View/Add/Edit/Remove Access Permission on Mailboxes

View/Add/Edit/Remove Access Permission on Mailboxes - 10.Mar.2016 12:21:20 AM   
mr_unknowns

 

Posts: 1
Joined: 9.Mar.2016
Status: offline
View who has permission (single user)
Get-MailboxPermission -Identity ReadTest | Select Identity,User,AccessRights | FT -Wrap
Get-MailboxFolderPermission -Identity email@domain.com:\
Get-MailboxFolderPermission "ReadTest:\"
Get-MailboxFolderPermission "ReadTest:\Calendar"
Get-MailboxFolderPermission "ReadTest:\Inbox"
Get-ADPermission -Identity "Read Test" | Where-Object {$_.extendedrights -like "*send*"} | Select Identity,User
Get-Mailbox ReadTest | fl DisplayName, GrantSendOnBehalfTo
$mailboxfolders = Get-MailboxFolderStatistics -Identity "ReadTest" | Where {$_.Identity -like "ReadTest\*" -and $_.Identity -notlike "*\Top Of Information Store" -and $_.Identity -notlike "*\Recoverable Items" -and $_.Identity -notlike "*\Calendar Logging" -and $_.Identity -notlike "*\Deletions" -and $_.Identity -notlike "*\Purges" -and $_.Identity -notlike "*\Versions" -and $_.Identity -notlike "*\(Custom Expiration\Manage Folders)"} | Select FolderPath; $mailboxfolders = $mailboxfolders.FolderPath.Replace("/","\"); $myArray = New-Object System.Collections.ArrayList
for ($i=0; $i -le $mailboxfolders.Length-1 ; $i++) {$myArray.Add("ReadTest:"+$mailboxfolders.Item($i))}
for ($i=0; $i -le $mailboxfolders.Length-1 ; $i++) {Get-MailboxFolderPermission $myArray.Item($i) | Where {$_.User -notlike "Read Test"}}
$mailboxfolders.Clear(); $myArray.Clear()


View who has permission (all users)
Full or Other Access
Get-Mailbox -ResultSize unlimited | Where {$_.Identity -like "*/Users/*"} | Get-MailboxPermission | Where {$_.User -notlike "*\Organization Management" -and $_.User -notlike "*\Domain Admins" -and $_.User -notlike "*\Administrator" -and $_.User -notlike "*\Enterprise Admins" -and $_.User -notlike "*\Delegated Setup" -and $_.User -notlike "*\Exchange*" -and $_.User -notlike "*\Managed Availability Servers" -and $_.User -notlike "*\Public Folder Management"} | ft Identity,User,AccessRights -Wrap | tee c:\scripts\fullAccess.csv


Folder Access
Get-Mailbox -ResultSize unlimited | Where {$_.Identity -like "*/Users/*"} | Get-MailboxFolderPermission | Where {$_.User -notlike "Default"} | ft Identity,User,AccessRights -Wrap | tee c:\scripts\folderAccess.csv


Send Access
Get-Mailbox -ResultSize unlimited | Where {$_.Identity -like "*/Users/*"} | Get-ADPermission | Where-Object {($_.ExtendedRights -like "*send*") -and $_.User -notlike "NT Authority\SELF"} | ft Identity,User -Wrap | tee c:\scripts\sendAccess.csv
Get-Mailbox -ResultSize unlimited | Where {$_.Identity -like "*/Users/*"} | Select DisplayName,GrantSendOnBehalfTo | tee -Append c:\scripts\sendAccess.csv



View All user’s folders
Get-MailboxFolderStatistics -Identity "ReadTest" | Select Identity
Get-MailboxFolderStatistics -Identity "ReadTest" | Where {$_.Identity -like "ReadTest\*"} | Select Identity


Add a new permission
Those permissions do not inherit down the mailbox folder hierarchy to existing folders (newly created folders will inherit the permissions of their parent folder though). So you still need to grant permissions for specific folders, for example the inbox or calendar.
Add-MailboxFolderPermission "ReadTest:\Calendar" -User ReadAdmin@domain.com -AccessRights Reviewer   # or Editor, or Owner


The AccessRights parameter also specifies the permissions for the user with the following roles, which are a combination of the rights listed previously:
• None FolderVisible
• Owner CreateItems, ReadItems, CreateSubfolders, FolderOwner, FolderContact, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
• PublishingEditor CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
• Editor CreateItems, ReadItems, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
• PublishingAuthor CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, DeleteOwnedItems
• Author CreateItems, ReadItems, FolderVisible, EditOwnedItems, DeleteOwnedItems
• NonEditingAuthor CreateItems, ReadItems, FolderVisible
• Reviewer ReadItems, FolderVisible
• Contributor CreateItems, FolderVisible
The following roles apply specifically to calendar folders:
• AvailabilityOnly View only availability data
• LimitedDetails View availability data with subject and location

Modifies existing permission entries
Set-MailboxFolderPermission "ReadTest:\Calendar" -User "Read Admin" -AccessRights Reviewer   # or Editor, or Owner


Remove existing permission
Remove-MailboxFolderPermission "ReadTest:\Calendar" -User "Read Admin"



To grant permissions to the entire mailbox folder hierarchy, run the below commands or you would need to write a script.
Add-MailboxPermission -Identity "ReadTest" -User "ReadAdmin" -AccessRights ReadPermission -InheritanceType All


* FullAccess - These permissions are similar to the mailbox owner's, with the exception of SendAs and a few other rights.
* ExternalAccount - will allow a user to associate an external account to this mailbox; this is typically used when working with resource forests.
* DeleteItem - allows a user to delete a mailbox for which they have been delegated this right.
* ReadPermission - by default everyone has this permission which allows users to view the permissions on a mailbox
* ChangePermission - allows a user to change (add/remove) permission on a mailbox
* ChangeOwner - allows a user to change the owner of the mailbox.

When we assign a user "Full Access" permission to another user's mailbox (such as a shared mailbox), the mailbox is automatically added to the user's Outlook mail profile. This feature is described as AutoMap.

To add permission to reply and forward along with only Read permission, use the commands below:
Add-ADPermission "Read Test" -User "Read Admin" -ExtendedRights "Send As" -Confirm:$False
Set-Mailbox "ReadTest" -GrantSendOnBehalfTo "ReadAdmin"

OR

Add-RecipientPermission "ReadTest" -Trustee "ReadAdmin" -AccessRights SendAs -Confirm:$False


To avoid the need for confirmation, we can add the option: “-Confirm:$False”.

Exchange will cache information for two hours. So if you set Send-As permissions, it could take up to 2 hours for it to take effect. There is a registry key to shorten this interval, "Mailbox Information Cache Age Limit", but it requires a Store restart to take effect.

Now you can access the mailbox by adding as an additional mailbox. To grant access to expand and view folders

Add-MailboxFolderPermission "ReadTest:\" -User "ReadAdmin" -AccessRights Reviewer; Add-MailboxFolderPermission "ReadTest:\Inbox" -User "ReadAdmin" -AccessRights Reviewer
Add-MailboxFolderPermission "ReadTest:\Sent Items" -User "ReadAdmin" -AccessRights Reviewer; Add-MailboxFolderPermission "ReadTest:\Deleted Items" -User "ReadAdmin" -AccessRights Reviewer; Add-MailboxFolderPermission "ReadTest:\Conversation History" -User "ReadAdmin" -AccessRights Reviewer; Add-MailboxFolderPermission "ReadTest:\Drafts" -User "ReadAdmin" -AccessRights Reviewer; Add-MailboxFolderPermission "ReadTest:\Junk Email" -User "ReadAdmin" -AccessRights Reviewer; Add-MailboxFolderPermission "ReadTest:\Outbox" -User "ReadAdmin" -AccessRights Reviewer; Add-MailboxFolderPermission "ReadTest:\Notes" -User "ReadAdmin" -AccessRights Reviewer; Add-MailboxFolderPermission "ReadTest:\Tasks" -User "ReadAdmin" -AccessRights Reviewer
Add-MailboxFolderPermission -Identity "ReadTest:\Calendar" -AccessRights Reviewer -User "ReadAdmin"   # or -AccessRights ReadItems
$mailboxfolders.Clear(); $myArray.Clear()
$mailboxfolders = Get-MailboxFolderStatistics -Identity "ReadTest" | Where {$_.Identity -like "ReadTest\*" -and $_.Identity -notlike "*\Top Of Information Store" -and $_.Identity -notlike "*\Recoverable Items" -and $_.Identity -notlike "*\Calendar Logging" -and $_.Identity -notlike "*\Deletions" -and $_.Identity -notlike "*\Purges" -and $_.Identity -notlike "*\Versions" -and $_.Identity -notlike "*\(Custom Expiration\Manage Folders)"} | Select FolderPath; $mailboxfolders = $mailboxfolders.FolderPath.Replace("/","\"); $myArray = New-Object System.Collections.ArrayList
for ($i=0; $i -le $mailboxfolders.Length-1 ; $i++) {$myArray.Add("ReadTest:"+$mailboxfolders.Item($i))}
for ($i=0; $i -le $mailboxfolders.Length-1 ; $i++) {Add-MailboxFolderPermission $myArray.Item($i) -User "ReadAdmin" -AccessRights Reviewer -whatif}
$mailboxfolders.Clear(); $myArray.Clear()


======================

Add-MailboxFolderPermission "ReadTest:\" -User "ReadAdmin" -AccessRights Reviewer
foreach($item in (Get-MailboxFolderStatistics ReadTest | where { ($_.foldertype -ne "ConversationActions") -and ($_.foldertype -notlike "Recoverable*") -and ($_.FolderPath -notlike "/Sync*")})){$fname = "ReadTest:" + $item.FolderPath.Replace("/","\"); Add-MailboxFolderPermission $fname -User ReadAdmin -AccessRights Reviewer -whatif}


You may execute the command by adding ‘–whatif’ at the end to verify what happens when you run the command. It will help to understand what action the command will perform on real execution.


================================


#Proof of concept code to apply mailbox
#folder permissions to all folders in
#a mailbox

[CmdletBinding()]
param (
    [Parameter( Mandatory=$true)]
    [string]$Mailbox,

    [Parameter( Mandatory=$true)]
    [string]$User,

    [Parameter( Mandatory=$true)]
    [string]$Access
)

$exclusions = @("/Sync Issues",
    "/Sync Issues/Conflicts",
    "/Sync Issues/Local Failures",
    "/Sync Issues/Server Failures",
    "/Recoverable Items",
    "/Deletions",
    "/Purges",
    "/Versions"
)

$mailboxfolders = @(Get-MailboxFolderStatistics $Mailbox | Where {!($exclusions -icontains $_.FolderPath)} | Select FolderPath)

foreach ($mailboxfolder in $mailboxfolders)
{
    $folder = $mailboxfolder.FolderPath.Replace("/","\")
    if ($folder -match "Top of Information Store")
    {
        $folder = $folder.Replace("\Top of Information Store","\")
    }
    $identity = "$($mailbox):$folder"
    Write-Host "Adding $user to $identity with $access permissions"
    Add-MailboxFolderPermission -Identity $identity -User $user -AccessRights $Access -ErrorAction SilentlyContinue
}


Remove Mailbox Folder Permissions on the entire mailbox folder hierarchy
$mailboxfolders.Clear(); $myArray.Clear()
Remove-MailboxPermission -Identity "ReadTest" -User "ReadAdmin" -AccessRights FullAccess,ExternalAccount,DeleteItem,ReadPermission,ChangePermission,ChangeOwner -InheritanceType All
Remove-ADPermission "Read Test" -User "Read Admin" -ExtendedRights "Send As"
Set-Mailbox "ReadTest" -GrantSendOnBehalfTo @{remove="ReadAdmin"}
Remove-MailboxFolderPermission "ReadTest:\" -User "ReadAdmin"; Remove-MailboxFolderPermission "ReadTest:\Inbox" -User "ReadAdmin"
$mailboxfolders.Clear(); $myArray.Clear()
$mailboxfolders = Get-MailboxFolderStatistics -Identity "ReadTest" | Where {$_.Identity -like "ReadTest\*" -and $_.Identity -notlike "*\Top Of Information Store" -and $_.Identity -notlike "*\Recoverable Items" -and $_.Identity -notlike "*\Calendar Logging" -and $_.Identity -notlike "*\Deletions" -and $_.Identity -notlike "*\Purges" -and $_.Identity -notlike "*\Versions" -and $_.Identity -notlike "*\(Custom Expiration\Manage Folders)"} | Select FolderPath; $mailboxfolders = $mailboxfolders.FolderPath.Replace("/","\"); $myArray = New-Object System.Collections.ArrayList
for ($i=0; $i -le $mailboxfolders.Length-1 ; $i++) {$myArray.Add("ReadTest:"+$mailboxfolders.Item($i))}
for ($i=0; $i -le $mailboxfolders.Length-1 ; $i++) {Remove-MailboxFolderPermission $myArray.Item($i) -User "ReadAdmin"}
$mailboxfolders.Clear(); $myArray.Clear()


=====================================


# Fragment: relies on $Mailbox, $User and $exclusions being defined as in the script above.
$mailboxfolders = @(Get-MailboxFolderStatistics $Mailbox | Where {!($exclusions -icontains $_.FolderPath)} | Select FolderPath)

foreach ($mailboxfolder in $mailboxfolders)
{
    $folder = $mailboxfolder.FolderPath.Replace("/","\")
    if ($folder -match "Top of Information Store")
    {
        $folder = $folder.Replace("\Top of Information Store","\")
    }
    $identity = "$($mailbox):$folder"
    Write-Host "Checking $identity for permissions for user $user"
    # Only attempt removal where the user actually has an entry on this folder
    if (Get-MailboxFolderPermission -Identity $identity -User $user -ErrorAction SilentlyContinue)
    {
        try
        {
            Remove-MailboxFolderPermission -Identity $identity -User $User -Confirm:$false -ErrorAction STOP
            Write-Host -ForegroundColor Green "Removed!"
        }
        catch
        {
            Write-Warning $_.Exception.Message
        }
    }
}

===================================

Ref

http://exchangeserverpro.com/grant-read-access-exchange-mailbox/
http://exchangeserverpro.com/powershell-script-remove-permissions-exchange-mailbox/
http://www.exchangedictionary.com/articles/assign-read-only-mailbox-permission-on-exchange-2010-2013-powershell
http://www.computerperformance.co.uk/exchange2010/powershell_add_mailboxpermission.htm
http://o365info.com/mailbox-permissions-powershell-commands/
http://blogs.technet.com/b/ilvancri/archive/2009/11/24/exchange-2010-and-then-there-is-the-long-awaited-cmdlet-add-mailboxfolderpermission.aspx
http://www.exchange-genie.com/2007/07/add-mailboxpermission-vs-add-adpermission-part-1/
http://o365info.com/shared-mailbox-powershell-commands/
https://theucguy.net/exchange-shell-finding-mailboxes-with/

_____________________________

Exchange Newbie... Please feel free to leave your comments
Post #: 1
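
An added example, not part of the original post: a reusable filter for the "View who has permission (all users)" audit that drops inherited and deny entries as well as the built-in principals the post filters out, and emits real CSV rows. The function name Select-DelegatedAccess and the sample entries are hypothetical and constructed here; the property names (Identity, User, AccessRights, IsInherited, Deny) are the ones Get-MailboxPermission returns.

```powershell
# Added example (not from the original post): audit filter for mailbox permission entries.
# Principals treated as expected; patterns taken from the post's own exclusion filter.
$ExpectedPrincipals = @(
    'NT AUTHORITY\SELF', '*\Organization Management', '*\Domain Admins',
    '*\Administrator', '*\Enterprise Admins', '*\Delegated Setup', '*\Exchange*',
    '*\Managed Availability Servers', '*\Public Folder Management'
)

function Select-DelegatedAccess {
    # Hypothetical helper name. Emits one row per explicit allow entry
    # whose User does not match any expected principal.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$Entry,
        [string[]]$Exclude = $ExpectedPrincipals
    )
    process {
        # Skip inherited entries (not set on this mailbox) and deny entries (grant nothing).
        if ($Entry.IsInherited -or $Entry.Deny) { return }
        $user = [string]$Entry.User
        foreach ($pattern in $Exclude) {
            if ($user -like $pattern) { return }
        }
        [pscustomobject]@{
            Mailbox      = [string]$Entry.Identity
            Delegate     = $user
            AccessRights = (@($Entry.AccessRights) -join ';')
        }
    }
}

# Constructed sample entries shaped like Get-MailboxPermission output.
$sample = @(
    [pscustomobject]@{ Identity = 'domain.com/Users/Read Test'; User = 'NT AUTHORITY\SELF'
                       AccessRights = @('FullAccess', 'ReadPermission'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'domain.com/Users/Read Test'; User = 'DOMAIN\Domain Admins'
                       AccessRights = @('FullAccess'); IsInherited = $true; Deny = $true }
    [pscustomobject]@{ Identity = 'domain.com/Users/Read Test'; User = 'DOMAIN\ReadAdmin'
                       AccessRights = @('FullAccess'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'domain.com/Users/Read Test'; User = 'DOMAIN\Exchange Servers'
                       AccessRights = @('ReadPermission'); IsInherited = $true; Deny = $false }
)

# Only the explicit grant to DOMAIN\ReadAdmin survives the filter.
$report = @($sample | Select-DelegatedAccess)
$report | ConvertTo-Csv -NoTypeInformation

# Against a live organization (Exchange Management Shell):
# Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission |
#     Select-DelegatedAccess | Export-Csv c:\scripts\fullAccess.csv -NoTypeInformation
```

Comparing successive CSV exports makes newly added delegates easy to spot during a periodic access review.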