PowerShell Add-MailboxPermission For Exchange 2010
Here is a PowerShell technique for allowing one user to read another user’s email. While technically Add-MailboxPermission -identity is a straightforward task, emotionally, it may have repercussions if you give too many access rights to the wrong people.
- Exchange Permissions Pre-requisites
- Understanding Add-MailboxPermission
- Add-MailboxPermission AccessRights SendAs
- Add-ADPermission Send As
- The Effect of AutoDiscover on Outlook 2010
Exchange Permissions Pre-requisites
If you think about it, being able to add one user to another user’s mailbox permission is a potent power. Thus, to achieve this task (assuming there is a good business reason), you must be a member of these Exchange groups:
- ‘Organization Management role group’
- ‘Server Management management role group’
Management management is not a typo!
Understanding PowerShell Add-MailboxPermission
To get started, focus on just two parameters of Add-MailboxPermission: -Identity (the victim!) and -User (the spy!).
# Add-MailboxPermission Exchange 2010
# -AccessRights is mandatory; if you omit it, PowerShell prompts for the value
Add-MailboxPermission -Identity "Joe Victim" -User "Eddie Spy"
Note 1: The above example would mean that Eddie Spy could see Joe Victim’s Mailbox in his Outlook 2010.
Add-MailboxPermission -AccessRights
Once you have sorted out those two parts, decide on the -AccessRights. Is SendAs sufficient? Or do you need FullAccess, which would allow the -User to impersonate the -Identity?
Add-MailboxPermission `
-Identity "Boss Man" `
-User "Top Secretary" `
-AccessRights FullAccess -InheritanceType All
Note 2: The backtick (`) means wrap to the next line. I used this layout to emphasise the -Parameters.
Add-MailboxPermission AccessRights SendAs
There are 7 possible values for the -AccessRights parameter.
- FullAccess
- SendAs
- ExternalAccount
- DeleteItem
- ReadPermission
- ChangePermission
- ChangeOwner
Add-ADPermission Send As
In the case of SendAs there is an alternative to Add-MailboxPermission, that is to employ a different PowerShell cmdlet called Add-ADPermission.
Add-ADPermission `
-Identity "Boss Man" `
-User "Top Secretary" `
-AccessRights ExtendedRight -ExtendedRights "Send As"
Note 3: Infuriatingly, "Send As" is two separate words with this cmdlet.
Note 4: In the case of the specific right to ‘send as’, there seems little difference between Add-MailboxPermission and Add-ADPermission. However, when it comes to other scripting manipulation their abilities diverge.
Add-MailboxPermission Syntax
Observe that, like almost all PowerShell nouns, MailboxPermission is singular. You can examine the parameters with this command:
Get-Help Add-MailboxPermission
# Add-MailboxPermission Exchange 2010
Add-MailboxPermission -Identity <MailboxIdParameter> -AccessRights <MailboxRights[]> -User <SecurityPrincipalIdParameter> [-Confirm [<SwitchParameter>]] [-Deny <SwitchParameter>] [-DomainController <Fqdn>] [-IgnoreDefaultScope <SwitchParameter>] [-InheritanceType <None | All | Descendents | SelfAndChildren | Children>] [-WhatIf [<SwitchParameter>]]
Note 5: Add-MailboxPermission -Identity accepts the following values:
- GUID
- ADObjectID
- Distinguished name (DN)
- Domain\Account
- User principal name (UPN)
- LegacyExchangeDN
- SmtpAddress
- Alias
PowerShell Script to Automate Setting Mailbox Permissions
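# Add-MailboxPermission -identity example
# Expects an Identity column in c:\mbox.csv and a Name column in c:\secretary.csv
Import-CSV c:\mbox.csv | Foreach-Object -process {
    $Id = $_.Identity
    # Grant every secretary listed in the second file rights on this mailbox
    Import-CSV c:\secretary.csv | foreach-object -process {
        $Secretary = $_.Name
        Add-MailboxPermission -Identity "$Id" -user "$Secretary" -AccessRights SendAs, ReadPermission
    }
}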
Note 6: If this works only for some of the users, try inserting Start-Sleep 5 in the loop. This will give more time to set the permissions.
Check Mailboxes Manually with the EMC
With PowerShell it’s often worth a manual walk-through to compare the PowerShell script with what you see in the Exchange Management Console.
- Launch the EMC, navigate to the Recipient Configuration Mailbox.
- Select the mailbox of the victim who you are interested in.
- Select ‘Manage Full Access Permissions’ in the right-hand pane.
Research More Members of the MailboxPermission Family
Get-Command -noun MailboxPermission
Get-MailboxPermission -Identity "Joe Victim"
or
Get-MailboxPermission -Identity "Joe Victim" -User "Eddie Spy"
Lastly, if you make a mistake, try Remove-MailboxPermission.
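To review what has already been granted, the filter below reduces Get-MailboxPermission output to explicit, non-inherited grants of the more powerful rights. It is an added example, not part of the original page: Select-ExplicitMailboxGrant and New-SampleEntry are hypothetical helper names, the CONTOSO rows are constructed sample data, and the syntax is kept to what PowerShell 2.0 accepts.

```powershell
# Select-ExplicitMailboxGrant is a hypothetical helper, not an Exchange cmdlet.
function Select-ExplicitMailboxGrant {
    param(
        [Parameter(ValueFromPipeline = $true)] $Permission,
        # Rights worth a reviewer's attention; adjust to local policy.
        [string[]] $Rights = @('FullAccess', 'SendAs', 'ChangePermission', 'ChangeOwner')
    )
    process {
        # Inherited entries come from a higher level, and SELF is the
        # owner's own access; neither is a delegation to another user.
        if ($Permission.IsInherited) { return }
        if ("$($Permission.User)" -eq 'NT AUTHORITY\SELF') { return }
        # Deny entries restrict access rather than grant it.
        if ($Permission.Deny) { return }

        # AccessRights can hold several values; keep only the ones of interest.
        $held = @($Permission.AccessRights | ForEach-Object { "$_" -split ',\s*' })
        $hits = @($held | Where-Object { $Rights -contains $_ })
        if ($hits.Count -gt 0) {
            New-Object PSObject -Property @{
                Mailbox = "$($Permission.Identity)"
                Grantee = "$($Permission.User)"
                Rights  = ($hits -join ', ')
            }
        }
    }
}

# Constructed sample rows shaped like Get-MailboxPermission output.
function New-SampleEntry($Identity, $User, $AccessRights, $IsInherited) {
    New-Object PSObject -Property @{
        Identity = $Identity; User = $User; AccessRights = $AccessRights
        IsInherited = $IsInherited; Deny = $false
    }
}
$sample = @(
    (New-SampleEntry 'Joe Victim' 'NT AUTHORITY\SELF' @('FullAccess', 'ReadPermission') $false),
    (New-SampleEntry 'Joe Victim' 'CONTOSO\Eddie Spy' @('FullAccess') $false),
    (New-SampleEntry 'Joe Victim' 'CONTOSO\Exchange Servers' @('FullAccess') $true),
    (New-SampleEntry 'Boss Man' 'CONTOSO\Top Secretary' @('ReadPermission') $false)
)
$sample | Select-ExplicitMailboxGrant | Format-Table Mailbox, Grantee, Rights -AutoSize

# Against a live organization, from the Exchange Management Shell:
# Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Select-ExplicitMailboxGrant
```

Send As rights granted through Add-ADPermission are Active Directory extended rights, so review those with Get-ADPermission as well.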
Note 7: See more on PowerShell’s Add-MailboxPermission.
The Effect of AutoDiscover on Outlook 2010
Thanks to Autodiscover, in Exchange 2010 Service Pack 1 (SP1), Outlook 2007 and 2010 clients automatically map to every mailbox to which they have Full Access permissions.
Sometimes this can be a curse, for example if Exchange Administrators are given full control of everyone’s mailbox. If they try and open their own Outlook 2010, they will be snowed under with everyone else’s email. Solution: Administrator Guy Thomas has his own, humble, ordinary email account, and does not log on as Administrator.
Summary of Add-MailboxPermission in Exchange 2010
The syntax for PowerShell’s Add-MailboxPermission -identity is straightforward; however, you may stop and ask, ‘Am I doing the right thing here?’, because giving one user access to another user’s inbox may have repercussions within the organization.