by butsch
8. June 2016 19:34
List or change inbox rules employees have created > automatic E-Mail forwards to private or external E-Mail systems.
Problem:
In Exchange 2010 users are able to forward E-Mail themselves to an external private account. This is a problem because of compliance, and especially if you don't have a DLP (Data Loss Prevention) solution.
There are ways to prevent this (with a mail control rule > transport rule) or with an RBAC permission set. However, some technical accounts which HAVE to copy mail externally may then also be affected. See the end of this post for a solution, or at least a direction to go.
You do not see those rules in the Exchange 2010/2013/2016 web console or GUI. However, you can see them with PowerShell.
This is what we are talking about, as it looks in the Exchange 2010 GUI.
Here is how to find out which users in the organization have such a forward or redirect active.
PowerShell commands:
Forwards:
foreach ($i in (Get-Mailbox -ResultSize unlimited)) { Get-InboxRule -Mailbox $i.DistinguishedName | where {$_.ForwardTo} | fl MailboxOwnerID,Name,ForwardTo >> d:\edv\exchange_Forward.txt }
Redirects:
foreach ($i in (Get-Mailbox -ResultSize unlimited)) { Get-InboxRule -Mailbox $i.DistinguishedName | where {$_.RedirectTo} | fl MailboxOwnerID,Name,RedirectTo >> d:\edv\exchange_Redirect.txt }
Another query, which does not catch everything (it only lists mailbox-level forwarding set with Set-Mailbox, not the users' inbox rules):
Get-Mailbox | Where {$_.ForwardingAddress -ne $null} | Select Name, ForwardingAddress, DeliverToMailboxAndForward
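Putting the queries above together, here is an added example script (not from the original post) that lists every forward, forward-as-attachment and redirect target, from both inbox rules and mailbox-level forwarding, and marks which ones leave the organization by comparing the target domain with the accepted domains. It assumes the Exchange Management Shell with rights to read all mailboxes; the output path is an assumed placeholder.

```powershell
# Added example (not from the original post): audit every mailbox for
# forwarding/redirect targets and flag those outside the accepted domains.
# Assumes the Exchange Management Shell with rights to read all mailboxes;
# the output path is an assumed placeholder.
$OutFile = 'd:\edv\exchange_external_forwards.csv'

# Domains this Exchange organization accepts mail for; anything else is external.
$internal = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }

function Test-External {
    param([string]$Address)
    # Inbox-rule targets look like '"Name" [SMTP:user@example.com]' (or [EX:...]
    # for internal recipients); ForwardingSmtpAddress looks like 'smtp:user@example.com'.
    if ($Address -match '[^\s"\[\]:]+@([A-Za-z0-9.-]+)') {
        return ($internal -notcontains $Matches[1].ToLower())
    }
    return $false   # no SMTP address visible, e.g. an EX: legacy DN: internal
}

function New-Row($Mailbox, $Source, $RuleName, $Target) {
    [PSCustomObject]@{
        Mailbox = $Mailbox; Source = $Source; RuleName = $RuleName
        Target  = $Target;  External = Test-External $Target
    }
}

$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding: ForwardingAddress points at a recipient object
    # (which may be a mail contact with an external address), so resolve it.
    if ($mbx.ForwardingAddress) {
        $rcpt = Get-Recipient $mbx.ForwardingAddress.DistinguishedName
        New-Row $mbx.PrimarySmtpAddress 'Mailbox' '-' "$($rcpt.PrimarySmtpAddress)"
    }
    if ($mbx.ForwardingSmtpAddress) {
        New-Row $mbx.PrimarySmtpAddress 'Mailbox' '-' "$($mbx.ForwardingSmtpAddress)"
    }
    # User-created inbox rules: forward, forward-as-attachment and redirect
    foreach ($rule in Get-InboxRule -Mailbox $mbx.DistinguishedName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in ($targets | Where-Object { $_ })) {
            New-Row $mbx.PrimarySmtpAddress 'InboxRule' $rule.Name "$t"
        }
    }
}

$report | Export-Csv -Path $OutFile -NoTypeInformation
# Print only the forwards that leave the organization
$report | Where-Object { $_.External } | Format-Table Mailbox, Source, RuleName, Target -AutoSize
```

The CSV keeps the full list (including internal targets) so that the technical accounts which legitimately copy mail externally can be reviewed and whitelisted before anything is removed.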
Prevent with RBAC (from Sike Fogarty - BPOS Support)
Source: https://blogs.technet.microsoft.com/lystavlen/2012/04/10/how-to-prevent-internal-users-from-autoforwaring-mails-to-external-recipients/
New-ManagementRole -Name "Disable-Auto-Forward" -Parent MyBaseOptions
Set-ManagementRoleEntry "Disable-Auto-Forward\Set-Mailbox" -Parameters DeliverToMailboxAndForward,ForwardingAddress,ForwardingSmtpAddress -RemoveParameter
Set-ManagementRoleEntry "Disable-Auto-Forward\New-InboxRule" -Parameters ForwardAsAttachmentTo,ForwardTo,RedirectTo -RemoveParameter
Sign into the EAC, click on Permissions > User Roles, click on the plus sign to add an additional Role Assignment Policy, name it whatever you want, and under MyBaseOptions you will see the Disable-Auto-Forward option, which you will want to check. Save the Role Assignment Policy.
Assign the Role Assignment Policy to the desired user(s).
How to change or remove the inbox forwarder a user created:
List the rules of the user if you know the name (see above if you don't):
Get-InboxRule -Mailbox user-alias |fl Name,Identity,ForwardTo,ForwardAsAttachmentTo
Example:
Get-InboxRule -Mailbox m.butsch |fl Name,Identity,ForwardTo,ForwardAsAttachmentTo
Remove the inbox rule you want (using the name shown by the query above):
Remove-InboxRule -Mailbox user-alias -Identity "NAME_YOU_SEE_ABOVE_WITH_OTHER_QUERY"
Remove-InboxRule -Mailbox m.butsch -Identity "Send to NSA automatic"