Exchange Copy-MailboxFolderPermission

Are you sometimes asked by VIPs to get Folder Permissions sorted out in Outlook when they get a replacement PA?

Of course this can be done by the VIP themselves, but what if they have more than 100 folders? Outlook permissions don't inherit down, so it isn't enough to set the permission at the top level and let it inherit; each folder needs to be set individually.

One nice way is to ask the VIP to set up the delegation for the new PA (since that configures various settings that you can't easily do in PowerShell) and then use the following script to copy the folder permissions from the existing PA to the new PA, and you're done.

The full script is attached at the end.

Param(
   [Parameter(Position=0,Mandatory=$true)]
   [string]$Mailbox = $null,
   [Parameter(Position=1,Mandatory=$true)]
   [string]$FromRecipient = $null,
   [Parameter(Position=2,Mandatory=$true)]
   [string]$ToRecipient = $null
)

The above declares the three mandatory parameters that we need: the mailbox, the existing PA to copy rights from, and the new PA to copy rights to.

if( !$Mailbox -or (@(Get-Mailbox $Mailbox -ErrorAction Silentlycontinue).count -ne 1)) {
   Write-Host ("Mailbox '{0}' not found or ambiguous" -f $Mailbox) -ForegroundColor Red
   return
}
 
if( !$FromRecipient -or (@(Get-Recipient $FromRecipient -ErrorAction Silentlycontinue).count -ne 1)) {
   Write-Host ("From Recipient '{0}' not found or ambiguous" -f $FromRecipient) -ForegroundColor Red
   return
}
 
if( !$ToRecipient -or (@(Get-Recipient $ToRecipient -ErrorAction Silentlycontinue).count -ne 1)) {
   Write-Host ("To Recipient '{0}' not found or ambiguous" -f $ToRecipient) -ForegroundColor Red
   return
}

The above validates the parameters passed, ensuring that each one is present and resolves to exactly one Exchange object.

$GrantedFolderCount = 0
$FolderCount = 0
$folderstats = Get-MailboxFolderStatistics $mailbox

The above sets up some counters and then gets the full list of folders in the mailbox.

foreach( $folder in $folderstats ) {
   $FolderCount++
   # Build the folder identity as 'mailbox:\path'; FolderPath uses '/' as separator
   $path = ("{0}:{1}" -f $Mailbox, ($folder.FolderPath -replace '/', '\'))
   # for the root we don't want the \Top of Information Store in full just \
   if( $folder.FolderType -eq 'Root' ) {
      $path = ("{0}:\" -f $Mailbox)
   }
   Write-Host ( "Processing '{0}' folder number {1} out of {2}" -f $path, $FolderCount, $folderstats.count )
   # Clear any existing entry for the new PA so only the copied rights remain
   Remove-MailboxFolderPermission $path -user $ToRecipient -Confirm:$False -ErrorAction SilentlyContinue
   # Look up the existing PA's rights on this folder (nothing returned if there are none)
   $permission = Get-MailboxFolderPermission $path -user $FromRecipient -ErrorAction SilentlyContinue
   if( $permission ) {
      $GrantedFolderCount++
      Write-Host ( "Granting rights to '{0}'" -f $path )
      Add-MailboxFolderPermission $path -user $ToRecipient -AccessRights $permission.AccessRights
   }
}

The above is the main piece of the code. It iterates through each folder and checks whether the From recipient has any rights on it; if so, it applies those rights to the To recipient. Note that we first remove the ToRecipient's rights from each folder, so that at the end the From and To recipients should have the same rights throughout the mailbox.

Write-Host ( "Granted access to {0} folders" -f $GrantedFolderCount )

Finally, this writes out how many folders the ToRecipient now has rights to.
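Because the loop suppresses errors with -ErrorAction SilentlyContinue, it is worth checking afterwards that the two recipients really do hold the same rights on every folder. The following is an added example, not part of the original script: the function name Compare-FolderRights, the entry shape (FolderPath, User, AccessRights) and the sample users are assumptions, and the data is constructed so the block runs without an Exchange session.

```powershell
# Added example, not part of the original script. Entries are constructed objects
# (FolderPath, User, AccessRights); on a live system they would be collected from
# Get-MailboxFolderPermission for each folder path the script processed.
function Compare-FolderRights {
    param(
        [Parameter(Mandatory=$true)] [object[]]$Entries,
        [Parameter(Mandatory=$true)] [string]$FromRecipient,
        [Parameter(Mandatory=$true)] [string]$ToRecipient
    )
    foreach( $group in ($Entries | Group-Object FolderPath) ) {
        # Reduce each user's rights to a sorted, comma-joined string ('' = no entry)
        $rights = @{}
        foreach( $user in $FromRecipient, $ToRecipient ) {
            $found = foreach( $e in $group.Group ) {
                if( $e.User -eq $user ) { $e.AccessRights }
            }
            $rights[$user] = (@($found) | Sort-Object) -join ','
        }
        $from = $rights[$FromRecipient]
        $to   = $rights[$ToRecipient]
        if( $from -eq $to ) { continue }   # identical rights: nothing to report

        # Classify the difference so the follow-up action is obvious
        $status = 'Different'
        if( -not $to )   { $status = 'MissingOnTo' }   # copy did not land
        if( -not $from ) { $status = 'ExtraOnTo' }     # old entry was not removed
        [pscustomobject]@{
            Folder     = $group.Name
            FromRights = $from
            ToRights   = $to
            Status     = $status
        }
    }
}

# Constructed sample data: one matching folder and three kinds of drift
$sample = @(
    [pscustomobject]@{ FolderPath='\Inbox';       User='old.pa'; AccessRights=@('Editor') }
    [pscustomobject]@{ FolderPath='\Inbox';       User='new.pa'; AccessRights=@('Editor') }
    [pscustomobject]@{ FolderPath='\Calendar';    User='old.pa'; AccessRights=@('Editor') }
    [pscustomobject]@{ FolderPath='\Calendar';    User='new.pa'; AccessRights=@('Reviewer') }
    [pscustomobject]@{ FolderPath='\Inbox\Board'; User='old.pa'; AccessRights=@('ReadItems','CreateItems') }
    [pscustomobject]@{ FolderPath='\Drafts';      User='new.pa'; AccessRights=@('Owner') }
)
Compare-FolderRights -Entries $sample -FromRecipient 'old.pa' -ToRecipient 'new.pa' |
    Format-Table -AutoSize
```

On a live system the User value returned by Get-MailboxFolderPermission has to be normalised to the same string form as the two recipient arguments before the entries are passed in.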

 

*** As always the script is provided on an as is basis, please test it before you use it in a production environment. ***

Copy-MailboxFolderPermission.ps1

Twan van Beers

Twan is a senior consultant with over 20 years of experience. He has a wide range of skills including Messaging, Active Directory, SQL, Networking and Firewalls. Twan loves to write scripts and get deep and dirty into debugging code, in order to understand and resolve the most complex of problems.
