How to Grant Read-Only Access to an Exchange Mailbox

Where some admins get stuck is in the Exchange Management Console, therapy which only presents the option to grant full access to a mailbox.

exchange-read-access-mailbox-02

Instead we need to use the Exchange Management Shell and run the Add-MailboxFolderPermission cmdlet.

The first step is to grant permissions (in this case “Reviewer”) to the “Top of Information Store”.

[PS] C:>Add-MailboxFolderPermission -Identity alex.heyne: -User Alan.Reid -AccessRights Reviewer

RunspaceId   : 2cc2f5f2-77a3-42b6-9221-83cf24c494c6
FolderName   : Top of Information Store
User         : Alan Reid
AccessRights : {Reviewer}
Identity     : Alan Reid
IsValid      : True

Those permissions do not inherit down the mailbox folder hierarchy to existing folders (newly created folders will inherit the permissions of their parent folder though). So you still need to grant permissions for specific folders, for example the inbox:

[PS] C:>Add-MailboxFolderPermission -Identity alex.heyne:Inbox -User Alan.Reid -AccessRights Reviewer

RunspaceId   : 2cc2f5f2-77a3-42b6-9221-83cf24c494c6
FolderName   : Inbox
User         : Alan Reid
AccessRights : {Reviewer}
Identity     : Alan Reid
IsValid      : True

Or the calendar:

[PS] C:>Add-MailboxFolderPermission -Identity alex.heyne:Calendar -User Alan.Reid -AccessRights Reviewer

RunspaceId   : 2cc2f5f2-77a3-42b6-9221-83cf24c494c6
FolderName   : Calendar
User         : Alan Reid
AccessRights : {Reviewer}
Identity     : Alan Reid
IsValid      : True

This starts to get tedious if you want to grant permissions to the entire mailbox folder hierarchy. For that you would need to write a script.

Here is an example:

#Proof of concept code to apply mailbox
#folder permissions to all folders in
#a mailbox

[CmdletBinding()]
param (
[Parameter( Mandatory=$true)]
[string]$Mailbox,

[Parameter( Mandatory=$true)]
[string]$User,

[Parameter( Mandatory=$true)]
[string]$Access
)

$exclusions = @("/Sync Issues",
"/Sync Issues/Conflicts",
"/Sync Issues/Local Failures",
"/Sync Issues/Server Failures",
"/Recoverable Items",
"/Deletions",
"/Purges",
"/Versions"
)

$mailboxfolders = @(Get-MailboxFolderStatistics $Mailbox | Where {!($exclusions -icontains $_.FolderPath)} | Select FolderPath)

foreach ($mailboxfolder in $mailboxfolders)
{
$folder = $mailboxfolder.FolderPath.Replace("/","\")
$identity = "$($mailbox):$folder"
Write-Host "Adding $user to $identity with $access permissions"
Add-MailboxFolderPermission -Identity $identity -User $user -AccessRights $Access
}

Save that code as a .ps1 file and run it in the Exchange Management Shell with the required parameters.

[PS] C:Scripts>.MailboxFolderPermissions.ps1 -Mailbox alex.heyne -User alan.reid -Access reviewer

So as you can see, granting read-only access to specific mailbox folders is quite simple, with just a little extra work required (or a script like the one above) to apply the permissions to all existing mailbox folders.

Revisions

No comments yet.

Leave a Reply