Remove all send-as permissions a user has in the exchange organization

Send-As allows a user to send emails as someone else. A feature that comes in handy under many circumstances, such as an assistant sending Christmas greetings instead of her boss.

Adding Send-As permissions to a user is usually a straight forward task in Exchange. But finding all the Send-As permissions a user has on all the mailboxes in the organization is a different story.

In this article we will discuss how to find all the Send-As permissions a user has on all the mailboxes in the environment. And then removing all these permissions. Of course PowerShell will come in handy to achieve these goals. (And by PowerShell I mean the Exchange Management Shell, EMS)

The first step will be to find the permissions the user has on all the mailboxes.

$SendAsPermissions = Get-Mailbox | Get-ADPermission | Where-Object {($_.ExtendedRights -like “Send-As”) -and ($_.User –Like “Contoso\Kim.Akers”)}

In this command we used the Get-Mailbox without any parameters to get all the mailboxes then piped them to the Get-ADPermission cmdlet that returns all the permissions on a mailbox then we piped all the information to the Where-Object cmdlet in order to filter the output by the Send-As permissions where the user is Kim Akers who is the user that we querying the information about. Finally we created a variable $SendAsPermissions to store the data.

Running this command WILL take a long time to complete in a larger environment, so you may want to prepare yourself to wait for a while before it’s done.

You may want to run a command that shows you what permissions where found,

$SendAsPermissions | FL Identity, User, ExtendedRights

And the output should be something like that,

Identity : Contoso.local/Users/Don Hall
User : CONTOSO\Kim.Akers
ExtendedRights : {Send-As}
.
Identity : Contoso.local/Users/Delilah Edward
User : CONTOSO\Kim.Akers
ExtendedRights : {Send-As}

As you see, the results shows that Kim Akers has Send-As permissions on two users, Don Hall and Delilah Edward.

Now the next step is to remove the permissions and stop Kim Akers from being able to send as Don or Delilah.

$SendAsPermissions | Remove-ADPermission -Confirm:$False

In this command we piped the data in our variable into the Remove-ADPermission cmdlet that removed the permissions applied, the Confirm switch makes sure we don’t have to confirm the removal of each and every entry.

There will be no output if everything runs smoothly! So you may want to run the first command again (and expect no output too!) to check the successfulness of removal or check them manually from the EMC.

You may notice that there was no technical need for the second step, but knowing what you are deleting is usually a good idea.

This concludes our article, credit goes to Rajith Jose Enchiparambil for his article as it gave me the idea for this one.

About these ads