ";" } },
    @{ Name = "sendasaccess"; Expression = { $_.sendasaccess -join ";" } },
    @{ Name = "delegate"; Expression = { $_.delegate -join ";" } } |
    Export-Csv $report -NoTypeInformation
#Stop-Transcript
```
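As an added example (not part of ExtractPermissionsMBX.ps1 or its download), here is how the report can be turned into the migration sets the dump is meant for: mailboxes linked by Full Access, Send As or delegate rights are grouped so they move in one batch, and grantees that are not mailboxes in the dump are flagged. The sample CSV is constructed; the ';' delimiter, the CONTOSO\ prefix on grantees and the NT AUTHORITY\SELF entry are assumptions.

```powershell
# Added example, not part of ExtractPermissionsMBX.ps1: build migration sets from
# the permission dump. Mailboxes that grant each other full access, send-as or
# delegate rights end up in the same set. Assumes ';'-delimited multi-valued
# columns and grantees written as 'DOMAIN\sam' or plain samaccountnames.

# Constructed sample in the shape of report\extractpermissions_<date>_<time>_.csv
$sample = @'
Alias,Samaccountname,PrimarySMTPAddress,Employeeid,MBXType,fullaccess,sendasaccess,delegate
alice,alice,alice@example.com,1001,UserMailbox,NT AUTHORITY\SELF;CONTOSO\bob,NT AUTHORITY\SELF,
bob,bob,bob@example.com,1002,UserMailbox,NT AUTHORITY\SELF,NT AUTHORITY\SELF,carol
carol,carol,carol@example.com,1003,UserMailbox,NT AUTHORITY\SELF,NT AUTHORITY\SELF,
sales,sales,sales@example.com,,SharedMailbox,NT AUTHORITY\SELF;CONTOSO\dave,NT AUTHORITY\SELF;CONTOSO\dave,
dave,dave,dave@example.com,1004,UserMailbox,NT AUTHORITY\SELF,NT AUTHORITY\SELF,
erin,erin,erin@example.com,1005,UserMailbox,NT AUTHORITY\SELF,NT AUTHORITY\SELF,
'@
$rows = $sample | ConvertFrom-Csv

# Grantees that create no cross-mailbox dependency
$ignore = @('NT AUTHORITY\SELF')

# Disjoint-set (union-find) keyed by samaccountname; @{} keys are case-insensitive
$parent = @{}
foreach ($r in $rows) { $parent[$r.Samaccountname] = $r.Samaccountname }

function Find-Root($x) {
    while ($parent[$x] -ne $x) { $x = $parent[$x] }
    return $x
}
function Join-Set($a, $b) {
    $ra = Find-Root $a
    $rb = Find-Root $b
    if ($ra -ne $rb) { $parent[$ra] = $rb }
}

foreach ($r in $rows) {
    $grantees = @($r.fullaccess, $r.sendasaccess, $r.delegate) -split ';' |
        Where-Object { $_ -and ($ignore -notcontains $_) } |
        ForEach-Object { $_.Split('\')[-1] }        # strip the DOMAIN\ prefix
    foreach ($g in $grantees) {
        if ($parent.ContainsKey($g)) { Join-Set $r.Samaccountname $g }
        else { Write-Warning "$($r.Samaccountname): grantee '$g' is not a mailbox in the dump" }
    }
}

# One row per migration set: alice+bob+carol, sales+dave, and erin on her own
$rows | Group-Object { Find-Root $_.Samaccountname } | ForEach-Object {
    [pscustomobject]@{ Set = $_.Name; Count = $_.Count; Members = ($_.Group.Samaccountname -join ';') }
} | Format-Table -AutoSize
```

Replace the constructed $sample with Import-Csv on the real report to run it against your own dump.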
Thanks for reading & downloading
Sukhija Vikas