Managing mailbox folder permissions

Exchange 2010 introduced a new set of cmdlets that can be used to manage the permissions on the folders inside a mailbox. When it comes to managing recipients, one of the most common tasks that administrators and support personnel perform on a regular basis is updating the permissions on the calendar of a mailbox. In most corporate environments, calendars are shared among employees, and often, special rights need to be delegated to other users that will allow them to add, remove, update, or change the items on a calendar. In this recipe, we'll cover the basics of how to manage mailbox folder permissions from within the shell, but we will focus specifically on calendar permissions, since that is a common scenario. Keep in mind that the cmdlets used in this recipe can be used with any folder within a mailbox.

How to do it...

Let's see how to manage folder permissions of a mailbox using the following steps:

To allow users to view the calendar for a specific mailbox, use the following command:

Set-MailboxFolderPermission -Identity dave:\Calendar `
-User Default `
-AccessRights Reviewer

How it works...

In this example, we're giving the Default user the ability to read all items in the calendar of the specified mailbox by assigning the Reviewer access right. This would give every user in the organization the ability to view the calendar items for this mailbox. There are four cmdlets in total that can be used to manage the mailbox folder permissions:

• Add-MailboxFolderPermission
• Get-MailboxFolderPermission
• Remove-MailboxFolderPermission
• Set-MailboxFolderPermission

The Add and Set-MailboxFolderPermission cmdlets both provide an -AccessRights parameter that is used to set the appropriate permissions on the folder specified in the command. In the previous example, instead of assigning the Reviewer role, we could have assigned the Editor role to the Default user, giving all users the ability to completely manage the items in the calendar. The possible values that can be used with the -AccessRights parameter are as follows:

• ReadItems: The user assigned with this right can read items within the designated folder.
• CreateItems: The user assigned with this right can create items within the designated folder.
• EditOwnedItems: The user assigned with this right can edit the items that the user owns in the designated folder.
• DeleteOwnedItems: The user assigned with this right can delete items that the user owns in the designated folder.
• EditAllItems: The user assigned with this right can edit all the items in the designated folder.
• DeleteAllItems: The user assigned with this right can delete all the items in the designated folder.
• CreateSubfolders: The user assigned with this right can create subfolders in the designated folder.
• FolderOwner: The user assigned with this right has the right to view and move the folder and create subfolders. The user cannot read items, edit items, delete items, or create items.
• FolderContact: The user assigned with this right is the contact for the designated folder.
• FolderVisible: The user assigned with this right can view the specified folder, but can't read or edit the items within it.

The following roles are made up by one or more of the permissions specified in the previous list and can also be used with the -AccessRights parameter:

• None: FolderVisible
• Owner: CreateItems, ReadItems, CreateSubfolders, FolderOwner, FolderContact, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
• PublishingEditor: CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
• Editor: CreateItems, ReadItems, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
• PublishingAuthor: CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, DeleteOwnedItems
• Author: CreateItems, ReadItems, FolderVisible, EditOwnedItems, DeleteOwnedItems
• NonEditingAuthor: CreateItems, ReadItems, FolderVisible
• Reviewer: ReadItems, FolderVisible
• Contributor: CreateItems, FolderVisible

There's more...

Using the *-MailboxFolderPermission cmdlets makes it easier to perform bulk operations on many mailboxes at once. For example, let's say that you need to assign the Reviewer permissions to all employees on every mailbox calendar in the organization. You can use the following code to accomplish this task:

$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes | %{
$calendar = Get-MailboxFolderPermission ` "$($_.alias):\Calendar" -User Default
if(!($calendar.AccessRights)) {
  Add-MailboxFolderPermission "$($_.alias):\Calendar" `
  -User Default -AccessRights Reviewer
}
  if($calendar.AccessRights -ne "Reviewer") {
    Set-MailboxFolderPermission "$($_.alias):\Calendar" `
    -User Default -AccessRights Reviewer
  }
}

First, we use the Get-Mailbox cmdlet to retrieve all the mailboxes in the organization and store that result in the $mailboxes variable. We then loop through each mailbox in the $mailboxes collection. Within the loop, we retrieve the current calendar settings for the Default user using the Get-MailboxFolderPermission cmdlet and store the output in the $calendar variable. If the Default user has not been assigned any rights to the calendar, we use the Add-MailboxFolderPermission cmdlet to add the Reviewer access right.

If the Default user has been assigned calendar permissions, we check to see if the access rights are set to Reviewer. If not, we modify the existing setting for the Default user to the Reviewer access right.

See also

• Granting users full access permissions to mailboxes in Chapter 10, Exchange Security