{"id":1382,"date":"2013-10-08T20:07:56","date_gmt":"2013-10-08T20:07:56","guid":{"rendered":"http:\/\/microsoftgeek.com\/?p=1382"},"modified":"2013-10-08T20:07:56","modified_gmt":"2013-10-08T20:07:56","slug":"how-to-grant-read-only-access-to-an-exchange-mailbox","status":"publish","type":"post","link":"https:\/\/microsoftgeek.com\/?p=1382","title":{"rendered":"How to Grant Read-Only Access to an Exchange Mailbox"},"content":{"rendered":"<p>Granting a user read-only access to the mailbox and calendar of another user in an Exchange Server organization.<\/p>\n<p>This is a common scenario and the solution is reasonably simple though perhaps not obvious.<\/p>\n<p>Let\u2019s look at the scenario of Alan Reid trying to access the mailbox of Alex Heyne. With no access configured Alan gets an error message when he tries to open Alex\u2019s inbox in Outlook.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" alt=\"exchange-read-access-mailbox-01\" src=\"http:\/\/exchangeserverpro.com\/wp-content\/uploads\/2013\/09\/exchange-read-access-mailbox-01.png\" width=\"380\" height=\"228\" \/><\/p>\n<p>To meet the requirements of this scenario we need to grant Alan read-only access to Alex\u2019s mailbox, not full access, and without making him a delegate.<\/p>\n<p>It is worth noting that the mailbox owner can configure these permissions themselves using Outlook. 
But I will assume that if you\u2019re reading this you have been asked to handle it for them :)<\/p>\n<p>Where some admins get stuck is in the Exchange Management Console, which only presents the option to grant full access to a mailbox.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" alt=\"exchange-read-access-mailbox-02\" src=\"http:\/\/exchangeserverpro.com\/wp-content\/uploads\/2013\/09\/exchange-read-access-mailbox-02.png\" width=\"359\" height=\"222\" \/><\/p>\n<p>Instead we need to use the Exchange Management Shell and run the Add-MailboxFolderPermission cmdlet.<\/p>\n<p>The first step is to grant permissions (in this case \u201cReviewer\u201d) to the \u201cTop of Information Store\u201d.<\/p>\n<pre>[PS] C:\\&gt;Add-MailboxFolderPermission -Identity alex.heyne:\\ -User Alan.Reid -AccessRights Reviewer\r\n\r\nRunspaceId   : 2cc2f5f2-77a3-42b6-9221-83cf24c494c6\r\nFolderName   : Top of Information Store\r\nUser         : Alan Reid\r\nAccessRights : {Reviewer}\r\nIdentity     : Alan Reid\r\nIsValid      : True<\/pre>\n<p>Those permissions are not inherited by folders that already exist in the mailbox folder hierarchy (although newly created folders will inherit the permissions of their parent folder). 
So you still need to grant permissions for specific folders, for example the inbox:<\/p>\n<pre>[PS] C:\\&gt;Add-MailboxFolderPermission -Identity alex.heyne:\\Inbox -User Alan.Reid -AccessRights Reviewer\r\n\r\nRunspaceId   : 2cc2f5f2-77a3-42b6-9221-83cf24c494c6\r\nFolderName   : Inbox\r\nUser         : Alan Reid\r\nAccessRights : {Reviewer}\r\nIdentity     : Alan Reid\r\nIsValid      : True<\/pre>\n<p>Or the calendar:<\/p>\n<pre>[PS] C:\\&gt;Add-MailboxFolderPermission -Identity alex.heyne:\\Calendar -User Alan.Reid -AccessRights Reviewer\r\n\r\nRunspaceId   : 2cc2f5f2-77a3-42b6-9221-83cf24c494c6\r\nFolderName   : Calendar\r\nUser         : Alan Reid\r\nAccessRights : {Reviewer}\r\nIdentity     : Alan Reid\r\nIsValid      : True<\/pre>\n<p>This starts to get tedious if you want to grant permissions to the entire mailbox folder hierarchy. For that you would need to write a script.<\/p>\n<p>Here is an example:<\/p>\n<pre>#Proof of concept code to apply mailbox\r\n#folder permissions to all folders in\r\n#a mailbox\r\n\r\n[CmdletBinding()]\r\nparam (\r\n\t[Parameter( Mandatory=$true)]\r\n\t[string]$Mailbox,\r\n\r\n\t[Parameter( Mandatory=$true)]\r\n\t[string]$User,\r\n\r\n\t[Parameter( Mandatory=$true)]\r\n\t[string]$Access\r\n)\r\n\r\n#Folder paths to skip\r\n$exclusions = @(\"\/Sync Issues\",\r\n                \"\/Sync Issues\/Conflicts\",\r\n                \"\/Sync Issues\/Local Failures\",\r\n                \"\/Sync Issues\/Server Failures\",\r\n                \"\/Recoverable Items\",\r\n                \"\/Deletions\",\r\n                \"\/Purges\",\r\n                \"\/Versions\"\r\n                )\r\n\r\n#Collect the path of every folder in the mailbox that is not excluded\r\n$mailboxfolders = @(Get-MailboxFolderStatistics $Mailbox | Where {!($exclusions -icontains $_.FolderPath)} | Select FolderPath)\r\n\r\nforeach ($mailboxfolder in $mailboxfolders)\r\n{\r\n    #Folder statistics use forward slashes, a folder identity uses backslashes\r\n    $folder = $mailboxfolder.FolderPath.Replace(\"\/\",\"\\\")\r\n    #The mailbox root is listed as \"\\Top of Information Store\" but is addressed as \"\\\"\r\n    if ($folder -eq \"\\Top of Information Store\") { $folder = \"\\\" }\r\n    $identity = \"$($mailbox):$folder\"\r\n    Write-Host \"Adding $user to $identity with $access permissions\"\r\n    
Add-MailboxFolderPermission -Identity $identity -User $user -AccessRights $Access\r\n}<\/pre>\n<p>Save that code as a .ps1 file and run it in the Exchange Management Shell with the required parameters.<\/p>\n<pre>[PS] C:\\Scripts&gt;.\\MailboxFolderPermissions.ps1 -Mailbox alex.heyne -User alan.reid -Access reviewer<\/pre>\n<p>So as you can see, granting read-only access to specific mailbox folders is quite simple, with just a little extra work required (or a script like the one above) to apply the permissions to all existing mailbox folders.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Granting a user read-only access to the mailbox and calendar of another user in an Exchange Server organization. This is a common scenario and the solution is reasonably simple though perhaps not obvious. Let\u2019s look at the scenario of Alan Reid trying to access the mailbox of Alex Heyne. With no access configured Alan gets [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[18,21,22],"tags":[],"class_list":["post-1382","post","type-post","status-publish","format-standard","hentry","category-ms-exchange","category-exchange-2007","category-exchange-2010"],"_links":{"self":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/1382","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1382"}],"version-history":[{"count":2,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/1382\/revisions"}],"predecess
or-version":[{"id":1384,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/1382\/revisions\/1384"}],"wp:attachment":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1382"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1382"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1382"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}