Thanks Michael, I'd forgotten about that one but checked and we do have that option disabled in our default owa policy. Thanks to John too for posting the scripts, looks like we're in the clear.
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Michael B. Smith Sent: Thursday, June 15, 2017 10:29 AM To: exchange@lists.myitforum.com Subject: [Exchange] RE: Reporting on who has rules Also be aware that, by default, via OWA Options, people can set their ForwardingSmtpAddress. From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> [mailto:listsad...@lists.myitforum.com] On Behalf Of Miller Bonnie L. Sent: Thursday, June 15, 2017 11:59 AM To: exchange@lists.myitforum.com<mailto:exchange@lists.myitforum.com> Subject: [Exchange] RE: Reporting on who has rules Thanks so much John, I'll give this a go! From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> [mailto:listsad...@lists.myitforum.com] On Behalf Of Senter, John Sent: Thursday, June 15, 2017 8:33 AM To: exchange@lists.myitforum.com<mailto:exchange@lists.myitforum.com> Subject: [Exchange] RE: Reporting on who has rules === Find forward rules === $mydata = @() foreach ($i in (Get-Mailbox -ResultSize unlimited)) { $Result = Get-InboxRule -Mailbox $i.DistinguishedName | where {($_.ForwardTo) -and ($_.ForwardTo -like "*smtp:*")} $mydata += ($Result | select-object -property @{Name="UserName";Expression={(get-user -Identity $_.MailboxOwnerID).displayname}}, @{Name="Rule Enabled";Expression={$_.Enabled}}, @{Name="Rule Name";Expression={$_.Name}}, @{Name="Forward To";Expression={$_.ForwardTo}}, @{Name="Description";Expression={$_.Description}}) } $mydata | export-csv e:\Scripts\FwdRuleOutput.csv -NoTypeInformation -Force ===Find redirect rules === $mydata = @() foreach ($i in (Get-Mailbox -ResultSize unlimited)) { $Result = Get-InboxRule -Mailbox $i.DistinguishedName | where {($_.ReDirectTo) -and ($_.ReDirectTo -like "*smtp:*")} $mydata += ($Result | select-object -property @{Name="UserName";Expression={(get-user -Identity $_.MailboxOwnerID).displayname}}, @{Name="Rule Enabled";Expression={$_.Enabled}}, @{Name="Rule Name";Expression={$_.Name}}, @{Name="Redirect To";Expression={$_.ReDirectTo}}, @{Name="Description";Expression={$_.Description}}) } $mydata | export-csv e:\Scripts\RedirRuleOutput.csv -NoTypeInformation -Force ===Remove Inbox Rules=== Remove-InboxRule -Mailbox <e-mail address> -identity "<The full rule name>" -force -confirm:$false From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> [mailto:listsad...@lists.myitforum.com] On Behalf Of Miller Bonnie L. Sent: Thursday, June 15, 2017 11:16 AM To: exchange@lists.myitforum.com<mailto:exchange@lists.myitforum.com> Subject: [Exchange] Reporting on who has rules Exchange 2013, I've been asked to create a report on who has mailbox rules enabled that might do a redirect to an external e-mail account (due to a targeted phishing attack, to make sure something isn't in place that we don't know about). I've never had to do anything like this before, anyone know the best way to go about this or what to search on to get started? -Bonnie
