I am trying to use PowerShell to get lists of the mailboxes terminated users have access to and then remove that access. Everything works except for finding the mailboxes users have Send On-Behalf access to. Well, I guess I don't know if removing the user from On-Behalf works yet, since I can't get the list.
I have some extra variables at the beginning from different things I tried. I am using PowerShell 7.2 and running the script using Visual Studio Code.
```powershell
#Connect to O365 Exchange session
#$OnlineExchSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential (Get-Credential) -Authentication Basic -AllowRedirection
#Import-PSSession $OnlineExchSession -DisableNameChecking -AllowClobber | Out-Null

#Prompt for user to be terminated
$TerminatedUser = Read-Host -Prompt 'Input the username of the employee being terminated. (Example: bsaget)'
$UserMailbox = "[email protected]"
$Mailbox = Get-Mailbox $TerminatedUser
$DN = $Mailbox.DistinguishedName
$Filter = "Members -like ""$DN"""

#Gather list of mailboxes the user is a member of
Write-Output " "
Write-Output "Full Permission for $TerminatedUser"
Write-Output "***************"
$FullPermission = Get-Mailbox | Get-MailboxPermission -User $TerminatedUser | Select-Object -ExpandProperty Identity
$FullPermission

#Gather list of mailboxes user has Send On-behalf permission to
Write-Output " "
Write-Output "Send On-behalf Permission for $TerminatedUser"
Write-Output "******************"
$OnBehalf = Get-Mailbox | where {$_.GrantSendOnBehalfTo -eq $TerminatedUser} | Select-Object -ExpandProperty Identity
$OnBehalf

#Gather list of mailboxes user has Send-As permission to
Write-Output " "
Write-Output "Send-As Permission for $TerminatedUser"
Write-Output "*************************"
$SendAs = Get-Mailbox | Get-RecipientPermission -Trustee $UserMailbox | Select-Object -ExpandProperty Identity
$SendAs

#Gather list of distribution groups user has permission to
Write-Output " "
Write-Output "Distribution Groups for $TerminatedUser"
Write-Output "*******************"
$DistributionGroups = Get-DistributionGroup -ResultSize Unlimited -Filter $Filter | Select-Object -ExpandProperty PrimarySmtpAddress
$DistributionGroups

#Remove Full Access for each mailbox
Write-Output " "
Write-Output "Removing Full Access Permission for $TerminatedUser"
forEach ($full in $FullPermission) {
    Write-Output "Removing permission to $full"
    Remove-MailboxPermission -Identity $full -User $TerminatedUser -AccessRights FullAccess -Confirm:$false #-WhatIf
}

#Remove SendAs for each mailbox
Write-Output " "
Write-Output "Removing SendAs Permission for $TerminatedUser"
forEach ($send in $SendAs) {
    Write-Output "Removing permission to $send"
    Remove-AdPermission -Identity $send -User $TerminatedUser -AccessRights SendAs #-WhatIf
}

#Remove Send On-Behalf for each mailbox
Write-Output " "
Write-Output "Removing Send On-Behalf Permission for $TerminatedUser"
forEach ($behalf in $OnBehalf) {
    Write-Output "Removing permission to $behalf"
    Set-Mailbox -Identity $behalf -GrantSendOnBehalfTo @{remove=$TerminatedUser} #-WhatIf
}

#Remove user from distribution lists
Write-Output " "
Write-Output "Removing distribution lists for $TerminatedUser"
forEach ($distro in $DistributionGroups) {
    Write-Output "Removing permission to $distro"
    Remove-DistributionGroupMember -Identity $distro -Member $TerminatedUser #-WhatIf
}

#Disconnect-ExchangeOnline
```
I don't get any errors with this code, but it doesn't return anything. I know the user I am testing has On-Behalf from running Get-Mailbox -Identity [email protected] | % {$_.GrantSendOnBehalfTo} | ft Name
CodePudding user response:
I have just made this simple script that removes full access, send as and SendOnBehalf permissions on shared mailboxes. Try it out and let me know what you think.
```powershell
$TerminatedUser = ""      #Enter PrimarySmtpAddress of terminated user
$TerminatedUserAlias = "" #Enter mailbox alias for terminated user
$SharedMailboxes = Get-Mailbox -RecipientTypeDetails SharedMailbox #Gets all shared mailboxes

foreach($Mailbox in $SharedMailboxes)
{
    #Gets the different permissions on the mailbox for the Terminated User
    #(-match is a regex match, so the address is matched as a pattern, not compared exactly)
    $FullAccess = Get-MailboxPermission $Mailbox.Alias | ? {$_.User -match $TerminatedUser -and $_.AccessRights -eq "FullAccess"}
    $SendAs = Get-RecipientPermission $Mailbox.Alias | ? {$_.Trustee -match $TerminatedUser -and $_.AccessRights -eq "SendAs"}
    $SendOnBehalf = $Mailbox.GrantSendOnBehalfTo

    #Removes Full Access permission for terminated user
    if($FullAccess -ne $null)
    {
        Write-Host "Removing Full Access permissions for $TerminatedUser on $($Mailbox.Alias)" #You can export the mailbox and permission here to a file if you want. Only writing output to screen to demonstrate what will happen if you run this.
        Remove-MailboxPermission -Identity $Mailbox.Alias -User $TerminatedUser -AccessRights "FullAccess" #Removes full access permission on shared mailbox for terminated user
    }
    else
    {
        Write-Host "No Full Access permissions for $TerminatedUser on $($Mailbox.Alias)" #Only writing output to screen to demonstrate what will happen if you run this.
    }

    #Removes Send As permission for the terminated user
    if($SendAs -ne $null)
    {
        Write-Host "Removing Send As permission for $TerminatedUser on $($Mailbox.Alias)" #Only writing output to screen to demonstrate what will happen if you run this.
        Remove-RecipientPermission -Identity $Mailbox.Alias -Trustee $TerminatedUser -AccessRights "SendAs"
    }
    else
    {
        Write-Host "No Send As permissions for $TerminatedUser on $($Mailbox.Alias)" #Only writing output to screen to demonstrate what will happen if you run this.
    }

    #Removes Send on behalf permission for the terminated user
    if($SendOnBehalf -ne $null)
    {
        #Enumerate a copy: calling Remove() on the collection being iterated throws
        #"Collection was modified". The entries are recipient references, so compare
        #their string form and let Exchange remove just this one delegate instead of
        #rewriting the whole GrantSendOnBehalfTo list.
        foreach($User in @($SendOnBehalf))
        {
            if([string]$User -eq $TerminatedUserAlias)
            {
                Write-Host "Removing Send On Behalf permission for $TerminatedUserAlias on $($Mailbox.Alias)"
                Set-Mailbox -Identity $Mailbox.Alias -GrantSendOnBehalfTo @{remove=$TerminatedUserAlias}
            }
        }
    }
}
```
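The lookup that fails in the question, and the removal step in the answer, can both be done without comparing the delegate list to the name typed at the prompt. This is an added example, not code from the question or the answer; it assumes an open Exchange Online session (Connect-ExchangeOnline) and that `$TerminatedUser` is any identity Get-Mailbox accepts. The function name Test-OnBehalfDelegate is invented here.

```powershell
# Added example (not the question's or the answer's code). Assumes an open
# Exchange Online session and a mailbox identity passed as -TerminatedUser.
[CmdletBinding(SupportsShouldProcess = $true)]
param([Parameter(Mandatory)][string] $TerminatedUser)

$Delegate = Get-Mailbox -Identity $TerminatedUser -ErrorAction Stop
$DN       = $Delegate.DistinguishedName

# GrantSendOnBehalfTo holds recipient references, so "-eq 'bsaget'" against the
# property never matches. Filter server-side on the distinguished name instead,
# the same way the question already filters distribution-group membership.
$OnBehalf = Get-Mailbox -ResultSize Unlimited -Filter "GrantSendOnBehalfTo -eq '$DN'"

# Client-side check used after removal: accept the entry in whichever string
# form the session renders it (Name, alias, DN, SMTP, or a path ending in Name).
function Test-OnBehalfDelegate {
    param([object[]] $Entries, [object] $Delegate)
    $Forms = @($Delegate.Name, $Delegate.Alias, $Delegate.DistinguishedName,
               [string]$Delegate.PrimarySmtpAddress)
    foreach ($Entry in @($Entries)) {
        $Text = [string]$Entry
        if ($Forms -contains $Text -or $Text -like "*/$($Delegate.Name)") { return $true }
    }
    return $false
}

Write-Output "Send On-Behalf mailboxes for $($Delegate.PrimarySmtpAddress): $(@($OnBehalf).Count)"
foreach ($Mbx in @($OnBehalf)) {
    Write-Output "  $($Mbx.PrimarySmtpAddress)"
    # ShouldProcess gives the script -WhatIf / -Confirm for a dry run before offboarding.
    if ($PSCmdlet.ShouldProcess($Mbx.PrimarySmtpAddress, "Remove Send On Behalf for $DN")) {
        # Remove only this delegate; never overwrite the other delegates' entries.
        Set-Mailbox -Identity $Mbx.Identity -GrantSendOnBehalfTo @{remove = $DN}
        # Re-read so the offboarding record reflects the real state, not the intent.
        $After = (Get-Mailbox -Identity $Mbx.Identity).GrantSendOnBehalfTo
        if (Test-OnBehalfDelegate -Entries $After -Delegate $Delegate) {
            Write-Warning "Delegate still present on $($Mbx.PrimarySmtpAddress); review manually"
        }
    }
}
```

Run it once with -WhatIf to get the list the question is after without changing anything, then without it to remove the delegation and verify each mailbox.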