In some environments, and depending on the user training, Exchange admins may run into a shared mailbox in which there are limitless folders and subfolders. Instead of the users administrating the permissions and access to their shared mailboxes and the folders, the administrators are usually the ones that will perform these tasks.
It is tedious adding a new user to the folders, so Microsofth has given us some hammers we can use to force the square user in the round mailbox and have it fit just right. Using Powershell, we have crafted a hammer for use on Exchange 2010, which may also be applicable Exchange 2013.
The following hammer uses a shotgun style approach of applying the permissions to every folder and subfolder. The mailbox folder permissions are similar to advanced NTFS permissions, for a more detailed guide scroll below the hammer.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 |
<# Add-MailboxPermissionAllFolders By A Tech With a Hammer https://www.techwithahammer.com/2014/12/05/ Created: February 27, 2014 Last Update: December 23, 2014 To do Add in the synopsis so this utility is a little more useful and less #> Function Add-MailboxPermissionAllFolders() { param( # The mailbox which we will be assigning permissions on [Parameter(Mandatory=$true,position=0)] [string]$Mailbox, # The users which will be provided access [parameter(Mandatory=$true,position=1)] [string[]]$Users, # Access rights to be provided, more than one can be provided [parameter(Mandatory=$true,position=2)] notepad [string[]]$AccessRights, # Clear the permissions before applying # Really, you should leave this default, it's there just because [parameter(Mandatory=$false,position=3)] [boolean]$ClearPermissions=$true ) # Verify the mailbox Try { Get-Mailbox $Mailbox -ErrorAction stop | out-null } Catch [System.Exception] { Throw "Unable to add permissions to the imaginary mailbox $mailbox." Exit 1 } # Verify the user mailboxes foreach ($user in $Users) { try { Get-Mailbox $User -ErrorAction stop | out-null } Catch [System.Exception] { Throw "Imaginary people like 'me' can't have permissions on something real, go home you're drunk" Exit 2 } } # Enumerate the mailboxes Write-Progress -Activity "Mailbox Folder Permissions $Mailbox" -Status "$Mailbox" -PercentComplete 0 $Folders = (Get-MailboxFolderStatistics $Mailbox) $FolderPermissions = $null # Final results variable $FolderPermissionResults = @() # Begin For ($FolderNumber = 0; $FolderNumber -lt $Folders.Count; $FolderNumber++) { $Folder = $Folders[$FolderNumber] $FolderPath = $Folder.FolderPath.Replace("/","\").Replace([char]63743,"/") $MailboxFolder = "$Mailbox`:$FolderPath" if ((Get-MailboxFolderPermission "$MailboxFolder" -ErrorAction SilentlyContinue) -ne $null) { Write-Progress -Activity "Setting Mailbox Folder Permissions" -Status "$MailboxFolder" -PercentComplete ($FolderNumber / ($Folders.Count) *100) ForEach ($User in $Users) { $PercentComplete = ($FolderNumber / ($Folders.Count) *100) if ($ClearPermissions) { Write-Progress -Activity "Setting Mailbox Folder Permissions" -Status "Clearing permissions - $User - $MailboxFolder" -PercentComplete $PercentComplete Remove-MailboxFolderPermission "$MailboxFolder" -User $user -Confirm:$false -ErrorAction SilentlyContinue | Out-Null } Write-Progress -Activity "Setting Mailbox Folder Permissions" -Status "Adding permissions - $User - $MailboxFolder" -PercentComplete $PercentComplete Add-MailboxFolderPermission "$MailboxFolder" -User $user -AccessRights $AccessRights | Out-Null $FolderPermission = Get-MailboxFolderPermission "$MailboxFolder" -User $user $FolderPermissionResults += New-Object PSObject -Property @{ "FolderName" = $FolderPermission.FolderName "User" = $FolderPermission.User "AccessRights" = $FolderPermission.AccessRights } } } } Return $FolderPermissionResults } |
The access rights that can be given can be found on Microsoft TechNet by clicking on http://technet.microsoft.com/en-us/library/dd298062(v=exchg.141).aspx or you can review the access levels needed below, which are a copy and paste from the link above
The AccessRights parameter specifies the permissions for the user with the following access rights:
The AccessRights parameter also specifies the permissions for the user with the following roles, which are a combination of the rights listed previously: