Faster method to collect Send-as permissions
I recently came across a situation where Send-as permissions for all Distribution groups needed to be collected. The Exchange command Get-ADPermission was run and it took forever to complete (more than a day, before the PowerShell session disconnected). Below is the code used.
Using Get-ADPermission
$Result = @()
# All mail-enabled universal security groups
$DLList = Get-DistributionGroup -RecipientTypeDetails MailUniversalSecuritygroup -ResultSize Unlimited | Select Alias,Name,PrimaryEmailAddress
foreach($DL in $DLList)
{
    # Explicit (non-inherited) Send-As entries, excluding NT AUTHORITY\SELF
    $DLPerm = Get-ADPermission -Identity $DL.Name | where {($_.ExtendedRights -like "*Send-As*") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF")} | Select Identity,User
    $Result += $DLPerm
}
$Result | select Identity,User | Export-Csv SendAs_report.csv -NoTypeInformation
To overcome the challenges, I put together a script which uses the AD module, and it was much faster to produce the output.
Rewritten Code, using ActiveDirectory Module
Start-Transcript -Path C:\temp\DLSend-asPerms.txt
Import-Module ActiveDirectory
# Get-Acl needs the AD: drive to resolve distinguished names
Set-Location AD:
# Every group that has at least one proxy address, i.e. is mail-enabled
$MailDLs = Get-ADObject -Filter "(objectClass -eq 'group') -and (proxyAddresses -like '*')" -SearchScope Subtree -ResultPageSize 200000
Write-Host "Total $($MailDLs.Count) MailDLs found"
$i = 0
foreach($MailDL in $MailDLs){
    $i++
    $SendasEntries = $NULL
    # -Activity is mandatory, and the percentage must be a single parenthesised expression
    Write-Progress -Activity "Collecting Send-as permissions" -Status "Processing $i / $($MailDLs.Count)" -PercentComplete (($i / @($MailDLs).Count) * 100)
    # Explicit ACEs for the Send-As extended right, excluding NT AUTHORITY\SELF
    $SendasEntries = Get-ACL $MailDL.DistinguishedName | select -ExpandProperty Access | ?{($_.ActiveDirectoryRights -eq "ExtendedRight") -and ($_.objectType -eq "ab721a54-1e2f-11d0-9819-00aa0040529b") -and
        ($_.IsInherited -eq $false) -and $_.IdentityReference -ne "NT AUTHORITY\SELF" }
    if($NULL -eq $SendasEntries){
        Write-Host "DL $($MailDL.Name) - Has no Sendas Entries"
    }
    foreach($SendasEntry in $SendasEntries){
        Write-Host "DL $($MailDL.Name) - $($SendasEntry.IdentityReference) has Sendas Perms"
    }
}
Stop-Transcript
The re-written code uses the Get-ACL cmdlet to collect the Send-as permissions, and for over 100,000 DGs it took a little over 3 hours to generate the report.
This way of collecting Send-as permissions is much faster than using the Get-ADPermission cmdlet in a remote PS session. The GUID "ab721a54-1e2f-11d0-9819-00aa0040529b" used in the script is the GUID of the Send-As extended right, which appears as the ObjectType of the access control entry.
I haven't made proper comments or added code to create a formal report; this is just to demonstrate the better way to collect the Send-as permission report. Hope you find it useful.
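For an access review, the same Get-ACL filter can return report rows instead of host output. The following is an added example, not the original author's script: `Select-SendAsAce`, `New-SampleAce` and the sample entries are hypothetical and constructed so the filter runs without a domain. It goes beyond the script above by testing the ExtendedRight bit rather than using `-eq`, by flagging entries that grant all extended rights (empty ObjectType), and by recording whether each entry is Allow or Deny.

```powershell
# Added example, not the original author's script. Function names and the
# sample ACEs are hypothetical/constructed so the filter runs without AD.
Add-Type -AssemblyName System.DirectoryServices
$SendAsGuid = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'  # GUID from the post
$AllRights  = [guid]::Empty   # empty ObjectType = every extended right

function Select-SendAsAce {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Access  # (Get-Acl $dn).Access
    )
    $extendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    foreach ($ace in $Access) {
        # Bit test instead of -eq, so combined rights such as
        # "ReadProperty, ExtendedRight" or GenericAll are not skipped.
        $rights = [int][System.DirectoryServices.ActiveDirectoryRights]$ace.ActiveDirectoryRights
        if (($rights -band $extendedRight) -eq 0) { continue }
        if ($ace.IsInherited) { continue }
        if ("$($ace.IdentityReference)" -eq 'NT AUTHORITY\SELF') { continue }
        $objectType = [guid]"$($ace.ObjectType)"
        if ($objectType -eq $SendAsGuid)    { $grant = 'Send-As' }
        elseif ($objectType -eq $AllRights) { $grant = 'All extended rights (includes Send-As)' }
        else { continue }   # a different extended right
        [pscustomobject]@{
            Group   = $GroupName
            Trustee = "$($ace.IdentityReference)"
            Type    = "$($ace.AccessControlType)"   # Allow or Deny
            Grant   = $grant
        }
    }
}

# Constructed ACEs with the same property names Get-Acl returns for AD objects.
function New-SampleAce($Who, $Rights, $ObjectType, $Inherited = $false, $Type = 'Allow') {
    [pscustomobject]@{ IdentityReference = $Who; ActiveDirectoryRights = $Rights
        ObjectType = $ObjectType; IsInherited = $Inherited; AccessControlType = $Type }
}
$sample = @(
    New-SampleAce 'CONTOSO\alice' 'ExtendedRight' $SendAsGuid
    New-SampleAce 'CONTOSO\bob' 'ReadProperty, ExtendedRight' $SendAsGuid
    New-SampleAce 'CONTOSO\carol' 'GenericAll' $AllRights
    New-SampleAce 'CONTOSO\dave' 'ExtendedRight' $SendAsGuid $false 'Deny'
    New-SampleAce 'NT AUTHORITY\SELF' 'ExtendedRight' $SendAsGuid
    New-SampleAce 'CONTOSO\erin' 'ExtendedRight' $SendAsGuid $true
)
Select-SendAsAce -GroupName 'DL-Finance' -Access $sample | Format-Table -AutoSize
```

Against a real directory, pass `(Get-Acl $MailDL.DistinguishedName).Access` as `-Access` inside the loop above and pipe the collected rows to `Export-Csv -NoTypeInformation`.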
Comments
- Anonymous
December 10, 2017
great stuff as always thanks
- Anonymous
December 22, 2017
Thank you! Great!