Few weeks back, a question on the TechNet forums caught my attention and got me thinking of what’s the proper way to “reset” folder-level permissions in a mailbox. My initial thoughts on the subject resulted in the outlining of some building blocks that such a solution should address, and were published in this article. Now, I’m presenting you with a PowerShell script that should make the process easier.
As with almost all of the scripts I release, the intention is to automate things as much as possible while still exposing some parameters to exert additional control over the script execution. In this particular scenario, the intent is to strip any and all folder-level entries from a given mailbox, so the only parameter you need to provide is an identifier for said Mailbox. You can use any attribute that uniquely identifies the mailbox, such as SMTP address, UPN, GUID and so on. And, to make things more interesting, you can provide multiple entries and run the script against a group of mailboxes, all in one go. Here’s an example:
.\Reset_Folder_Permissions_recursive_BULK.ps1 -Mailbox (Get-Mailbox -RecipientTypeDetails RoomMailbox)
Invoking the script with the above set of parameters will cause it to enumerate all Room mailboxes in the organization, then for each mailbox go over the list of folders and remove any non-default permission entry. Folders will be enumerated via the Get-MailboxFolderStatistics cmdlet, which makes sure that any “known” folder type will be returned, regardless of the regional settings of the mailbox. In addition, any user-created folder will also be returned. Lastly, a bunch of “safe to ignore” folders is used to exclude entries that you shouldn’t care about. In case you want to make adjustments to the types of folders to include or exclude, edit the corresponding lists at line 6 and 11 of the script.
Few additional parameters are exposed, as follows:
- ResetDefaultLevel – use this switch parameter when you want to also “reset” the Default entry for each mailbox. This will stamp each Calendar folder with the ‘AvailabilityOnly’ permission level for the Default principal, and the ‘None’ permission level for every other folder type.
- Quiet – used to suppress script output to the console.
- WhatIf – used to run the script in ‘preview’ mode, showing you which permissions will be removed, without actually making the changes. Very useful as troubleshooting tool and recommended as a first run experience.
- Verbose – forces the script to spill out a bunch of additional output, useful for troubleshooting purposes.
The script can be run against Exchange on-premises or Exchange Online, and utilizes implicit remoting for both. This in turn allows better control over the amount of data flowing over the wire and should reduce the execution time in most scenarios. However, as numerous cmdlets are run for each mailbox (getting the mailbox, getting the folders, getting the permissions for each folder, removing the permissions for each folder), things can easily add up and you might end up hitting throttling limits. To help address such scenarios, small delays are added before processing each mailbox, which you can adjust as necessary (lines 122 and 139).
Because it supports various Exchange install types and because of the numerous connectivity methods available nowadays, the script does not include any logic to connect to Exchange Remote PowerShell. You will have to take care of this on your own, before invoking the script. The script however will detect any existing sessions and try to reuse them, where possible.
The script deliberately ignores any permissions entries for which the UserType value is Unknown or Anonymous. Only UserType values of Internal and External are removed, while the Default value is replaced (only when the –ResetDefaultLevel parameter is used). Lastly, the script will generate a CSV file with all the permission changes made, which you can find in the working directory.