Faster way to report Send As permissions on Prem

Some Exchange reporting tasks are really time-consuming. One of them is reporting Send As permissions for mailboxes/recipients. This post gives you an idea and a different approach for getting Send As permissions in your environment faster than with the Get-ADPermission cmdlet.

Here is an example function for a single-domain environment that reports Send As permissions much faster than the Get-ADPermission command.

function Get-SendAsPermissionsfromAD
{
	Param
	(
		[Parameter(Mandatory = $false)] $Recipients
	)
	if (!$Recipients)
	{
		$Recipients = Get-Mailbox -ResultSize Unlimited
	}
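	$Count = 0
	# Wrap in @() so a single recipient still yields a count of 1
	$TotalItems = @($Recipients).Count
	import-module activedirectory
	# Distinguished name of the current domain (single-domain environment)
	$Domain = Get-Addomain | select -expand distinguishedname
	# rightsGuid of the Send-As extended right; ACEs reference the right by this GUID
	$Sendas = Get-ADObject -Properties rightsguid "CN=Send-As,CN=Extended-Rights,CN=Configuration,$($Domain)" | Select -expand RightsGuid
	$AllSendAsPermissions = @()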
	foreach ($Recipient in $Recipients)
	{
		$Count++
		[int]$percentComplete = [int](($Count/$TotalItems * 100))
		Write-Progress -Activity "Checking Send-As Permissions" -PercentComplete "$percentComplete" -Status ("Processing Mailbox: $($Recipient.DisplayName) - $($Count) of $($TotalItems)")
		$SendasMemberValues = $Null
		$DistinguishedName = $Recipient.DistinguishedName
		$Permissions = (Get-Acl "ad:$($DistinguishedName)").access | where { ($_.IsInherited -eq $false) -and ($_.objecttype -eq $sendas) -and ($_.IdentityReference -notlike "NT AUTHORITY\SELF") -and ($_.AccessControlType -eq "Allow") } | Select -expand IdentityReference
		$Permissions = $Permissions | Select -expand Value
		if ($Permissions)
		{
			foreach ($Permission in $Permissions)
			{
				$Values = new-object psobject
				$Values | Add-Member -membertype noteproperty -name "Name" -Value $Recipient.Name
				$Values | Add-Member -membertype noteproperty -name "Permission" -Value $Permission
				$AllSendAsPermissions += $Values
			}
		}
	}
	$AllSendAsPermissions
}

To prove that it is much faster, here is an example environment with more than 1000 mailboxes.
Let's first get all the mailboxes and then use Get-ADPermission to report the Send As permissions explicitly given on all mailboxes.

$elapsed = [System.Diagnostics.Stopwatch]::StartNew()
$StandardWay = Get-Mailbox -resultsize Unlimited | Get-ADPermission | where {($_.ExtendedRights -like "*Send-As*") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF")}
write-host "Total Elapsed Time: $($elapsed.Elapsed.ToString())"

And the result is: 1 Hour 5 minutes…

And now let's try the function, which uses the Get-Acl command, to get the same result:

$elapsed = [System.Diagnostics.Stopwatch]::StartNew()
$ADway = Get-SendAsPermissionsfromAD 
write-host "Total Elapsed Time: $($elapsed.Elapsed.ToString())"

And the result is: Just around 5 minutes…

Now let's break down the function to see what we are actually doing:

First we get the domain distinguishedName:

$Domain = Get-Addomain | select -expand distinguishedname

Then we get the RightsGuid of the Send-As object for our domain:

$Sendas = Get-ADObject -Properties rightsguid "CN=Send-As,CN=Extended-Rights,CN=Configuration,$($Domain)" | Select -expand RightsGuid

For each mailbox, we collect the permissions that match the Send-As object's RightsGuid and are not inherited, not SELF and not denied:

$Permissions = (Get-Acl "ad:$($DistinguishedName)").access | where { ($_.IsInherited -eq $false) -and ($_.objecttype -eq $sendas) -and ($_.IdentityReference -notlike "NT AUTHORITY\SELF") -and ($_.AccessControlType -eq "Allow") } | Select -expand IdentityReference

That is actually it; the rest is just putting the information into a psobject and adding a progress bar.

Feel free to customize it to your needs for reporting Send As permissions.

Notes:

  1. The Get-SendAsPermissionsfromAD function requires the Active Directory module and an Exchange PowerShell session
  2. If you have multiple domains or forests, you will need to customize the domain information
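
For note 2, one way to drop the single-domain assumption inside one forest, as an added example that is not the author's code: read the Configuration partition DN from RootDSE and read each object's security descriptor from that object's own domain. The function name Get-SendAsAce is hypothetical, and the example assumes PowerShell 3.0 or later, the ActiveDirectory module, and input objects with Name and DistinguishedName properties (such as Get-Mailbox output).

```powershell
# Added example (not from the original post). Get-SendAsAce is a hypothetical name.
# Assumes PowerShell 3.0+, the ActiveDirectory module, and input objects that
# expose Name and DistinguishedName (for example, Get-Mailbox output).
function Get-SendAsAce
{
	Param
	(
		[Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Recipient
	)
	begin
	{
		Import-Module ActiveDirectory
		# The Configuration partition is forest-wide; RootDSE returns its DN,
		# so it does not have to be built from the current domain's DN.
		$ConfigNC = (Get-ADRootDSE).configurationNamingContext
		$SendAs = [guid](Get-ADObject "CN=Send-As,CN=Extended-Rights,$ConfigNC" -Properties rightsGuid).rightsGuid
	}
	process
	{
		$DN = $Recipient.DistinguishedName
		# Build the DNS name of the object's own domain from the DC= parts of its DN
		# (split only on unescaped commas) and query that domain directly.
		$DomainDns = (($DN -split '(?<!\\),') -like 'DC=*' | ForEach-Object { $_.Substring(3) }) -join '.'
		$Acl = (Get-ADObject -Identity $DN -Server $DomainDns -Properties nTSecurityDescriptor).nTSecurityDescriptor
		# Same filter as the post: explicit, Allow, Send-As, not SELF.
		$Acl.Access | Where-Object {
			($_.IsInherited -eq $false) -and
			($_.ObjectType -eq $SendAs) -and
			($_.AccessControlType -eq 'Allow') -and
			($_.IdentityReference.Value -ne 'NT AUTHORITY\SELF')
		} | ForEach-Object {
			# Emit one object per ACE to the pipeline instead of growing an array with +=
			[pscustomobject]@{
				Name       = $Recipient.Name
				Domain     = $DomainDns
				Permission = $_.IdentityReference.Value
			}
		}
	}
}

# Usage: Get-Mailbox -ResultSize Unlimited | Get-SendAsAce | Export-Csv .\SendAs.csv -NoTypeInformation
```

Trustees from a domain that cannot be resolved appear as raw SIDs in the Permission column, which is worth reviewing in an audit rather than filtering out.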

About Serkan Varoglu

Serkan Varoglu is a Turkish IT Pro living in Ireland. Serkan has over 10 years of experience, holds certifications including MCITP (EMA 2010 and Enterprise Admin), MCSE, MCSA, MCTS and ITIL, and was awarded the Microsoft MVP Award (Exchange Server).