How to Grant Read-Only Access to an Exchange Mailbox
Granting a user read-only access to the mailbox and calendar of another user in an Exchange Server organization.
This is a common scenario and the solution is reasonably simple though perhaps not obvious.
Let’s look at the scenario of Alan Reid trying to access the mailbox of Alex Heyne. With no access configured Alan gets an error message when he tries to open Alex’s inbox in Outlook.
To meet the requirements of this scenario we need to grant Alan read-only access to Alex’s mailbox, not full access, and without making him a delegate.
It is worth noting that the mailbox owner can configure these permissions themselves using Outlook. But I will assume that if you're reading this you have been asked to handle it for them.
Where some admins get stuck is in the Exchange Management Console, which only presents the option to grant full access to a mailbox.
Instead we need to use the Exchange Management Shell and run the Add-MailboxFolderPermission cmdlet.
The first step is to grant permissions (in this case “Reviewer”) to the “Top of Information Store”.
    [PS] C:\>Add-MailboxFolderPermission -Identity alex.heyne:\ -User Alan.Reid -AccessRights Reviewer

    RunspaceId   : 2cc2f5f2-77a3-42b6-9221-83cf24c494c6
    FolderName   : Top of Information Store
    User         : Alan Reid
    AccessRights : {Reviewer}
    Identity     : Alan Reid
    IsValid      : True
Those permissions do not inherit down the mailbox folder hierarchy to existing folders (newly created folders will inherit the permissions of their parent folder though). So you still need to grant permissions for specific folders, for example the inbox:
    [PS] C:\>Add-MailboxFolderPermission -Identity alex.heyne:\Inbox -User Alan.Reid -AccessRights Reviewer

    RunspaceId   : 2cc2f5f2-77a3-42b6-9221-83cf24c494c6
    FolderName   : Inbox
    User         : Alan Reid
    AccessRights : {Reviewer}
    Identity     : Alan Reid
    IsValid      : True
Or the calendar:
    [PS] C:\>Add-MailboxFolderPermission -Identity alex.heyne:\Calendar -User Alan.Reid -AccessRights Reviewer

    RunspaceId   : 2cc2f5f2-77a3-42b6-9221-83cf24c494c6
    FolderName   : Calendar
    User         : Alan Reid
    AccessRights : {Reviewer}
    Identity     : Alan Reid
    IsValid      : True
This starts to get tedious if you want to grant permissions to the entire mailbox folder hierarchy. For that you would need to write a script.
Here is an example:
    # Proof of concept code to apply mailbox
    # folder permissions to all folders in
    # a mailbox

    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$true)]
        [string]$Mailbox,

        [Parameter(Mandatory=$true)]
        [string]$User,

        [Parameter(Mandatory=$true)]
        [string]$Access
    )

    # System folders that should not receive permission entries
    $exclusions = @("/Sync Issues",
                    "/Sync Issues/Conflicts",
                    "/Sync Issues/Local Failures",
                    "/Sync Issues/Server Failures",
                    "/Recoverable Items",
                    "/Deletions",
                    "/Purges",
                    "/Versions"
                    )

    # Every folder path in the mailbox, minus the exclusions
    $mailboxfolders = @(Get-MailboxFolderStatistics $Mailbox |
        Where {!($exclusions -icontains $_.FolderPath)} |
        Select FolderPath)

    foreach ($mailboxfolder in $mailboxfolders)
    {
        # Folder statistics use "/" separators; folder identities use "\"
        $folder = $mailboxfolder.FolderPath.Replace("/","\")

        # The root is listed as "\Top of Information Store" but is addressed as "\"
        if ($folder -eq "\Top of Information Store") { $folder = "\" }

        $identity = "$($mailbox):$folder"
        Write-Host "Adding $user to $identity with $access permissions"
        Add-MailboxFolderPermission -Identity $identity -User $user -AccessRights $Access
    }
Save that code as a .ps1 file and run it in the Exchange Management Shell with the required parameters.
    [PS] C:\Scripts>.\MailboxFolderPermissions.ps1 -Mailbox alex.heyne -User alan.reid -Access reviewer
So as you can see, granting read-only access to specific mailbox folders is quite simple, with just a little extra work required (or a script like the one above) to apply the permissions to all existing mailbox folders.
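To check the result, the following added example (not part of the original article) walks the same folder list and reports the access rights a user actually holds on each folder, flagging folders with no entry and folders where the rights differ from the expected role. It assumes the Exchange Management Shell; the parameter names and the Status values are illustrative.

```powershell
# Added example: audit one user's rights on every folder of a mailbox.
# Run in the Exchange Management Shell. Parameter names are illustrative.
[CmdletBinding()]
param (
    [Parameter(Mandatory=$true)] [string]$Mailbox,
    [Parameter(Mandatory=$true)] [string]$User,
    [string]$Expected = "Reviewer"
)

# Same system folders that the article's script skips
$exclusions = @("/Sync Issues",
                "/Sync Issues/Conflicts",
                "/Sync Issues/Local Failures",
                "/Sync Issues/Server Failures",
                "/Recoverable Items",
                "/Deletions",
                "/Purges",
                "/Versions")

$folders = @(Get-MailboxFolderStatistics $Mailbox |
    Where-Object { $exclusions -inotcontains $_.FolderPath })

foreach ($f in $folders) {
    # The root is listed as "/Top of Information Store"
    # but is addressed as "mailbox:\" by the permission cmdlets.
    if ($f.FolderPath -eq "/Top of Information Store") { $path = "\" }
    else { $path = $f.FolderPath.Replace("/", "\") }
    $identity = "$($Mailbox):$path"

    # A folder with no entry for the user returns an error; treat as no access
    $perm = Get-MailboxFolderPermission -Identity $identity -User $User `
                -ErrorAction SilentlyContinue

    if ($perm) {
        $rights = ($perm.AccessRights | ForEach-Object { $_.ToString() }) -join ","
    } else {
        $rights = "(none)"
    }

    if     ($rights -eq $Expected) { $status = "OK" }
    elseif (-not $perm)            { $status = "Missing" }
    else                           { $status = "Review" }   # more or different rights

    New-Object PSObject -Property @{ Folder = $path; AccessRights = $rights; Status = $status } |
        Select-Object Folder, AccessRights, Status
}
```

Rows marked Missing are folders the user cannot open yet; rows marked Review hold something other than the expected role and are the ones to check when the requirement is read-only access.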