Jaa


Set Outlook Folder Permissions using Powershell

When I was an Exchange Administrator, I was asked numerous times to "grant this person access to my folder and all of its subfolders". Prior to Exchange 2010 there was no simple way to assign MAPI permissions to all of these Outlook folders. Exchange 2010 has added the Add-MailboxFolderPermission cmdlet which allows an administrator to now complete this task from the Exchange Management Shell.

You may also notice that Exchange 2010 provided another cmdlet, Get-MailboxFolder. When I saw this I thought "Wow! I can run the Get-MailboxFolder and pipe the Add-MailboxFolderPermission and I'm done." Did you really think it would be that easy? The Get-MailboxFolder cmdlet only runs against the currently logged in user. Yes, you can't run this cmdlet against another mailbox. Take a look at the management role where this cmdlet is available.

 Get-ManagementRole -Cmdlet Get-MailboxFolder

Okay. Then how can we use the Add-MailboxFolderPermission to run against a root folder and all of its subfolders? Looking at all the parameters available for the cmdlet there is no recurse (wouldn't that be nice). I was able to accomplish this task in two steps:

1. Get a list of folders from the mailbox
2. Add the permission to the folder

The first thing we need to obtain is the list of folders that we will apply permissions. We can utilize the Get-MailboxFolderStatistics cmdlet for this purpose. The result we want is the FolderPath value that is returned in the format "/Folderpath".

 Get-MailboxFolderStatistics owner | Where { $_.FolderPath.Contains("FolderName") -eq $true }
 

Then we can use the Add-MailboxFolderPermission cmdlet to assign the permissions. The format for the folder name is "Mailbox:FolderPath" so we will need to modify the result from earlier to accomodate the expected value. The following example illustrates the example where Jane's manager John wants her to access his Clients folder and all of its subfolders.

 ForEach($f in (Get-MailboxFolderStatistics John | Where { $_.FolderPath.Contains("/Clients") -eq $True } ) ) {
 $fname = "John:" + $f.FolderPath.Replace("/","\");
 Add-MailboxFolderPermission $fname -User Jane -AccessRights Reviewer }
 

Conclusion
This is only an example of how you can accomplish this task. Use this with caution and always test prior to running against a production mailbox. The one known issue is the possible results when using the Get-MailboxFolderStatistics cmdlet. You need to adjust your where clause appropriately so that you don't get unwanted results

Comments

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    August 21, 2012
    Worked like a charm.  Thanks. I posted it on the 365 Community as well community.office365.com/.../236685.aspx Hope you dont mind.

  • Anonymous
    September 05, 2012
    Awesome.. Just be aware that Get-MailboxFolderStatistics replaces any "/" in a foldername with "?". This is not actually a question mark, it is [char]63743. To get your actual folder paths back you need to change:          $fname = "John:" + $f.FolderPath.Replace("/",""); to:          $fname = "John:" + $f.FolderPath.Replace("/","") | $_.Replace([char]63743,"/");

  • Anonymous
    February 14, 2013
    Thanks Jim for the script, helped me out a fair bit. Have made some changes though - hope that's ok. Guess in time someone could easily create a Mailbox Management script to add/remove/modify permissions. Who has time these days!! =| [System.Console]::ForegroundColor = [System.ConsoleColor]::White clear-host Write-Host "The user that is giving the permissions" $MailboxUser = Read-Host Write-Host "Who are you giving permission to" $GivingPerto = Read-Host write-host Please choose an option below: write-host write-host '1) Owner    - CreateItems, ReadItems, CreateSubfolders, FolderOwner, FolderContact, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems' write-host '2) Editor   - CreateItems, ReadItems, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems' write-host '3) Reviewer - ReadItems, FolderVisible' write-host '4) None     -  FolderVisible' write-host '5) Exit' -ForegroundColor Red write-host $opt = Read-Host "Select an option [1-5]" switch ($opt) { 1{ ForEach($f in (Get-MailboxFolderStatistics $MailboxUser | Where { $.FolderPath.Contains("/") -eq $True } ) ) { $fname = $MailboxUser + $f.FolderPath.Replace("/",":"); Add-MailboxFolderPermission $fname -User $GivingPerto -AccessRights Owner } } 2{ ForEach($f in (Get-MailboxFolderStatistics $MailboxUser | Where { $.FolderPath.Contains("/") -eq $True } ) ) { $fname = $MailboxUser + $f.FolderPath.Replace("/",":"); Add-MailboxFolderPermission $fname -User $GivingPerto -AccessRights Editor } } 3{ ForEach($f in (Get-MailboxFolderStatistics $MailboxUser | Where { $.FolderPath.Contains("/") -eq $True } ) ) { $fname = $MailboxUser + $f.FolderPath.Replace("/",":"); Add-MailboxFolderPermission $fname -User $GivingPerto -AccessRights Reviewer } } 4{ ForEach($f in (Get-MailboxFolderStatistics $MailboxUser | Where { $.FolderPath.Contains("/") -eq $True } ) ) { $fname = $MailboxUser + $f.FolderPath.Replace("/",":"); Add-MailboxFolderPermission $fname -User $GivingPerto -AccessRights None } } 5{ } }

  • Anonymous
    February 14, 2013
    Oppps code error; change $fname = $MailboxUser + $f.FolderPath.Replace to $fname = $MailboxUser + ":" + $f.FolderPath.Replace

  • Anonymous
    February 27, 2013
    will this work to remove the assigned read permission from all the folders? remove-MailboxFolderPermission $fname -User $GivingPerto -AccessRights Reviewer it did nto work for me..

  • Anonymous
    October 21, 2013
    The comment has been removed

  • Anonymous
    January 31, 2014
    With powershell 3.0 - you have to use this replacement to affect the hardcoded backslashes in folder paths "" (Similar to what BradS indicated above) Since Get-MailboxFolderStatistics replaces any "/" in a foldername with "?". This is not actually a question mark, it is [char]63743. To get your actual folder paths back you need to change: $fname = "John:" + $f.FolderPath.Replace("/",""); to: $fname = "John:" + $f.FolderPath.Replace("/","").Replace([char]63743,"/");

  • Anonymous
    February 20, 2014
    This is what I ended up using. Instead of making the script interactive, I just edit what I need and just paste it into the EMS. Big thanks to the original poster and the comments on here to work this out.

    Hope this helps.

    $Name = "SDAB"
    $User = "doej"
    $AccessRights = "Author"

    Foreach($Folder in (Get-MailboxFolderStatistics $Name)) {
    $FolderPath = $Folder.FolderPath.Replace("/","").Replace([char]63743,"/")
    $MailboxFolder = "$Name`:$FolderPath"
    #Add-MailboxFolderPermission "$MailboxFolder" -User "$user" -AccessRights "$AccessRights"
    get-MailboxFolderPermission "$MailboxFolder" | ft
    }

  • Anonymous
    February 20, 2014
    Of course, uncomment Add-MailboxFolderPermission and comment Get-MailboxFolderPermission when the right set of folders has been pulled

  • Anonymous
    June 17, 2014
    Can I use this script to somehow change the self permissions of a users conversation history folder so they CANNOT delete anything within that folder. Do not want to change any other permissions.

  • Anonymous
    July 02, 2014
    Works like a charm

  • Anonymous
    May 28, 2015
    Very useful

  • Anonymous
    February 08, 2016
    Clayton,
    Thank you for the code above.
    I see a small challenge with the code. When the run the above code, it's looping and never ending. Also, I see an error while it loops

    "An existing permission entry was found for user:
    + CategoryInfo : NotSpecified: (0:Int32) [Add-MailboxFolderPermission], UserAlreadyExis...nEntryException
    + FullyQualifiedErrorId : 15E5C216,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission

    Kindly let me know how to fix this.

    Thank You,
    Bala