How to reset mailbox folder permissions

A thread over at the TechNet forums got me thinking about what is the best (or at least a proper) way to “reset” folder level permissions, with the added challenge of doing it in bulk. Generally speaking, it’s a simple operation, at most you’d have some loop running Remove-MailboxFolderPermission on each entry. But, there are some intricacies, so let’s dig in.

First of all, if you simply want to “reset” the permissions on a given, “known” folder, the task is easy. Say we have the user JohnSmith and we want to remove any permissions on his Calendar folder. All we need to do in such a scenario is run the following cmdlet:

Get-MailboxFolderPermission JohnSmith:\Calendar  | % { Remove-MailboxFolderPermission -Identity $_.Identity -User $_.User }

Right? Wrong. There are actually many issues with the one-liner above, starting from the fact that we are not using the proper User identifier. As we’ve discussed in other articles, the Get-MailboxFolderPermission cmdlet returns the reduced recipient object, and not a string value. Thus, a correct entry to use would look something like: $_.User.ADRecipient.ExchangeObjectId.Guid.

Next, we need to exclude the “default” permission entries, meaning the ones configured for the Default and Anonymous security principals. Those two are built-in entries that you adjust rather than remove (Set-MailboxFolderPermission with -AccessRights None, for example), so feeding them to Remove-MailboxFolderPermission only produces errors. This part is easy to handle with a simple Where clause, and we can even use a regex to address some other cases (more on this later). And we might also want to avoid having to confirm the removal of each individual entry, so the updated cmdlet will look something like this:

Get-MailboxFolderPermission JohnSmith:\Calendar `
  | ? {$_.User -notmatch "^(Default|Anonymous)$"} `
  | % { Remove-MailboxFolderPermission -Identity $_.Identity -User $_.User.ADRecipient.ExchangeObjectId.Guid -Confirm:$false }

From here, we can generalize this cmdlet to run against multiple mailboxes and achieve our dream of resetting the permissions in bulk. Something like this should do the trick:

Get-Mailbox -RecipientTypeDetails RoomMailbox `
  | % { Get-MailboxFolderPermission "$($_.PrimarySmtpAddress):\Calendar" } `
  | ? {$_.User -notmatch "^(Default|Anonymous)$"} `
  | % { Remove-MailboxFolderPermission -Identity $_.Identity -User $_.User.ADRecipient.ExchangeObjectId.Guid -Confirm:$false }

Now that’s a loooong one-liner, but frankly we are still just getting started. There are many additional factors that we need to address, such as the actual folder names, as depending on the localization, the Calendar folder might be renamed to Kalender or whatnot. Then, what if we want to include all folders in the mailbox, not just Calendar? And there are things to consider when removing the permissions as well, such as dealing with orphaned entries, external permissions, published Calendars. Are you getting bored yet?

What started as a simple exercise will have to be turned into a full-blown script if we want to handle everything correctly. Which of course is true for most examples: there is no way to properly handle errors or account for throttling in one-liner solutions. I will have to leave the complete solution for another post, but here are some of the building blocks we need to put together:

  • Account for the type of User and handle each kind accordingly. In other words, for each permission entry look at $entry.User.UserType.Value. The values will include Internal, External and Unknown (the latter being orphaned entries for principals that no longer exist), and each of them needs a different identifier when removing the entry.
  • Utilize the Get-MailboxFolderStatistics cmdlet to get a list of the localized folder names and trim the list to only include the folders you care about. There’s no point in adjusting permissions on the Purges folder, for example.
  • If you are using the above method to get the localized folder names across multiple mailboxes, you need to start to account for throttling!
  • Decide what you want to do with the Default (and Anonymous) permission level. The regex we used in the above example can be generalized to exclude other entries as well, if needed.
  • Put some logging in place or utilize the -WhatIf parameter to “preview” the result.
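
To show how those building blocks fit together, here is an example function added to this post; it is not the script from the TechNet Gallery and not the author’s code. It assumes an Exchange Online PowerShell session is already open, that Remove-MailboxFolderPermission accepts the entry’s DisplayName for External and Unknown (orphaned) principals, and the folder-type list, pause and retry counts are illustrative values you would tune for your own tenant:

```powershell
function Write-ResetLog {
    # Append one timestamped line per action to the log file and echo it via -Verbose
    param([string]$Path, [string]$Message)
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -Path $Path -Value $line
    Write-Verbose $line
}

function Reset-MailboxFolderPermissions {
    # Removes every non-default permission entry from selected folders of one or more mailboxes.
    # SupportsShouldProcess gives us -WhatIf / -Confirm for free.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$Mailbox,
        # FolderType values as reported by Get-MailboxFolderStatistics; Purges etc. are never touched
        [string[]]$FolderType = @('Calendar', 'Inbox', 'Contacts', 'Tasks', 'Notes'),
        # Entries to leave alone; extend the alternation to keep other principals as well
        [string]$KeepUser = '^(Default|Anonymous)$',
        [string]$LogPath = '.\FolderPermissionReset.log',
        # Assumed values: pause between mailboxes and retries per removal, for throttling relief
        [int]$PauseSeconds = 1,
        [int]$MaxAttempts = 3
    )
    process {
        foreach ($mbx in $Mailbox) {
            # Localized folder names come from the statistics; FolderPath is '/' delimited,
            # while the permission identity wants '\'
            try {
                $folders = Get-MailboxFolderStatistics -Identity $mbx -ErrorAction Stop |
                    Where-Object { $_.FolderType -in $FolderType }
            } catch {
                Write-ResetLog $LogPath "ERROR $mbx : cannot enumerate folders - $($_.Exception.Message)"
                continue
            }
            foreach ($folder in $folders) {
                # Folder names containing a literal '/' are reported with a full-width slash and need extra care (not handled here)
                $folderId = '{0}:{1}' -f $mbx, ($folder.FolderPath -replace '/', '\')
                try {
                    $entries = Get-MailboxFolderPermission -Identity $folderId -ErrorAction Stop |
                        Where-Object { $_.User -notmatch $KeepUser }
                } catch {
                    Write-ResetLog $LogPath "ERROR $folderId : cannot read permissions - $($_.Exception.Message)"
                    continue
                }
                foreach ($entry in $entries) {
                    # Pick the identifier Remove-MailboxFolderPermission understands for this kind of principal
                    $userType = $entry.User.UserType.Value
                    $userId = switch ($userType) {
                        'Internal' { $entry.User.ADRecipient.ExchangeObjectId.Guid }  # live recipient: use the GUID, not the display name
                        'External' { $entry.User.DisplayName }                         # published/shared calendar entries (assumption)
                        'Unknown'  { $entry.User.DisplayName }                         # orphaned entries for deleted principals (assumption)
                        default    { $null }                                           # anything else is left untouched
                    }
                    if (-not $userId) {
                        Write-ResetLog $LogPath "SKIP $folderId : $($entry.User) ($userType)"
                        continue
                    }
                    $what = '{0} ({1}, {2})' -f $entry.User.DisplayName, $userType, ($entry.AccessRights -join ',')
                    if (-not $PSCmdlet.ShouldProcess("$folderId -> $what", 'Remove folder permission')) { continue }

                    # Retry with a growing back-off so a throttled or transient failure does not abort the whole run
                    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
                        try {
                            Remove-MailboxFolderPermission -Identity $folderId -User $userId -Confirm:$false -ErrorAction Stop
                            Write-ResetLog $LogPath "REMOVED $folderId : $what"
                            break
                        } catch {
                            Write-ResetLog $LogPath "RETRY $attempt/$MaxAttempts $folderId : $what - $($_.Exception.Message)"
                            if ($attempt -eq $MaxAttempts) { Write-ResetLog $LogPath "FAILED $folderId : $what" }
                            else { Start-Sleep -Seconds (10 * $attempt) }
                        }
                    }
                }
            }
            Start-Sleep -Seconds $PauseSeconds   # crude throttling relief between mailboxes
        }
    }
}

# Preview what would be removed from every room mailbox calendar; drop -WhatIf (and add -Verbose) to run for real
# Get-Mailbox -RecipientTypeDetails RoomMailbox | ForEach-Object { $_.PrimarySmtpAddress.ToString() } |
#     Reset-MailboxFolderPermissions -FolderType Calendar -WhatIf
```

Run it with -WhatIf first and read the log: the SKIP lines tell you which principals the switch did not recognize, and the FAILED lines are the orphaned or external entries you will most likely have to look at by hand.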

The script I published on the TechNet Gallery a while back can help you get started with all this. And I’ll get started on actually turning all of the above into a proper script. In the meantime, those nifty one-liners should do.

P. S. Things are so much easier with Mailbox permissions, as we discussed previously:

Remove-MailboxPermission JoshSmith -ResetDefault

This entry was posted in Exchange Online, Office 365, PowerShell.

One Response to How to reset mailbox folder permissions

  1. Pingback: PowerShell script to remove folder-level Exchange permissions, in bulk | Blog
