Managing mailbox permissions on the folder level in bulk

In the Exchange world, delegating access to a shared resource is usually performed by granting Full Access permissions, meaning that the delegate will get full and unconditional access to all items in folders in the mailbox. Sometimes, this is not the desired behavior, and folder-level permissions are used instead. This is a common scenario for organizations switching from Lotus Notes. Another example scenario is when you want to grant read-only access to the mailbox, or in general, anything less than full control over all items.

For such scenarios, the solution is to use the relevant Add/Set/Remove-MailboxFolderPermission PowerShell cmdlets. The process itself is fairly straightforward: you need to provide the Identity of the folder (which includes the mailbox identity), the identity of the User to whom the permissions are granted, and the permission levels. The corresponding documentation articles go over any additional details you might need.

One of the problems with this approach however is the sheer amount of operations one needs to perform in order to cover all the relevant folders in a mailbox. A newly-created mailbox in Exchange Online for example features no less than 35 individual folders, not counting any user-created ones. Obviously, having to repeat the same operation that many times can quickly become exhausting, so as usual we turn to PowerShell for help. The handy Get-MailboxFolderStatistics cmdlet will help us get all the folders in a mailbox, so instead of listing each folder individually, we can just provide a mailbox identifier.

In all fairness, many of the pre-created folders in a mailbox will probably be of no interest to the regular user. Almost half of those are not even accessible by any client application, such as Outlook or OWA. So, we can get the output of Get-MailboxFolderStatistics and apply some basic filtering to get rid of such “inaccessible” folders. Removing those, we are left with a list of 15 or so “Default” folders, found in every mailbox. We use the $includedfolders variable to store the list of Default folder types we want to cover:

$includedfolders = @("Root","Inbox","Calendar", "Contacts", "DeletedItems", "Drafts", "JunkEmail", "Journal", "Notes", "Outbox", "SentItems", "Tasks", "CommunicatorHistory", "Clutter", "Archive")

Chances are that in most scenarios, even the above list will be overkill. By editing the $includedfolders variable, you can ensure that the script will only run against default folders of the type(s) you care about, and as a side effect you will also get a faster execution time. As the folders are referenced by their FolderType property in the above list, there is no need to include additional localized values.

Apart from the Default folders however, we also need to cover any user-created ones, as well as non-default folders which are created by Outlook or other mail applications. Examples of such folders are the “News feed” or “Quick Step Settings”. All of these will of course be included in the output of the Get-MailboxFolderStatistics cmdlet, so we can apply yet another set of filters to get rid of them. The scripts use the $excludedfolders variable to store the list of additional folders to exclude from processing:

$excludedfolders = @("News Feed","Quick Step Settings","Social Activity Notifications","Suggested Contacts", "SearchDiscoveryHoldsUnindexedItemFolder", "SearchDiscoveryHoldsFolder","Calendar Logging")

Now, it’s important to understand that unlike the FolderType values we used for the $includedfolders variable, this time folder names are used. Those in turn are language-specific, so you might want to add any localized values to the above list as well. The two lists are then applied against the output of Get-MailboxFolderStatistics:

# $mailbox holds the identity of the mailbox being processed
Get-MailboxFolderStatistics -Identity $mailbox | Where-Object {($_.FolderType -eq "User created" -or $_.FolderType -in $includedfolders) -and ($_.Name -notin $excludedfolders)}

The robust scripting capabilities of PowerShell allow us to craft a simple function that iterates over multiple mailboxes and repeats the process for each of them. The same applies to the User parameter, which can also be configured to accept multiple identifiers. The documentation article listed above explains all the accepted values for the User parameter, so I will not go into much detail here. The script will do some basic validation checks in order to make sure that a valid and unique identifier has been specified for the user, and if not it will just be removed from the list.

Once all the needed details are gathered, we only need a simple cycle over the list of mailboxes, folders and users in order to execute the action. Two sample scripts are provided – one for adding/setting folder permissions, and one for removing permissions. You can download them from the TechNet Gallery:

Set folder permissions script: https://gallery.technet.microsoft.com/Office-365-Set-mailbox-af5f3d21

Remove folder permissions script: https://gallery.technet.microsoft.com/Office-365-Remove-mailbox-00cd2423
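
The filter, user validation and mailbox/folder/user cycle described above, put together as an added example; this is not the code of the downloadable scripts. The function name Grant-FolderAccess, its parameters, the shortened folder lists, the Reviewer default and the contoso.example addresses are assumptions made for illustration, and an Exchange Online PowerShell session is assumed to be connected already.

```powershell
# Added example; Grant-FolderAccess and its parameter names are hypothetical.
function Grant-FolderAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$Mailbox,
        [Parameter(Mandatory)][string[]]$User,
        [string]$AccessRights = "Reviewer"   # read-only by default (least privilege)
    )
    # Shortened lists for the example; FolderType values vs. localized folder names
    $includedfolders = @("Root","Inbox","Calendar","Contacts","SentItems")
    $excludedfolders = @("News Feed","Quick Step Settings","Calendar Logging")

    # Keep only delegates that resolve to exactly one recipient
    $validUsers = foreach ($u in $User) {
        $r = @(Get-Recipient -Identity $u -ErrorAction SilentlyContinue)
        if ($r.Count -eq 1) { $r[0].PrimarySmtpAddress.ToString() }
        else { Write-Warning "Skipping '$u': not a valid, unique recipient" }
    }

    foreach ($mbx in $Mailbox) {
        $folders = Get-MailboxFolderStatistics -Identity $mbx | Where-Object {
            ($_.FolderType -eq "User created" -or $_.FolderType -in $includedfolders) -and
            ($_.Name -notin $excludedfolders)
        }
        foreach ($folder in $folders) {
            # Root maps to "mailbox:\"; other folders to "mailbox:\Path\To\Folder"
            $path = if ($folder.FolderType -eq "Root") { "\" } else { $folder.FolderPath.Replace("/","\") }
            $id = "${mbx}:$path"
            foreach ($u in $validUsers) {
                if (-not $PSCmdlet.ShouldProcess($id, "Grant $AccessRights to $u")) { continue }
                # Add fails when the user already has an entry, so update it instead
                $existing = Get-MailboxFolderPermission -Identity $id -User $u -ErrorAction SilentlyContinue
                if ($existing) { $null = Set-MailboxFolderPermission -Identity $id -User $u -AccessRights $AccessRights }
                else { $null = Add-MailboxFolderPermission -Identity $id -User $u -AccessRights $AccessRights }
                # One record per change, suitable for export as an audit trail
                [pscustomobject]@{ Mailbox = $mbx; Folder = $id; User = $u; AccessRights = $AccessRights }
            }
        }
    }
}

# Dry run with constructed identities: reports what would change, changes nothing
Grant-FolderAccess -Mailbox "shared@contoso.example" -User "delegate@contoso.example" -WhatIf
```

Running with -WhatIf first shows exactly which folders a delegate would gain access to; piping the real run to Export-Csv keeps a record of every permission that was granted.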


For additional details on the scripts please refer to the detailed article over at the Cogmotive blog, the built-in script help or the description page at the TechNet Gallery.
