Wednesday, October 11, 2017

Delegate Access Recursively in Exchange 2010 using Powershell


It wasn't straightforward to add an ex-employee's mailbox to another user, or set of users, with ReadPermissions only or Reviewer access.

Problems:

- "cannot expand folders" error after mailbox was added
- there were no folders in the mailbox which was added
- A bit of a shuffle and wait in regards to adding the read-only data to the user's mailbox
- You want to add/remove/change access to multiple, nested folders using PowerShell.

I only wanted to give read access, not the ability to make changes - for a number of reasons - but really to maintain the integrity and authenticity of the mailbox (didn't want other employees removing data, etc.).


Keep in Mind:

Add-* cmdlets (e.g. Add-MailboxFolderPermission) add new entries, but do not modify entries if they already exist.
Set-* cmdlets (e.g. Set-MailboxFolderPermission) modify entries, but do not add new entries if they don't exist.
Remove-* cmdlets (e.g. Remove-MailboxFolderPermission) remove entries.
Appending -WhatIf to any of these commands will show you what it would do, as opposed to doing it.
Following any command with | Out-File C:\myresults.txt will write the console output to a text file, so you can browse or search it and use the results as strings.
Gee, PowerShell is cool!

With this in mind, if you're modifying or removing access, simply change to the appropriate verb in any PowerShell command... mostly.

Solutions:

Using Exchange 2010 PowerShell:

First, add the generic permission:

add-mailboxpermission -identity UserBeingShared -user UserReceivingAccess -AccessRights ReadPermissions -InheritanceType All -AutoMapping $True

( Reference: https://technet.microsoft.com/en-us/library/bb124097(v=exchg.160).aspx )

This gives access and maps the folder - but you will probably get a "cannot expand folders" error when attempting to open it.


Next, add the permissions you want: 
If you just want to add a single folder, that's easy:

Add-mailboxfolderpermission -identity UserBeingShared:\Inbox -user UserReceivingAccess -AccessRights Reviewer

( Reference: https://technet.microsoft.com/en-us/library/dd298062(v=exchg.141).aspx )

You'll notice that just the inbox comes through.

If you want to add everything:

ForEach($f in (Get-MailboxFolderStatistics UserBeingShared| Where { $_.FolderPath} ) ) { $fname = "UserBeingShared:" + $f.FolderPath.Replace("/","\"); Add-MailboxFolderPermission $fname -User UserReceivingAccess -AccessRights Reviewer }

If you don't want to share everything but do need recursion, check out:

ForEach($f in (Get-MailboxFolderStatistics UserA | Where { $_.FolderPath.Contains("/Inbox") -eq $True } ) ) {
 $fname = "UserA:" + $f.FolderPath.Replace("/","\");
 Add-MailboxFolderPermission $fname -User UserB -AccessRights Reviewer }


Credit due here, and, recursively :-)
https://social.technet.microsoft.com/Forums/exchange/en-US/ab720430-8b3a-4a31-8f29-b0ddbf064ea6/grant-full-inbox-access?forum=exchange2010
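An added example (not from the original post or the linked thread) that combines the recursion above with the Add/Set distinction from "Keep in Mind", so it can be re-run without errors and previewed with -WhatIf. Grant-ReviewerRecursive and its parameter names are hypothetical; the Exchange cmdlets it calls are the ones used above plus Get-MailboxFolderPermission and Set-MailboxFolderPermission.

```powershell
# Added example: idempotent Reviewer grant across a folder tree (Exchange Management Shell).
# Grant-ReviewerRecursive and its parameters are hypothetical names, not Exchange cmdlets.
function Grant-ReviewerRecursive {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Mailbox,    # e.g. UserBeingShared
        [Parameter(Mandatory = $true)][string]$Delegate,   # e.g. UserReceivingAccess
        [string]$UnderPath = "/",                          # "/" = everything, "/Inbox" = Inbox subtree
        [string]$AccessRights = "Reviewer"
    )

    $folders = Get-MailboxFolderStatistics $Mailbox |
        Where-Object { $_.FolderPath -and $_.FolderPath.StartsWith($UnderPath) }

    foreach ($f in $folders) {
        # Get-MailboxFolderStatistics reports the mailbox root as "/Top of Information Store";
        # as a folder identity the root is written "Mailbox:\".
        if ($f.FolderPath -eq "/Top of Information Store") {
            $id = $Mailbox + ":\"
        } else {
            $id = $Mailbox + ":" + $f.FolderPath.Replace("/", "\")
        }

        # Add-* fails on an existing entry and Set-* fails on a missing one, so check first.
        $existing = Get-MailboxFolderPermission -Identity $id -User $Delegate -ErrorAction SilentlyContinue

        # Under -WhatIf, ShouldProcess prints the planned action and returns $false.
        if ($PSCmdlet.ShouldProcess($id, "Grant $AccessRights to $Delegate")) {
            if ($existing) {
                Set-MailboxFolderPermission -Identity $id -User $Delegate -AccessRights $AccessRights
            } else {
                Add-MailboxFolderPermission -Identity $id -User $Delegate -AccessRights $AccessRights
            }
        }
    }
}

# Dry run first, then apply:
# Grant-ReviewerRecursive -Mailbox UserBeingShared -Delegate UserReceivingAccess -WhatIf
# Grant-ReviewerRecursive -Mailbox UserBeingShared -Delegate UserReceivingAccess
```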


Misc: 


If the delegated mailbox does not appear in Outlook, try closing and re-opening Outlook, waiting 15 minutes, or adding it manually by opening that user's email setup, choosing Advanced, then adding the mailbox in question.

You should see the delegated user's name, with an expand caret next to it.

