Exchange: Mailbox Delegate Report using PowerShell

This article will demonstrate a couple of ways to pull the Mailbox Delegation Report easily from PowerShell. A lot of administrators and System engineers are asked for such reports almost every other day and we will be happy if we can help a few of them.

 Note:
We will discuss the scenarios of pulling the Mailbox Permission report in Exchange 2016, Exchange 2013 and Exchange 2010 and will also scope our reports to a particular Organizational Unit in AD

You can specify a single mailbox and retrieve the permissions assigned to it by using the Get-MailboxPermission cmdlet. Alternatively, you can use the Get-Mailbox cmdlet to retrieve all or a subset of mailboxes, and then pipe the results to the Get-MailboxPermission cmdlet. Instead of running this against all mailboxes in the Organization, it makes sense to filter it against a subset of mailboxes.

Example:

Get-Mailbox -RecipientType 'UserMailbox' -ResultSize Unlimited | Get-MailboxPermission

You could export the output to CSV and manipulate it using Excel to get just the permissions information you want, but another method is to filter the PowerShell output.

For example, to filter out all of the SELF permissions and the inherited permissions we can run this command:

Get-Mailbox
   -RecipientType 'UserMailbox' -ResultSize Unlimited 
   |
   Get-MailboxPermission
   |
   where
   {$_.user.tostring()
   -ne
   "NT AUTHORITY\SELF"
   -and
   $_.IsInherited
   -eq
   $false

The Identity field contains long strings because it includes the full directory path to the mailbox user, so it may get truncated on your screen. In that case, you could export the output to CSV file.

Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='AccessRights';Expression={[string]::join(', ', $_.AccessRights)}}
   | Export-Csv -NoTypeInformation mailboxpermissions.csv

Now, let's think about pulling the same report for mailboxes in a particular OU. For example, we have a different subdomain for users in the UK, a different sub-domain for users in Australia, and we want a report which is based on the OU or AD Domain. We can achieve that by running the below command:
Get-Mailbox -RecipientType 'UserMailbox' -ResultSize unlimited -OrganizationalUnit "OU=UK,OU=Global,dc=gb,dc=ad,dc=maaz,dc=biz" | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.user.tostring()
  -notlike "S-1-5-21*" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation GBMailboxReport.csv

Also, please note, in case if the default scope of your Exchange shell is for a different domain, please run the below command to change the scope:
Set-AdServerSettings -ViewEntireForest $True