
View/Add/Edit/Remove Access Permission on Mailboxes

View/Add/Edit/Remove Access Permission on Mailboxes - 10.Mar.2016 12:21:20 AM   
mr_unknowns
View who has permission (single user)
Get-MailboxPermission -Identity ReadTest | Select Identity,User,AccessRights | FT -Wrap
Get-MailboxFolderPermission -Identity email@domain.com:\
Get-MailboxFolderPermission "ReadTest:\"
Get-MailboxFolderPermission "ReadTest:\Calendar"
Get-MailboxFolderPermission "ReadTest:\Inbox"
Get-ADPermission -Identity "Read Test" | Where-Object {$_.extendedrights -like "*send*"} | Select Identity,User
Get-Mailbox ReadTest | fl DisplayName, GrantSendOnBehalfTo
$mailboxfolders = Get-MailboxFolderStatistics -Identity "ReadTest" | Where {$_.Identity -like "ReadTest\*" -and $_.Identity -notlike "*\Top Of Information Store" -and $_.Identity -notlike "*\Recoverable Items" -and $_.Identity -notlike "*\Calendar Logging" -and $_.Identity -notlike "*\Deletions" -and $_.Identity -notlike "*\Purges" -and $_.Identity -notlike "*\Versions" -and $_.Identity -notlike "*\(Custom Expiration\Manage Folders)"} | Select FolderPath; $mailboxfolders = $mailboxfolders.FolderPath.Replace("/","\"); $myArray = New-Object System.Collections.ArrayList
for ($i=0; $i -le $mailboxfolders.Length-1 ; $i++) {$myArray.Add("ReadTest:"+$mailboxfolders.Item($i))}
for ($i=0; $i -le $mailboxfolders.Length-1 ; $i++) {Get-MailboxFolderPermission $myArray.Item($i) | Where {$_.User -notlike "Read Test"}}
$mailboxfolders.Clear(); $myArray.Clear()


View who has permission (all users)
Full or Other Access
Get-Mailbox -ResultSize unlimited | Where {$_.Identity -like "*/Users/*"} | Get-MailboxPermission | Where {$_.User -notlike "*\Organization Management" -and $_.User -notlike "*\Domain Admins" -and $_.User -notlike "*\Administrator" -and $_.User -notlike "*\Enterprise Admins" -and $_.User -notlike "*\Delegated Setup" -and $_.User -notlike "*\Exchange*" -and $_.User -notlike "*\Managed Availability Servers" -and $_.User -notlike "*\Public Folder Management"} | ft Identity,User,AccessRights -Wrap | tee c:\scripts\fullAccess.csv


Folder Access
Get-Mailbox -ResultSize unlimited | Where {$_.Identity -like "*/Users/*"} | Get-MailboxFolderPermission | Where {$_.User -notlike "Default"} | ft Identity,User,AccessRights -Wrap | tee c:\scripts\folderAccess.csv


Send Access
Get-Mailbox -ResultSize unlimited | Where {$_.Identity -like "*/Users/*"} | Get-ADPermission | Where-Object {($_.ExtendedRights -like "*send*") -and $_.User -notlike "NT Authority\SELF"} | ft Identity,User -Wrap | tee c:\scripts\sendAccess.csv
Get-Mailbox -ResultSize unlimited | Where {$_.Identity -like "*/Users/*"} | fl DisplayName, GrantSendOnBehalfTo | tee -a c:\scripts\sendAccess.csv



View All user’s folders
Get-MailboxFolderStatistics -Identity "ReadTest" | Select Identity
Get-MailboxFolderStatistics -Identity "ReadTest" | Where {$_.Identity -like "ReadTest\*"} | Select Identity


Add a new permission
Those permissions do not inherit down the mailbox folder hierarchy to existing folders (newly created folders will inherit the permissions of their parent folder though). So you still need to grant permissions for specific folders, for example the inbox or calendar.
# Pick one role for -AccessRights (for example Owner, Editor or Reviewer)
Add-MailboxFolderPermission "ReadTest:\Calendar" -User ReadAdmin@domain.com -AccessRights Reviewer


The AccessRights parameter also specifies the permissions for the user with the following roles, which are a combination of the rights listed previously:
• None - FolderVisible
• Owner - CreateItems, ReadItems, CreateSubfolders, FolderOwner, FolderContact, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
• PublishingEditor - CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
• Editor - CreateItems, ReadItems, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
• PublishingAuthor - CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, DeleteOwnedItems
• Author - CreateItems, ReadItems, FolderVisible, EditOwnedItems, DeleteOwnedItems
• NonEditingAuthor - CreateItems, ReadItems, FolderVisible
• Reviewer - ReadItems, FolderVisible
• Contributor - CreateItems, FolderVisible
The following roles apply specifically to calendar folders:
• AvailabilityOnly - View only availability data
• LimitedDetails - View availability data with subject and location

Modifies existing permission entries
# Pick one role for -AccessRights (for example Owner, Editor or Reviewer)
Set-MailboxFolderPermission "ReadTest:\Calendar" -User "Read Admin" -AccessRights Reviewer


Remove existing permission
Remove-MailboxFolderPermission "ReadTest:\Calendar" -User "Read Admin"



To grant permissions to the entire mailbox folder hierarchy, run the below commands or you would need to write a script.
Add-MailboxPermission -Identity "ReadTest" -User "ReadAdmin" -AccessRights ReadPermission -InheritanceType All


* FullAccess - These permissions are similar to the mailbox owner's, with the exception of SendAs and a few other rights.
* ExternalAccount - will allow a user to associate an external account to this mailbox; this is typically used when working with resource forests.
* DeleteItem - allows a user to delete a mailbox for which they have been delegated this right.
* ReadPermission - by default everyone has this permission, which allows users to view the permissions on a mailbox.
* ChangePermission - allows a user to change (add/remove) permissions on a mailbox.
* ChangeOwner - allows a user to change the owner of the mailbox.

When we assign a user “Full Access” permission to another user's mailbox (such as a shared mailbox), the mailbox is automatically added to the user’s Outlook mail profile. This feature is described as AutoMap.

To add permission to reply and forward along with only Read permission, use the commands below:
Add-ADPermission "Read Test" -User "Read Admin" -ExtendedRights "Send As" -Confirm:$False
Set-Mailbox "ReadTest" -GrantSendOnBehalfTo "ReadAdmin"

OR

Add-RecipientPermission "ReadTest" -Trustee "ReadAdmin" -AccessRights SendAs -Confirm:$False


To avoid the need for confirmation, we can add the option: “-Confirm:$False”.

Exchange will cache information for two hours. So if you set Send-As permissions, it could take up to 2 hours for it to take effect. There is a registry key to shorten this interval, "Mailbox Information Cache Age Limit", but it requires a Store restart to take effect.

Now you can access the mailbox by adding it as an additional mailbox. To grant access to expand and view folders:

Add-MailboxFolderPermission "ReadTest:\" -User "ReadAdmin" -AccessRights Reviewer; Add-MailboxFolderPermission "ReadTest:\Inbox" -User "ReadAdmin" -AccessRights Reviewer
Add-MailboxFolderPermission "ReadTest:\Sent Items" -User "ReadAdmin" -AccessRights Reviewer; Add-MailboxFolderPermission "ReadTest:\Deleted Items" -User "ReadAdmin" -AccessRights Reviewer; Add-MailboxFolderPermission "ReadTest:\Conversation History" -User "ReadAdmin" -AccessRights Reviewer; Add-MailboxFolderPermission "ReadTest:\Drafts" -User "ReadAdmin" -AccessRights Reviewer; Add-MailboxFolderPermission "ReadTest:\Junk Email" -User "ReadAdmin" -AccessRights Reviewer; Add-MailboxFolderPermission "ReadTest:\Outbox" -User "ReadAdmin" -AccessRights Reviewer; Add-MailboxFolderPermission "ReadTest:\Notes" -User "ReadAdmin" -AccessRights Reviewer; Add-MailboxFolderPermission "ReadTest:\Tasks" -User "ReadAdmin" -AccessRights Reviewer
# Use either the ReadItems right or the Reviewer role for -AccessRights
Add-MailboxFolderPermission -Identity "ReadTest:\Calendar" -AccessRights Reviewer -User "ReadAdmin"
$mailboxfolders.Clear(); $myArray.Clear()
$mailboxfolders = Get-MailboxFolderStatistics -Identity "ReadTest" | Where {$_.Identity -like "ReadTest\*" -and $_.Identity -notlike "*\Top Of Information Store" -and $_.Identity -notlike "*\Recoverable Items" -and $_.Identity -notlike "*\Calendar Logging" -and $_.Identity -notlike "*\Deletions" -and $_.Identity -notlike "*\Purges" -and $_.Identity -notlike "*\Versions" -and $_.Identity -notlike "*\(Custom Expiration\Manage Folders)"} | Select FolderPath; $mailboxfolders = $mailboxfolders.FolderPath.Replace("/","\"); $myArray = New-Object System.Collections.ArrayList
for ($i=0; $i -le $mailboxfolders.Length-1 ; $i++) {$myArray.Add("ReadTest:"+$mailboxfolders.Item($i))}
for ($i=0; $i -le $mailboxfolders.Length-1 ; $i++) {Add-MailboxFolderPermission $myArray.Item($i) -User "ReadAdmin" -AccessRights Reviewer -whatif}
$mailboxfolders.Clear(); $myArray.Clear()


======================

Now you can access the mailbox by adding it as an additional mailbox. To grant access to expand and view folders:

Add-MailboxFolderPermission "ReadTest:\" -User "ReadAdmin" -AccessRights Reviewer
foreach ($item in (Get-MailboxFolderStatistics ReadTest | where { ($_.FolderType -ne "ConversationActions") -and ($_.FolderType -notlike "Recoverable*") -and ($_.FolderPath -notlike "/Sync*")})) {$fname = "ReadTest:" + $item.FolderPath.Replace("/","\"); Add-MailboxFolderPermission $fname -User ReadAdmin -AccessRights Reviewer -whatif}


You may execute the command by adding ‘–whatif’ at the end to verify what happens when you run the command. It will help to understand what action the command will perform on real execution.


================================


#Proof of concept code to apply mailbox
#folder permissions to all folders in
#a mailbox

[CmdletBinding()]
param (
    [Parameter( Mandatory=$true)]
    [string]$Mailbox,

    [Parameter( Mandatory=$true)]
    [string]$User,

    [Parameter( Mandatory=$true)]
    [string]$Access
)

$exclusions = @("/Sync Issues",
                "/Sync Issues/Conflicts",
                "/Sync Issues/Local Failures",
                "/Sync Issues/Server Failures",
                "/Recoverable Items",
                "/Deletions",
                "/Purges",
                "/Versions"
                )

$mailboxfolders = @(Get-MailboxFolderStatistics $Mailbox | Where {!($exclusions -icontains $_.FolderPath)} | Select FolderPath)

foreach ($mailboxfolder in $mailboxfolders)
{
    $folder = $mailboxfolder.FolderPath.Replace("/","\")
    if ($folder -match "Top of Information Store")
    {
        $folder = $folder.Replace("\Top of Information Store","\")
    }
    $identity = "$($mailbox):$folder"
    Write-Host "Adding $user to $identity with $access permissions"
    Add-MailboxFolderPermission -Identity $identity -User $user -AccessRights $Access -ErrorAction SilentlyContinue
}


Remove Mailbox Folder Permissions on the entire mailbox folder hierarchy
$mailboxfolders.Clear(); $myArray.Clear()
Remove-MailboxPermission -Identity "ReadTest" -User "ReadAdmin" -AccessRights FullAccess,ExternalAccount,DeleteItem,ReadPermission,ChangePermission,ChangeOwner -InheritanceType All
Remove-ADPermission "Read Test" -User "Read Admin" -ExtendedRights "Send As"
Set-Mailbox "ReadTest" -GrantSendOnBehalfTo @{remove="ReadAdmin"}
Remove-MailboxFolderPermission "ReadTest:\" -User "ReadAdmin"; Remove-MailboxFolderPermission "ReadTest:\Inbox" -User "ReadAdmin"
$mailboxfolders.Clear(); $myArray.Clear()
$mailboxfolders = Get-MailboxFolderStatistics -Identity "ReadTest" | Where {$_.Identity -like "ReadTest\*" -and $_.Identity -notlike "*\Top Of Information Store" -and $_.Identity -notlike "*\Recoverable Items" -and $_.Identity -notlike "*\Calendar Logging" -and $_.Identity -notlike "*\Deletions" -and $_.Identity -notlike "*\Purges" -and $_.Identity -notlike "*\Versions" -and $_.Identity -notlike "*\(Custom Expiration\Manage Folders)"} | Select FolderPath; $mailboxfolders = $mailboxfolders.FolderPath.Replace("/","\"); $myArray = New-Object System.Collections.ArrayList
for ($i=0; $i -le $mailboxfolders.Length-1 ; $i++) {$myArray.Add("ReadTest:"+$mailboxfolders.Item($i))}
for ($i=0; $i -le $mailboxfolders.Length-1 ; $i++) {Remove-MailboxFolderPermission $myArray.Item($i) -User "ReadAdmin"}
$mailboxfolders.Clear(); $myArray.Clear()


=====================================


# Assumes $Mailbox, $User and $exclusions are defined as in the script above
$mailboxfolders = @(Get-MailboxFolderStatistics $Mailbox | Where {!($exclusions -icontains $_.FolderPath)} | Select FolderPath)

foreach ($mailboxfolder in $mailboxfolders)
{
    $folder = $mailboxfolder.FolderPath.Replace("/","\")
    if ($folder -match "Top of Information Store")
    {
        $folder = $folder.Replace("\Top of Information Store","\")
    }
    $identity = "$($mailbox):$folder"
    Write-Host "Checking $identity for permissions for user $user"
    if (Get-MailboxFolderPermission -Identity $identity -User $user -ErrorAction SilentlyContinue)
    {
        try
        {
            Remove-MailboxFolderPermission -Identity $identity -User $User -Confirm:$false -ErrorAction STOP
            Write-Host -ForegroundColor Green "Removed!"
        }
        catch
        {
            Write-Warning $_.Exception.Message
        }
    }
}

===================================

Ref

http://exchangeserverpro.com/grant-read-access-exchange-mailbox/
http://exchangeserverpro.com/powershell-script-remove-permissions-exchange-mailbox/
http://www.exchangedictionary.com/articles/assign-read-only-mailbox-permission-on-exchange-2010-2013-powershell
http://www.computerperformance.co.uk/exchange2010/powershell_add_mailboxpermission.htm
http://o365info.com/mailbox-permissions-powershell-commands/
http://blogs.technet.com/b/ilvancri/archive/2009/11/24/exchange-2010-and-then-there-is-the-long-awaited-cmdlet-add-mailboxfolderpermission.aspx
http://www.exchange-genie.com/2007/07/add-mailboxpermission-vs-add-adpermission-part-1/
http://o365info.com/shared-mailbox-powershell-commands/
https://theucguy.net/exchange-shell-finding-mailboxes-with/

_____________________________

Exchange Newbie... Please feel free to leave your comments
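
Added example, not part of the original post: the "View who has permission (all users)" commands write Format-Table text to a .csv file, which is awkward to review or diff during an access audit. The sketch below filters permission entries down to explicit, non-system grants and emits objects suitable for Export-Csv; the function name `Select-ExplicitDelegation`, the `IsInherited`/`Deny` filtering, the sample rows and the output path are assumptions made for illustration.

```powershell
# Added example: keep explicit (non-inherited, non-Deny) grants to principals
# other than the built-in ones the post filters out.
function Select-ExplicitDelegation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$Entry,

        # Expected principals to ignore; patterns taken from the post's filters.
        [string[]]$IgnoreUser = @(
            'NT AUTHORITY\SELF', '*\Organization Management', '*\Domain Admins',
            '*\Enterprise Admins', '*\Administrator', '*\Delegated Setup',
            '*\Exchange*', '*\Managed Availability Servers',
            '*\Public Folder Management'
        )
    )
    process {
        if ($Entry.IsInherited -or $Entry.Deny) { return }
        $user = [string]$Entry.User
        foreach ($pattern in $IgnoreUser) {
            if ($user -like $pattern) { return }
        }
        [pscustomobject]@{
            Mailbox      = [string]$Entry.Identity
            User         = $user
            AccessRights = @($Entry.AccessRights) -join ';'
        }
    }
}

# Constructed sample rows shaped like Get-MailboxPermission output (domain and
# account names are made up), so the filter can be tried without Exchange.
$sample = @(
    [pscustomobject]@{ Identity = 'example.local/Users/Read Test'; User = 'NT AUTHORITY\SELF';
        AccessRights = @('FullAccess', 'ReadPermission'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'example.local/Users/Read Test'; User = 'EXAMPLE\Domain Admins';
        AccessRights = @('FullAccess'); IsInherited = $true; Deny = $false }
    [pscustomobject]@{ Identity = 'example.local/Users/Read Test'; User = 'EXAMPLE\ReadAdmin';
        AccessRights = @('FullAccess'); IsInherited = $false; Deny = $false }
)
$sample | Select-ExplicitDelegation | Format-Table -AutoSize

# In the Exchange Management Shell (output path is an assumption):
# Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission |
#     Select-ExplicitDelegation |
#     Export-Csv C:\scripts\fullAccess.csv -NoTypeInformation
```

Running the export on a schedule and comparing successive CSV files shows newly added FullAccess grants between runs.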