Useful when Get-MailboxPermissions is showing numeric rights. This script parses the msExchMailboxSecurityDescriptor and adds a Rights member which shows which valid rights are set and which invalid ones are set.

Get-MailboxPermissionsDetailed.ps1

# Example:
# .\Get-MailboxPermissionsDetailed.ps1 -Alias bilong | ft SecurityIdentifier,AceQualifier,AccessMask,Rights

[CmdletBinding()]
param (
    [Parameter()]
    [string]
    $Alias
)

$mailboxRights = @{
    0x1 = "FullAccess"
    0x2 = "SendAs"
    0x4 = "ExternalAccount"
    0x10000 = "DeleteItem"
    0x20000 = "ReadPermission"
    0x40000 = "ChangePermission"
    0x80000 = "ChangeOwner"
}

$validRights = ($mailboxRights.Keys | Measure-Object -Sum).Sum
$invalidRights = -bnot [uint32]$validRights

function GetRightsStringFromAccessMask($accessMask) {
    $rights = @()
    $mailboxRights.GetEnumerator() | ForEach-Object {
        if ($accessMask -band $_.Key) {
            $rights += $_.Value
        }
    }

    $unknownBits = $accessMask -band $invalidRights
    if ($unknownBits) {
        $rights += "Unknown rights: 0x$($unknownBits.ToString("X"))"
    }
    return $rights -join ", "
}

$searcher = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().FindGlobalCatalog().GetDirectorySearcher()
$searcher.Filter = "(mailnickname=$Alias)"
$user = $searcher.FindOne()
$mbxSd = $user.Properties["msExchMailboxSecurityDescriptor"][0]
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor([byte[]]$mbxSd, 0)
$sd.DiscretionaryAcl | ForEach-Object {
    $rightsString = GetRightsStringFromAccessMask($_.AccessMask)
    $_ | Add-Member -MemberType NoteProperty -Name Rights -Value $rightsString -Force
    $_
}