
PowerShell Script to Remove Mailbox Folder Permissions

In a previous article I demonstrated how to use a PowerShell script to grant read-only permissions to an Exchange mailbox. The script achieves this by granting the “Reviewer” permission to each folder within the mailbox. In fact, it can be used to grant any mailbox folder permission or role (e.g. Owner, Editor, Contributor), not just read-only, and I have just made a minor update to the script to handle errors better.

One of the most common requests from people who use that script is how to *remove* permissions from mailbox folders.

Fortunately this is an easy task with just a few modifications to the original script. Naturally, just as there is an Add-MailboxFolderPermission cmdlet for Exchange Server, there is also a Remove-MailboxFolderPermission cmdlet.

So we can use the same approach of traversing the mailbox folder hierarchy, checking for the user in question, and removing the permissions.

Here is a sample from the script that shows how this is performed:

You can download the complete Remove-MailboxFolderPermissions.ps1 script from Github here.

And here is an example of the script in action, removing permissions for the user “Alan Reid” from the mailbox of “Alex Heyne”.
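The approach described above (walk the folder hierarchy, look for the user on each folder, remove the entry), written out as an added example. This is not the Remove-MailboxFolderPermissions.ps1 script from the article or from its GitHub repo; it is a stand-alone function that assumes an Exchange Management Shell or Exchange Online PowerShell session is already open. The mailbox and user names are hypothetical, and the folder-type exclusion list and the root-folder handling are assumptions made for this example. The folder-path normalisation (converting the "/" separators returned by Get-MailboxFolderStatistics and restoring a literal "/" that Exchange encodes as U+F8FF) is the same fix a commenter describes below.

```powershell
# Added example, not the article's script. Assumes an open Exchange PowerShell session.
function Remove-UserMailboxFolderPermissions {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(Mandatory = $true)]
        [string]$Mailbox,   # mailbox identity, e.g. alias or SMTP address (hypothetical values below)

        [Parameter(Mandatory = $true)]
        [string]$User,      # alias/SMTP of the user to remove, or the literal 'NT User:S-1-5-...'
                            # string that Get-MailboxFolderPermission shows for a deleted account

        # Folder types that do not carry user permissions and only produce "couldn't be found"
        # errors when queried (assumed list; extend it if your environment reports others).
        [string[]]$ExcludeFolderTypes = @('CalendarLogging', 'Audits', 'SyncIssues', 'Conflicts',
            'LocalFailures', 'ServerFailures', 'RecoverableItemsRoot', 'RecoverableItemsDeletions',
            'RecoverableItemsPurges', 'RecoverableItemsVersions')
    )

    # Permission entries are listed by display name, so resolve the user once for matching.
    # A deleted account will not resolve; fall back to comparing the literal string.
    $recipient = Get-Recipient -Identity $User -ErrorAction SilentlyContinue
    $displayName = if ($recipient) { $recipient.DisplayName } else { $User }

    foreach ($mailboxfolder in (Get-MailboxFolderStatistics -Identity $Mailbox)) {
        if ($ExcludeFolderTypes -contains $mailboxfolder.FolderType) {
            Write-Verbose "Skipping $($mailboxfolder.FolderPath) (type $($mailboxfolder.FolderType))"
            continue
        }

        # FolderPath uses '/' as separator and U+F8FF (63743) for a '/' inside a folder name;
        # the folder permission cmdlets want '\' separators and the literal '/' restored.
        # The root folder ("Top of Information Store") is addressed as 'mailbox:\' (assumption).
        $path = if ($mailboxfolder.FolderType -eq 'Root') { '\' }
                else { $mailboxfolder.FolderPath.Replace('/', '\').Replace([char]63743, '/') }
        $identity = "$($Mailbox):$path"

        # Read the current entries first: Remove-MailboxFolderPermission errors when the user
        # has no entry, and this also gives a record of what is being removed.
        $entries = Get-MailboxFolderPermission -Identity $identity -ErrorAction SilentlyContinue
        $match = @($entries | Where-Object { [string]$_.User -eq $displayName })
        if ($match.Count -eq 0) { continue }

        $rights = ($match | ForEach-Object { $_.AccessRights }) -join ','
        if ($PSCmdlet.ShouldProcess($identity, "Remove '$displayName' ($rights)")) {
            try {
                Remove-MailboxFolderPermission -Identity $identity -User $User -Confirm:$false -ErrorAction Stop
                Write-Verbose "Removed '$displayName' ($rights) from $identity"
            }
            catch {
                Write-Warning "Failed to remove '$displayName' from ${identity}: $($_.Exception.Message)"
            }
        }
    }
}

# Dry run first: lists every folder where the user holds an entry, removes nothing.
Remove-UserMailboxFolderPermissions -Mailbox 'alex.heyne' -User 'alan.reid' -WhatIf -Verbose
# Then the real run.
Remove-UserMailboxFolderPermissions -Mailbox 'alex.heyne' -User 'alan.reid' -Verbose
```

Because the function declares SupportsShouldProcess, -WhatIf and -Confirm work on it directly, which is the safest way to check the folder list before touching a large mailbox. Passing the "NT User:S-1-5-..." string as -User handles the deleted-account case: it will not resolve through Get-Recipient, so the literal string is compared against the entry and passed straight to Remove-MailboxFolderPermission.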

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.
Category: Exchange Server

34 comments

  1. Al says:

    Hi Paul,
    Would it be possible to remove delete and send access from Outlook? One of the employees is under investigation, but he needs to access his email to get evidence, and the company does not want the employee to send or delete any emails from his Outlook. He should be able to view his emails and print, if necessary. Is it possible?

    • Seems strange that an employee under investigation would be allowed to access the mailbox to collect evidence.

      But… you can place the mailbox on litigation hold if you want to preserve it from deletions.

  2. trank0 says:

    Hi Paul, your web is awesome, your knowledge is infinite. Please, can you tell me where those permissions are stored? Maybe in Active Directory on the security tab, or in the ADSI Editor?

    Thanks a lot.

  3. MAK says:

    Hi Paul, your posts are fabulous. I have recently come across an issue: I restored the mailboxes from a corrupted EDB file. I created a new DB and imported all the mailboxes. The problem I am having is that the users are now able to see the system folders (common view, exchange syncdata, freebusy data, etc.). Is there any way we can hide these folders from the user mailboxes? Appreciate your feedback on this.

    Thanks
    MAK

    • Sounds to me like whatever tool you used to export from the EDB also exported the hidden/system folders. When you import those from a PST they are just treated as regular folders, which are visible to the user.

      I don’t know of any easy way to clean that up.

  4. Edward says:

    When I run the script, it runs okay but at the end I get a message: The operation couldn’t be performed because ‘hrh2:Calendar Logging’ couldn’t be found. Please can you advise?

  5. Alpesh says:

    Hello Paul,

    Thank you for the script. It really does the job. We had a user who has close to 100+ folders under his inbox and this script really did the job for us. However, there was another user who has the same number of folders. Is there any way I can specify multiple users to the -User parameter?

    Regards,
    Alpesh

    • Short answer, yes. I’ve added an issue to my Github repo for that request.

      In the meantime, if you want to tackle it yourself, look into script parameters that accept multiple values, and then modify that part of the script to loop through the users.

      • Jhay says:

        I have the same case as Alpesh, would you be able to show please 🙂 Trying to go through the script but I’m quite new to scripting. Thanks a lot Paul, your site is awesome!!!

  6. Prince Rozario says:

    A Question

    In our school we would like staff to be able to see any student calendar, we have achieved this by using FullAccess permission with the Add-MailboxFolderPermission command.

    In this case the staff will also be allowed to delete a student email. Is it possible to prevent this from happening? We only need staff to be able to see student calendars and emails, not delete them.

  7. Peter Jonkers says:

    Is it also possible to delete all deleted users with this script for all the mailboxes? Removed users like S-1- etc.
    I have a bulk of mailbox permissions on mailboxes with deleted users,
    so search all mailboxes for users starting with “S-1-” and delete that user from any mailbox folder.

    regards
    Peter Jonkers

  8. Kevin says:

    Can the remove-mailboxfolderpermission cmdlet be used to remove a list of users who have access to an individual calendar?

  9. Vicky says:

    Dear Paul,

    I am using the following command to remove the Full access permission for the UserA from all the mailboxes.
    But I am being prompted for each mailbox! I have about 5000. So how can I go about it without being prompted?

    Get-Mailbox | Remove-MailboxPermission -user domainuserA -AccessRights FullAccess -InheritanceType All

    Many thanks

    Vicky

  10. Vicky says:

    Hi Paul,

    Thanks a Ton to all for help.

    I have tried

    Get-Mailbox -ResultSize Unlimited | Remove-MailboxPermission -user domainuser -AccessRights FullAccess -InheritanceType All -Confirm:$false

    But the following error is coming up for all the mailboxes:

    WARNING: An inherited access control entry has been specified: [Rights: CreateChild, Delete, ReadControl, WriteDacl, WriteOwner, ControlType: Allow]
    and was ignored on object “CN=User Name,CN=Users,DC=companydomain,DC=com”.

    Checked the permission on couple of mailboxes and user hasn’t been removed.
    Any suggestions please?

    Many thanks

    Vicky

    • Looks like you’re trying to remove a permission that is being inherited. That won’t work. You’ll need to find where it’s being inherited from (a parent object) and remove it there.

  11. DNK says:

    Hi Paul

    Your web is awesome
    I have a question: if I want to delete all users from access to a calendar so that only the Default user will be on the access list,
    do you mind showing it in PowerShell?

      • Jono Clifton says:

        I copied from you Paul how to take the variable $mailbox from the command line and then:

        $allmailboxes = Get-Mailbox -Identity $mailbox

        foreach ($allmailbox in $allmailboxes) {

            Get-MailboxFolderPermission ($allmailbox.Name + ":Calendar") | ForEach {

                # keep the built-in entries and our custom account, remove everyone else
                if (([string]$_.User -ne "Default") -and ([string]$_.User -ne "Anonymous") -and ([string]$_.User -ne "Retain Alerts")) {

                    Remove-MailboxFolderPermission -Identity ($allmailbox.Name + ":Calendar") -User $_.User -Confirm:$false -ErrorAction Stop

                }

            }

        }

        NOTE: retain alerts is a custom user we have in our exchange that needs access to everyone’s mailbox.

        This does what the previous comment wanted but has the unwanted side effect of removing custom permissions that are less restrictive than ‘Reviewer’. I use this script on a per-user basis, but to run it on the whole Exchange I need to figure out how to exclude removing permissions that are less restrictive than Reviewer.

        Not expecting you to write it, but where would I add such a line into this script? Is it possible to write, after the first IF which excludes users, another AND IF access rights is equal to LimitedDetails or AvailabilityOnly, then progress with the Remove-permission part?

        Is it too complex? It would essentially be saying IF the name isn’t one of these AND IF the access rights match the more restrictive settings.

        I’d probably add Reviewer to those that need to be removed, just to tidy things up, as all people are covered by our Default = Reviewer.
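The filter the comment above asks for (keep an allow-list of users, and only remove an entry when every right it grants is one of the restrictive roles), as an added example that is not code from the article or from the commenter. It assumes an open Exchange PowerShell session; the allow-list, the role set and the "Retain Alerts" account name are taken from the comment, and the Calendar folder is located by folder type rather than by the English name "Calendar" so that localised mailboxes are handled too (an assumption beyond what the comment shows).

```powershell
# Added example, not the commenter's or the article's code. Assumes an Exchange PowerShell session.
function Clear-RestrictiveCalendarPermissions {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Mailbox,   # a Get-Mailbox object from the pipeline, or a mailbox identity string

        # Entries whose user is in this list are never touched.
        [string[]]$KeepUsers = @('Default', 'Anonymous', 'Retain Alerts'),

        # An entry is removed only if ALL of its rights are in this set; an entry that also
        # grants Editor, Owner or a custom role is left alone.
        [string[]]$RemovableRights = @('AvailabilityOnly', 'LimitedDetails', 'Reviewer')
    )
    process {
        $target = if ($Mailbox -is [string]) { $Mailbox } else { $Mailbox.PrimarySmtpAddress.ToString() }

        # Find the default calendar by type, not by name ("Calendar" is localised in other languages).
        $cal = Get-MailboxFolderStatistics -Identity $target -FolderScope Calendar |
               Where-Object { $_.FolderType -eq 'Calendar' } | Select-Object -First 1
        if (-not $cal) {
            Write-Warning "No default calendar folder found for $target"
            return
        }
        $path = $cal.FolderPath.Replace('/', '\').Replace([char]63743, '/')
        $identity = "$($target):$path"

        $entries = Get-MailboxFolderPermission -Identity $identity -ErrorAction SilentlyContinue
        foreach ($entry in $entries) {
            $name = [string]$entry.User
            if ($KeepUsers -contains $name) { continue }

            $rights = @($entry.AccessRights | ForEach-Object { [string]$_ })
            $extra  = @($rights | Where-Object { $RemovableRights -notcontains $_ })
            if ($rights.Count -eq 0 -or $extra.Count -gt 0) {
                Write-Verbose "Keeping '$name' on $identity ($($rights -join ','))"
                continue
            }

            if ($PSCmdlet.ShouldProcess($identity, "Remove '$name' ($($rights -join ','))")) {
                try {
                    Remove-MailboxFolderPermission -Identity $identity -User $name -Confirm:$false -ErrorAction Stop
                }
                catch {
                    Write-Warning "Failed to remove '$name' from ${identity}: $($_.Exception.Message)"
                }
            }
        }
    }
}

# One mailbox, dry run: prints what would be removed and what is kept.
Clear-RestrictiveCalendarPermissions -Mailbox 'alex.heyne' -WhatIf -Verbose
# Whole organisation, once the dry run looks right.
Get-Mailbox -ResultSize Unlimited | Clear-RestrictiveCalendarPermissions -Verbose
```

Testing each right individually (rather than comparing the whole AccessRights value to one string) is what makes the "less restrictive" exclusion work: an entry such as "Reviewer, FolderVisible" is kept if any one of its rights is outside the removable set. Because the function accepts pipeline input, the per-user and organisation-wide cases are the same code with a different first command.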

  12. David says:

    Hi Paul,

    I find this script very useful however I am having issues removing Owner permission for one user.
    It seems the script runs through all folders but permissions are not being removed, with no error message.
    The user has been deleted from AD so the entry is a legacy SID; “NT User:S-1-5-21-1604199630-1702588179-1845911597-5264”
    Is there anything I need to change in the script to get this last user mailbox permission removed for the deleted user?

    Many thanks!

      • David says:

        Debugging the script reveals that the script does not seem to identify the NT user and just skips it.
        If I manually type the cmdlet: Remove-MailboxFolderPermission -Identity user":\folder name\subfolder name\subfolder name" -user "NT User:S-1-5-21-1604199630-1702588179-1845911597-5264" the permission is removed successfully, hence the syntax is correct and the NT User can be found by PS.

        Thanks for your input and if I find a solution will post it here.

      • David says:

        Issue fixed and the script is running fine now. The problem was caused by illegal characters. Changed line 85:
        $folder = $mailboxfolder.FolderPath.Replace("/","\").Replace([char]63743,'/');
        and removed lines 86-89 inclusive.
