Ilse Van Criekinge's Weblog

Addicted to Microsoft Unified Communications

Exchange 2010: And then there is the long awaited cmdlet Add-MailboxFolderPermission


So many new features have been included in Exchange 2010 that it would take me more than days to talk about all of them, but there are some very nice features that you should keep in mind when thinking about Exchange 2010, and one of these is the new built-in cmdlet "Add-MailboxFolderPermission".

What's this: Add-MailboxFolderPermission

Looking at the description posted on TechNet, this cmdlet enables you to "manage folder-level permissions for all folders within a user's mailbox", meaning you can use this cmdlet to delegate any of the following roles to any mailbox folder for any mailbox-enabled user in your organization, given you have sufficient permissions :-)

(Source = Add-MailboxFolderPermission)

  • ReadItems   The user has the right to read items within the specified folder.
  • CreateItems   The user has the right to create items within the specified folder.
  • EditOwnedItems   The user has the right to edit the items that the user owns in the specified folder.
  • DeleteOwnedItems   The user has the right to delete items that the user owns in the specified folder.
  • EditAllItems   The user has the right to edit all items in the specified folder.
  • DeleteAllItems   The user has the right to delete all items in the specified folder.
  • CreateSubfolders   The user has the right to create subfolders in the specified folder.
  • FolderOwner   The user is the owner of the specified folder. The user has the right to view and move the folder and create subfolders. The user can't read items, edit items, delete items, or create items.
  • FolderContact   The user is the contact for the specified public folder.
  • FolderVisible   The user can view the specified folder, but can't read or edit items within the specified public folder.

The AccessRights parameter also specifies the permissions for the user with the following roles, which are a combination of the rights listed previously:

  • None   FolderVisible
  • Owner   CreateItems, ReadItems, CreateSubfolders, FolderOwner, FolderContact, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
  • PublishingEditor   CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
  • Editor   CreateItems, ReadItems, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
  • PublishingAuthor   CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, DeleteOwnedItems
  • Author   CreateItems, ReadItems, FolderVisible, EditOwnedItems, DeleteOwnedItems
  • NonEditingAuthor   CreateItems, ReadItems, FolderVisible
  • Reviewer   ReadItems, FolderVisible
  • Contributor   CreateItems, FolderVisible

The following roles apply specifically to calendar folders:

  • AvailabilityOnly   View only availability data
  • LimitedDetails   View availability data with subject and location

To be able to do so, you need to hold any of the following built-in management roles (as stated here): Organization Management, Recipient Management, Help Desk. There is no need to have been granted full mailbox access prior to being able to change those folder permissions (!).

Let's have a look at an example. Here are the permission settings for my test mailbox Ilse, and as you can see, these are the default settings, without previous changes:

Can we get this information using the power of the (Remote) Exchange Management Shell? Yes, by using the cmdlet Get-MailboxFolderPermission, as can be seen in the example below, when running Get-MailboxFolderPermission ilsevancriekinge@exchange.local:\Calendar

And then we can run the following cmdlet to add User7 with the permission of Editor:

Add-MailboxFolderPermission -Identity ilsevancriekinge@exchange.local:\Calendar -User user7@exchange.local -AccessRights Editor

And when checking with Microsoft Office Outlook, it's clear the permissions have been set:

-Ilse
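
To check the result from the shell instead of Outlook, and to review what has been delegated across a whole mailbox, here is an added example (not part of the original post) that lists every folder permission entry differing from the defaults. The function name and the assumption that Default and Anonymous are the only built-in entries are mine; it goes beyond the single Calendar case by walking all folders returned by Get-MailboxFolderStatistics.

```powershell
# Added example: only the Exchange cmdlets are real; the function name is hypothetical.
function Get-NonDefaultFolderPermission {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$Mailbox,
        # Passed through to Get-MailboxFolderStatistics, e.g. Calendar or Inbox.
        [string]$FolderScope = 'All'
    )

    # Assumption: an untouched Default entry carries one of these; anything else is reported.
    $expectedDefault = @('None', 'AvailabilityOnly')

    foreach ($folder in (Get-MailboxFolderStatistics -Identity $Mailbox -FolderScope $FolderScope)) {
        # Address the folder by FolderId so localized folder names do not matter.
        $identity = '{0}:{1}' -f $Mailbox, $folder.FolderId

        # Some system folders return no permissions; skip those quietly.
        $entries = Get-MailboxFolderPermission -Identity $identity -ErrorAction SilentlyContinue
        foreach ($entry in $entries) {
            $user   = "$($entry.User)"    # stringify: the property type differs by version
            $rights = ($entry.AccessRights | ForEach-Object { "$_" }) -join ', '

            $isBuiltIn = @('Default', 'Anonymous') -contains $user
            $widened   = ($user -eq 'Default' -and $expectedDefault -notcontains $rights) -or
                         ($user -eq 'Anonymous' -and $rights -ne 'None')

            # Report explicit grants, plus built-in entries that were widened.
            if (-not $isBuiltIn -or $widened) {
                New-Object PSObject -Property @{
                    Mailbox      = $Mailbox
                    FolderPath   = $folder.FolderPath
                    User         = $user
                    AccessRights = $rights
                }
            }
        }
    }
}

# Usage: review the calendar grant made above, then the whole mailbox.
Get-NonDefaultFolderPermission -Mailbox 'ilsevancriekinge@exchange.local' -FolderScope Calendar
Get-NonDefaultFolderPermission -Mailbox 'ilsevancriekinge@exchange.local' |
    Sort-Object FolderPath | Format-Table FolderPath, User, AccessRights -AutoSize
```

Because the roles listed earlier can grant folder access without holding full mailbox access, running a report like this periodically shows grants that never appear in a full-access permission review.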

Comments
  • Thank you for the tutorial. I do have two questions.

    First of all I'm running an international business, hence my users do not have a "Calendar" folder, but an "Agenda" (Dutch) or "Kalendar" (German) or ... How to deal with that (without me tracking which language every user is using)?

    Secondly, can I change the standard permission level of Default to "LimitedDetails" such that new mailboxes automatically get their Calendar details shared with subject and location?

    Thanks in advance for your feedback.

  • This may be coming in too late, but the answer to your question is to use :\Agenda or :\Kalendar in place of :\Calendar, and the rest of the Add-MailboxFolderPermission/Get-MailboxFolderPermission/Remove-MailboxFolderPermission is pretty much the same.

  • Is there a way to capture all folders, not specify Inbox or Calendar?

  • Get-MailboxFolderStatistics <mailbox> | %{Get-MailboxFolderPermission ("<mailbox>:{0}" -f $_.FolderId)}

    Also solves the 'problem' of different folder names due to chosen language.

  • Function Set-Reviewer-On-Mailbox($mailboxsmtp, $reviewersmtp, $remove = $false){
        # Need Exchange tools.
        if ( (Get-PSSnapin -Name Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue) -eq $null )
        {
            Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
        }
        Write-host "Getting folders for $mailboxsmtp"
        $stats = Get-MailboxFolderStatistics $mailboxsmtp
        Write-Host Got $stats.count folders
        foreach ($folder in $stats){
            $ident = $mailboxsmtp + ":" + $folder.FolderID
            if (-not $remove){
                Write-host Adding Reviewer Permission for $reviewersmtp on folder path $folder.folderPath
                Add-MailboxFolderPermission -Identity $ident -AccessRights Reviewer -User $reviewersmtp  | Out-Null
            }
            else {
                Write-host Removing Reviewer Permission for $reviewersmtp on folder path $folder.folderPath
                Remove-MailboxFolderPermission -Identity $ident -User $reviewersmtp -Confirm:$false | Out-Null
            }
            $counter++
        }
    }

  • Ruud put me on the right track.  Use SMTP addresses for the first 2 params.  The mailbox you want to give access out to, then the reviewer's smtp address.  Sending in the $true param at the end will Remove any rights.  (This is also useful to revoke or if there are already some other rights that were delegated before you ever got there.)

    # give sam reviewer rights to joe's mailbox

    Set-Reviewer-On-Mailbox joe@company.com sam@company.com

    # revoke sam's reviewer rights to joe's mailbox

    Set-Reviewer-On-Mailbox joe@company.com sam@company.com $true

  • How do I remove Exchange mailbox folder permissions for ALL folders (recursively) without specifying anything? We are using Exchange 2010 SP1.

    I tried using the following with no luck:

    Get-MailboxFolderStatistics <smtp> | %{Get-MailboxFolderPermission ("smtp:{0}" -f $_.FolderId)}| Remove-MailboxFolderPermission -User <smtp>

  • Use these commands to set calendar or remove calendar permissions on multiple mailboxes.

    get-content C:\temp\Calendar.txt | ForEach-Object {Add-MailboxFolderPermission $_":\Calendar" -User testuser@Contoso.com -AccessRights Reviewer}

    get-content C:\temp\Calendar.txt | ForEach-Object {Remove-MailboxFolderPermission $_":\Calendar" -User testuser@Contoso.com}

  • I wonder why this was so much easier in previous versions of Exchange... all this required shell stuff and no GUI makes lazy admins sad.
