Nitin Gupta's Leaf

Exchange 2010 SP1: Add/Modify Mailbox Folder Permissions (Add-MailboxFolderPermission and Set-MailboxFolderPermission)

In Exchange 2010 RTM, a new cmdlet, “Add-MailboxFolderPermission”, was added that enabled administrators (with the necessary permissions) to delegate folder-level permissions for all folders within a user’s mailbox. The limitation of this cmdlet was that once a user had been given permission to a mailbox folder, you could not change that permission: you had to remove it using “Remove-MailboxFolderPermission” and then re-assign it.

With Exchange 2010 SP1 (beta), we now have a new cmdlet, “Set-MailboxFolderPermission”, that edits an existing permission entry. To use Set-MailboxFolderPermission to assign permissions to a user on a mailbox folder, an entry for that user must already be present. This means that before running Set-MailboxFolderPermission, we first need to set permissions for the user with Add-MailboxFolderPermission.

Let me explain this with an example.

Let us first look at the Add-MailboxFolderPermission cmdlet. In my example I will give the user “Quest-User99” the “Reviewer” permissions on the Inbox folder of the mailbox “Nitin Gupta”.

Add-MailboxFolderPermission -Identity ngupta@quest-demo.com:\Inbox -User quest-user99@quest-demo.com -AccessRights ReadItems

Once this is done, we will use the Get-MailboxFolderPermission cmdlet to check the permissions….

Get-MailboxFolderPermission -Identity ngupta@quest-demo.com:\Inbox

So far so good. Now let us try to use the Add-MailboxFolderPermission cmdlet to change the permissions of “Quest-User99” on the mailbox “Nitin Gupta” to FolderVisible….

Add-MailboxFolderPermission -Identity ngupta@quest-demo.com:\Inbox -User quest-user99@quest-demo.com -AccessRights FolderVisible

So what happens? As mentioned in the beginning, we encounter an error….

An existing permission entry was found for user: Quest-User99.
    + CategoryInfo          : NotSpecified: (0:Int32) [Add-MailboxFolderPermission], UserAlreadyExis…nEntryException
    + FullyQualifiedErrorId : CACE8CC4,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission

This means that Add-MailboxFolderPermission cannot be used to modify an existing permission. So what was the workaround up to Exchange 2010 RTM? Remove the permissions and re-assign them…

What happens now with Exchange 2010 SP1 (beta)….

With SP1, we now have “Set-MailboxFolderPermission” that we will use to modify the permissions….

Set-MailboxFolderPermission -Identity ngupta@quest-demo.com:\Inbox -User quest-user99@quest-demo.com -AccessRights FolderVisible

Wonderful. Now let us look at the case where there is no permission entry for a user on a mailbox. To see this, let us remove the permissions of “Quest-User99” from the Inbox folder on the mailbox “Nitin Gupta”:

Remove-MailboxFolderPermission -Identity ngupta@quest-demo.com:\Inbox -User quest-user99@quest-demo.com

So now “Quest-User99” does not have any permission on the mailbox “Nitin Gupta”. Let us run the Set-MailboxFolderPermission cmdlet:

[PS] C:\>Set-MailboxFolderPermission -Identity ngupta@quest-demo.com:\Inbox -User quest-user99@quest-demo.com -AccessRights Owner

There is no existing permission entry found for user: Quest-User99.
    + CategoryInfo          : NotSpecified: (0:Int32) [Set-MailboxFolderPermission], UserNotFoundInPermissionEntryException
    + FullyQualifiedErrorId : 4A3CC18C,Microsoft.Exchange.Management.StoreTasks.SetMailboxFolderPermission

This shows that a permission entry is required before we can use Set-MailboxFolderPermission to edit/modify the permissions.
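
The two errors above mean that a script granting folder access has to choose the cmdlet according to whether an entry already exists. The following is an added example, not code from the original post: a hypothetical helper, Grant-FolderAccess (the function name and its -Folder parameter are assumptions), that checks with Get-MailboxFolderPermission first, then calls Add- or Set-MailboxFolderPermission, and returns a before/after record of the change.

```powershell
# Added example: hypothetical helper, not an Exchange cmdlet.
# Run from the Exchange Management Shell (Exchange 2010 SP1 or later).
function Grant-FolderAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]   $Folder,       # e.g. 'ngupta@quest-demo.com:\Inbox'
        [Parameter(Mandatory = $true)][string]   $User,
        [Parameter(Mandatory = $true)][string[]] $AccessRights  # individual rights or one role
    )

    # Look up the user's current entry. A missing entry raises an error, which
    # is suppressed here so that $existing is simply $null in that case.
    $existing = Get-MailboxFolderPermission -Identity $Folder -User $User -ErrorAction SilentlyContinue

    if ($existing) {
        $before = ($existing.AccessRights | ForEach-Object { $_.ToString() }) -join ', '
        $verb   = 'Set'   # entry exists: Add-MailboxFolderPermission would fail
    } else {
        $before = '(no entry)'
        $verb   = 'Add'   # no entry: Set-MailboxFolderPermission would fail
    }
    $after = $AccessRights -join ', '

    # -WhatIf / -Confirm show the intended change without applying it.
    if ($PSCmdlet.ShouldProcess($Folder, "$verb permission for ${User}: $before -> $after")) {
        if ($existing) {
            Set-MailboxFolderPermission -Identity $Folder -User $User -AccessRights $AccessRights
        } else {
            Add-MailboxFolderPermission -Identity $Folder -User $User -AccessRights $AccessRights
        }
        # Emit a record of what changed so the caller can log it.
        New-Object PSObject -Property @{
            Folder = $Folder; User = $User; Action = $verb; Before = $before; After = $after
        }
    }
}

# Preview the change for the mailbox and user used in this post.
Grant-FolderAccess -Folder 'ngupta@quest-demo.com:\Inbox' -User 'quest-user99@quest-demo.com' -AccessRights Reviewer -WhatIf
```

Piping the returned objects to Export-Csv keeps a history of who was granted what, which helps when reviewing delegated access later.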

 

The list of permissions that can be set using the AccessRights parameter is as follows [Source: http://technet.microsoft.com/en-us/library/dd298062(EXCHG.140).aspx]:

  • ReadItems   The user has the right to read items within the specified folder.
  • CreateItems   The user has the right to create items within the specified folder.
  • EditOwnedItems   The user has the right to edit the items that the user owns in the specified folder.
  • DeleteOwnedItems   The user has the right to delete items that the user owns in the specified folder.
  • EditAllItems   The user has the right to edit all items in the specified folder.
  • DeleteAllItems   The user has the right to delete all items in the specified folder.
  • CreateSubfolders   The user has the right to create subfolders in the specified folder.
  • FolderOwner   The user is the owner of the specified folder. The user has the right to view and move the folder and create subfolders. The user can’t read items, edit items, delete items, or create items.
  • FolderContact   The user is the contact for the specified public folder.
  • FolderVisible   The user can view the specified folder, but can’t read or edit items within the specified public folder.

The AccessRights parameter also accepts the following roles, each of which is a combination of the permissions above:

  • None   FolderVisible
  • Owner   CreateItems, ReadItems, CreateSubfolders, FolderOwner, FolderContact, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
  • PublishingEditor   CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
  • Editor   CreateItems, ReadItems, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
  • PublishingAuthor   CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, DeleteOwnedItems
  • Author   CreateItems, ReadItems, FolderVisible, EditOwnedItems, DeleteOwnedItems
  • NonEditingAuthor   CreateItems, ReadItems, FolderVisible
  • Reviewer   ReadItems, FolderVisible
  • Contributor   CreateItems, FolderVisible

The following roles apply specifically to calendar folders:

  • AvailabilityOnly   View only availability data
  • LimitedDetails   View availability data with subject and location

 

