Exchange 2010: And then there is the long awaited cmdlet Add-MailboxFolderPermission

So many new features have been included in Exchange 2010 that it would take me more than days to talk about all of them. Still, there are some very nice features you should keep in mind when thinking about Exchange 2010, and one of these is the new built-in cmdlet "Add-MailboxFolderPermission".

What's this: Add-MailboxFolderPermission

Looking at the description posted on TechNet, this cmdlet enables you to "manage folder-level permissions for all folders within a user's mailbox", meaning you can use it to delegate any of the following access rights on any mailbox folder for any mailbox-enabled user in your organization, given you have sufficient permissions :-)

(Source = Add-MailboxFolderPermission)

  • ReadItems   The user has the right to read items within the specified folder.
  • CreateItems   The user has the right to create items within the specified folder.
  • EditOwnedItems   The user has the right to edit the items that the user owns in the specified folder.
  • DeleteOwnedItems   The user has the right to delete items that the user owns in the specified folder.
  • EditAllItems   The user has the right to edit all items in the specified folder.
  • DeleteAllItems   The user has the right to delete all items in the specified folder.
  • CreateSubfolders   The user has the right to create subfolders in the specified folder.
  • FolderOwner   The user is the owner of the specified folder. The user has the right to view and move the folder and create subfolders. The user can't read items, edit items, delete items, or create items.
  • FolderContact   The user is the contact for the specified public folder.
  • FolderVisible   The user can view the specified folder, but can't read or edit items within the specified public folder.

The AccessRights parameter also specifies the permissions for the user with the following roles, which are a combination of the rights listed previously:

  • None   FolderVisible
  • Owner   CreateItems, ReadItems, CreateSubfolders, FolderOwner, FolderContact, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
  • PublishingEditor   CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
  • Editor   CreateItems, ReadItems, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
  • PublishingAuthor   CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, DeleteOwnedItems
  • Author   CreateItems, ReadItems, FolderVisible, EditOwnedItems, DeleteOwnedItems
  • NonEditingAuthor   CreateItems, ReadItems, FolderVisible
  • Reviewer   ReadItems, FolderVisible
  • Contributor   CreateItems, FolderVisible

The following roles apply specifically to calendar folders:

  • AvailabilityOnly   View only availability data
  • LimitedDetails   View availability data with subject and location

To be able to do so, you need any of the following built-in management roles (as stated here): Organization Management, Recipient Management, Help Desk. There is no need to have been granted full mailbox access before you can change those folder permissions (!).

Let's have a look at an example. Here are the permission settings for my test mailbox Ilse, and as you can see, these are the default settings, without previous changes:

Can we get this information using the power of the (Remote) Exchange Management Shell? Yes, by using the cmdlet Get-MailboxFolderPermission, as can be seen in the example below, when running Get-MailboxFolderPermission ilsevancriekinge@exchange.local:\Calendar

And then we can run the following cmdlet to add User7 with the permission of Editor:

Add-MailboxFolderPermission -Identity ilsevancriekinge@exchange.local:\Calendar -User user7@exchange.local -AccessRights Editor

And when checking with Microsoft Office Outlook, it's clear the permissions have been set:

-Ilse
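
Because these grants are made per folder and need no full mailbox access, they are worth reviewing per folder as well. The following is an added example, not part of the original post: it filters Get-MailboxFolderPermission-style entries down to the non-baseline grants and shows whether each one allows reading or changing items. The function name Get-FolderGrantReview, the baseline roles and the sample rows are assumptions made for illustration.

```powershell
# Added example, not from the original post. Get-FolderGrantReview and the sample rows are hypothetical.
# Roles from the article's list, expanded to the individual rights they bundle.
$RoleRights = @{
    Owner            = 'CreateItems,ReadItems,CreateSubfolders,FolderOwner,FolderContact,FolderVisible,EditOwnedItems,EditAllItems,DeleteOwnedItems,DeleteAllItems'
    PublishingEditor = 'CreateItems,ReadItems,CreateSubfolders,FolderVisible,EditOwnedItems,EditAllItems,DeleteOwnedItems,DeleteAllItems'
    Editor           = 'CreateItems,ReadItems,FolderVisible,EditOwnedItems,EditAllItems,DeleteOwnedItems,DeleteAllItems'
    PublishingAuthor = 'CreateItems,ReadItems,CreateSubfolders,FolderVisible,EditOwnedItems,DeleteOwnedItems'
    Author           = 'CreateItems,ReadItems,FolderVisible,EditOwnedItems,DeleteOwnedItems'
    NonEditingAuthor = 'CreateItems,ReadItems,FolderVisible'
    Reviewer         = 'ReadItems,FolderVisible'
    Contributor      = 'CreateItems,FolderVisible'
    None             = 'FolderVisible'
}
# Assumption: the roles Default/Anonymous hold on a mailbox nobody has changed.
$Baseline = 'None', 'AvailabilityOnly'

function Get-FolderGrantReview {
    param([Parameter(ValueFromPipeline = $true)] $Permission)
    process {
        $user  = "$($Permission.User)"
        $names = @($Permission.AccessRights | ForEach-Object { "$_" })
        # Skip Default/Anonymous entries that still hold only a baseline role.
        $extra = @($names | Where-Object { $Baseline -notcontains $_ })
        if (($user -eq 'Default' -or $user -eq 'Anonymous') -and $extra.Count -eq 0) { return }
        # Expand role names to rights; individual rights pass through unchanged.
        $rights = @($names | ForEach-Object {
            if ($RoleRights.ContainsKey($_)) { $RoleRights[$_] -split ',' } else { $_ }
        } | Sort-Object -Unique)
        $write = @($rights | Where-Object { $_ -match '^(Create|Edit|Delete)' -or $_ -eq 'FolderOwner' })
        New-Object PSObject -Property @{
            Folder   = $Permission.FolderName
            User     = $user
            Granted  = $names -join ','
            CanRead  = $rights -contains 'ReadItems'
            CanWrite = $write.Count -gt 0
        }
    }
}

# Constructed sample rows, shaped like Get-MailboxFolderPermission output.
$sample = @(
    New-Object PSObject -Property @{ FolderName = 'Calendar'; User = 'Default'; AccessRights = @('AvailabilityOnly') }
    New-Object PSObject -Property @{ FolderName = 'Calendar'; User = 'user7@exchange.local'; AccessRights = @('Editor') }
    New-Object PSObject -Property @{ FolderName = 'Inbox'; User = 'user8@exchange.local'; AccessRights = @('Reviewer') }
)
$sample | Get-FolderGrantReview | Format-Table Folder, User, Granted, CanRead, CanWrite -AutoSize
# Against a live mailbox, enumerate by FolderId so localized folder names do not matter:
# Get-MailboxFolderStatistics <mailbox> |
#   ForEach-Object { Get-MailboxFolderPermission ("<mailbox>:{0}" -f $_.FolderId) } | Get-FolderGrantReview
```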

Comments

  • Anonymous
    January 01, 2003
    Use these commands to set calendar or remove calendar permissions on multiple mailboxes.

    Get-Content C:\temp\Calendar.txt | ForEach-Object {Add-MailboxFolderPermission "$($_):\Calendar" -User testuser@Contoso.com -AccessRights Reviewer}

    Get-Content C:\temp\Calendar.txt | ForEach-Object {Remove-MailboxFolderPermission "$($_):\Calendar" -User testuser@Contoso.com}

  • Anonymous
    August 02, 2010
    Thank you for the tutorial. I do have two questions. First of all, I'm running an international business, hence my users do not have a "Calendar" folder, but an "Agenda" (Dutch) or "Kalendar" (German) or ... How to deal with that (without me tracking which language every user is using)? Secondly, can I change the standard permission level of Default to "LimitedDetails" such that new mailboxes automatically get their Calendar details shared with subject and location? Thanks in advance for your feedback.

  • Anonymous
    December 13, 2010
    This may be coming in too late, but the answer to your question is to use :Agenda or :Kalendar in place of :Calendar, and the rest of the Add-MailboxFolderPermission/Get-MailboxFolderPermission/Remove-MailboxFolderPermission is pretty much the same.

  • Anonymous
    April 28, 2011
    Is there a way to capture all folders, not specify Inbox or Calendar?

  • Anonymous
    July 28, 2011
    Get-MailboxFolderStatistics <mailbox> | %{Get-MailboxFolderPermission ("<mailbox>:{0}" -f $_.FolderId )} Also solves the 'problem' of different folder names due to chosen language.

  • Anonymous
    October 27, 2011
    Function Set-Reviewer-On-Mailbox($mailboxsmtp, $reviewersmtp, $remove = $false){
        # Need Exchange tools.
        if ( (Get-PSSnapin -Name Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue) -eq $null ) {
            Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
        }
        Write-host "Getting folders for $mailboxsmtp"
        $stats = Get-MailboxFolderStatistics $mailboxsmtp
        Write-Host Got $stats.count folders
        foreach ($folder in $stats){
            $ident = $mailboxsmtp + ":" + $folder.FolderID
            if (-not $remove){
                Write-host Adding Reviewer Permission for $reviewersmtp on folder path $folder.folderPath
                Add-MailboxFolderPermission -Identity $ident -AccessRights Reviewer -User $reviewersmtp | Out-Null
            } else {
                Write-host Removing Reviewer Permission for $reviewersmtp on folder path $folder.folderPath
                Remove-MailboxFolderPermission -Identity $ident -User $reviewersmtp -Confirm:$false | Out-Null
            }
            $counter++
        }
    }

  • Anonymous
    October 27, 2011
    Ruud put me on the right track.  Use SMTP addresses for the first 2 params.  The mailbox you want to give access out to, then the reviewer's smtp address.  Sending in the $true param at the end will Remove any rights.  (This is also useful to revoke or if there are already some other rights that were delegated before you ever got there.)

    # give sam reviewer rights to joe's mailbox
    Set-Reviewer-On-Mailbox joe@company.com sam@company.com

    # revoke sam's reviewer rights to joe's mailbox
    Set-Reviewer-On-Mailbox joe@company.com sam@company.com $true

  • Anonymous
    January 10, 2012
    How do I remove Exchange mailbox folder permissions for ALL folders (recursively) without specifying anything? We are using Exchange 2010 SP1. I tried using the following with no luck: Get-MailboxFolderStatistics <smtp> | %{Get-MailboxFolderPermission ("smtp:{0}" -f $_.FolderId)}| Remove-MailboxFolderPermission -User <smtp>

  • Anonymous
    February 21, 2014
    I wonder why this was so much easier in previous versions of Exchange... all this required shell stuff and no GUI makes lazy admins sad.

  • Anonymous
    December 02, 2014
    For those who are in an international environment, you can use

    get-mailbox $mailboxName | Get-MailboxFolderStatistics | where-object {$_.FolderType -eq 'Calendar'} | Set-MailboxFolderPermission -user default -AccessRights reviewer

  • Anonymous
    December 04, 2014
    How do you create custom -AccessRights, meaning specific ACL? I need to only allow users to read full details but no other permissions.

  • Anonymous
    October 21, 2015
    I know this is really late, but can I point out how awfully stupid it is that Get-MailboxPermission doesn't list anyone who has access to a subfolder?
