Managing Mailbox Permissions CMDlets

Managing Mailbox Permissions PowerShell Commands

Grant Send on Behalf of Permissions

Set-Mailbox ‘[email protected]’ -GrantSendOnBehalfTo ‘[email protected]

Add Editor permissions

Add-MailboxFolderPermission -Identity ‘[email protected]’ -User ‘[email protected]’ -AccessRights Editor

Add Reviewer permissions (what if)

Set-MailboxFolderPermission -Identity ‘[email protected]’ -User ‘[email protected]’ -AccessRights Reviewer -whatif

Getting Mailbox Folder Permissions

Get-MailboxFolderPermission -Identity ‘[email protected]’ | fl

Get-MailboxFolderPermission -Identity [email protected]:\inbox

Impersonation Rights

New-ManagementRoleAssignment Name:RoleName -Role:ApplicationImpersonation -User:’domain\alias’

Get User Mailbox Permissions other than Inherited Permissions

Get-MailboxPermission -identity ‘[email protected]’ | Where-Object {($_.AccessRights -like “*FullAccess*”) -and ($_.User -notlike “NT AUTHORITY\SELF”) -and ($_.IsInherited -eq $false)}

Get ALL User Mailbox Permissions

Get-MailboxPermission ‘[email protected]’ | ft -AutoSize

Get User Mailbox Permissions (defined)

Get-MailboxPermission ‘[email protected]’ | ft User,AccessRights -AutoSize

Use this command to find who is being rejected from sending to the target mailbox

get-mailbox -Identity ‘target mailbox’ | fl name, *reject*

Find Mailbox Folder Stats on folder

Get-MailboxFolderStatistics ‘[email protected]’ | Where { $_.FolderPath.Contains(“FolderName”) -eq $true }

Find Mailbox Folder Stats on folder and add permissions

ForEach($f in (Get-MailboxFolderStatistics John | Where { $_.FolderPath.Contains(“/Clients”) -eq $True } ) ) {$fname = “John:” + $f.FolderPath.Replace(“/”,”\”); Add-MailboxFolderPermission $fname -User Jane -AccessRights Reviewer }

Remember

Set-MailboxFolderPermission cmdlet only updates existing folder-level permissions for all folders within a user’s mailbox

Add-MailboxFolderPermission cmdlet adds new permissions to mailbox

Grant Full Access and SendAs Permissions

Add-MailboxPermission -Identity ‘[email protected]’ -User ‘user alias’ -AccessRights FullAccess

Add-ADPermission ‘user alias’ -User ‘user alias’ -Extendedrights “Send As”

View Send As permission (use display name)

Get-ADPermission ‘User Display name)’ | select user,extendedrights

Remove Full Access mailbox permission

Remove-MailboxPermission -Identity ‘[email protected]’ -User domain\alias -AccessRights FullAccess -InheritanceType all

Get AD Permission ‘not inherited’, like local domain users 

Get-Mailbox -identity ‘User Alias’ | Get-ADPermission | where {($_.IsInherited -eq $false) -and ($_.User -like “Test_USERS*”)} | select User, extendedrights

Get Mailbox Permission ‘not inherited’, like local domain users

Get-MailboxPermission -Identity [email protected] | where {($_.IsInherited -eq $false) -and ($_.User -like “Test_USERS*”)} | select User,Accessrights | FT

Get AD Permission ‘not inherited’

Get-Mailbox -identity ‘User Name’ | Get-ADPermission | where {($_.IsInherited -eq $false)} | select User, extendedrights

Get AD Permission ‘not inherited’, like local domain users

Get-Mailbox -identity ‘User Name’ | Get-ADPermission | where {($_.IsInherited -eq $false) -and ($_.User -like “Pilot*”)} | select User, extendedrights

Get Mailbox Permission ‘not inherited’, like local domain users 

Get-MailboxPermission -Identity [email protected] | where {($_.IsInherited -eq $false) -and ($_.User -like “Pilot*”)} | select User,Accessrights | FT

Grant Read Only permissions

Add-MailboxPermission -Identity “User Name” -User “domain\user” -AccessRights ReadPermission

Remove Read Only permissions

Remove-MailboxPermission -Identity “User Name” -User “domain\user” -AccessRights ReadPermission

Set Read-Only Permisions to existing

Set-MailboxFolderPermission -Identity [email protected] -User [email protected] -AccessRights Reviewer

Set-MailboxFolderPermission -Identity [email protected] -User ‘domain\user’ -AccessRights Reviewer

Grant Users full access permissions to mailboxes

Add-MailboxPermission -Identity [email protected] -User ‘User’ -AccessRights FullAccess

Grant Full Access to a Room Mailbox

Add-MailboxPermission -Identity ‘Conference-Room’ -User ‘[email protected]’ -AccessRights FullAccess

When you assign full access rights to a mailbox, you may notice that the change does not take effect immediately, and the user that has been granted permissions to a mailbox still cannot access that resource. This is because the Information Store service uses a cached mailbox configuration that by default is only refreshed every two hours. You can force the cache to refresh by restarting the Information Store service on the mailbox server that is hosting the active database where the mailbox resides.

Get ‘Send on Behalf of’ permissions

Get-Mailbox -identity ‘[email protected]’ | fl name, grant*

Set Send on Behalf permissions

Set-Mailbox UserMailbox -GrantSendOnBehalfTo UserWhoSends

Remove Users full access permissions to mailboxes

Remove-MailboxPermission -Identity user1 -User user2 -AccessRights FullAccess -Confirm:$false

Grant Group full access permissions to mailbox

Add-MailboxPermission -Identity user -User “Help Desk” -AccessRights FullAccess

Leave a Reply

%d bloggers like this: