Managing Mailbox Permissions CMDlets

Managing Mailbox Permissions PowerShell Commands

Grant Send on Behalf of Permissions

Set-Mailbox ‘user@domain.com’ -GrantSendOnBehalfTo ‘user@domain.com’

Add Editor permissions

Add-MailboxFolderPermission -Identity ‘user@domain.com’ -User ‘user@domain.com’ -AccessRights Editor

Add Reviewer permissions (what if)

Set-MailboxFolderPermission -Identity ‘user@domain.com’ -User ‘user@domain.com’ -AccessRights Reviewer -whatif

Getting Mailbox Folder Permissions

Get-MailboxFolderPermission -Identity ‘user@domain.com’ | fl

Get-MailboxFolderPermission -Identity user@domain.com:\inbox

Impersonation Rights

New-ManagementRoleAssignment Name:RoleName -Role:ApplicationImpersonation -User:’domain\alias’

Get User Mailbox Permissions other than Inherited Permissions

Get-MailboxPermission -identity ‘user@domain.com’ | Where-Object {($_.AccessRights -like “*FullAccess*”) -and ($_.User -notlike “NT AUTHORITY\SELF”) -and ($_.IsInherited -eq $false)}

Get ALL User Mailbox Permissions

Get-MailboxPermission ‘user@domain.com’ | ft -AutoSize

Get User Mailbox Permissions (defined)

Get-MailboxPermission ‘user@domain.com’ | ft User,AccessRights -AutoSize

Use this command to find who is being rejected from sending to the target mailbox

get-mailbox -Identity ‘target mailbox’ | fl name, *reject*

Find Mailbox Folder Stats on folder

Get-MailboxFolderStatistics ‘user@domain.com’ | Where { $_.FolderPath.Contains(“FolderName”) -eq $true }

Find Mailbox Folder Stats on folder and add permissions

ForEach($f in (Get-MailboxFolderStatistics John | Where { $_.FolderPath.Contains(“/Clients”) -eq $True } ) ) {$fname = “John:” + $f.FolderPath.Replace(“/”,”\”); Add-MailboxFolderPermission $fname -User Jane -AccessRights Reviewer }

Remember

Set-MailboxFolderPermission cmdlet only updates existing folder-level permissions for all folders within a user’s mailbox

Add-MailboxFolderPermission cmdlet adds new permissions to mailbox

Grant Full Access and SendAs Permissions

Add-MailboxPermission -Identity ‘user@domain.com’ -User ‘user alias’ -AccessRights FullAccess

Add-ADPermission ‘user alias’ -User ‘user alias’ -Extendedrights “Send As”

View Send As permission (use display name)

Get-ADPermission ‘User Display name)’ | select user,extendedrights

Remove Full Access mailbox permission

Remove-MailboxPermission -Identity ‘user@domain.com’ -User domain\alias -AccessRights FullAccess -InheritanceType all

Get AD Permission ‘not inherited’, like local domain users 

Get-Mailbox -identity ‘User Alias’ | Get-ADPermission | where {($_.IsInherited -eq $false) -and ($_.User -like “Test_USERS*”)} | select User, extendedrights

Get Mailbox Permission ‘not inherited’, like local domain users

Get-MailboxPermission -Identity user@domain.com | where {($_.IsInherited -eq $false) -and ($_.User -like “Test_USERS*”)} | select User,Accessrights | FT

Get AD Permission ‘not inherited’

Get-Mailbox -identity ‘User Name’ | Get-ADPermission | where {($_.IsInherited -eq $false)} | select User, extendedrights

Get AD Permission ‘not inherited’, like local domain users

Get-Mailbox -identity ‘User Name’ | Get-ADPermission | where {($_.IsInherited -eq $false) -and ($_.User -like “Pilot*”)} | select User, extendedrights

Get Mailbox Permission ‘not inherited’, like local domain users 

Get-MailboxPermission -Identity user@domain.com | where {($_.IsInherited -eq $false) -and ($_.User -like “Pilot*”)} | select User,Accessrights | FT

Grant Read Only permissions

Add-MailboxPermission -Identity “User Name” -User “domain\user” -AccessRights ReadPermission

Remove Read Only permissions

Remove-MailboxPermission -Identity “User Name” -User “domain\user” -AccessRights ReadPermission

Set Read-Only Permisions to existing

Set-MailboxFolderPermission -Identity user@domain.com -User user@domain.com -AccessRights Reviewer

Set-MailboxFolderPermission -Identity user@domain.com -User ‘domain\user’ -AccessRights Reviewer

Grant Users full access permissions to mailboxes

Add-MailboxPermission -Identity user@domain.com -User ‘User’ -AccessRights FullAccess

Grant Full Access to a Room Mailbox

Add-MailboxPermission -Identity ‘Conference-Room’ -User ‘user@domain.com’ -AccessRights FullAccess

When you assign full access rights to a mailbox, you may notice that the change does not take effect immediately, and the user that has been granted permissions to a mailbox still cannot access that resource. This is because the Information Store service uses a cached mailbox configuration that by default is only refreshed every two hours. You can force the cache to refresh by restarting the Information Store service on the mailbox server that is hosting the active database where the mailbox resides.

Get ‘Send on Behalf of’ permissions

Get-Mailbox -identity ‘user@domain.com’ | fl name, grant*

Set Send on Behalf permissions

Set-Mailbox UserMailbox -GrantSendOnBehalfTo UserWhoSends

Remove Users full access permissions to mailboxes

Remove-MailboxPermission -Identity user1 -User user2 -AccessRights FullAccess -Confirm:$false

Grant Group full access permissions to mailbox

Add-MailboxPermission -Identity user -User “Help Desk” -AccessRights FullAccess

Leave a Reply

Your email address will not be published. Required fields are marked *