Enumerating Sharing Permissions via EWS Managed API in PowerShell

The following PowerShell script enumerates the sharing DACLs on the Inbox and Calendar of the user under whom the script is running. I’ve not yet attempted to enumerate the permissions for a different user. I included the “$perms[$i].UserID | fl *” line to illustrate why I use an IF-THEN construct. The default permission throws an odd wrinkle into the mix: its UserId has no DisplayName, so the script falls back to StandardUser.


#---------------------------------- ews_get_perms.ps1 ------------------------
$dllpath = "C:\Program Files\Microsoft\Exchange\Web Services\1.0\Microsoft.Exchange.WebServices.dll"
[void][Reflection.Assembly]::LoadFile($dllpath)

$service = new-object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2007_SP1)
# Authenticate as the Windows user running the script
$service.UseDefaultCredentials = $true
$uri=[system.URI] "https://YOUR.EWS.FQDN/ews/exchange.asmx"
$service.Url = $uri

$inbox= [Microsoft.Exchange.WebServices.Data.Folder]::Bind($service,[Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox)

$perms = $inbox.permissions

"`nPermissions on Inbox:"

for ($i=0;$i -le ($perms.Count - 1);$i++) {
    # Entries without a DisplayName are identified by StandardUser instead
    if ($null -eq $perms[$i].UserId.DisplayName) {$user=$perms[$i].UserId.StandardUser}
    else {$user=$perms[$i].UserId.DisplayName}
    # Dump the raw UserId to show which fields are populated for this entry
    $perms[$i].UserId | fl *
    "User : $user"
    "CanCreateItems : $($perms[$i].CanCreateItems)"
    "CanCreateSubFolder : $($perms[$i].CanCreateSubFolders)"
    "IsFolderOwner : $($perms[$i].IsFolderOwner)"
    "IsFolderVisible : $($perms[$i].IsFolderVisible)"
    "IsFolderContact : $($perms[$i].IsFolderContact)"
    "EditItems : $($perms[$i].EditItems)"
    "DeleteItems : $($perms[$i].DeleteItems)"
    "ReadItems : $($perms[$i].ReadItems)"
    "PermissionLevel : $($perms[$i].PermissionLevel)"
    "DisplayPermissionLevel : $($perms[$i].DisplayPermissionLevel)"
    "-----------------------------------------------"
}

$cal=[Microsoft.Exchange.WebServices.Data.Folder]::Bind($service,[Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Calendar)

$perms = $cal.permissions

"`nPermissions on Calendar:"

for ($i=0;$i -le ($perms.Count - 1);$i++) {
    # Entries without a DisplayName are identified by StandardUser instead
    if ($null -eq $perms[$i].UserId.DisplayName) {$user=$perms[$i].UserId.StandardUser}
    else {$user=$perms[$i].UserId.DisplayName}
    # Dump the raw UserId to show which fields are populated for this entry
    $perms[$i].UserId | fl *
    "User : $user"
    "CanCreateItems : $($perms[$i].CanCreateItems)"
    "CanCreateSubFolder : $($perms[$i].CanCreateSubFolders)"
    "IsFolderOwner : $($perms[$i].IsFolderOwner)"
    "IsFolderVisible : $($perms[$i].IsFolderVisible)"
    "IsFolderContact : $($perms[$i].IsFolderContact)"
    "EditItems : $($perms[$i].EditItems)"
    "DeleteItems : $($perms[$i].DeleteItems)"
    "ReadItems : $($perms[$i].ReadItems)"
    "PermissionLevel : $($perms[$i].PermissionLevel)"
    "DisplayPermissionLevel : $($perms[$i].DisplayPermissionLevel)"
    "-----------------------------------------------"
}

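An added example, not part of the original script: it turns the same enumeration into an audit check that resolves each entry's name the same way (falling back to StandardUser when DisplayName is empty) and flags Default or Anonymous entries whose rights go beyond free/busy. The names Get-BroadFolderGrant and New-SampleEntry and the sample entries are constructed for illustration; with a live connection, pass $inbox.Permissions or $cal.Permissions instead of $sample.

```powershell
# Added example. Get-BroadFolderGrant and New-SampleEntry are hypothetical helper
# names; the property names match the FolderPermission fields printed above.
function Get-BroadFolderGrant {
    param([string]$FolderName, $Permissions)
    foreach ($p in $Permissions) {
        # Default and Anonymous have no DisplayName; StandardUser names them.
        $standard = "$($p.UserId.StandardUser)"
        $who = if ($null -ne $p.UserId.DisplayName) { $p.UserId.DisplayName } else { $standard }

        # Judge by the individual rights so a Custom level is not missed.
        $exposure = @()
        if ("$($p.ReadItems)" -eq 'FullDetails')           { $exposure += 'read' }
        if ($p.CanCreateItems -or $p.CanCreateSubFolders)  { $exposure += 'create' }
        if ("$($p.EditItems)" -ne 'None')                  { $exposure += 'edit' }
        if ("$($p.DeleteItems)" -ne 'None')                { $exposure += 'delete' }
        if ($p.IsFolderOwner)                              { $exposure += 'owner' }

        New-Object PSObject -Property @{
            Folder          = $FolderName
            User            = $who
            PermissionLevel = "$($p.PermissionLevel)"
            Exposure        = ($exposure -join ',')
            # Only the catch-all principals are flagged; named users are just listed.
            Flagged         = (('Default', 'Anonymous') -contains $standard) -and ($exposure.Count -gt 0)
        }
    }
}

# Constructed stand-ins for FolderPermission objects, so the check runs offline.
function New-SampleEntry($Display, $Standard, $Level, $Read, $Create, $Scope) {
    New-Object PSObject -Property @{
        UserId = (New-Object PSObject -Property @{ DisplayName = $Display; StandardUser = $Standard })
        PermissionLevel = $Level; ReadItems = $Read
        CanCreateItems = $Create; CanCreateSubFolders = $false
        EditItems = $Scope; DeleteItems = $Scope; IsFolderOwner = $false
    }
}

$sample = @(
    (New-SampleEntry $null 'Default'   'Reviewer' 'FullDetails' $false 'None'),  # flagged: read
    (New-SampleEntry $null 'Anonymous' 'None'     'None'        $false 'None'),  # not flagged
    (New-SampleEntry 'Pat Example' $null 'Editor' 'FullDetails' $true  'All'),   # named user
    (New-SampleEntry $null 'Default'   'Custom'   'None'        $true  'None')   # flagged: create
)

Get-BroadFolderGrant -FolderName 'Inbox' -Permissions $sample |
    Where-Object { $_.Flagged } |
    Format-Table Folder, User, PermissionLevel, Exposure -AutoSize
```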