Maintain MAPI permissions recursive

I strongly believe that many of you have already run into this scenario:

“Hey, can you help me and grant access to all my folders in my mailbox to this one person?”

When it starts like this, in most cases the user has a total number of folders that is for sure more than two digits.

Background

This is a common scenario: users are very “creative” and “ambiguous” in creating a folder structure, and then realize that permissions are not inherited as expected and that they need to assign permissions on each and every single folder.

Yes, there is inheritance, but it takes place ONLY when a subfolder is created AFTER permissions have been assigned on the parent folder. When subfolders already exist, permissions are not applied recursively.

Recommendations

Before I come to my solution, which is rather a workaround as you need to involve an Exchange admin, let me emphasize the following:

Solution (workaround!)

I wrote two functions, which do the job for you: one to add/replace and another to remove permissions. Both work as follows:

  • get all folders of scope Inbox using the cmdlet Get-MailboxFolderStatistics
# retrieve folders with scope Inbox
$folderSet = Get-MailboxFolderStatistics -Identity $Identity -FolderScope Inbox
  • loop through all of the folders and add the permission using the attribute FolderId of each folder
if (-not [System.String]::IsNullOrEmpty($folderSet) )
{
    Write-Verbose "Found $(($folderSet | Measure-Object).Count) folders..."
    foreach ($folder in $folderSet)
    {
        Write-Verbose "Processing folder:$($folder.Name)..."

        $params = @{
            Identity = $Identity + ":" + $folder.FolderId
            User = $trustee.Identity
            AccessRights = $AccessRights
            ErrorAction = 'Stop'
        }
        try
        {
            Add-MailboxFolderPermission @params
        }

Note: I’m using FolderId for performance and stability reasons. Stability, as I don’t have to bother about special characters.

  • in case a permission already exists, it will be replaced with the one passed in the parameter -AccessRights by using the cmdlet Set-MailboxFolderPermission
catch
{
    if ('UserAlreadyExistsInPermissionEntryException' -eq $_.CategoryInfo.Reason)
    {
        Write-Verbose "Existing permission found. Will replace..."
        Set-MailboxFolderPermission @params
    }
  • in case you want to maintain permissions on only a subset of folders, you can use the parameter -FilterFolderPath; it filters the result set by matching this value against the FolderPath attribute
if ($FilterFolderPath)
{
    $folderSet = $folderSet | Where-Object {$_.FolderPath -Match $FilterFolderPath}
    Write-Verbose "Found the following folders for filter $($FilterFolderPath):"
    $folderSet.FolderPath
}
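
To review what a trustee can actually reach after such a recursive grant (or before a removal), the following added example lists the trustee's rights per folder; it is not part of the original post or of the author's HelperFunctions.ps1. The function name Get-MailboxFolderPermissionReport and its parameter names are assumptions, and it needs an Exchange PowerShell session; it reuses the FolderId-based identity and the FolderPath filter shown above.

```powershell
# Added example (hypothetical helper, not from the author's repository)
function Get-MailboxFolderPermissionReport
{
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Identity,  # mailbox to inspect
        [Parameter(Mandatory)] [string] $Trustee,   # user whose access is reviewed
        [string] $FilterFolderPath                  # optional regex on FolderPath
    )

    # same folder enumeration as the functions described above
    $folderSet = Get-MailboxFolderStatistics -Identity $Identity -FolderScope Inbox
    if ($FilterFolderPath)
    {
        # -match is a regex match: for a literal path that contains characters
        # such as ( ) [ ] or +, pass [regex]::Escape('<path>') as the filter
        $folderSet = $folderSet | Where-Object { $_.FolderPath -match $FilterFolderPath }
    }

    foreach ($folder in $folderSet)
    {
        $rights = 'None'
        $note   = $null
        try
        {
            $folderIdentity = $Identity + ':' + $folder.FolderId
            $entry = Get-MailboxFolderPermission -Identity $folderIdentity -User $Trustee -ErrorAction Stop
            if ($entry) { $rights = ($entry.AccessRights -join ',') }
        }
        catch
        {
            # any failure for this folder is recorded for review instead of aborting the loop
            $note = $_.CategoryInfo.Reason
        }

        [PSCustomObject]@{
            FolderPath   = $folder.FolderPath
            Trustee      = $Trustee
            AccessRights = $rights
            Note         = $note
        }
    }
}

# Example call (constructed addresses):
# Get-MailboxFolderPermissionReport -Identity 'owner@contoso.com' -Trustee 'delegate@contoso.com' |
#     Where-Object AccessRights -ne 'None' | Format-Table -AutoSize
```

Exporting the output before and after a change gives a simple record of which folders the trustee gained or lost.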

You can find both functions on GitHub, in the file I use every day at work to extend my PowerShell with functions like these:

Miscellaneous/HelperFunctions.ps1 at master · IngoGege/Miscellaneous · GitHub

I named them Add-MailboxFolderPermissionRecursive and Remove-MailboxFolderPermissionRecursive.

Conclusion

I hope you find this useful. Feedback is always more than welcome!
