Exchange mailbox/folders permissions – dependency graph between users.

Following solution uses GraphViz application to visualize mailboxpermissions dependencies in the company.

Some time ago I published a scripts for reading mailbox permissions:

and mailbox folder permissions:

If some of you are wondering what GraphViz is, a quick look on google graphics and phrase “graphviz”, gives us an idea of how gorgeous graphs it can create:


All the GraphViz needs is to have properly formatted input file – that’s it!


The need of having such script showed up as one time I was standing in front of migrating users to Exchange Online. I started to wonder how shall I visualize in a simply way, who need to be migrated together…


It was not an easy task, going though a excel/csv file, or even creating lists were not satisfying for me, so I started to think about it more, even during meals…


And then I found GraphViz:

It was looking really good! So now just a matter of quick reading about it checking if it will apply…


…reviewing the idea…


…some calculations…


And after all that research the idea became clear…


As I mentioned at the beginning, input file can be done with one of the mailbox permissions / mailbox folder permissions reading scripts – links provided on the top (you might need to change delimiters a little bit as I guess in these files are “;” but go for adventure and modify something :))

The proper input should look like:


So it has columns named “Mailbox”, “User” and “AccessRights”

And now the script. In organization I was building script for – it appeared that we have so many permissions I almost shat brikcs when I saw the actual output (graph)…

Just take a look by yourself, here is just a very small piece of graph when I was checking dependencies of just one mailbox – mine:



Let’s go closer:



Imagine now that whole dependency graph contained like 10 more same chunks/pieces, 10 more, 10 fuck*ng times!

Well, I needed somehow to…


So the idea of migrating people together in chunks fell down and broke into pieces :] but at least we have that nice script.

  1. First thing is to get GraphViz application and install it:

Here you can find it:

After installation all you need to to read your mailbox permissions – you can choose to read it with scripts from links given at the beginning of that article.

     2. Next thing, is to set up 3 variables:


$GraphImageFile = “GraphImageFile.png” -> this is the name/path of your output file – actual graph

$GraphGraphVizFile = “GraphVizFile.gv” -> this is the name/path of the input file that will be passed to GraphViz to visualize your data, it will look similar to this one:


$CSVPermissionsFile = “Permissions.csv” –> and finally this is the input file for the script – so output from your script that reads permissions from mailboxes

    3. Having CSV we can start reading permissions, so here are some examples.

After running below:

.\PermissionMatrixGraphBuilder.ps1 -users “Pawel Jarosz”, “Wladek Ksiegowicz”


We will get:


Users mentioned in “Users” array will be marked on blue, nice arrows will show direction of permissions 🙂

After running:

.\PermissionMatrixGraphBuilder.ps1 -users “Pawel Jarosz”, “Wladek Ksiegowicz” -SingleUser $true


We will get:


And finally after running same but with “level” set to 1 we will get:

.\PermissionMatrixGraphBuilder.ps1 -users “Pawel Jarosz”, “Wladek Ksiegowicz” -Level 1


That will runthough the whole file ONLY ONE TIME, and what we will get would be something like:


So summing up – for me script does a good job when it comes to visualize data that would be actually really hard to see from a excel file.

It is just an easy script, please note that you can add here features like:

  • adding description to each “connection” saying to which folder permissions are given
  • reading mailboxes sizes and adding them to the graph so it can ease planing of migration of certain groups of people
  • remember – possibilities are endless:




Script can be found on TechNet and GitHub.



Script to check mailbox permissions

Recently I have written a script for getting mailbox permissions.

Script reads permissions and puts it in CSV. I have used a lot from Get-MailboxReport.ps1 script wrote by Paul Cunningham.

Data can be read from mailboxes individually, for specific mailbox server or all mailboxes:



At the end it gives CSV output like:


Script can be found on Technet – link >> TECHNET



ZABBIX – listing permissions

Today one of our security officer asked me to retrieve a list of users and permissions from our zabbix systems.

The problem occured while I was trying to associate users’ groups to hosts’ groups. There is in fact one subsite “permissions” under “Administration” -> “Users” after clicking on particular group link. But you cannot copy any information from there. Additionally if you have many groups that would be tidious task.

Instead of that I decided to retrieve the permissions from the database: here is the working sql command:

SELECT r.permission as "Permissions", as "User Group", as "Host Group" FROM zabbix.rights as r
join zabbix.usrgrp as g
on r.groupid = g.usrgrpid
join zabbix.groups as z
on z.groupid =

2 in the “permission” column means “read” access, 3 means “read/write” permissions.

Listing permissions for Sharepoint 2010 – including information about inheritable permissions lists/libraries and files

I am about to describe my struggling with SCCM 2007 to 2012 upgrade, but just before that I would like to share with you guys a script I was dreaming to have time to write to.

I am talking about script that is listing permissions for sharepoint and all libraries and files that don’t inherit permissions.

It was slightly a horrible nightmare for me to list permissions for the web application – there was a time, where users had power to grant permissions for folders and files. After a couple of years there was an idea from the managment – let’s take back those permissions and put everythign in User Rights Management system…

First thought:


Second – pretty much the same:


Finally I had some time and written a script that lets me to specify precisely on what file in what library who the hell has permissions 😀

Here it is:

$url = "http://<WEB_APPLICATION_NAME>"
$site = Get-SPWeb ($url)
$pliki = @()</span>

foreach ($web in $site.Site.AllWebs)

# if ($web.Url.StartsWith($url)) { # Uncomment for listing whe whole web application

if ($web.Url -match "http://<WEB_APPLICATION_NAME>/<SOME_FOLDER>") { #Uncomment to list just one particular site


$host.ui.RawUI.ForegroundColor = “Green”;
Write-Host ("PErmissions for website " + $web.Name + " ,Url: " + $web.Url)
$lists = $web.Lists
Write-Host "Website contains the content libraries:"
$host.ui.RawUI.ForegroundColor = “white”;
foreach ($list in $lists) {

# (START) Getting the files with non heritable permissions
foreach ($ll in $list.items){
if ($ll.HasUniqueRoleAssignments -match "True"){
$e = $ll.url
foreach ($upr_f in $ll.RoleAssignments){
$f = $
$g = $upr_f.RoleDefinitionBindings | foreach {$}
$paczka = "$e,$f,$g"
$pliki += $paczka
# (END) Getting the files with non heritable permissions

# (START) Getting the list/libraries with inheritable permissions

$l = $list.folders
foreach ($upr in $l){

#   if ($ -match "Systemy - admini"){ #Uncoment if you would like to list particular list/library, do not forget
#   to uncommenct the bracket below
$a= $upr.Url
$b = $upr.HasUniqueRoleAssignments

if ($b -eq "True"){
$host.ui.RawUI.ForegroundColor = “green”;
Write-Host "The list/library with unique permissions:"
$host.ui.RawUI.ForegroundColor = “yellow”;

foreach ($u in $upr.RoleAssignments){
$c = $
$d = $u.RoleDefinitionBindings | foreach {$}
Write-Host "$a, $c, $d"

if ($pliki) {
$host.ui.RawUI.ForegroundColor = “Green”;
Write-Host "Files with unique permissions"
$host.ui.RawUI.ForegroundColor = “yellow”;

$pliki = @()
$host.ui.RawUI.ForegroundColor = “Green”;
Write-host "#-------------"
$host.ui.RawUI.ForegroundColor = “white”;
#   } Bracket for "IF" specifying list/library

# (END) Getting the list/libraries with inheritable permissions