Cheat Sheet: Setting Exchange Mailbox User Permissions via PowerShell

One of the things I get asked about quite a lot is how you can set specific permissions in Exchange Server and Exchange Online. In most cases the Management Console (in 2010) or the Exchange Admin Center (EAC; Exchange 2013 & 2016 and Online) provides the most basic permissions, like Full Access, Send As and Send On Behalf. However, sometimes an admin has to set Send on Behalf permissions on a Shared Mailbox or disable AutoMapping, and those options are not available via EAC. The same goes for setting specific Folder Permissions within a mailbox.

The solution is to use the Exchange Management Shell, or PowerShell. However, every type of permission has a different cmdlet. If you do not set these permissions on a regular basis, you probably have to look up how to perform these actions. Below are the cmdlets with a specific example, each with a link to the TechNet article explaining in more detail their function (provided you have the correct permissions in order to use them):

Example Full Access:

Add-MailboxPermission -user <user> -identity <mailbox> -AccessRights FullAccess -InheritanceType All -Automapping $false

Click here for more info.

Where <Mailbox> is the identity of the mailbox you wish to apply permissions on and <user> the account that will receive these permissions. In this case the AccessRights FullAccess was applied, but others are available. Also in this case Inheritance was set, so these permissions permeate throughout the whole mailbox. Also, Automapping (the automatic addition of mailboxes the user has FullAccess to, via AutoDiscover) can be set to False, disabling this feature. This feature is only available via PowerShell, not via EAC unfortunately.

Example Folder Permission:

Add-MailboxFolderPermission -Identity <Mailbox>:\<Folder> -User <user> -AccessRights Owner

Click here for more info.

Where <Mailbox> is the identity of the mailbox you wish to apply permissions on, <Folder> the name of the specific folder and <user> the account that will receive these permissions. In this case the AccessRight Owner was applied, but others are available. For Calendar folders there are two extra permissions listed, in order to configure the visible calendar information when planning a meeting or viewing someone else's Calendar.

Note that the Well-Known-folders (like Inbox, Calendar, Sent Items etc.) will change with regional settings set by the user (via OWA) or by language settings of Outlook when first connecting to their Mailbox. This might pose a challenge if you want to automate specific settings on those Well-Known folders. Luckily the FolderType is a constant and that value will tell you what kind of folder it is. Custom made folders (a second calendar for instance) have the folder type of “User Created”.

Use the following PowerShell one-liner in order to find the specific name of the Well-Known Calendar folder:

Get-Mailbox <Mailbox>|Get-MailboxFolderStatistics|Where {$_.FolderType -eq "Calendar"}

The value of the FolderType can be Inbox, Contacts, Sent Items, Deleted Items etc. You can list this for a specific mailbox with:

Get-Mailbox <mailbox> |Get-MailboxFolderStatistics| Select FolderType
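The lookup above can be combined with the folder permission cmdlets so that a script works whatever language the calendar folder is named in. The following is an added example, not code from the original post; it assumes an open Exchange Management Shell or Exchange Online session, and the function name Grant-CalendarAccess and the sample addresses are hypothetical.

```powershell
# Added example: assumes an open Exchange Management Shell or Exchange Online session.
# Grant-CalendarAccess is a hypothetical helper name, not an Exchange cmdlet.
function Grant-CalendarAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Mailbox,
        [Parameter(Mandatory)] [string] $User,
        # AvailabilityOnly and LimitedDetails are the two calendar-only rights.
        [string] $AccessRights = 'LimitedDetails'
    )

    # Resolve the default calendar by FolderType, which does not change with language.
    $calendar = Get-MailboxFolderStatistics -Identity $Mailbox -FolderScope Calendar |
        Where-Object { $_.FolderType -eq 'Calendar' } |
        Select-Object -First 1
    if (-not $calendar) {
        throw "No folder of type Calendar found in mailbox '$Mailbox'."
    }

    # FolderPath looks like '/Agenda'; the permission cmdlets expect '<Mailbox>:\Agenda'.
    # The -f operator avoids "$Mailbox:" being parsed as a drive-qualified variable.
    $folderId = '{0}:{1}' -f $Mailbox, $calendar.FolderPath.Replace('/', '\')

    # Add-MailboxFolderPermission errors if the user already has an entry,
    # so an existing entry is changed with Set-MailboxFolderPermission instead.
    $existing = Get-MailboxFolderPermission -Identity $folderId -User $User -ErrorAction SilentlyContinue

    if ($PSCmdlet.ShouldProcess($folderId, "Grant $AccessRights to $User")) {
        if ($existing) {
            Set-MailboxFolderPermission -Identity $folderId -User $User -AccessRights $AccessRights
        } else {
            Add-MailboxFolderPermission -Identity $folderId -User $User -AccessRights $AccessRights
        }
        # Return the resulting entry so the change can be verified or logged.
        Get-MailboxFolderPermission -Identity $folderId -User $User
    }
}

# Constructed sample values; replace with real identities. -WhatIf only reports the change.
Grant-CalendarAccess -Mailbox 'shared.planning@contoso.example' -User 'user1@contoso.example' -WhatIf
```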

Example SendAs (on-premises only):

Add-ADPermission -Identity <mailbox> -User <user> -AccessRights ExtendedRight -ExtendedRights "Send As"

Click here for more info.

Where <Mailbox> is the identity of the mailbox (or Distribution Group) you wish to apply permissions on and <user> the account that will receive these permissions. In this case the Send As extended right is set, although in some cases ReceiveAs might be required. Permission to send mail as another user is actually an Active Directory permission, so this cmdlet will only work in on-premises environments.

Example SendAs (Exchange Online only):

Add-RecipientPermission <mailbox> -AccessRights SendAs -Trustee <user>

Click here for more info.

Where <Mailbox> is the identity of the mailbox (or Distribution Group) you wish to apply permissions on and <user> the account that will receive these permissions.

Example Send On Behalf:

Set-Mailbox -Identity <mailbox> -GrantSendOnBehalfTo <user>

Click here for more info.

Where <Mailbox> is the identity of the mailbox you wish to apply permissions on and <user> the account that will receive these permissions. As I’m writing this, you cannot set these permissions via the EAC on non UserMailbox type mailboxes (i.e. Shared Mailboxes), so PowerShell is your only way.

Please note that, with the example syntax, these permissions will overwrite previously set permissions. If you only require additions, use the @{add="user1","user2"} syntax as the <user> value. In this case user1 and user2 are granted Send on Behalf permissions and the user permissions already present are retained.

Changing the Sent Item behavior:

In Exchange 2010 since Service Pack 3 you can change the Sent Item behavior with:

Set-MailboxSentItemsConfiguration -Identity <Mailbox> -SendAsItemsCopiedTo <Option>

Click here for more info.

Where <Mailbox> is the identity of the mailbox that other users have SendAs or Send on Behalf permissions on. Use parameter SendAsItemsCopiedTo for Send As permissions and the parameter SendOnBehalfOfItemsCopiedTo for any Send on Behalf permissions. <Option> defines the specific behavior you require (just the mailbox specified with the Identity or both mailbox and the actual sender).

In Exchange 2013 since CU9 and in Exchange Online (if your tenant is enabled, at the time of writing it’s possible some are not) you can change the Sent Item behavior with:

Set-Mailbox <Mailbox> -MessageCopyForSentAsEnabled $True
Set-Mailbox <Mailbox> -MessageCopyForSendOnBehalfEnabled $True

Where <Mailbox> is the identity of the (Shared) mailbox that other users have SendAs or Send on Behalf permissions on. Use MessageCopyForSentAsEnabled and MessageCopyForSendOnBehalfEnabled respectively; i.e. you won’t change the behavior for users who have Send As permission when setting MessageCopyForSendOnBehalfEnabled to $True, and vice versa. Setting the value to $False disables the feature again.

Click here for more general information.

Removing permissions

Removing permissions would be performed by the Remove-* equivalent cmdlet, with the exception of the Send On Behalf permission. Those permissions can be completely cleared when using the User value of $null.
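Before removing anything, or after granting, it helps to list what is actually delegated on a mailbox across all three permission types. The following is an added example, not code from the original post; it assumes a connected Exchange Online session (Get-RecipientPermission is the cloud-side counterpart of Add-RecipientPermission), and the function name Get-MailboxDelegate and the sample address are hypothetical.

```powershell
# Added example: assumes a connected Exchange Online session.
# Get-MailboxDelegate is a hypothetical helper name, not an Exchange cmdlet.
function Get-MailboxDelegate {
    param([Parameter(Mandatory)] [string] $Mailbox)

    # Mailbox rights such as FullAccess that were granted explicitly
    # (skips inherited entries and the mailbox owner's own SELF entry).
    Get-MailboxPermission -Identity $Mailbox |
        Where-Object { -not $_.IsInherited -and [string]$_.User -ne 'NT AUTHORITY\SELF' } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox = $Mailbox
                Type    = 'MailboxPermission'
                Rights  = ($_.AccessRights -join ',')
                Trustee = [string]$_.User
                Deny    = [bool]$_.Deny
            }
        }

    # Send As grants.
    Get-RecipientPermission -Identity $Mailbox |
        Where-Object { [string]$_.Trustee -ne 'NT AUTHORITY\SELF' } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox = $Mailbox
                Type    = 'RecipientPermission'
                Rights  = ($_.AccessRights -join ',')
                Trustee = [string]$_.Trustee
                Deny    = ([string]$_.AccessControlType -eq 'Deny')
            }
        }

    # Send on Behalf delegates are stored on the mailbox object itself.
    # The foreach statement runs zero times when the list is empty.
    foreach ($delegate in (Get-Mailbox -Identity $Mailbox).GrantSendOnBehalfTo) {
        [pscustomobject]@{
            Mailbox = $Mailbox
            Type    = 'GrantSendOnBehalfTo'
            Rights  = 'SendOnBehalf'
            Trustee = [string]$delegate
            Deny    = $false
        }
    }
}

# Constructed sample value; replace with a real mailbox identity.
Get-MailboxDelegate -Mailbox 'shared.planning@contoso.example' | Format-Table -AutoSize
```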

 

Now you have a little cheat sheet for setting mailbox permissions in Exchange via PowerShell!
