I recently came across a situation where Send-As permissions for all distribution groups needed to be collected. The Exchange command Get-ADPermission was run and it took forever to complete (more than a day, before the PowerShell session disconnected). Below is the code used.
Using Get-ADPermission
```powershell
# Collect explicit Send-As permissions for every mail-enabled security group
$Result = @()
$DLList = Get-DistributionGroup -RecipientTypeDetails MailUniversalSecuritygroup -resultsize unlimited |
    Select Alias,name,PrimaryEmailAddress

foreach($DL in $DLList) {
    # One Get-ADPermission call per group; this is the slow part
    $DLPerm = Get-ADPermission -Identity $DL.Name |
        where {($_.ExtendedRights -like "*Send-As*") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF")} |
        Select Identity,User
    $Result += $DLPerm
}

# Write the report once, after all groups have been processed
$Result | select Identity,User | Export-Csv SendAs_report.csv -NoTypeInformation
```
To overcome the challenges, I put together a script which uses the AD module, and it was much faster to produce the output.
Rewritten Code, using ActiveDirectory Module
```powershell
Start-Transcript -Path C:\temp\DLSend-asPerms.txt
Import-Module ActiveDirectory
Set-Location AD:   # Get-ACL below resolves distinguished names through the AD: drive

# Every group object that has at least one proxy address (mail-enabled groups)
$MailDLs = @(Get-ADObject -Filter "(objectClass -eq 'group') -and (proxyAddresses -like '*')" -SearchScope Subtree -ResultPageSize 200000)
Write-Host "Total $($MailDLs.Count) MailDLs found"

$i = 0
foreach($MailDL in $MailDLs){
    $i++
    $SendasEntries = $NULL
    # The whole percentage expression must be parenthesised, otherwise "* 100" is parsed as extra arguments
    Write-Progress -Activity "Collecting Send-As permissions" -Status "Processing $i / $($MailDLs.Count)" -PercentComplete (($i / $MailDLs.Count) * 100)

    # Explicit (non-inherited) ACEs for the Send-As extended right, excluding SELF
    $SendasEntries = Get-ACL $MailDL.DistinguishedName | select -ExpandProperty Access | ?{
        ($_.ActiveDirectoryRights -eq "ExtendedRight") -and
        ($_.objectType -eq "ab721a54-1e2f-11d0-9819-00aa0040529b") -and
        ($_.IsInherited -eq $false) -and
        $_.IdentityReference -ne "NT AUTHORITY\SELF"
    }

    if($NULL -eq $SendasEntries){
        Write-Host "DL $($MailDL.Name) - Has no Sendas Entries"
    }
    foreach($SendasEntry in $SendasEntries){
        Write-host "DL $($MailDL.Name) - $($SendasEntry.IdentityReference) has Sendas Perms"
    }
}
Stop-Transcript
```
The rewritten code uses the Get-ACL cmdlet to collect the Send-As permissions; for over 100,000 DGs it took a little over 3 hours to generate the report.
This way of collecting Send-As permissions is much faster than using the Get-ADPermission cmdlet in a remote PS session. The GUID "ab721a54-1e2f-11d0-9819-00aa0040529b" used in the script is the GUID of the Send-As extended right; the script matches it against the ObjectType of each access rule.
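The filter in the rewritten script does not look at the ACE type and compares the rights with an exact match, so a Deny entry is reported as a grant and an ACE that grants every extended right is missed. The following is an added example, not code from the original post: `Select-SendAsAce` and `New-SampleAce` are hypothetical helper names, the accounts and ACEs are constructed, and it assumes Windows PowerShell 5 or later with the System.DirectoryServices assembly available.

```powershell
# Added example (not from the original post). All accounts and ACEs below are constructed.
Add-Type -AssemblyName System.DirectoryServices
$SendAsGuid = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'   # Send-As GUID quoted in the post

function Select-SendAsAce {
    # Hypothetical helper: one report row per explicit Allow ACE that grants Send-As.
    param([Parameter(Mandatory)][string]$GroupName, [object[]]$Access)
    $extended = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    foreach ($ace in $Access) {
        if ($ace.IsInherited) { continue }                        # explicit entries only
        if ($ace.AccessControlType -ne 'Allow') { continue }      # a Deny ACE grants nothing
        # Rights are bit flags: test the ExtendedRight bit instead of an exact match
        if (([int]$ace.ActiveDirectoryRights -band $extended) -eq 0) { continue }
        if ($ace.IdentityReference.Value -eq 'NT AUTHORITY\SELF') { continue }
        $grants = $null
        if ($ace.ObjectType -eq $SendAsGuid) { $grants = 'Send-As' }
        elseif ($ace.ObjectType -eq [guid]::Empty) { $grants = 'All extended rights' }
        if (-not $grants) { continue }                            # some other extended right
        [pscustomobject]@{
            Group   = $GroupName
            Trustee = $ace.IdentityReference.Value
            Grants  = $grants
        }
    }
}

function New-SampleAce {
    # Builds an in-memory ACE; the account name is never resolved against a directory.
    param([string]$Who,
          [System.DirectoryServices.ActiveDirectoryRights]$Rights,
          [System.Security.AccessControl.AccessControlType]$Type,
          [guid]$ObjectType)
    $id = [System.Security.Principal.NTAccount]::new($Who)
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($id, $Rights, $Type, $ObjectType)
}

# Constructed sample ACL for a hypothetical group "DL-Finance"
$sample = @(
    New-SampleAce 'CONTOSO\alice'     ExtendedRight Allow $SendAsGuid     # plain Send-As grant
    New-SampleAce 'CONTOSO\bob'       ExtendedRight Deny  $SendAsGuid     # Deny: must not be listed
    New-SampleAce 'CONTOSO\helpdesk'  GenericAll    Allow ([guid]::Empty) # full control implies Send-As
    New-SampleAce 'NT AUTHORITY\SELF' ExtendedRight Allow $SendAsGuid     # excluded, as in the post
)
Select-SendAsAce -GroupName 'DL-Finance' -Access $sample | Format-Table -AutoSize
```

Inside the post's loop, the same function can be fed `(Get-ACL $MailDL.DistinguishedName).Access` and its output piped to `Export-Csv` to produce a report file instead of transcript lines.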
I haven't made proper comments or added code to create a formal report; this is just to demonstrate the better way to collect the Send-As permission report. Hope you find it useful.