List or change the Inbox rules employees have: automatic e-mail forwards to private or external e-mail systems.

Problem:

In Exchange, users are able to forward their e-mail to an external private account themselves. This is a problem for compliance reasons and if you don’t have a DLP (Data Loss Prevention) solution.

There are ways to prevent this: with a Mail Control Rule (transport rule) or with an RBAC permission set. However, some technical accounts which HAVE to send mail copies externally may then also get targeted. See the end of this article for a solution, or at least a direction to go.

You do not see these rules in the Exchange 2010/2013/2016 web console or GUI. However, you can see them with PowerShell.

Here is how to find out which users in the organization have such a forward or redirect active.

PowerShell command:

Forwards

foreach ($i in (Get-Mailbox -ResultSize unlimited)) { Get-InboxRule -Mailbox $i.DistinguishedName | where {$_.ForwardTo} | fl MailboxOwnerID,Name,ForwardTo >> d:\edv\exchange_Forward.txt }

Redirects

foreach ($i in (Get-Mailbox -ResultSize unlimited)) { Get-InboxRule -Mailbox $i.DistinguishedName | where {$_.ReDirectTo} | fl MailboxOwnerID,Name,RedirectTo >> d:\edv\exchange_Redirect.txt }

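Another query, which does not catch everything (it only reads the mailbox-level ForwardingAddress property, not Inbox rules):

Get-Mailbox -ResultSize unlimited | Where {$_.ForwardingAddress -ne $null} | Select Name, ForwardingAddress, DeliverToMailboxAndForward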
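The queries above list every forward and redirect, internal ones included. The following added example (not part of the original article) keeps only targets outside your own mail domains. The function name, the sample rules, the domain names and the CSV file name are hypothetical, and it assumes rule targets stringify as "Name" [SMTP:address] or "Name" [EX:/o=...].

```powershell
# Added example, not from the original article.
# Assumption: rule targets stringify as '"Name" [SMTP:addr]' or '"Name" [EX:/o=...]'.
function Get-ExternalRuleTarget {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Rule,           # shaped like Get-InboxRule output
        [Parameter(Mandatory = $true)] [string[]] $InternalDomain  # your own mail domains
    )
    foreach ($r in $Rule) {
        foreach ($action in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo') {
            foreach ($target in @($r.$action)) {
                # [EX:...] targets are directory recipients and carry no SMTP domain here
                if ("$target" -match '\[SMTP:([^\]]+)\]') {
                    $address = $Matches[1]
                    $domain  = ($address -split '@')[-1]
                    if ($InternalDomain -notcontains $domain) {
                        New-Object PSObject -Property @{
                            Mailbox = $r.MailboxOwnerId; Rule = $r.Name; Enabled = $r.Enabled
                            Action  = $action;           Target = $address
                        }
                    }
                }
            }
        }
    }
}

# Constructed sample rules (not real data) so the function can be tried offline.
$sample = @(
    (New-Object PSObject -Property @{ MailboxOwnerId = 'alice'; Name = 'Copy home'; Enabled = $true
        ForwardTo = '"Alice" [SMTP:alice@example.net]' }),
    (New-Object PSObject -Property @{ MailboxOwnerId = 'bob'; Name = 'To assistant'; Enabled = $true
        RedirectTo = '"Carol" [EX:/o=Contoso/ou=First/cn=Recipients/cn=carol]' }),
    (New-Object PSObject -Property @{ MailboxOwnerId = 'dave'; Name = 'Team copy'; Enabled = $false
        ForwardAsAttachmentTo = '"Team" [SMTP:team@contoso.example]' })
)
Get-ExternalRuleTarget -Rule $sample -InternalDomain 'contoso.example' |
    Select-Object Mailbox, Rule, Enabled, Action, Target | Format-Table -AutoSize

# Live use in the Exchange Management Shell (same foreach pattern as the queries above):
# $domains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() }
# $rules   = foreach ($m in (Get-Mailbox -ResultSize unlimited)) { Get-InboxRule -Mailbox $m.DistinguishedName }
# Get-ExternalRuleTarget -Rule $rules -InternalDomain $domains |
#     Export-Csv d:\edv\exchange_external_targets.csv -NoTypeInformation
```

A target shown as [EX:...] can still be a mail contact whose address is external, so review those entries separately.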

Prevent with RBAC (from Sike Fogarty – BPOS Support)

Source: https://blogs.technet.microsoft.com/lystavlen/2012/04/10/how-to-prevent-internal-users-from-autoforwaring-mails-to-external-recipients/

  1. New-ManagementRole -Name "Disable-Auto-Forward" -Parent MyBaseOptions
    Set-ManagementRoleEntry "Disable-Auto-Forward\Set-Mailbox" -Parameters DeliverToMailboxAndForward,ForwardingAddress,ForwardingSmtpAddress -RemoveParameter
    Set-ManagementRoleEntry "Disable-Auto-Forward\New-InboxRule" -Parameters ForwardAsAttachmentTo,ForwardTo,RedirectTo -RemoveParameter

    Sign in to the EAC and click Permissions > User Roles. Click the plus sign to add an additional Role Assignment Policy, naming it whatever you want. Under MyBaseOptions you will see the Disable-Auto-Forward option; place a check mark in it. Save the Role Assignment Policy.

    Assign the Role Assignment Policy to the user(s) desired.

    How to change or remove the Inbox forwarding rule a user created:

    List the user's rules if you know the name (see above if you don’t):

    Get-InboxRule -Mailbox user-alias |fl Name,Identity,ForwardTo,ForwardAsAttachmentTo

    Example:

    Get-InboxRule -Mailbox m.butsch |fl Name,Identity,ForwardTo,ForwardAsAttachmentTo

    Remove the Inbox rule you want:

    Remove-InboxRule -Mailbox user-alias -Identity "NAME_YOU_SEE_ABOVE_WITH_OTHER_QUERY"

    Remove-InboxRule -Mailbox m.butsch -Identity "Send to NSA automatic"


