RecipientPermission

Question

Hi All I am using exchange 2016 hybrid environment. i.e i create users in onprem and migrate to online. i have exported list of users who has send As permissions to a shared mailbox using the below syntax.

Get-Mailbox -Identity ******@contoso.com  | Get-RecipientPermission | Where {$_.AccessRights -eq "SendAs"} | Select identity,name,displayname,alias,AccessRights,Trustee | Export-Csv -Path C:\temp\output.csv -NoTypeInformation

under the trustee i see few entries in the below format . How do i know these entries are for disabled users or are they are pointing to some mail enabled security group etc. is there a way to know which users or groups entries are these.

"S-1-5-21-1234567890-1234512345-0987654321-11223344" 
"S-1-5-21-1234567890-1234512345-0987654321-58963247"  
"S-1-5-21-1234567890-1234512345-0987654321-19732846"  
"S-1-5-21-1234567890-1234512345-0987654321-91374682"

Answer 1

The entries in the "Trustee" field are Security Identifiers (SIDs), which are unique identifiers for security principals such as users, groups, and computers. To identify the users or groups associated with these SIDs, follow the steps below:

First Step - Convert SID to User or Group:

Use the below PowerShell command to convert SIDs to human-readable information. Here's an example:

$sid = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-1234567890-1234512345-0987654321-11223344") $user = $sid.Translate([System.Security.Principal.NTAccount]).Value Write-Output $user

Replace the SID in the code with the one you want to verify. Run this script for each SID to find the appropriate user or group.

Batch Conversion

You can also check multiple SIDs at once; you can use a loop:

$sids = @("S-1-5-21-1234567890-1234512345-0987654321-11223344", "S-1-5-21-1234567890-1234512345-0987654321-58963247", "S-1-5-21-1234567890-1234512345-0987654321-19732846", "S-1-5-21-1234567890-1234512345-0987654321-91374682") foreach ($sid in $sids) { $translatedUser = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value Write-Output "$sid : $translatedUser" }

Identify Disabled Users

If you specifically want to identify disabled users, you can check the status of the user account associated with the SID using the Get-User cmdlet:

$user = Get-User -Identity $translatedUser Write-Output "$sid : $translatedUser : Disabled: $($user.UserAccountControl -band 2)"

This will display whether the user is disabled or not. If a user or group is deleted or no longer exists in your environment, the translation might not work, and you might need to refer to backup or other records to identify them.

Answer 2

Hello @Glenn Maxwell ,

The entry you see is  a security identifier (SID). They are unique identifiers assigned to users, groups, computers, or other security objects when they are created in a Windows or Active Directory domain.To determine which users or groups these SIDs correspond to, you may could use Get-ADObject-Identity <SID> Replace <SID> with the SID you want to check. This command will return the object class of the security principal associated with the SID.

For more information ,you could refer https://woshub.com/convert-sid-to-username-and-vice-versa/#google_vignette (Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.)

---

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". Note: Please follow the steps in [our documentation] to enable e-mail notifications if you want to receive the related email notification for this thread.