about granting a user read-only access to the mailbox and calendar of another user in an Exchange Server organization.
This is a common scenario and the solution is reasonably simple though perhaps not obvious.
Let’s look at the scenario of Alan Reid trying to access the mailbox of Alex Heyne. With no access configured Alan gets an error message when he tries to open Alex’s inbox in Outlook.
To meet the requirements of this scenario we need to grant Alan read-only access to Alex’s mailbox, not full access, and without making him a delegate.
It is worth noting that the mailbox owner can configure these permissions themselves using Outlook. But I will assume that if you’re reading this you have been asked to handle it for them
Where some admins get stuck is in the Exchange Management Console, which only presents the option to grant full access to a mailbox.
Instead we need to use the Exchange Management Shell and run the Add-MailboxFolderPermission cmdlet.
The first step is to grant permissions (in this case “Reviewer”) to the “Top of Information Store”.
| 12345678 | [PS] C:\>Add-MailboxFolderPermission -Identity alex.heyne:\ -User Alan.Reid -AccessRights Reviewer RunspaceId : 2cc2f5f2-77a3-42b6-9221-83cf24c494c6FolderName : Top of Information StoreUser : Alan ReidAccessRights : {Reviewer}Identity : Alan ReidIsValid : True |
Those permissions do not inherit down the mailbox folder hierarchy to existing folders (newly created folders will inherit the permissions of their parent folder though). So you still need to grant permissions for specific folders, for example the inbox:
| 12345678 | [PS] C:\>Add-MailboxFolderPermission -Identity alex.heyne:\Inbox -User Alan.Reid -AccessRights Reviewer RunspaceId : 2cc2f5f2-77a3-42b6-9221-83cf24c494c6FolderName : InboxUser : Alan ReidAccessRights : {Reviewer}Identity : Alan ReidIsValid : True |
Or the calendar:
| 12345678 | [PS] C:\>Add-MailboxFolderPermission -Identity alex.heyne:\Calendar -User Alan.Reid -AccessRights Reviewer RunspaceId : 2cc2f5f2-77a3-42b6-9221-83cf24c494c6FolderName : CalendarUser : Alan ReidAccessRights : {Reviewer}Identity : Alan ReidIsValid : True |
This starts to get tedious if you want to grant permissions to the entire mailbox folder hierarchy. For that you would need to write a script.
Here is an example:
| 1234567891011121314151617181920212223242526272829303132333435363738394041 | #Proof of concept code to apply mailbox#folder permissions to all folders in#a mailbox [CmdletBinding()]param ( [Parameter( Mandatory=$true)] [string]$Mailbox, [Parameter( Mandatory=$true)] [string]$User, [Parameter( Mandatory=$true)] [string]$Access) $exclusions = @(“/Sync Issues”, “/Sync Issues/Conflicts”, “/Sync Issues/Local Failures”, “/Sync Issues/Server Failures”, “/Recoverable Items”, “/Deletions”, “/Purges”, “/Versions” ) $mailboxfolders = @(Get-MailboxFolderStatistics $Mailbox | Where {!($exclusions -icontains $_.FolderPath)} | Select FolderPath) foreach ($mailboxfolder in $mailboxfolders){ $folder = $mailboxfolder.FolderPath.Replace(“/”,”\”) if ($folder -match “Top of Information Store”) { $folder = $folder.Replace(“\Top of Information Store”,”\”) } $identity = “$($mailbox):$folder” Write-Host “Adding $user to $identity with $access permissions” Add-MailboxFolderPermission -Identity $identity -User $user -AccessRights $Access -ErrorAction SilentlyContinue} |
You can download the full Add-MailboxFolderPermissions.ps1 script from Github here.
| 1 | [PS] C:\Scripts>.\Add-MailboxFolderPermissions.ps1 -Mailbox alex.heyne -User alan.reid -Access reviewer |
So as you can see, granting read-only access to specific mailbox folders is quite simple, with just a little extra work required (or a script like the one above) to apply the permissions to all existing mailbox folders.
If you’re looking for a script to remove mailbox folder permissions I have also published Remove-MailboxFolderPermissions.ps1.