Quickly show the most important folder permissions in any mailbox
With several hundred shared mailboxes in a single Exchange organization, several times each day I am asked who has access to one of them or can I give Sally access or can I take Frank’s access away. The vast majority of the time, management doesn’t want to give Full Access permissions. Publishing Editor is the most common level of access requested. There are three common ways to do handle this:
- Give yourself access to the mailbox, then open the mailbox in Outlook and manually look at the folder permissions and make any necessary changes.
- Use ExFolders to open the mailbox database directly.
- Use PowerShell to view and change folder permissions.
Making folder permission changes in Outlook is extremely cumbersome. They pay you way too much for you to be wasting your time like that. ExFolders is pretty straightforward and saves a lot of time since it can force the permission change down through the folder hierarchy. PowerShell is a little obscure and still takes a lot of typing. As far as I know, there’s no way to force inheritance either. However, using PowerShell you can write a script that will make the process of viewing folder permissions and making changes much, much faster than any other method. I saved myself a lot of time when I made these three PS scripts:
- Get_Perms.ps1 – Lists the permissions on the most commonly used mailbox folders in any given mailbox.
- Add_Perms.ps1 – Gives Publishing Editor permissions on all folders in any given mailbox for a specified user.
- Remove_Perms.ps1 – Removes permissions on all folders in any given mailbox for a specified user.
Here’s the first script, Get_Perms.ps1. I’ll post the other two later.
# Filename: Get_Perms.ps1
# Version: 2014.06.03, Jay Carper, https://exchangetips.us
# Purpose: Gets the permissions for the root, inbox, calendar,
# and contacts folders of a given mailbox.
#
# Example:
# get_perms shared.mailbox
#
# Requires Exchange Management Shell
#
# Returns an error if no mailbox identity was supplied.
Param([string]$Identity = $(throw `
"No value entered for the shared mailbox identity."))
# Checks if the mailbox name is valid
if (Get-Mailbox $Identity -ea SilentlyContinue) {
Assigns the paths of the root, inbox, calendar, and contacts
folders to variables.
$root = $identity+":\"
$inbox = $identity+":\Inbox"
$calendar = $identity+":\Calendar"
$contacts = $identity+":\Contacts"
Write-Host " "
Displays the ACLs for the four mailbox folders.
Write-Host "Root Folder Permissions" -ForegroundColor Yellow
Write-Host "=======================" -ForegroundColor Yellow
Get-MailboxFolderPermission $root | ?{($_.User -notlike `
"Default") -and ($_.User -notlike "Anonymous")} | `
ft User, AccessRights
Write-Host "Inbox Permissions" -ForegroundColor Yellow
Write-Host "=================" -ForegroundColor Yellow
Get-MailboxFolderPermission $Inbox | ?{($_.User -notlike`
"Default") -and ($_.User -notlike "Anonymous")} | `
ft User, AccessRights
Write-Host "Built-In Calendar Folder Permissions" `
-ForegroundColor Yellow
Write-Host "====================================" `
-ForegroundColor Yellow
Get-MailboxFolderPermission $Calendar | ?{($_.User -notlike`
"Default") -and ($_.User -notlike "Anonymous")} | ft `
User, AccessRights
Write-Host "Built-In Contacts Folder Permissions" `
-ForegroundColor Yellow
Write-Host "====================================" `
-ForegroundColor Yellow
Get-MailboxFolderPermission $Contacts | ?{($_.User -notlike`
"Default") -and ($_.User -notlike "Anonymous")} | ft `
User, AccessRights
Write-Host " "
Write-Host " "
Write-Host "===END===" -ForegroundColor Yellow
}
# If the mailbox name is invalid, displays an error.
else {Write-Host "Mailbox $Identity not found" `
-ForegroundColor red}
|