Jul 23 2012

Print this Post

Remove all send-as permissions a user has in the exchange organization

Send-As allows a user to send emails as someone else. A feature that comes in handy under many circumstances, such as an assistant sending Christmas greetings instead of her boss.

Adding Send-As permissions to a user is usually a straight forward task in Exchange. But finding all the Send-As permissions a user has on all the mailboxes in the organization is a different story.

In this article we will discuss how to find all the Send-As permissions a user has on all the mailboxes in the environment. And then removing all these permissions. Of course PowerShell will come in handy to achieve these goals. (And by PowerShell I mean the Exchange Management Shell, EMS)

The first step will be to find the permissions the user has on all the mailboxes.

[code language=”powershell”]
$SendAsPermissions = Get-Mailbox | Get-ADPermission | Where-Object {($_.ExtendedRights -like "Send-As") -and ($_.User –Like "ContosoKim.Akers")}

In this command we used the

[code language=”powershell”] Get-Mailbox[/code]

without any parameters to get all the mailboxes then piped them to the

[code language=”powershell”]Get-ADPermission[/code]

cmdlet that returns all the permissions on a mailbox then we piped all the information to the

[code language=”powershell”]Where-Object[/code]

cmdlet in order to filter the output by the Send-As permissions where the user is Kim Akers who is the user that we querying the information about. Finally we created a variable

[code language=”powershell”]$SendAsPermissions[/code]

to store the data.

Running this command WILL take a long time to complete in a larger environment, so you may want to prepare yourself to wait for a while before it’s done.

You may want to run a command that shows you what permissions where found,

[code language=”powershell”]
$SendAsPermissions | FL Identity, User, ExtendedRights

And the output should be something like that,

[code language=”powershell”]
Identity : Contoso.local/Users/Don Hall
User : CONTOSOKim.Akers
ExtendedRights : {Send-As}

Identity : Contoso.local/Users/Delilah Edward
User : CONTOSOKim.Akers
ExtendedRights : {Send-As}

As you see, the results shows that Kim Akers has Send-As permissions on two users, Don Hall and Delilah Edward.

Now the next step is to remove the permissions and stop Kim Akers from being able to send as Don or Delilah.
[code language=”powershell”]
$SendAsPermissions | Remove-ADPermission -Confirm:$False
In this command we piped the data in our variable into the [code language=”powershell”]Remove-ADPermission[/code] cmdlet that removed the permissions applied, the [code language=”powershell”]Confirm[/code] switch makes sure we don’t have to confirm the removal of each and every entry.

There will be no output if everything runs smoothly! So you may want to run the first command again (and expect no output too!) to check the successfulness of removal or check them manually from the EMC.

You may notice that there was no technical need for the second step, but knowing what you are deleting is usually a good idea.

This concludes our article, credit goes to Rajith Jose Enchiparambil for his article as it gave me the idea for this one.

About the author

Walid AlMoselhy

Permanent link to this article: http://almoselhy.azurewebsites.net/2012/07/remove-all-send-as-permissions-a-user-has-in-the-exchange-organization/


  1. Manish

    Great info, I found the text needed some etdniig for the Exchange Management Shell. I used the following text and it worked perfect!Get-ReceiveConnector “scanner“| Add-ADPermission -User“NTAUTHORITY\ANONYMOUS LOGON”-ExtendedRights “ms-Exch-SMTP-Accept-Any-Recipient”

  2. Celeste

    looking forward to another great article. good luck to the author! all the best!http://www.divulgaemail.com

Leave a Reply

Your email address will not be published. Required fields are marked *