Folder permissions for Groups and getting them recursively

Another example of interesting, but useless functionality – you can now check the folder permissions for Group mailboxes in Office 365. The Get-MailboxFolderPermission cmdlet has been updated to work against Group mailbox objects, via the -GroupMailbox parameter. Here’s an example:

[13:05:35][O365]# Get-MailboxFolderPermission -GroupMailbox default

FolderName           User         AccessRights
----------           ----         ------------
Top of Informatio... Default      {None}
Top of Informatio... Anonymous    {None}
Top of Informatio... Owner@local  {ReadItems, CreateItems, EditOwnedItems, DeleteOwnedItems, DeleteAllItems, FolderVisible}
Top of Informatio... Member@local {Author}

The Add- and Set-MailboxFolderPermission cmdlets don’t yet recognize groups, so you cannot do anything but look at the data. As Group permissions are governed by the membership of the Owners and Members group respectively, it’s expected to have both the Default and Anonymous levels set to None. Note that there aren’t any specific permissions for External users – similar to what we have with the Group files, external users get the same access as any other “regular” member of the Group (in this case Author permissions).

You can of course get the (sub)folder permissions too, but since there are no ways to actually grant permissions the result of this task will hardly be surprising. Still, I guess it’s a good exercise as some people might be unaware that Group mailbox folders are visible via the Get-MailboxFolderStatistics cmdlet. Here’s how to get the permissions for a particular (sub)folder:

[13:21:39][O365]# Get-MailboxFolderPermission -GroupMailbox external:\Inbox

FolderName User         AccessRights
---------- ----         ------------
Inbox      Default      {None}
Inbox      Anonymous    {None}
Inbox      Owner@local  {ReadItems, CreateItems, EditOwnedItems, DeleteOwnedItems, DeleteAllItems, FolderVisible}
Inbox      Member@local {Author}

And here’s how to do this recursively for all folders of the Group (there are quite a few more than you might suspect!):

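$mailbox = "external"

# Skip system folders (Recoverable Items, Audits, Calendar Logging)
$folders = Get-MailboxFolderStatistics $mailbox | ? {$_.FolderType -notlike "RecoverableItems*" -and $_.FolderType -ne "Audits" -and $_.FolderType -ne "CalendarLogging"}

$arrPermissions = @()
$i = 0 # row counter for the "Number" property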

foreach ($folder in $folders) {

	if ($folder.Name -eq "Top of Information Store") { $MailboxFolder = $mailbox }
	else {
		$FolderPath = $folder.FolderPath.Replace("/","\").Replace([char]63743,"/") #with PowerShell v3 'fix'
		$MailboxFolder = "$mailbox`:$FolderPath"
	}

	#replace with -Identity for User mailboxes
	$MBrights = Get-MailboxFolderPermission -GroupMailbox $MailboxFolder # | ? {$_.User.DisplayName -ne "Default" -and $_.User.DisplayName -ne "Anonymous"}

	if (!$MBrights) { continue }

	foreach ($entry in $MBrights) {

		$objPermissions = New-Object PSObject
		$i++;Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "Number" -Value $i
		Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "User" -Value $entry.user
		Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "Folder" -Value $folder.Name
		Add-Member -InputObject $objPermissions -MemberType NoteProperty -Name "Access Rights" -Value $entry.AccessRights
		$arrPermissions += $objPermissions

	}
}

$arrPermissions | select Folder,User,'Access Rights'

The result will be a long list of useless data, don’t say I didn’t warn you! But you can also easily adapt this to run against User mailboxes or export the result to a CSV file, which makes a bit more sense 🙂
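
One way to adapt the loop for CSV export and for User mailboxes, as an added example that is not part of the original post: the function name Export-FolderPermissionReport, its parameters and the Flagged column are assumptions made for illustration. AccessRights is a collection, so it is joined into a single string before export, and any Default or Anonymous entry that is not None is flagged for review.

```powershell
# Added example: hypothetical helper, not code from the original post.
# Assumes an already connected Exchange Online PowerShell session (v3 or later).
function Export-FolderPermissionReport {
    param(
        [Parameter(Mandatory)][string]$Mailbox,   # mailbox alias, e.g. "external"
        [Parameter(Mandatory)][string]$CsvPath,   # output file, caller's choice
        [switch]$GroupMailbox                     # set for Office 365 Group mailboxes
    )

    # Skip the same system folder types as the loop in the post
    $folders = Get-MailboxFolderStatistics $Mailbox | Where-Object {
        $_.FolderType -notlike "RecoverableItems*" -and
        $_.FolderType -ne "Audits" -and
        $_.FolderType -ne "CalendarLogging"
    }

    $report = foreach ($folder in $folders) {
        if ($folder.Name -eq "Top of Information Store") { $target = $Mailbox }
        else {
            $path = $folder.FolderPath.Replace("/","\").Replace([char]63743,"/")
            $target = "$Mailbox`:$path"
        }

        # Group mailboxes take -GroupMailbox, User mailboxes take -Identity
        if ($GroupMailbox) {
            $rights = Get-MailboxFolderPermission -GroupMailbox $target -ErrorAction SilentlyContinue
        } else {
            $rights = Get-MailboxFolderPermission -Identity $target -ErrorAction SilentlyContinue
        }

        foreach ($entry in $rights) {
            $user   = "$($entry.User)"                   # assumed to stringify as shown in the output above
            $access = @($entry.AccessRights) -join ";"   # flatten the collection for CSV
            [pscustomobject]@{
                Mailbox      = $Mailbox
                Folder       = $folder.FolderPath
                User         = $user
                AccessRights = $access
                # The post expects Default/Anonymous to be None on Group mailboxes
                Flagged      = ($user -in "Default","Anonymous") -and ($access -ne "None")
            }
        }
    }

    $report | Export-Csv -Path $CsvPath -NoTypeInformation -Encoding UTF8
    $report | Where-Object Flagged   # return only the rows worth a second look
}
# Usage: Export-FolderPermissionReport -Mailbox "external" -GroupMailbox -CsvPath .\perms.csv
```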
