Managing Mailbox Permissions PowerShell Commands
Grant Send on Behalf of Permissions
Set-Mailbox '[email protected]' -GrantSendOnBehalfTo '[email protected]'
Add Editor permissions
Add-MailboxFolderPermission -Identity '[email protected]' -User '[email protected]' -AccessRights Editor
Add Reviewer permissions (what if)
Set-MailboxFolderPermission -Identity '[email protected]' -User '[email protected]' -AccessRights Reviewer -WhatIf
Getting Mailbox Folder Permissions
Get-MailboxFolderPermission -Identity '[email protected]' | fl
Get-MailboxFolderPermission -Identity [email protected]:\inbox
Impersonation Rights
New-ManagementRoleAssignment -Name:RoleName -Role:ApplicationImpersonation -User:'domain\alias'
Get User Mailbox Permissions other than Inherited Permissions
Get-MailboxPermission -Identity '[email protected]' | Where-Object {($_.AccessRights -like "*FullAccess*") -and ($_.User -notlike "NT AUTHORITY\SELF") -and ($_.IsInherited -eq $false)}
Get ALL User Mailbox Permissions
Get-MailboxPermission '[email protected]' | ft -AutoSize
Get User Mailbox Permissions (defined)
Get-MailboxPermission '[email protected]' | ft User,AccessRights -AutoSize
Use this command to find who is being rejected from sending to the target mailbox
Get-Mailbox -Identity 'target mailbox' | fl name, *reject*
Find Mailbox Folder Stats on folder
Get-MailboxFolderStatistics '[email protected]' | Where { $_.FolderPath.Contains("FolderName") -eq $true }
Find Mailbox Folder Stats on folder and add permissions
ForEach ($f in (Get-MailboxFolderStatistics John | Where { $_.FolderPath.Contains("/Clients") -eq $true })) { $fname = "John:" + $f.FolderPath.Replace("/","\"); Add-MailboxFolderPermission $fname -User Jane -AccessRights Reviewer }
Remember
The Set-MailboxFolderPermission cmdlet only updates folder-level permissions that already exist on folders within a user's mailbox.
The Add-MailboxFolderPermission cmdlet adds new folder-level permissions to a mailbox.
Grant Full Access and SendAs Permissions
Add-MailboxPermission -Identity '[email protected]' -User 'user alias' -AccessRights FullAccess
Add-ADPermission 'user alias' -User 'user alias' -ExtendedRights "Send As"
View Send As permission (use display name)
Get-ADPermission 'User Display name' | select User,ExtendedRights
Remove Full Access mailbox permission
Remove-MailboxPermission -Identity '[email protected]' -User domain\alias -AccessRights FullAccess -InheritanceType All
Get AD Permission ‘not inherited’, like local domain users
Get-Mailbox -Identity 'User Alias' | Get-ADPermission | where {($_.IsInherited -eq $false) -and ($_.User -like "Test_USERS*")} | select User,ExtendedRights
Get Mailbox Permission ‘not inherited’, like local domain users
Get-MailboxPermission -Identity [email protected] | where {($_.IsInherited -eq $false) -and ($_.User -like "Test_USERS*")} | select User,AccessRights | ft
Get AD Permission ‘not inherited’
Get-Mailbox -Identity 'User Name' | Get-ADPermission | where {($_.IsInherited -eq $false)} | select User,ExtendedRights
Get AD Permission ‘not inherited’, like local domain users
Get-Mailbox -Identity 'User Name' | Get-ADPermission | where {($_.IsInherited -eq $false) -and ($_.User -like "Pilot*")} | select User,ExtendedRights
Get Mailbox Permission ‘not inherited’, like local domain users
Get-MailboxPermission -Identity [email protected] | where {($_.IsInherited -eq $false) -and ($_.User -like "Pilot*")} | select User,AccessRights | ft
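The "not inherited" filters above (and the FullAccess filter near the top of the page) can be wrapped into one reusable pipeline filter for reviewing who holds explicit access to a mailbox. This is an added example, not part of the original page: the function name Select-ExplicitMailboxGrant and the sample rows are constructed, and the rows only imitate the properties Get-MailboxPermission returns so the block runs without an Exchange session.

```powershell
# Added example: the function name and the sample rows are constructed for illustration.
function Select-ExplicitMailboxGrant {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-MailboxPermission output.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Entry,
        # Right to look for, e.g. FullAccess or ReadPermission.
        [string]$Right = 'FullAccess',
        # Trustees expected on every mailbox, so not worth reporting.
        [string[]]$IgnoreUser = @('NT AUTHORITY\SELF')
    )
    process {
        if ($Entry.IsInherited -or $Entry.Deny) { return }   # skip inherited and deny entries
        if ($IgnoreUser -contains [string]$Entry.User) { return }
        # AccessRights may hold several values, or one "A, B" string: flatten both forms.
        $rights = @($Entry.AccessRights | ForEach-Object { "$_" -split ',\s*' })
        if ($rights -notcontains $Right) { return }
        [pscustomobject]@{
            Mailbox = [string]$Entry.Identity
            Trustee = [string]$Entry.User
            Right   = $Right
        }
    }
}

# Constructed sample rows (not real data) standing in for Get-MailboxPermission output.
$sample = @(
    [pscustomobject]@{ Identity = 'John'; User = 'NT AUTHORITY\SELF'; AccessRights = @('FullAccess', 'ReadPermission'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'John'; User = 'EXAMPLE\Exchange Servers'; AccessRights = @('FullAccess'); IsInherited = $true; Deny = $false }
    [pscustomobject]@{ Identity = 'John'; User = 'EXAMPLE\Jane'; AccessRights = @('FullAccess'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'John'; User = 'EXAMPLE\Pilot_Users'; AccessRights = 'FullAccess, ReadPermission'; IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'John'; User = 'EXAMPLE\Temp'; AccessRights = @('ReadPermission'); IsInherited = $false; Deny = $false }
)

$sample | Select-ExplicitMailboxGrant | Format-Table -AutoSize

# Against a live Exchange session the same filter runs over every mailbox:
# Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Select-ExplicitMailboxGrant
```

Piping the result to Export-Csv instead of Format-Table gives a snapshot that can be compared between review dates to spot newly added delegates.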
Grant Read Only permissions
Add-MailboxPermission -Identity "User Name" -User "domain\user" -AccessRights ReadPermission
Remove Read Only permissions
Remove-MailboxPermission -Identity "User Name" -User "domain\user" -AccessRights ReadPermission
Set Read-Only Permissions to existing
Set-MailboxFolderPermission -Identity [email protected] -User [email protected] -AccessRights Reviewer
Set-MailboxFolderPermission -Identity [email protected] -User 'domain\user' -AccessRights Reviewer
Grant Users full access permissions to mailboxes
Add-MailboxPermission -Identity [email protected] -User 'User' -AccessRights FullAccess
Grant Full Access to a Room Mailbox
Add-MailboxPermission -Identity 'Conference-Room' -User '[email protected]' -AccessRights FullAccess
When you assign full access rights to a mailbox, you may notice that the change does not take effect immediately, and the user that has been granted permissions to a mailbox still cannot access that resource. This is because the Information Store service uses a cached mailbox configuration that by default is only refreshed every two hours. You can force the cache to refresh by restarting the Information Store service on the mailbox server that is hosting the active database where the mailbox resides.
Get ‘Send on Behalf of’ permissions
Get-Mailbox -Identity '[email protected]' | fl name, grant*
Set Send on Behalf permissions
Set-Mailbox UserMailbox -GrantSendOnBehalfTo UserWhoSends
Remove Users full access permissions to mailboxes
Remove-MailboxPermission -Identity user1 -User user2 -AccessRights FullAccess -Confirm:$false
Grant Group full access permissions to mailbox
Add-MailboxPermission -Identity user -User "Help Desk" -AccessRights FullAccess