Tuesday, October 22, 2013

Public Folders Permissions on Exchange 2007/2010

I used to work with Exchange System Manager when managing permissions on Exchange Public Folders, but last week got in trouble when in need to do it on our recently migrated to Exchange 2007 PFs. Turns out that Exchange Management Console doesn't seem to have any feature to manage the Public Folders permissions, so we need to use Power Shell in order to do it. Below are the cmdlets that will help us with that:

To add administrative permissions:

  Add-PublicFolderAdministrativePermission -Identity "\FolderPath" -AccessRights ACCESSRIGHTS -User USERNAME

-AccessRights parameter value may be:
  • None
  • ModifyPublicFolderACL
  • ModifyPublicFolderAdminACL
  • ModifyPublicFolderDeletedItemRetention
  • ModifyPublicFolderExpiry
  • ModifyPublicFolderQuotas
  • ModifyPublicFolderReplicaList
  • AdministerInformationStore
  • ViewInformationStore
  • AllExtendedRights
To add client permissions:

  Add-PublicFolderClientPermission -Identity "\FolderPath" -AccessRights ACCESSRIGHTS -User USERNAME

-AccessRights parameter value may be:
  • ReadItems
  • CreateItems
  • EditOwnedItems
  • DeleteOwnedItems
  • EditAllItems
  • DeleteAllItems
  • CreateSubfolders
  • FolderOwner
  • FolderContact
  • FolderVisible
To add send as permissions (for mail enabled public folders):

  Add-ADPermission "\All Public Folders\FolderPath" -User "USERNAME" -Extendedrights "Send As"

Here comes the complicated part...

In order to recursively add permissions to a folder and its subfolders, we'll need to use a script we'll find in Exchange Server: AddUsersToPFRecursive.ps1, however, this script will remove the user's permissions before adding the new ones, and that will require confirmation, which will be a pain if we're talking about too many subfolders (believe me, in my case there were hundreds of them). So I've made a small change in the script and renamed AddUsersToPFRecursive-No-Confirm.ps1 to keep the original.

All you need to do in order to remove the confirmation is to find this line:

  $permission | remove-PublicFolderClientPermission -identity $_.Identity -server $_.OriginatingServer

And add "Confirm:$false" in the end.

  $permission | remove-PublicFolderClientPermission -identity $_.Identity -server $_.OriginatingServer -Confirm:$false

Then save the script with a new name as I did, or one you prefer.

Once you have it done, you just need to call the script from the Shell console as usual:

  AddUsersToPFRecursive-No-Confirm.ps1 -TopPublicFolder "'\Europe\France'" -User "LAURENT_BARONI" -Permission Owner

** Note that I've put quotes " and an apostrophe ' on the parameter -TopPublicFolder. That's not a typo, don't ask me why, but this was the only way I could make it work. But it works, I promise :)

More info:
Add-PublicFolderAdministrativePermission cmdlet
Posted by at
Labels: , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)
Related Posts Plugin for WordPress, Blogger...