Exchange 2010: And then there is the long-awaited cmdlet Add-MailboxFolderPermission

So many new features have been included in Exchange 2010 that it would take me more than days to talk about all of them. Still, there are some very nice features that you should keep in mind when thinking about Exchange 2010, and one of these is the new built-in cmdlet "Add-MailboxFolderPermission".

What's this: Add-MailboxFolderPermission

Looking at the description posted on TechNet, this cmdlet enables you to "manage folder-level permissions for all folders within a user's mailbox", meaning you can use this cmdlet to delegate any of the following rights or roles on any mailbox folder for any mailbox-enabled user in your organization, given you have sufficient permissions :-)

(Source = Add-MailboxFolderPermission)

  • ReadItems   The user has the right to read items within the specified folder.
  • CreateItems   The user has the right to create items within the specified folder.
  • EditOwnedItems   The user has the right to edit the items that the user owns in the specified folder.
  • DeleteOwnedItems   The user has the right to delete items that the user owns in the specified folder.
  • EditAllItems   The user has the right to edit all items in the specified folder.
  • DeleteAllItems   The user has the right to delete all items in the specified folder.
  • CreateSubfolders   The user has the right to create subfolders in the specified folder.
  • FolderOwner   The user is the owner of the specified folder. The user has the right to view and move the folder and create subfolders. The user can't read items, edit items, delete items, or create items.
  • FolderContact   The user is the contact for the specified public folder.
  • FolderVisible   The user can view the specified folder, but can't read or edit items within the specified public folder.

The AccessRights parameter also specifies the permissions for the user with the following roles, which are a combination of the rights listed previously:

  • None   FolderVisible
  • Owner   CreateItems, ReadItems, CreateSubfolders, FolderOwner, FolderContact, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
  • PublishingEditor   CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
  • Editor   CreateItems, ReadItems, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
  • PublishingAuthor   CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, DeleteOwnedItems
  • Author   CreateItems, ReadItems, FolderVisible, EditOwnedItems, DeleteOwnedItems
  • NonEditingAuthor   CreateItems, ReadItems, FolderVisible
  • Reviewer   ReadItems, FolderVisible
  • Contributor   CreateItems, FolderVisible

The following roles apply specifically to calendar folders:

  • AvailabilityOnly   View only availability data
  • LimitedDetails   View availability data with subject and location

To be able to do this, you need to hold any of the following built-in management roles (as stated here): Organization Management, Recipient Management, Help Desk. There is no need to have been granted full mailbox access before being able to change those folder permissions (!).

Let's have a look at an example. Here are the permission settings for my test mailbox Ilse, and as you can see, these are the default settings, without previous changes:

Can we get this information using the power of the (Remote) Exchange Management Shell? Yes, by using the cmdlet Get-MailboxFolderPermission, as can be seen in the example below, when running Get-MailboxFolderPermission ilsevancriekinge@exchange.local:\Calendar

And then we can run the following cmdlet to add User7 with the permission of Editor:

Add-MailboxFolderPermission -Identity ilsevancriekinge@exchange.local:\Calendar -User user7@exchange.local -AccessRights Editor

And when checking with Microsoft Office Outlook, it's clear the permissions have been set:

-Ilse
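
Because these folder permissions can be changed without full mailbox access, it is worth reviewing periodically what has been granted. The script below is an added example, not part of the original post: it expands each role into the individual rights listed above and reports Calendar entries that can edit or delete other people's items. The function names, the choice of "high-impact" rights and the English folder name Calendar are assumptions of this example.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# Role-to-rights map, copied from the AccessRights list in this post.
$RoleRights = @{
    'None'             = 'FolderVisible'
    'Owner'            = 'CreateItems','ReadItems','CreateSubfolders','FolderOwner','FolderContact',
                         'FolderVisible','EditOwnedItems','EditAllItems','DeleteOwnedItems','DeleteAllItems'
    'PublishingEditor' = 'CreateItems','ReadItems','CreateSubfolders','FolderVisible',
                         'EditOwnedItems','EditAllItems','DeleteOwnedItems','DeleteAllItems'
    'Editor'           = 'CreateItems','ReadItems','FolderVisible','EditOwnedItems','EditAllItems',
                         'DeleteOwnedItems','DeleteAllItems'
    'PublishingAuthor' = 'CreateItems','ReadItems','CreateSubfolders','FolderVisible',
                         'EditOwnedItems','DeleteOwnedItems'
    'Author'           = 'CreateItems','ReadItems','FolderVisible','EditOwnedItems','DeleteOwnedItems'
    'NonEditingAuthor' = 'CreateItems','ReadItems','FolderVisible'
    'Reviewer'         = 'ReadItems','FolderVisible'
    'Contributor'      = 'CreateItems','FolderVisible'
}
# Assumption of this example: rights that affect items the delegate does not own.
$HighImpact = 'EditAllItems','DeleteAllItems','FolderOwner'

# Hypothetical helper: expand role names to rights; individual rights pass through.
function Get-EffectiveFolderRights {
    param([string[]]$AccessRights)
    $rights = foreach ($r in $AccessRights) {
        if ($RoleRights.ContainsKey($r)) { $RoleRights[$r] } else { $r }
    }
    @($rights | Sort-Object -Unique)
}

# Hypothetical helper: list high-impact grants on one folder across all mailboxes.
function Get-CalendarDelegationAudit {
    param([string]$FolderName = 'Calendar')   # assumption: English folder name
    foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
        $id = '{0}:\{1}' -f $mbx.PrimarySmtpAddress, $FolderName
        # @() keeps the loop from running once on $null when the folder is missing
        foreach ($entry in @(Get-MailboxFolderPermission -Identity $id -ErrorAction SilentlyContinue)) {
            $granted = @($entry.AccessRights | ForEach-Object { $_.ToString() })
            $risky = @(Get-EffectiveFolderRights -AccessRights $granted |
                       Where-Object { $HighImpact -contains $_ })
            if ($risky.Count -gt 0) {
                New-Object PSObject -Property @{
                    Mailbox = $mbx.PrimarySmtpAddress.ToString()
                    User    = $entry.User.ToString()
                    Granted = $granted -join ','
                    HighImpactRights = $risky -join ','
                }
            }
        }
    }
}
# Usage: Get-CalendarDelegationAudit | Format-Table -AutoSize
```

After the Add-MailboxFolderPermission command shown above, the report would include a row for User7 on Ilse's calendar with Granted = Editor and HighImpactRights = DeleteAllItems,EditAllItems.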