Troubleshooting Outlook delegate permissions is a pain. I found the easiest way to get a user's delegates is to create a profile, open their mailbox and check each person.
That's why I created this script. Using the Quest PowerShell add-ons for AD, it reads the delegate permissions for a specified mailbox, then looks up the display name of each delegate and of each mailbox that user is a delegate for.
I'd like to clean up the results a little more, but for now this works nicely.
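# Load the Quest ActiveRoles AD cmdlets (Get-QADUser) if they are not already loaded
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

$entry = Read-Host "Display name of mailbox"
# Read-Host returns an empty string, not $null, when nothing is typed
if ($entry) {
    # Mail-enabled users matching the name, with the delegate attributes loaded
    $a = Get-QADUser $entry -LdapFilter '(mail=*)' -IncludedProperties displayname, publicdelegates, publicdelegatesbl
    foreach ($user in $a) {
        $user.displayname
        "================================="
        if ($user.publicdelegates -eq $null) {
            Write-Host "Has no delegates"
        } else {
            Write-Host "Delegates:"
            # publicDelegates holds distinguished names; resolve them all, then sort the list
            $user.publicdelegates | ForEach-Object { Get-QADUser $_ } | Select-Object displayname | Sort-Object displayname
            " "
        }
        if ($user.publicdelegatesbl -eq $null) {
            Write-Host "Is not a delegate"
        } else {
            Write-Host 'Is a delegate for:'
            # publicDelegatesBL is the back-link: mailboxes that list this user as a delegate
            $user.publicdelegatesbl | ForEach-Object { Get-QADUser $_ } | Select-Object displayname | Sort-Object displayname
            " "
        }
        " "
    }
}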
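An added example, not part of the original post: the same publicDelegates lookup run across every mailbox and written out as one row per mailbox/delegate pair, flagging delegates whose account is disabled or whose entry cannot be resolved. It assumes the same Quest snap-in; the CSV file name and the Status labels are made up for the example.

```powershell
# Added example: delegate audit across all mailboxes (not the author's script).
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

$UAC_ACCOUNTDISABLE = 0x2   # userAccountControl bit that marks a disabled account

# Only mail-enabled users that actually have delegates set
$mailboxes = Get-QADUser -LdapFilter '(&(mail=*)(publicDelegates=*))' -SizeLimit 0 -IncludedProperties displayName, publicDelegates

$report = foreach ($mbx in $mailboxes) {
    # @() so a single-valued attribute is still treated as a list
    foreach ($dn in @($mbx.publicDelegates)) {
        # Delegates are stored as distinguished names; they may be users, groups or contacts
        $del = Get-QADObject -Identity $dn -IncludedProperties displayName, userAccountControl -ErrorAction SilentlyContinue

        if ($null -eq $del) {
            $name   = $null
            $status = 'Unresolved'      # DN could not be looked up from here
        } elseif ($del.userAccountControl -band $UAC_ACCOUNTDISABLE) {
            $name   = $del.DisplayName
            $status = 'Disabled'        # delegate account exists but is disabled
        } else {
            $name   = $del.DisplayName
            $status = 'OK'
        }

        New-Object PSObject -Property @{
            Mailbox    = $mbx.DisplayName
            Delegate   = $name
            DelegateDN = $dn
            Status     = $status
        }
    }
}

# Full listing for review (hypothetical output file name)
$report | Select-Object Mailbox, Delegate, Status, DelegateDN |
    Sort-Object Mailbox, Delegate |
    Export-Csv .\DelegateAudit.csv -NoTypeInformation

# Entries worth a closer look
$report | Where-Object { $_.Status -ne 'OK' } |
    Format-Table Mailbox, DelegateDN, Status -AutoSize
```

Like the script above, this only reads the publicDelegates attribute; it says nothing about the folder-level rights each delegate holds.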
Comments
Great script... thanks a ton!
Perfect!
Thank you for the script. Our help desk came up to me today and asked about a possible delegate issue and showed me a VB script that we could use to retrieve the info without going into Outlook.
I, myself, prefer PowerShell to VB, so I searched Google for "PowerShell publicdelegates" and your script came up.
I did a little modification to it to pull a full user list from AD and dump all the details into an HTML page. Then copy that up to our web server and Bam! All set.
Here's the modified version in case anyone wants HTML output. The HTML is a bit plain for my taste, but it works. A little CSS modification and it'll get beautified too :)
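# $adusers was not defined in the posted snippet; assumed here to be every mail-enabled user
$adusers = Get-QADUser -LdapFilter '(mail=*)' -SizeLimit 0

# Note: display names are written into the HTML unencoded; encode them if the page is served to browsers
$table = "<table border=`"1`"><tr><th>User Name</th><th width=`"250`">Delegates</th><th width=`"250`">Delegate For</th></tr>"
foreach ($entry in $adusers) {
    if ($entry.displayname -ne $null) {
        Write-Host $entry.displayname -fore cyan
        $user = Get-QADUser $entry.displayname -LdapFilter '(mail=*)' -IncludedProperties displayname, publicdelegates, publicdelegatesbl
        $table += "<tr><td>" + $user.displayname + "</td>"
        # Column 2: who is a delegate on this mailbox
        if ($user.publicdelegates -eq $null) {
            $table += "<td>None</td>"
        } else {
            $delegates = $user.publicdelegates
            $dtemp = ""
            $table += "<td>"
            # Skip a DN that repeats the previous one
            foreach ($del in $delegates) { if ($del -ne $dtemp) { $table += (Get-QADUser $del).displayname + "<br>" }; $dtemp = $del }
            $table += "</td>"
        }
        # Column 3: mailboxes this user is a delegate for
        if ($user.publicdelegatesbl -eq $null) {
            $table += "<td>None</td>"
        } else {
            $delegated = $user.publicdelegatesbl
            $ddtemp = ""
            $table += "<td>"
            # Fixed: look up $deld here (the posted line reused $del from the previous loop)
            foreach ($deld in $delegated) { if ($deld -ne $ddtemp) { $table += (Get-QADUser $deld).displayname + "<br>" }; $ddtemp = $deld }
            $table += "</td>"
        }
        # Close the row that was opened above
        $table += "</tr>"
    }
}
$table += "</table>"
ConvertTo-Html -Body $table | Set-Content ExchDelegates.html
# [WebServerShare] is a placeholder for the destination share
copy .\ExchDelegates.html [WebServerShare] -force -confirm:$false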
Thanks Again!!
-Skark166
List Who Has What Delegate Rights?
Is there a way to actually list who has access to what?
I.e. Sean McGilvray has access to Gale's calendar with read rights
Thank you,
Sean McGilvray
Yes, but that requires MAPI
It is possible to dump the mailbox rights, but AFAIK those permissions can only be pulled via a script that attaches to the mailbox and pulls the details directly.
I had a script that worked fairly well last time. I'll link to it here if I find it again for you.
Can you write one that can actually add delegates to a mailbox without doing it in Outlook?
Not likely
You could start by adding the accounts to the publicdelegates field fairly easily, but you'd also need to create the Outlook rules to forward messages, and the folder level permissions to the Inbox/Calendar folders. Not an easy task.