PowerShell Add-MailboxPermission

PowerShell Add-MailboxPermission For Exchange 2010

Here is a PowerShell technique for allowing one user to read another user’s email.  While technically Add-MailboxPermission -Identity is a straightforward task, emotionally it may have repercussions if you give too many access rights to the wrong people.

Exchange Permissions Pre-requisites

If you think about it, being able to add one user to another user’s mailbox permission is a potent power.  Thus to achieve this task (assuming there is a good business reason), you must be a member of these Exchange groups:

  • ‘Organization Management role group’
  • ‘Server Management management role group’
    Management management is not a typo!

Understanding PowerShell Add-MailboxPermission

To get started, focus on just two parameters of Add-MailboxPermission: -Identity (the victim!) and -User (the spy!).

# Add-MailboxPermission Exchange 2010
# -AccessRights is also required (PowerShell prompts for it if omitted); see the next section
Add-MailboxPermission -Identity "Joe Victim" -User "Eddie Spy"

Note 1: The above example would mean that Eddie Spy could see Joe Victim’s Mailbox in his Outlook 2010.

Add-MailboxPermission -AccessRights

Once you have sorted out those two parts, decide on the -AccessRights.  Is SendAs sufficient?  Or do you need FullAccess, which would allow the -User to impersonate the -Identity?

Add-MailboxPermission `
-Identity "Boss Man" `
-User "Top Secretary" `
-AccessRights FullAccess -InheritanceType All

Note 2: The backtick (`) means wrap to the next line.  I used this layout to emphasise the -Parameters.

Add-MailboxPermission AccessRights SendAs

There are 7 possible values for the -AccessRights parameter.

  1. FullAccess
  2. SendAs
  3. ExternalAccount
  4. DeleteItem
  5. ReadPermission
  6. ChangePermission
  7. ChangeOwner

Add-ADPermission Send As

In the case of SendAs there is an alternative to Add-MailboxPermission, that is to employ a different PowerShell cmdlet called Add-ADPermission.

Add-ADPermission `
-Identity "Boss Man" `
-User "Top Secretary" `
-AccessRights ExtendedRight -ExtendedRights "Send As"

Note 3: Infuriatingly, "Send As" is two separate words with this cmdlet.

Note 4: In the case of the specific right to ‘send as’, there seems little difference between Add-MailboxPermission and Add-ADPermission.  However, when it comes to other scripting manipulation their abilities diverge.

Add-MailboxPermission Syntax

Observe that, like almost all PowerShell nouns, MailboxPermission is singular.  You can examine the parameters with this command:

Get-Help Add-MailboxPermission

# Add-MailboxPermission Exchange 2010
Add-MailboxPermission -Identity <MailboxIdParameter> -AccessRights <MailboxRights[]> -User <SecurityPrincipalIdParameter> [-Confirm [<SwitchParameter>]] [-Deny <SwitchParameter>] [-DomainController <Fqdn>] [-IgnoreDefaultScope <SwitchParameter>] [-InheritanceType <None | All | Descendents | SelfAndChildren | Children>] [-WhatIf [<SwitchParameter>]]

Note 5:  Add-MailboxPermission -Identity accepts the following values:

  • GUID
  • ADObjectID
  • Distinguished name (DN)
  • Domain\Account
  • User principal name (UPN)
  • LegacyExchangeDN
  • SmtpAddress
  • Alias

PowerShell Script to Automate Setting Mailbox Permissions

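# Add-MailboxPermission -identity example
# For every mailbox listed in mbox.csv (column: Identity) ...
Import-CSV c:\mbox.csv | Foreach-Object -process {
    $Id = $_.Identity
    # ... grant each secretary listed in secretary.csv (column: Name) the rights below
    Import-CSV c:\secretary.csv | Foreach-Object -process {
        $Secretary = $_.Name
        Add-MailboxPermission -Identity "$Id" -User "$Secretary" -AccessRights SendAs, ReadPermission
    }
}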

Note 6: If this works only for some of the users, try inserting Start-Sleep 5 in the loop.  This will give more time to set the permissions.
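A more defensive variant of the bulk script, added here as an example (it is not part of the original script): it reads the delegate list once, only previews each grant with -WhatIf unless -Apply is given, and returns one result row per grant so that failures are visible.  The function name Grant-MailboxAccessFromCsv and the -Apply switch are hypothetical; the CSV columns and access rights are the ones used above.

```powershell
# Added example; Grant-MailboxAccessFromCsv and -Apply are hypothetical names.
# Written for the Exchange 2010 Management Shell (PowerShell 2.0 syntax).
function Grant-MailboxAccessFromCsv {
    param(
        [string]$MailboxCsv     = 'c:\mbox.csv',       # column: Identity
        [string]$DelegateCsv    = 'c:\secretary.csv',  # column: Name
        [string[]]$AccessRights = @('SendAs', 'ReadPermission'),
        [switch]$Apply                                 # without it, preview only
    )
    # Read the delegate list once instead of once per mailbox.
    $delegates = @(Import-Csv $DelegateCsv)
    foreach ($row in (Import-Csv $MailboxCsv)) {
        foreach ($delegate in $delegates) {
            $status = 'Previewed'
            $detail = ''
            try {
                # -WhatIf:$true reports what would change without changing it.
                Add-MailboxPermission -Identity $row.Identity `
                    -User $delegate.Name `
                    -AccessRights $AccessRights `
                    -WhatIf:(-not $Apply) `
                    -ErrorAction Stop | Out-Null
                if ($Apply) { $status = 'Granted' }
            }
            catch {
                # A mistyped identity or a refused grant is recorded, not lost.
                $status = 'Failed'
                $detail = $_.Exception.Message
            }
            New-Object PSObject -Property @{
                Mailbox  = $row.Identity
                Delegate = $delegate.Name
                Rights   = ($AccessRights -join ', ')
                Status   = $status
                Detail   = $detail
            }
        }
    }
}

# Preview first; apply only after reviewing the preview, and keep the record.
Grant-MailboxAccessFromCsv
# Grant-MailboxAccessFromCsv -Apply | Export-Csv c:\mbox-grants.csv -NoTypeInformation
```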

Check Mailboxes Manually with the EMC

With PowerShell it’s often worth a manual walk-through to compare the PowerShell script with what you see in the Exchange Management Console.

  • Launch the EMC and navigate to Recipient Configuration > Mailbox.
  • Select the mailbox of the victim you are interested in.
  • Select ‘Manage Full Access Permissions’ in the right hand pane.

Research More Members of the MailboxPermission Family

Get-Command -noun MailboxPermission

Get-MailboxPermission -Identity "Joe Victim"

or

Get-MailboxPermission -Identity "Joe Victim" -User "Eddie Spy"

Lastly, if you make a mistake try Remove-MailboxPermission
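To review what has already been granted, this added example (not from the original page) walks every mailbox with Get-MailboxPermission and reports only explicit, non-inherited Allow entries that carry the more powerful rights from the -AccessRights list.  The function name Get-ExplicitMailboxGrant is hypothetical.

```powershell
# Added example; Get-ExplicitMailboxGrant is a hypothetical name.
# Written for the Exchange 2010 Management Shell (PowerShell 2.0 syntax).
function Get-ExplicitMailboxGrant {
    param(
        # Rights worth reviewing; values come from the -AccessRights list.
        [string[]]$Rights = @('FullAccess', 'SendAs', 'ChangePermission', 'ChangeOwner')
    )
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $mailbox = $_
        Get-MailboxPermission -Identity $mailbox.DistinguishedName |
            Where-Object {
                # Keep direct Allow entries; drop inherited entries, Deny
                # entries and the mailbox owner's own entry.
                (-not $_.IsInherited) -and (-not $_.Deny) -and
                ($_.User.ToString() -ne 'NT AUTHORITY\SELF')
            } |
            ForEach-Object {
                $entry = $_
                # AccessRights may arrive as a list or as one comma-separated
                # string, so normalise it to individual right names.
                $joined  = ($entry.AccessRights | ForEach-Object { $_.ToString() }) -join ','
                $granted = @($joined -split ',' | ForEach-Object { $_.Trim() })
                $matched = @($granted | Where-Object { $Rights -contains $_ })
                if ($matched.Count -gt 0) {
                    New-Object PSObject -Property @{
                        Mailbox = $mailbox.DisplayName
                        Grantee = $entry.User.ToString()
                        Rights  = ($matched -join ', ')
                    }
                }
            }
    }
}

# Review on screen; unexpected grantees are candidates for Remove-MailboxPermission.
Get-ExplicitMailboxGrant | Sort-Object Mailbox, Grantee |
    Format-Table Mailbox, Grantee, Rights -AutoSize
```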

The Effect of AutoDiscover on Outlook 2010

Thanks to Autodiscover, in Exchange 2010 Service Pack 1 (SP1), Outlook 2007 and 2010 clients automatically map to every mailbox to which they have Full Access permissions.

Sometimes this can be a curse, for example if Exchange Administrators are given full control of everyone’s mailbox.  If they try to open their own Outlook 2010, they will be snowed under with everyone else’s email.  Solution: Administrator Guy Thomas has his own, humble, ordinary email account, and does not log on as Administrator.

Summary of Add-MailboxPermission in Exchange 2010

While the syntax for PowerShell’s Add-MailboxPermission -Identity is straightforward, you may stop and ask, ‘Am I doing the right thing here?’, because giving one user access to another user’s inbox may have repercussions within the organization.
