Remove permission from every folder in a mailbox with one command


Here’s the third promised script for managing shared mailbox folder permissions. This one gets a list of all folders in a mailbox (SharedMailbox) and then removes all permissions for the specified user (John.Doe).

Remove_Perms SharedMailbox John.Doe

If a deleted account has permissions to a mailbox folder, it will still be listed in the ACL. If you run Get_Perms against that mailbox, you’ll see something like this:

[PS] C:\Windows\system32>Get_Perms.ps1 SharedMailbox
Root Folder Permissions

User                                       AccessRights
----                                       ------------
John Doe                                   {PublishingEditor}
NT User:S-1-5-21-11111-111111-111111-1111  {PublishingEditor}


You can’t call that deleted account by username, alias, or primary SMTP address. Remove_Perms.ps1 will check to see if the username exists or if the username begins with “NT User”. So you can just mark/copy that SID and paste it into the command line with quotes like this:

Remove_Perms SharedMailbox “NT User:S-1-5-21-………-……….-……….-…..”

Removing those outdated ACL entries will keep it clean and easy to read in the future.

# Filename: Remove_Perms.ps1
# Version: 2014.06.03; Jay Carper,
# Purpose: Removes permissions to all folders in a mailbox for 
# the given user name.
# Example:
# remove_perms SharedMailbox UserName
# Requires Exchange Management Shell
# Return an error if a mailbox and username are not entered.

    [string]$Identity = $(throw `
        "No value entered for the shared mailbox identity."),
    [String]$User = $(throw `
        "No value entered for the user identity.")

# Run if the mailbox name is valid.
if (Get-Mailbox $Identity -ea SilentlyContinue) {
    # Run if the username is valid or if it is formatted 
    # like a valid entry for a deleted or moved user account.
    if ((Get-Mailbox $User -ea SilentlyContinue) -or `
        ($User -like "NT User*")) {
        Write-Host " "        

        # Remove permissions on the mailbox root.
        $Root = $Identity+":\"
        Remove-MailboxFolderPermission $Root -User $User `

        # Remove permissions from all other applicable mailbox 
        # folders. Skips folders that could cause problems.
        $MBFolders = (Get-MailboxFolderStatistics $Identity | `
            ?{($_.FolderPath -ne "/Top of Information Store") `
            -and ($_.FolderPath -ne "/Recoverable Items") `
            -and ($_.FolderPath -ne "/Deletions") -and `
            ($_.FolderPath -ne "/Purges") -and `
            ($_.FolderPath -ne "/Versions")})

        ForEach($Path in $MBFolders) {
            $Folder = $Identity + ":" + `
            Remove-MailboxFolderPermission $Folder -User $User `

        Write-Host `
            "Removed permissions for $User on mailbox $Identity." `
            -ForegroundColor Yellow
        Write-Host " "
        Write-Host "If $User didnt have permissions to a folder"`
            -ForegroundColor Yellow
        Write-Host "you might see errors." `
            -ForegroundColor Yellow
        Write-Host "Those errors are safe to ignore." `
            -ForegroundColor Yellow

    # Display an error if the username isn't valid.
    else {
        Write-Host "Username $User not found." `
            -ForegroundColor Red

# Display an error if the mailbox name isn't valid.
else {
    Write-Host "Mailbox $Identity not found." `
        -ForegroundColor Red

Edited to correct funky formatting caused by WordPress conversion.

One response to “Remove permission from every folder in a mailbox with one command”

  1. EM says:

    Get-MailboxFolderStatistics is a tricky one because if someone has a ‘/’ in their folder name, then it errors.

    Very common for someone to have a folder like ‘Reports June / July’

    How would you deal with that?

Leave a Reply

Your email address will not be published. Required fields are marked *