Managing folder/calendar permission

In this topic, we will review the usage of folder permissions within a mailbox using PowerShell in Exchange 2013 and 2016 On-Premise and the Exchange Online environment. The three cmdlets that will help us to modify and view the permission on inpidual folders are Add-MailboxFolderPermission, Set-MailboxFolderPermission, Get-MailboxFolderPermission, and Remove-MailboxFolderPermission.

You can specify the following access rights using the Access Rights parameter, which are self-explanatory. If you want to understand about a particular access rights, type Get-Help Set-Mailbox folder permission. The access rights available are: Read Items, Create Items, Edit Owned Items, Delete Owned Items, Edit All Items, Delete All Items, Create Subfolders, Folder Owner, Folder Contact, and Folder Visible

There is a provision to specify a combination of the previously mentioned access rights by using: None, Owner, Publishing Editor, Editor, Publishing Author, Author, Non Editing Author, Reviewer, and Contributor.

For Calendars, we have two levels of access:

• Availability Only: This right will only show availability data.
• Limited Details: This will allow users to view the availability data along with its subject and location

The following command will add Amy Alberts as the Owner of the marketing folder in John Doe's mailbox:

Add-MailboxFolderPermission -Identity johnd@contoso.com:\Marketing -User amya@contoso.com -AccessRights Owner

Now, the administrator who gave the permission earlier figured out that he wanted to only allow Amy as a Publishing Editor and not an owner. He will fix this using this command:

Set-MailboxFolderPermission -Identity johnd@contoso.com:\Marketing -User amya@contoso.com -AccessRights PublishingEditor

Now, let's add Holly as the Publishing Editor for John Doe's calendar:

Add-MailboxFolderPermission Johnd:\calendar -AccessRight PublishingEditor -User hollyh

Similarly, add Holly to John's contact folder as a Publishing Editor:

Add-MailboxFolderPermission Johnd:\contacts -AccessRight PublishingEditor -User hollyh

Now, let's view the results using the Get-Mailbox Folder permission. You can use the pipeline and select the desired results and even export it to a CSV file to review later:

Get-MailboxFolderPermission John:\calendar | Select FolderName, user, AccessRights
Get-MailboxFolderPermission John:\contacts
Get-MailboxFolderPermission John:\contacts | Select FolderName, user, AccessRights
Get-Mailbox | Get-MailboxFolderPermission | Export-CSV c:\temp\users.csv

Removing the permissions that are no longer required can be done by typing the following command:

Remove-MailboxFolderPermission Johnd:\calendar -User hollyh -Confirm:$false
Remove-MailboxFolderPermission Johnd:\contacts -User hollyh

As an Exchange administrator, there are times when you want to remove a particular user's access from all the mailboxes for a particular folder, such as the calendar in this case. The unfortunate user is John Doe in this case. The first cmdlet called Get-Mailbox will return all the mailboxes in the Exchange organization, and you can filter this output using multiple attributes in the Active directory especially if you are managing a large organization with thousands of users. The output of Get-Mailbox will be fed into a ForEach-Object loop, and it will remove the permission from the calendar folder of each mailbox for the user John:

Get-Mailbox | ForEach-Object {Remove-MailboxFolderPermission $_":\Calendar" -User Johnd} -Confirm:$False