Remove permission from every folder in a mailbox with one command
Here’s the third promised script for managing shared mailbox folder permissions. This one gets a list of all folders in a mailbox (SharedMailbox) and then removes all permissions for the specified user (John.Doe).
Remove_Perms SharedMailbox John.Doe
If a deleted account had permissions on a mailbox folder, its entry stays in the folder ACL as an unresolvable SID. If you run Get_Perms against that mailbox, you'll see something like this:

[PS] C:\Windows\system32>Get_Perms.ps1 SharedMailbox

Root Folder Permissions
=======================

User                                        AccessRights
----                                        ------------
John Doe                                    {PublishingEditor}
NT User:S-1-5-21-11111-111111-111111-1111   {PublishingEditor}
You can't refer to that deleted account by username, alias, or primary SMTP address any more, because none of them exist. Remove_Perms.ps1 checks whether the username resolves to a mailbox or whether it begins with "NT User", so you can copy the whole "NT User:<SID>" entry from the Get_Perms output and paste it into the command line in quotes, like this:

Remove_Perms SharedMailbox "NT User:S-1-5-21-………-……….-……….-….."

Removing those orphaned ACL entries keeps the folder permissions clean and easy to read later on.
# Filename: Remove_Perms.ps1
# Version: 2014.06.03; Jay Carper, https://exchangetips.us
# Purpose: Removes permissions to all folders in a mailbox for
#          the given user name.
#
# Example:
#   remove_perms SharedMailbox UserName
#
# Requires Exchange Management Shell
#
# Return an error if a mailbox and username are not entered.
Param(
    [string]$Identity = $(throw `
        "No value entered for the shared mailbox identity."),
    [String]$User = $(throw `
        "No value entered for the user identity.")
)

# Run if the mailbox name is valid.
if (Get-Mailbox $Identity -ea SilentlyContinue) {
    # Run if the username is valid or if it is formatted
    # like a valid entry for a deleted or moved user account.
    if ((Get-Mailbox $User -ea SilentlyContinue) -or `
        ($User -like "NT User*")) {
        Write-Host " "

        # Remove permissions on the mailbox root.
        $Root = $Identity + ":\"
        Remove-MailboxFolderPermission $Root -User $User `
            -Confirm:$False

        # Remove permissions from all other applicable mailbox
        # folders. Skips folders that could cause problems.
        $MBFolders = (Get-MailboxFolderStatistics $Identity | `
            ?{($_.FolderPath -ne "/Top of Information Store") `
              -and ($_.FolderPath -ne "/Recoverable Items") `
              -and ($_.FolderPath -ne "/Deletions") -and `
              ($_.FolderPath -ne "/Purges") -and `
              ($_.FolderPath -ne "/Versions")})
        ForEach($Path in $MBFolders) {
            # FolderPath uses "/" as the separator; the permission
            # cmdlets want "<mailbox>:\<path>" with backslashes.
            $Folder = $Identity + ":" + `
                $Path.FolderPath.Replace("/","\")
            Remove-MailboxFolderPermission $Folder -User $User `
                -Confirm:$False
        }

        Write-Host `
            "Removed permissions for $User on mailbox $Identity." `
            -ForegroundColor Yellow
        Write-Host " "
        Write-Host "If $User didn't have permissions to a folder" `
            -ForegroundColor Yellow
        Write-Host "you might see errors." `
            -ForegroundColor Yellow
        Write-Host "Those errors are safe to ignore." `
            -ForegroundColor Yellow
    }
    # Display an error if the username isn't valid.
    else {
        Write-Host "Username $User not found." `
            -ForegroundColor Red
    }
}
# Display an error if the mailbox name isn't valid.
else {
    Write-Host "Mailbox $Identity not found." `
        -ForegroundColor Red
}
Edited to correct funky formatting caused by WordPress conversion.
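As an added example (my code, not part of the original post or of Remove_Perms.ps1), here is the same job written as a function with two changes a practitioner usually wants before running something that edits ACLs in bulk: a dry-run mode via -WhatIf, and a pre-check with Get-MailboxFolderPermission so that folders where the user has no entry are skipped instead of producing the "safe to ignore" errors. It also returns an object per removed entry, so the run can be logged. It assumes an Exchange Management Shell session, that Get-Recipient is available to validate the user (so mail users and groups are accepted, not only mailboxes), and that Get-MailboxFolderPermission -User accepts the same "NT User:<SID>" form the post uses with Remove-MailboxFolderPermission; because that last point is an assumption, there is a fallback that lists the folder's entries and matches the SID text instead. Like the original script, it builds the folder identity from FolderPath with "/" replaced by "\".

```powershell
# Added example, not the original Remove_Perms.ps1. Assumes an Exchange
# Management Shell session (Get-Mailbox, Get-Recipient,
# Get-MailboxFolderStatistics, Get-/Remove-MailboxFolderPermission).
function Remove-MailboxFolderPermissionForUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Shared mailbox (alias, SMTP address, or anything Get-Mailbox resolves).
        [Parameter(Mandatory = $true)] [string] $Identity,
        # A recipient, or the "NT User:S-1-5-..." text shown for a deleted account.
        [Parameter(Mandatory = $true)] [string] $User
    )

    # Same skip list as the original script: the root is handled separately
    # and the Recoverable Items tree must not be touched.
    $skip = '/Top of Information Store', '/Recoverable Items',
            '/Deletions', '/Purges', '/Versions'

    $mailbox = Get-Mailbox -Identity $Identity -ErrorAction Stop
    $mbx     = $mailbox.PrimarySmtpAddress.ToString()

    # Orphaned entries for deleted accounts cannot be resolved, so they are
    # accepted on their format alone; anything else must resolve to a recipient.
    $isOrphan = $User -like 'NT User:S-1-5-*'
    if (-not $isOrphan -and
        -not (Get-Recipient -Identity $User -ErrorAction SilentlyContinue)) {
        throw "User '$User' not found and is not an 'NT User:<SID>' entry."
    }

    # Folder identities: the root first, then every folder not on the skip
    # list. FolderPath uses '/' as separator; the permission cmdlets want '\'.
    $folders = @("${mbx}:\")
    $folders += Get-MailboxFolderStatistics -Identity $mbx |
        Where-Object { $skip -notcontains $_.FolderPath } |
        ForEach-Object { "${mbx}:" + $_.FolderPath.Replace('/', '\') }

    foreach ($folder in $folders) {
        # Pre-check. Get-MailboxFolderPermission throws when the user has no
        # entry on this folder, so treat that as "nothing to do".
        $entry = $null
        try {
            $entry = Get-MailboxFolderPermission -Identity $folder -User $User `
                -ErrorAction Stop
        } catch { }

        # Fallback for the orphan case (assumption: -User may not accept the
        # SID form on Get-): list all entries and match the displayed text.
        if (-not $entry -and $isOrphan) {
            $entry = Get-MailboxFolderPermission -Identity $folder `
                -ErrorAction SilentlyContinue |
                Where-Object { $_.User.ToString() -eq $User }
        }
        if (-not $entry) { continue }

        $rights = ($entry.AccessRights -join ',')
        # With -WhatIf this prints the intended change and returns $false.
        if ($PSCmdlet.ShouldProcess($folder, "Remove '$User' ($rights)")) {
            Remove-MailboxFolderPermission -Identity $folder -User $User `
                -Confirm:$false -ErrorAction Stop
        }
        [pscustomobject]@{ Folder = $folder; User = $User; AccessRights = $rights }
    }
}

# Dry run first, then the real removal (second form is for a deleted account):
# Remove-MailboxFolderPermissionForUser -Identity SharedMailbox -User John.Doe -WhatIf
# Remove-MailboxFolderPermissionForUser -Identity SharedMailbox -User 'NT User:S-1-5-21-...'
```

Run it with -WhatIf first and keep the emitted objects (for example piped to Export-Csv) as the record of which folders were touched; the -ErrorAction Stop on the removal means a genuine failure halts the loop rather than being buried among ignorable messages.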
Get-MailboxFolderStatistics is a tricky one because if someone has a ‘/’ in their folder name, then it errors.
Very common for someone to have a folder like ‘Reports June / July’
How would you deal with that?