Practical 365

How to Grant Read-Only Access to an Exchange Mailbox

September 24, 2013 by Paul Cunningham

Brian asks about granting a user read-only access to the mailbox and calendar of another user in an Exchange Server organization.

This is a common scenario and the solution is reasonably simple though perhaps not obvious.

Let’s look at the scenario of Alan Reid trying to access the mailbox of Alex Heyne. With no access configured, Alan gets an error message when he tries to open Alex’s inbox in Outlook.

To meet the requirements of this scenario we need to grant Alan read-only access to Alex’s mailbox, not full access, and without making him a delegate.

It is worth noting that the mailbox owner can configure these permissions themselves using Outlook. But I will assume that if you’re reading this you have been asked to handle it for them 🙂

Where some admins get stuck is in the Exchange Management Console, which only presents the option to grant full access to a mailbox.

Instead we need to use the Exchange Management Shell and run the Add-MailboxFolderPermission cmdlet.

The first step is to grant permissions (in this case “Reviewer”) to the “Top of Information Store”.

[PS] C:\>Add-MailboxFolderPermission -Identity alex.heyne:\ -User Alan.Reid -AccessRights Reviewer
 
RunspaceId   : 2cc2f5f2-77a3-42b6-9221-83cf24c494c6
FolderName   : Top of Information Store
User         : Alan Reid
AccessRights : {Reviewer}
Identity     : Alan Reid
IsValid      : True


Those permissions do not inherit down the mailbox folder hierarchy to existing folders (newly created folders will inherit the permissions of their parent folder though). So you still need to grant permissions for specific folders, for example the inbox:

[PS] C:\>Add-MailboxFolderPermission -Identity alex.heyne:\Inbox -User Alan.Reid -AccessRights Reviewer
 
RunspaceId   : 2cc2f5f2-77a3-42b6-9221-83cf24c494c6
FolderName   : Inbox
User         : Alan Reid
AccessRights : {Reviewer}
Identity     : Alan Reid
IsValid      : True


Or the calendar:

[PS] C:\>Add-MailboxFolderPermission -Identity alex.heyne:\Calendar -User Alan.Reid -AccessRights Reviewer
 
RunspaceId   : 2cc2f5f2-77a3-42b6-9221-83cf24c494c6
FolderName   : Calendar
User         : Alan Reid
AccessRights : {Reviewer}
Identity     : Alan Reid
IsValid      : True


This starts to get tedious if you want to grant permissions to the entire mailbox folder hierarchy. For that you would need to write a script.

Here is an example:

# Proof of concept code to apply mailbox
# folder permissions to all folders in
# a mailbox

[CmdletBinding()]
param (
    [Parameter(Mandatory=$true)]
    [string]$Mailbox,

    [Parameter(Mandatory=$true)]
    [string]$User,

    [Parameter(Mandatory=$true)]
    [string]$Access
)

# System folders that are skipped
$exclusions = @("/Sync Issues",
                "/Sync Issues/Conflicts",
                "/Sync Issues/Local Failures",
                "/Sync Issues/Server Failures",
                "/Recoverable Items",
                "/Deletions",
                "/Purges",
                "/Versions"
                )

# List every folder path in the mailbox except the exclusions
$mailboxfolders = @(Get-MailboxFolderStatistics $Mailbox | Where {!($exclusions -icontains $_.FolderPath)} | Select FolderPath)

foreach ($mailboxfolder in $mailboxfolders)
{
    # Convert "/Inbox/Sub" to "\Inbox\Sub"; the mailbox root becomes "\"
    $folder = $mailboxfolder.FolderPath.Replace("/","\")
    if ($folder -match "Top of Information Store")
    {
        $folder = $folder.Replace("\Top of Information Store","\")
    }
    $identity = "$($mailbox):$folder"
    Write-Host "Adding $user to $identity with $access permissions"
    # Errors are suppressed, so a folder that fails is skipped without any message
    Add-MailboxFolderPermission -Identity $identity -User $user -AccessRights $Access -ErrorAction SilentlyContinue
}


The full Add-MailboxFolderPermissions.ps1 script is available for download from GitHub.

[PS] C:\Scripts>.\Add-MailboxFolderPermissions.ps1 -Mailbox alex.heyne -User alan.reid -Access reviewer


So as you can see, granting read-only access to specific mailbox folders is quite simple, with just a little extra work required (or a script like the one above) to apply the permissions to all existing mailbox folders.

If you’re looking for a script to remove mailbox folder permissions I have also published Remove-MailboxFolderPermissions.ps1.
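
To check what was actually granted, the following added example (not part of the original article or the author's GitHub scripts) lists every permission entry on each folder of a mailbox and flags entries that carry more than read rights. The `-ReadOnlyRights` parameter and the output column names are assumptions made for this example; the exclusions and path conversion are the same as in the proof of concept script above.

```powershell
# Added example (not the author's code): report every folder permission entry
# on a mailbox and flag entries that carry more than read rights.
# Run in the Exchange Management Shell.

[CmdletBinding()]
param (
    [Parameter(Mandatory=$true)]
    [string]$Mailbox,

    # Assumption for this example: access rights treated as read-only.
    # Reviewer is the role used in the article; the others are individual
    # or calendar rights that allow no changes.
    [string[]]$ReadOnlyRights = @("None", "Reviewer", "ReadItems", "FolderVisible",
                                  "AvailabilityOnly", "LimitedDetails")
)

# Same exclusions as the proof of concept script
$exclusions = @("/Sync Issues",
                "/Sync Issues/Conflicts",
                "/Sync Issues/Local Failures",
                "/Sync Issues/Server Failures",
                "/Recoverable Items",
                "/Deletions",
                "/Purges",
                "/Versions"
                )

$report = foreach ($stat in Get-MailboxFolderStatistics $Mailbox)
{
    if ($exclusions -icontains $stat.FolderPath) { continue }

    # Same path conversion as the proof of concept script
    $folder = $stat.FolderPath.Replace("/","\")
    if ($folder -eq "\Top of Information Store") { $folder = "\" }
    $identity = "$($Mailbox):$folder"

    try
    {
        $entries = @(Get-MailboxFolderPermission -Identity $identity -ErrorAction Stop)
    }
    catch
    {
        # Surface folders that cannot be read instead of skipping them silently
        Write-Warning "Could not read permissions on '$identity': $($_.Exception.Message)"
        continue
    }

    foreach ($entry in $entries)
    {
        # Normalise the rights to strings so the comparison also works in remote sessions
        $rights = @($entry.AccessRights | ForEach-Object { "$_" })
        $beyondRead = @($rights | Where-Object { $ReadOnlyRights -notcontains $_ })

        New-Object PSObject -Property @{
            Folder       = $folder
            User         = "$($entry.User)"
            AccessRights = ($rights -join ",")
            ReadOnly     = ($beyondRead.Count -eq 0)
        }
    }
}

# Entries with more than read rights (ReadOnly = False) sort first
$report | Sort-Object ReadOnly, Folder, User | Select-Object ReadOnly, Folder, User, AccessRights
```

Every folder also carries Default and Anonymous entries, so the report includes them alongside the users and groups that were added explicitly.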


Comments

  1. Justatech says

    September 29, 2021 at 9:24 pm

    Hi Paul,

    Thanks a lot for that post that got me so close to my goal.

    Is it really that with Add-MailboxFolderPermission you can’t add the mailbox in Outlook as a standalone like you could when share is done with GUI (file / account setting / new) but need to add it as a second mailbox (More Settings / advanced tab / add)?
    In the last case you won’t be able to use “send as” without typing it manually.

    Reply
  2. Hendrik says

    May 18, 2021 at 7:06 pm

    How can I do this for multiple users at once? I need to grant reviewer rights for 1 user to multiple mailboxes.

    Reply
  3. Steve says

    February 20, 2020 at 8:43 pm

    Thanks for the script.

    I’m seeing an error for every folder stating “WARNING: The user “user@domain.com” is either not valid SMTP address, or there is no matching information.”

    Other searching has indicated this is because the mailbox I’m targeting is a Shared mailbox. (I don’t think it is relevant, but the environment is Office 365, not on-prem.)

    Are you familiar with this error and do you know how I may correct things to eliminate it?

    Thanks.

    Reply
    • Steve says

      February 20, 2020 at 8:53 pm

      Never mind – you can delete my question if you’d like. Turns out I was mistaken. The mailbox I was targeting was a user mailbox, but the *User* I specified is a Shared Mailbox. So that explains that.

      Reply
  4. vicky says

    June 26, 2019 at 4:17 am

    Hello,
    After we run the folder permission command, how do we add the user account to our mailbox without full access? I am almost there but a bit confused. Can you please tell me how to add the user account to our Outlook client?

    Thanks

    Reply
  5. DoReMi says

    December 15, 2018 at 8:48 am

    I am getting the following error

    WARNING: No snap-ins have been registered for Windows PowerShell version 5.

    Reply
    • premax says

      September 18, 2019 at 9:25 pm

      As Bart Louwagie mentioned, comment out everything from
      #Initialize
      to
      #Script

      Reply
  6. Chris Nenzel says

    November 15, 2018 at 3:56 am

    Hi Paul! Just stumbled across this script as a result of a user request to give about 20 people read only access to an Exchange 2010 shared mailbox.

    When I run the script I get the following error:

    [PS] H:\ExchReports\MailboxFolderPermissions>.\Add-MailboxFolderPermissions.ps1
    : Missing ‘)’ in method call.
    + CategoryInfo : ParserError: (CloseParenToken:TokenId) [], ParseException
    + FullyQualifiedErrorId : MissingEndParenthesisInMethodCall

    Any idea why?

    Thanks!

    Reply
    • Chris Nenzel says

      November 15, 2018 at 4:07 am

      When I ran the command from my workstation in EMS it didn’t give me the position of the error but when I ran it from an Exchange server it did…

      EMS states the script has an error at PS1:113 char:34 which is in the line $folder = $folder.Replace(“\Top of Information Store”,”\”) between the ” and the \ if I’ve counted correctly. The exchange server complains about the same error in the remove script…

      I’m not savvy enough to figure this out on my own. Hoping someone will chime in with a reply on how to fix this.

      Reply
      • Tim says

        September 15, 2020 at 11:51 pm

        In the script files downloaded from GitHub, there are smart-quote characters in the line below that PowerShell doesn’t parse correctly:

        $folder = $folder.Replace(“\Top of Information Store”,”\”)

        Replace them with standard double quote characters to fix it.

        My PowerShell reported the error as follows:

        At Remove-MailboxFolderPermissions.ps1:107 char:34
        + $folder = $folder.Replace(“\Top of Information Store”,”\ …
        + ~
        Missing ‘)’ in method call.

        Reply
  7. Alex says

    November 14, 2018 at 12:30 am

    Hi Paul,
    Thanks a lot from Toronto.
    Your script was a huge help, thanks again,
    For folks using Exchange 2016 just edit the line for Exchange Management Snapin with below
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn

    Reply
    • Bart Louwagie says

      June 29, 2019 at 1:12 am

      Thank you for this clear script!

      When connecting via IE or Edge to Exchange Online (Office 365) by using the admin https://outlook.office365.com/ecp/?rfr=Admin_o365 , going to hybrid > Configure > Connect-EXOPSSession, I get the same WARNING: No snap-ins have been registered for Windows PowerShell version 5 and nothing seems to execute.

      Here is how I solved it: I commented out the Initialize section about lines 68-94, basically running only the part after
      #……………………………..
      # Script
      #……………………………..

      Reply
  8. Marc says

    August 22, 2018 at 7:12 pm

    Hi Paul,

    I hope you still follow this thread, since you first published it FIVE years ago!

    We need to move away from Exchange to Gsuite by command of our New Overlords who have bought our company.

    There are two things that don’t quite work with your wonderful script (a true life-saver, no, time-saver!)

    If the sub-folder contains a forward slash, I get a warning that it can’t find the folder.
    E.g. “user:Inbox\cashflow/balances”

    Also the script is very English-oriented. It can’t perform the operation on French, German, Polish and Dutch “Top of Information Store”s. Is there a common solution for this, or do the Top of Information Store names need to be specified for each individual language?

    French: Partie supérieure de la banque d’informations
    German: Oberste Ebene des Informationsspeichers
    Polish: Folder nadrzędny magazynu informacji
    Dutch: Bovenste map van gegevensarchief

    I hope you, or anyone else with some scripting knowledge can help me out.

    Best regards,
    Marc

    Reply
    • Marc says

      August 23, 2018 at 6:10 pm

      Huh, that last bit is simple: just copy the bits between the curly brackets where it deals with the Top of Information Store, replacing said text.

      The forward slash seems to be tricky as it replaces all forward slashes with backslashes? Not sure though.

      Reply
      • Marc says

        August 23, 2018 at 10:39 pm

        $folder = $folder.Replace(“”,”/”)

        Heh, just copy the question-mark-in-a-box from the output into the script and hey presto!

        Reply
  9. Mike says

    August 18, 2018 at 6:32 pm

    Hello

    I used this script to give a user limited permissions to another mailbox in Office 365 but the user can’t open the mailbox. OWA gives the error OwaExplicitLogonException if I try to open the mailbox and Outlook tells me a client process failed.

    Can you help?

    Reply
  10. Ario says

    July 16, 2018 at 6:53 am

    Hi Paul,

    Thanks for sharing this article,

    When I run this command to give reviewer access to another user mailbox, I receive this error:

    The operation couldn’t be performed because ‘user:\Inbox’ couldn’t be found.
    + CategoryInfo : NotSpecified: (:) [Add-MailboxFolderPermission],
    + PSComputerName : outlook.office365.com

    This does not work for any of my users’ mailboxes

    What is the issue?

    Thanks

    Reply
  11. Stef V says

    April 4, 2018 at 8:14 pm

    Just a quick question regarding online archive. The current script changes the permissions of the mailbox of the user, not the permissions of his/her online archive… What do I need to change to also include the online archive folders in the script?

    Reply
  12. Fathi says

    February 4, 2018 at 8:08 pm

    Thanks for your great efforts

    How can I share a folder under the Contacts folder in Exchange 2010?

    Reply
  13. Brian says

    December 12, 2017 at 1:04 am

    Oh, sorry… the why… We are migrating away from Exchange to another platform, but two things are making the migration more difficult than necessary: (1) some users may be using Exchange intentionally to thwart the efforts and (2) many users have multiple devices that are (probably) unwittingly connecting to Exchange.

    Creating the transport rule that rejects all messages sent from within the organization solves the sending problem, but I also have some users who are still creating, modifying, and deleting events from their calendars and complaining that other users aren’t getting meeting invitations, etc. (Yes, we actually have users who are that technologically challenged. Unfortunately, we have a fairly liberal BYOD ‘policy’ so that complicates things exponentially.)

    The best solution would be to revoke access for all BYODs, but the IT department does not make policy decisions and if I did that, I’d be looking for a new job next week. 🙂

    Reply
    • Paul Cunningham says

      December 12, 2017 at 6:47 am

      I think you’re out of luck. If it was a business process thing, e.g. something that you should be using a shared mailbox for, that would probably have a solution.

      What you’ve described is simply a human problem. IT is often not empowered to fix those, especially if you can’t do anything impactful like blocking mobile devices. I would just do my best to provide the information and education to help users during the transition process, and live with the disruption until the project is complete.

      Reply
  14. Brian says

    December 8, 2017 at 11:48 pm

    Hi Paul!

    I have need to take away a user’s ability to create/edit/remove events on their own calendar. I think I’m close, but something is missing.

    If I’m working on usr1’s box, I am trying this…
    Add-MailboxFolderPermission -identity usr1\Calendar -user usr1 -AccessRights Reviewer
    Add-MailboxFolderPermission -identity usr1\Calendar -user usr2 -AccessRights Owner

    These complete successfully with…
    Calendar usr2 {Owner}
    Calendar usr1 {Reviewer}

    However, usr1 can still modify his/her calendar. Any suggestions?

    Thanks!!!

    Reply
    • Brian says

      December 8, 2017 at 11:49 pm

      Hmmm, not sure what happened to the colons, but they are present in my script.

      Reply
    • Paul Cunningham says

      December 9, 2017 at 7:21 am

      I’ve never seen a solution that prevents a person from managing their own calendar.

      Reply
      • Brian says

        December 10, 2017 at 7:13 pm

        Ok, thanks… Is it possible to remove the calendar folder and still leave the rest of the mailbox intact? (P.S. Thanks for such a quick reply!)

        Reply
        • Paul Cunningham says

          December 11, 2017 at 6:54 am

          Remove the calendar from the mailbox? No, I don’t think there is a way to do that.

          Maybe if you explain your actual requirements here I can make some other suggestion.

          Reply
          • Brian says

            December 11, 2017 at 4:29 pm

            I need to prevent users from using (modifying) their Exchange calendars from either Outlook (Mac/Win), OWA, or other mail clients, including those on iOS/Android.

            Yes, it would be ideal to just train them, but unfortunately that doesn’t seem to be 100%, or even 75%, effective.

          • Brian says

            December 11, 2017 at 4:42 pm

            Actually, in this case, what would solve this problem (and another which was solved in a different way) is if I could make the whole mailbox read-only for this group of users. Ideally, they should not send/delete emails or modify calendar events. Can I give ownership of the entire mailbox to another user (admin acct) and make the original owner to be just a reviewer of their own mailbox?

            I had already solved the problem of denying the sending of mail with a transport rule, but if I could just give them read-only access to their own mailboxes (and calendars) that would solve all of my problems.

            I know all too well how little time there is and how precious it is. I do appreciate yours!

          • Brian says

            December 11, 2017 at 4:49 pm

            FYI, it was the following article which led me to your site, but unfortunately I have the same issue as the OP, but his question was never actually answered even though an answer was marked as correct.

            https://social.technet.microsoft.com/Forums/exchange/en-US/86e77240-617a-4d89-822e-e2b983ef18a6/how-to-configure-mailbox-readonly-access-for-mailboxs-owner-on-exchange-server-2010

          • Paul Cunningham says

            December 11, 2017 at 10:25 pm

            But why? I’m no closer to understanding what business reason there is for this? Maybe there is an alternative solution, one that is possible to achieve from a technical standpoint.

            Owners can access their own mailbox and mailbox folders, that is the reality you should start from. I don’t think you’re going to get any joy from trying to stop owners accessing their own mailbox.

  15. David Geiger says

    October 28, 2017 at 1:59 am

    Hi, Paul- can I get more granular with this? I have to do custom permissions. My users need “Contributor” plus Read – Full Details.

    Is that possible with this script? Thanks!

    This is awesome, btw.

    Reply
  16. aldo says

    August 12, 2017 at 1:00 am

    Ok thanks, not sure if this has been answered. But I can grant access. That works. But if I want the person to see the inbox on the left pane in Outlook, how is that done?

    They lose access to the folder as soon as they do anything else in Outlook

    thanks

    Reply
    • Paul Cunningham says

      August 12, 2017 at 4:33 pm

      When you grant access using folder permissions there’s no auto-mapping of the mailbox. You will need to manually add the mailbox as an additional mailbox in the user’s Outlook profile.

      Reply
  17. Matt Freshwater says

    July 27, 2017 at 6:25 am

    Hello,

    I was wondering if someone could please explain what I need to change in this script to only apply to calendars? I know when I write the command in PS it’s -User email@email.com:\calendar but I don’t know where to add the “:\calendar” in this script. Thank you in advance for your help.

    Matt

    Reply
    • Paul Cunningham says

      July 27, 2017 at 11:15 pm

      If you only want to apply it to calendars you don’t really need to use the script do you? There’s a one-line command shown in the article above for applying permissions to calendars only.

      Reply
      • Matt Freshwater says

        July 28, 2017 at 12:41 am

        No, not necessarily, however, this script is very helpful if I need to do it time and time again. It could save me time by only needing to enter the mailbox, user account, and access level. It also gives my other IT staff members a way to change permissions via PS if I am away (it’s just easier). For some reason in my organization calendar permissions are constantly changing. It would just be a big help.

        Thanks for the quick response, Paul.

        Reply
        • Paul Cunningham says

          July 28, 2017 at 10:10 am

          Ok. You could probably cut the script down to just a couple of lines that takes the mailbox name as input and then runs the two commands to add the permissions to the mailbox root and then to the calendar folder. Most of the logic in the script is required for looping through the entire list of mailbox folders (except for the exclusions), so you don’t need all that.

          Reply
          • Matt Freshwater says

            July 29, 2017 at 12:47 am

            Thanks Paul. Would you be able to help me do that? I’m not versed in PS scripting. Thank you in advance.

            Have a great weekend!

            Thanks,

            Matt

          • Paul Cunningham says

            July 29, 2017 at 1:33 pm

            This is an example of an excellent learning opportunity then. Adjusting other people’s scripts and code samples for your own needs is a great place to start.

          • Matt says

            August 2, 2017 at 12:58 am

            I have tried playing with this script, other scripts (hence my need for my original post), but my lack of experience in PowerShell makes it very difficult to know if I’m even going in the right direction. This is an excellent opportunity for a teaching moment 😉 If you don’t care to, that’s fine. I won’t die without this script working the way I need it to, it just saves time.

          • Paul Cunningham says

            August 2, 2017 at 8:49 am

            I recommend the PowerShell “month of lunches” book as the best place to start. You’ll learn a ton just from the first few hours you spend on it. There’s also great PowerShell courses on Pluralsight covering fundamentals, scripting, toolmaking, advanced functions, there’s even one on Exchange admin using PowerShell by yours truly.

            The resources are all there, and to put it as friendly but bluntly as I can, it’s 2017 and you’ve identified that your PowerShell experience is lacking. You need to fix that ASAP. I don’t mind providing scripts for more complex stuff here but the basics are something everyone needs to learn.

            Start with the resources above. In a month you’ll wonder how you lived without PowerShell and you’ll be saving time on this task and many, many more. I have never met an IT pro who regrets investing time in learning PowerShell.

      • Wilfred says

        August 14, 2020 at 4:37 am

        Hi Paul, to shorten it, why not use the identity instead of folderpath?

        $mailboxfolders = (Get-MailboxFolderStatistics $Mailbox | Where {!($exclusions -icontains $_.FolderPath)}).identity

        foreach ($mailboxfolder in $mailboxfolders)
        {
            if ($mailboxfolder -match "Top of Information Store") {
                $folder = $mailboxfolder.Replace("\Top of Information Store",":\")
            }
            else {
                $folder = $mailboxfolder.Replace("\",":\")
            }
            $folder
        }

        Seems simpler.

        Reply
  18. Greg says

    April 25, 2017 at 2:54 am

    Get-MailboxStatistics sometimes “replaces” characters in the folders’ names if they contain illegal characters. I have seen references that both the “\” and “/” characters are not allowed. (Why does Exchange allow users to create folders that contain illegal characters… Another topic, I am sure.) So the “folder name” returned by Get-MailboxStatistics cannot be used in the pipeline:

    jones:\archive\Inbox\Inbox\Conferences\2016\Spurs San Antonio, TX 11?6-7?16
    The operation couldn’t be performed because ‘jones:\archive\Inbox\Inbox\Conferences\2016\Spurs San Antonio, TX 11?6-7?16’ couldn’t be found.

    I am guessing this was a “date” (11/6-7/16 -or- 11\6-7\16), but how can I use the results/output from Get-MailboxStatistics for any other command?

    Using .FolderPath becomes an issue. I am trying to figure out the .FolderID property, hoping it will work better in the pipeline…

    Reply
  19. Azer says

    January 30, 2017 at 8:55 pm

    Hello, Paul.
    Thank you for a great script.
    I have a question – what is the reason to exclude the folders listed in $exclusions?
    Thanks
    Azer

    Reply
    • Paul Cunningham says

      January 30, 2017 at 9:17 pm

      To exclude some system folders that users typically would not need access to, and also to demonstrate how to exclude folders if your scenario requires it.

      Reply
  20. Rick Shepard says

    January 17, 2017 at 12:45 pm

    Thank you Paul for all of your great articles. I have found them extremely helpful, to the point and relatively easy to follow. I am also happy to see they are kept current as I only recently moved up to Exchange 2013 from 2007.

    Rick

    Reply
  21. Suriya says

    November 30, 2016 at 8:27 pm

    I did try to give the top information as reviewer and give an “owner” on one of the folders (created as subfolder).

    When I tried to open that folder by adding the mailbox as additional, I couldn’t expand the folder

    How long shall i wait?

    Reply
  22. Antonio says

    October 5, 2016 at 10:25 am

    Hi Paul,

    Love your work!! Really helping me out in my new role, with simplifying things and automating tasks.

    With this script, it is overwriting the previous permissions;

    For example,

    I have a reviewer group already with review access on all folders, when I run the script for a new group to be added, it just overwrites the previous.

    Is there a way to add a new group without overwriting the existing?

    Hope that makes sense.

    Cheers.
    A

    Reply
    • Paul Cunningham says

      November 30, 2016 at 9:51 pm

      That’s not the behavior I get. I can’t think why adding another user/group would remove any other user/group permissions already on the folder.

      Reply
  23. Gav says

    September 22, 2016 at 9:55 pm

    thanks much appreciated

    Reply
  24. Gav says

    September 22, 2016 at 8:49 pm

    Hi Paul,

    I am trying to grant reviewer access to the Default user on all calendars in our Exchange 2013 org. I’m using the following script but it just sits there with two arrows like it’s waiting for another value. Any ideas what I am doing wrong?

    Get-Mailbox -resultsize unlimited -RecipientTypeDetails UserMailbox | ForEach {Set-MailboxFolderPermission -Identity “$($_.alias):Calendar” -User default-AccessRights “Reviewer”

    Reply
    • Paul Cunningham says

      September 22, 2016 at 9:28 pm

      You’ve opened a curly brace and then you haven’t closed it again.

      Reply
  25. Alexis Crawford says

    June 22, 2016 at 7:59 am

    Great article, that’s for sure. Paul, not too sure if I can import a list of users and have the script execute on each user.

    import-csv C;path | then I’m not too sure how to go about it.

    I’m sure it can be done just not too sure of the syntax.

    Reply
  26. Keshav says

    June 18, 2016 at 8:55 am

    Good Article Paul 🙂

    Reply
  27. Manish Kumar says

    May 17, 2016 at 2:42 am

    Hi All,

    How can I provide reviewer access to a security group? I have a request to provide reviewer access to one shared mailbox to everyone in the organization. Can it be done? If yes, please guide.

    Reply
  28. Josh Smith says

    May 13, 2016 at 3:46 am

    Hi Paul,
    These scripts are great! I’m very new to using PowerShell and I only understand about 5% of what is in your scripts but I’m slowly figuring things out. I even managed to modify one for a set-mailboxfolderpermissions.
    We have a mailbox set up for archiving email with thousands of folders. Each project has its own set of folders.
    Anyway, I have a user group that currently has publishing author access rights but I need to modify it so nothing can be deleted. As far as I can tell there is no “-accessrights deletenone”. What I think I’ve figured out is I need to give them Reviewer access rights and then set createitems,createsubfolders,editowneditems on. It appears, however, that I can’t enter a string of commands into your script. Is there any way to modify the script to accept this or any other work around that you could suggest? I’m so close to being finished, it’s just this one last obstacle. 🙂
    Looking forward to your response.
    Thanks,
    Josh.

    Reply
    • Josh says

      May 13, 2016 at 4:34 am

      Well, in the process of typing up my original message, a thought occurred to me and it appears to have worked. I took out $access from the command line and replaced it with the string of access rights I needed. It didn’t matter what permission I applied at the prompt.

      Regardless, thanks for your help! Your scripts have been invaluable. 🙂

      Reply
  29. Steve says

    April 14, 2016 at 12:57 am

    Got it… thanks!

    Reply
  30. Steve says

    April 13, 2016 at 7:02 am

    Thank you – though now that I think about it a bit more, I think maybe what I really wanted to ask was, is there a way to programmatically add the mailbox via the powershell script (like with manage full access permissions within Exchange), rather than manually adding it via Outlook?

    Reply
    • Paul Cunningham says

      April 13, 2016 at 4:16 pm

      No, auto-mapping doesn’t work when you grant access as folder permissions.

      Reply
  31. Steve says

    April 8, 2016 at 4:28 am

    Hi Paul,

    Great article – it’s now April of 2016 and the article you wrote back in September of 2013 is still helping people!

    Now we are finally able to apply read only permissions to a disabled Exchange account; however, my question is this – generally when we disable accounts, our procedure dictates that we ‘hide’ the Exchange mailbox. The issue here, is that when you hide a mailbox, you can’t add it via the account settings within Outlook. Do you know of a way to add an account to Outlook without ‘un-hiding’ said account?

    Reply
    • Paul Cunningham says

      April 8, 2016 at 12:06 pm

      No, you’ll need to unhide it temporarily.

      Reply
  32. Galin says

    February 23, 2016 at 12:24 am

    This is a very useful article and script, however I am thinking that if the original user creates additional folder in his/her mailbox, the user who has reviewer access will not see the new folder. I haven’t tested it but it seems logical as access is granted per folder.

    Reply
    • Paul Cunningham says

      February 23, 2016 at 12:35 pm

      From the article…

      “permissions do not inherit down the mailbox folder hierarchy to existing folders (newly created folders will inherit the permissions of their parent folder though)”

      Reply
      • Galin says

        February 26, 2016 at 1:00 am

        Thanks Paul, I missed that one out, however I tested and it works.

        Much appreciated

        Reply
  33. Jon Morgan says

    February 12, 2016 at 2:14 am

    I’ve got a weird one…

    I’m trying to grant access to a group of users (Group A), allowing full access (Pub Ed) rights to a specific calendar folder only in User A’s mailbox. So I’ve added Group A to the TopOfInfoStore with “Folder Visible” of User A’s mailbox, then I’ve added Group A to the permissions of only the specific calendar folder with PubEd rights.

    When I log on as a user who is a member of Group A, add User A’s mailbox as an additional mailbox to the Outlook profile, the mailbox appears. I can open it and see all the sub-folders (great), I can open the specific calendar folder and see, create and edit (great), I can see the contents of all the mail folders (not so great), I can delete any item in the folders I care to (REALLY not great!).

    I’ve also noticed, if I add an item to the specific calendar folder and then open it again, down in the bottom right it says “Last modified by User A”, when I was expecting “Last modified by [user who is member of Group A]”, which leads me to suspect I’m being allowed access to everything in User A’s mailbox, because somehow my access is being granted via ‘impersonation’ of User A somehow???

    Any tips appreciated…

    Reply
  34. Lamees says

    November 30, 2015 at 8:58 pm

    Dear Paul

    I would like to thank you for sharing your knowledge with us 🙂

    My problem is slightly different. When I granted the user (reviewer) permission, he can’t delete or add new items (which is great), but the problem is that he can reply and forward the email to everyone, and the big problem is that he can pick any user from the address book in the (from) field!

    Kindly, can you help me on that issue?

    Regards,
    Lamees

    Reply
  35. Robert says

    October 13, 2015 at 2:04 pm

    Paul,

    I am confused on why your -Identity and -User values show alan reid when you typed different values for each?

    Also I can’t remove this:

    RunspaceId : e8dde2df-9e33-4145-a37a-9046a871f47b
    FolderName : Top of Information Store
    User : John Adams
    AccessRights : {Editor}
    Identity : John Adams
    IsValid : True

    Every time I try, it keeps saying that there is no existing permission entry found for user: John Adams. In the above example I granted mailbox permissions on a conference room mailbox.

    Thanks,
    Robert

    Reply
  36. yogesh says

    September 2, 2015 at 11:48 pm

    Hi I have Exchange 2013 and tried adding the read only permissions for a Resource (Room) for a user. Used the command as such

    Add-MailboxFolderPermission -Identity abc: -User xyz-AccessRights Reviewer

    Add-MailboxFolderPermission -Identity abc:Calendar -User xyz-AccessRights Reviewer

    Then I ran this command to check permissions

    Get-MailboxPermission abc

    But I don’t see XYZ user anywhere with Reviewer permissions. I see all the users whom I have given full access permissions from Exchange Control Panel but not this user. Is there any other way to give a user ReadOnly permissions for a Room Calendar?

    Reply
  37. Mike DiVergilio@cox.com says

    August 28, 2015 at 3:32 am

    Paul, one thing I added was to first check the current permissions on the folder and if the user had permissions already set, I would modify them instead. This prevented the script from throwing an error if permissions were already defined on the folder. I also have the script sending the requesting individual a html formatted email with the steps to add the mailbox through Outlook

    (code removed)

    Reply
    • Mike DiVergilio@cox.com says

      August 28, 2015 at 3:35 am

      Pasting the above information pulled the HTML code out of the function, I can email you the complete code if interested.

      Reply
      • Paul Cunningham says

        August 28, 2015 at 10:04 am

        There’s also Github 🙂

        https://github.com/cunninghamp/Powershell-Exchange/tree/master/MailboxFolderPermissions

        Reply
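The check-then-modify approach described in the comment above, as an added example (not Mike's removed code and not the article's script): it looks up any existing entry, uses Set-MailboxFolderPermission when one exists and Add-MailboxFolderPermission otherwise, and returns a per-folder status instead of suppressing errors. The function names are hypothetical; the mailbox and user in the usage comment are the ones from the article.

```powershell
# Added example, not the article's script. Run in the Exchange Management Shell.
# Function names are hypothetical; the cmdlets are the ones discussed in this thread.

# Folders the article's script skips.
$exclusions = @('/Sync Issues', '/Sync Issues/Conflicts', '/Sync Issues/Local Failures',
                '/Sync Issues/Server Failures', '/Recoverable Items', '/Deletions',
                '/Purges', '/Versions')

# Applies $Access for $User on one folder and returns Added, Updated or Unchanged.
function Set-FolderAccess {
    param (
        [Parameter(Mandatory = $true)] [string]$Identity,   # e.g. 'alex.heyne:\Inbox'
        [Parameter(Mandatory = $true)] [string]$User,
        [Parameter(Mandatory = $true)] [string]$Access
    )

    # Looking up a user with no entry on the folder raises an error, so only this
    # lookup is kept quiet. The Add-/Set- calls below use -ErrorAction Stop.
    $existing = Get-MailboxFolderPermission -Identity $Identity -User $User -ErrorAction SilentlyContinue

    if (-not $existing) {
        Add-MailboxFolderPermission -Identity $Identity -User $User -AccessRights $Access -ErrorAction Stop | Out-Null
        return 'Added'
    }

    $current = @($existing.AccessRights | ForEach-Object { $_.ToString() })
    if ($current.Count -eq 1 -and $current[0] -eq $Access) {
        return 'Unchanged'
    }

    Set-MailboxFolderPermission -Identity $Identity -User $User -AccessRights $Access -ErrorAction Stop | Out-Null
    return 'Updated'
}

# Walks every folder of $Mailbox and emits one object per folder with its status.
function Grant-MailboxFolderAccess {
    param (
        [Parameter(Mandatory = $true)] [string]$Mailbox,
        [Parameter(Mandatory = $true)] [string]$User,
        [Parameter(Mandatory = $true)] [string]$Access
    )

    $folders = Get-MailboxFolderStatistics -Identity $Mailbox -ErrorAction Stop |
        Where-Object { $exclusions -notcontains $_.FolderPath }

    foreach ($folder in $folders) {
        # Folder statistics report '/Inbox/Sub'; the permission cmdlets expect 'mailbox:\Inbox\Sub'.
        $path = $folder.FolderPath.Replace('/', '\')
        if ($path -eq '\Top of Information Store') { $path = '\' }   # mailbox root
        $identity = "$($Mailbox):$path"

        try {
            $status = Set-FolderAccess -Identity $identity -User $User -Access $Access
        }
        catch {
            # Surface the failure so a run that changed nothing is not mistaken for success.
            $status = "Failed: $($_.Exception.Message)"
        }

        New-Object PSObject -Property @{ Folder = $identity; Status = $status }
    }
}

# Usage:
# Grant-MailboxFolderAccess -Mailbox alex.heyne -User Alan.Reid -Access Reviewer |
#     Where-Object { $_.Status -like 'Failed*' }
```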
  38. Frakse says

    July 29, 2015 at 10:57 am

    Hi Paul,

    What a kind heart you have to share such amazing knowledge for the benefit of us who are not too tech savvy; I believe even other IT pros too will definitely need this.

    Thanks and thumbs up to you.

    Frakse of Papua New Guinea

    Reply
  39. Hendri de Vries says

    July 9, 2015 at 8:25 pm

    Due to HTML formatting I reformatted my question;

    Hi Paul,

    First of all, great article!

    I have a question about the permission inheritance of the “Top of Information Store”.
    I’m having a folder called ex-employees. A current colleague, called colleague1, needs to access this folder ( reviewer permission )

    I set this permission by; Add-MailboxFolderPermission -Identity ex-employees: -AccessRights Reviewer -User colleague1

    The following step will be to give colleague1 rights to the folder of the ex employee, this by doing; Add-MailboxFolderPermission ex-employees:ex-employee1 -AccessRight Reviewer –User colleague1
    So far so good!

    Then the next colleague sadly leaves the company and has his box made available in the ex-employees mailbox archive.

    Colleague2 needs to review ex-employee2’s old email;

    Add-MailboxFolderPermission -Identity ex-employees:ex-employee2 -AccessRights Reviewer -User colleague2

    and to the subfolder of ex-employee2

    Add-MailboxFolderPermission ex-employees:ex-employee2 -AccessRight Reviewer –User colleague2

    Due to the inheritance of accessrights of the top of information store, colleague1 will have access to both folders; ex-employees:ex-employee1 and ex-employees:ex-employee2

    So the question is;

    – How can I disable the inheritance of accessrights on the top of information store so the above situation will not occur?

    Kind regards,

    Hendri de Vries

    Reply
  40. Hendri de Vries says

    July 9, 2015 at 8:13 pm

    Hi Paul,

    First of all, great article!

    I have a question about the permission inheritance of the “Top of Information Store”.
    I’m having a folder called ex-employees. A current colleague, called colleague1, needs to access this folder ( reviewer permission )
    I set this permission by; Add-MailboxFolderPermission -Identity ex-employees: -AccessRights Reviewer -User
    The following step will be to give colleague1 rights to the folder of the ex employee, this by doing; Add-MailboxFolderPermission ex-employees: -AccessRight Reviewer –User
    So far so good!

    Then the next colleague sadly leaves the company and has his box made available in the ex-employees mailbox archive.

    Colleague2 needs to review ex-employee2’s old email;

    Add-MailboxFolderPermission -Identity ex-employees: -AccessRights Reviewer -User

    and to the subfolder of ex-employee2
    Add-MailboxFolderPermission ex-employees: -AccessRight Reviewer –User

    Due to the inheritance of accessrights of the top of information store, colleague1 will have access to both folders; ex-employees: and ex-employees:

    So the question is;

    – How can I disable the inheritance of accessrights on the top of information store so the above situation will not occur?

    Kind regards,

    Hendri de Vries

    Reply
  41. Stephen says

    June 23, 2015 at 1:30 am

    Have you had any luck with applying the same Read Only Script to the Users Archive mailbox?

    Reply
  42. Jay says

    June 5, 2015 at 1:08 am

    Hello –

    Good stuff as always Paul!

    I tried adding the -automapping $True parameter into the script but get back a warning that a positional parameter cannot be found that accepts the argument ‘-AutoMapping’. Below is where I added the parameter. Is this possible to achieve? One nice thing about full access is automapping and not having to track down end users and walk them through how to add the mailbox manually.

    Add-MailboxFolderPermission -Identity $identity -User $user -AccessRights $Access -Automapping $true -ErrorAction STOP
    }
    catch
    {
    Write-Warning $_.Exception.Message
    }
    }

    #……………………………..
    # End
    #……………………………..

    Reply
    • Paul Cunningham says

      June 5, 2015 at 9:26 am

      There’s no -AutoMapping parameter for Add-MailboxFolderPermission.

      Reply
  43. Frank says

    May 27, 2015 at 1:37 pm

    Hi Paul,

    Thanks again for such a handy script. I had the same issue trying to add a Universal SG to the folder permissions.

    I was pulling my hair out with >100 users abusing me they can’t open their Social mailbox while I was running over and over the script saying the permissions were added successfully but they weren’t.

    Then I realised that the script had SilentlyContinue on the ErrorAction switch and it wasn’t reporting the error. I mail-enabled the SG, re-ran the script and became the hero of the day in the Server department. 🙂

    Reply
  44. Jerry Loyd says

    May 8, 2015 at 3:53 am

    Does anyone have experience with this on Office 365? The same instructions all work, but what I’m seeing is that “FolderVisible” ended up giving FullAccess to the user who just wanted to see one subfolder.

    After that, every attempt to remove all access is just not working. It’s like once the deed is done, you can’t undo it.

    Reply
  45. Duncan Bachen says

    March 17, 2015 at 2:21 am

    The problem that I’ve run into is that add-mailboxpermission allows you to supply a Security Group, but add-mailboxfolderpermission does not. It has to be a user.

    This seems to be a change from 2010 to 2013, and there are plenty of folks who are supplying syntax for add-mailboxfolderpermission saying you can supply a group, but it doesn’t work.

    It even says so in the TechNet syntax:

    The User parameter specifies who’s granted permission to view or modify the folder contents of the user specified in the Identity parameter. This parameter accepts only users and distribution lists that have SMTP addresses. Security Groups are not allowed. The following values are acceptable:
    Alias
    SMTP address

    Holds true for both Domain Local or Universal, no SG works.

    Hoping there was a workaround, because managing a group mailbox is really difficult without group membership. I can’t add and remove every single person.

    Reply
    • Duncan Bachen says

      March 17, 2015 at 3:25 am

      What I was able to do was to first make the security group be universal. Then I mail-enabled it. Once it was a mail-enabled security group, you could refer to it by its SMTP address.

      I hid the group from the Exchange GAL.

      For my purposes, I was trying to grant the group reviewer access so that they could only read messages in a certain box.

      The end users in the group can now read the messages. If they delete them, they aren’t stopped, so it looks like they are deleted in the GUI, but as soon as you go back to the folder, the messages are there as if they hadn’t been deleted.

      Reply
      • Frank says

        May 27, 2015 at 1:40 pm

        Thanks Duncan. This saved my day (and probably my work).

        I’m not a highly experienced Exchange guy as you are but I’ve found that MS documentation in TechNet is so unrealistic and poorly applied to the day-to-day battles that admins face. That is the reason why I’m loving these blogs and their participants.

        Reply
  46. Junaid Abrar says

    March 10, 2015 at 2:53 pm

    Hi Paul,
    Can you please guide me on how to delegate Reviewer rights on all mailboxes? I.e. we are adding Reviewer rights on a mailbox, whereas we have a requirement to add an Audit account to review all users’ mailboxes.

    I know I can do full access using -AccessRights Full Access. But wanted to delegate only read only rights.

    Really appreciate your help, Thank you.

    Reply
  47. Milton Lopez says

    February 26, 2015 at 6:55 am

    Great one again, Paul, thanks.

    Could you please clarify what type of AD groups should be used to grant permissions to shared mailboxes (Security vs. Distribution, Global, vs. Universal)?

    There seem to be some issues with Security groups, particularly for mailboxes that were first created in previous versions of Exchange. For example, there is a discussion on this that started in 2011 and it is still open:

    https://social.technet.microsoft.com/Forums/exchange/en-US/9840fd13-daf8-45aa-ab35-4a827f1ba1e0/exchange-2010-unable-to-assign-full-access-permissions-using-a-security-group?forum=exchangesvrgenerallegacy&prof=required

    Reply
    • Paul Cunningham says

      February 26, 2015 at 8:26 am

      There’s two simple rules to remember:

      1) When applying permissions it has to be a Security group. It can be a mail-enabled Security group (and therefore act as a distribution list as well), as long as it is a Security group.
      2) When doing anything groups-related with Exchange it has to be a Universal group.

      So the answer is always to use a Universal Security Group.

      Reply
  48. Kyle Barina says

    January 21, 2015 at 4:10 am

    Thanks for the script! I had to modify it slightly:

    $folder = $mailboxfolder.FolderPath.Replace("/","\")
    $folder = $folder.Replace([char]63743,"/")

    PowerShell was replacing [char]63743 with a ? and I was getting errors on those entries.

    Reply
    • shaptoni says

      March 27, 2015 at 8:57 pm

      Super script, thanks.
      I have one issue if a folder has a / or the permissions are not granted:
      WARNING: The operation couldn’t be performed because ‘user:InboxTest ?’ couldn’t be found.
      WARNING: The operation couldn’t be performed because ‘user:InboxTest ‘ couldn’t be found.
      WARNING: The operation couldn’t be performed because ‘user:Test ?’ couldn’t be found.
      WARNING: The operation couldn’t be performed because ‘user:Test ‘ couldn’t be found.
      I have modified the folder.replace and folderpath.replace but can’t get it to work.
      Can anyone fix this?

      Reply
      • Duncan Bachen says

        March 28, 2015 at 6:14 am

        Are you sure the problem might not be the space after “test”? Unsure if that’s the way you typed it, or if that was a copy/paste.

        Reply
        • shaptoni says

          March 31, 2015 at 6:41 pm

          Thanks for the response, I have tried it with the space removed but I get the same result. Does it work for you?

          Reply
  49. Paul Cunningham says

    January 12, 2015 at 8:19 pm

    A number of people have requested a script for removing the mailbox folder permissions. I have published one now:

    https://www.practical365.com/powershell-script-remove-permissions-exchange-mailbox/

    Reply
  50. Praveen Kumar says

    January 5, 2015 at 6:51 pm

    Hi,

    Thanks for the script, it’s very useful. It’s really a great job!!!

    Can you please add one more script for revoking the permission as well? I receive requests for adding and removing as well 🙂 Hope it’s simple for you.

    Reply
  51. Scory says

    November 25, 2014 at 2:19 pm

    Hi! I am sorry for my English. Is it possible to grant read-only permissions to another user’s archive mailbox? I granted the necessary rights through Outlook (top of archive mailbox and Inbox folder), then I filled the msExchDelegateListLink attribute to make it possible for autodiscover to display this archive mailbox in Outlook, but I can’t expand the archive mailbox; I get an error “Cannot expand the folder. The set of folders cannot be opened”. Thank you!

    Reply
  52. Mohammed Maulana says

    November 21, 2014 at 12:35 am

    Hey Paul,

    Thanks for this amazing post. Your posts always help many exchange admins out there. I have got a request from one of my users and the request is, User A has full access to User B’s mailbox but User B does not want User A to create any calendar entry. Is this possible? I tried giving below command but it did not work.

    add-mailfolderpermissions -identity user B:contacts -user A -accessright reviewer

    Can you please help me here?

    Reply
  53. Conrad says

    November 12, 2014 at 3:03 pm

    Paul,

    You’re a legend! You save my day!

    Reply
  54. Andrew Lee says

    November 11, 2014 at 12:08 pm

    Hi,
    Your script just saved my day!

    I just would like to know how I remove the permission from all folders when I’m requested to remove the user as Reviewer?

    Can I use the same script but change the following?
    Add-MailboxFolderPermission -Identity $identity -User $user -AccessRights $Access -ErrorAction SilentlyContinue

    to

    Remove-MailboxFolderPermission -Identity $identity -User $user -AccessRights $Access -ErrorAction SilentlyContinue

    Reply
    • Paul Cunningham says

      November 11, 2014 at 1:32 pm

      Yes, changing Add- to Remove- should basically do the trick but I suggest testing it first to make sure it gives you the desired outcome.

      Reply
  55. Jonathan Smyth says

    October 15, 2014 at 7:38 pm

    Hi, your script was a godsend for me – previously we were just giving people full access permission to leavers’ mailboxes because it was such a pain to grant reviewer access.

    The only issue I had with your PowerShell script was that it threw an error when applying a permission to the Top of Information Store. That’s because the script was trying to run the command
    Add-MailboxFolderPermission -Identity alex.heyne:\Top of Information Store -User Alan.Reid -AccessRights Reviewer
    where it should be
    Add-MailboxFolderPermission -Identity alex.heyne:\ -User Alan.Reid -AccessRights Reviewer

    So I modified your script as follows:

    #Proof of concept code to apply mailbox
    #folder permissions to all folders in
    #a mailbox (including Top of Information Store)

    [CmdletBinding()]
    param (
        [Parameter( Mandatory=$true)]
        [string]$Mailbox,

        [Parameter( Mandatory=$true)]
        [string]$User,

        [Parameter( Mandatory=$true)]
        [string]$Access
    )

    #Folders that are skipped
    $exclusions = @("/Sync Issues",
                    "/Sync Issues/Conflicts",
                    "/Sync Issues/Local Failures",
                    "/Sync Issues/Server Failures",
                    "/Recoverable Items",
                    "/Deletions",
                    "/Purges",
                    "/Versions"
                    )

    $mailboxfolders = @(Get-MailboxFolderStatistics $Mailbox | Where {!($exclusions -icontains $_.FolderPath)} | Select FolderPath)

    foreach ($mailboxfolder in $mailboxfolders)
    {
        #Convert "/Inbox/Sub" to "\Inbox\Sub"
        $folder1 = $mailboxfolder.FolderPath.Replace("/","\")
        #Top of Information Store is addressed as "mailbox:\"
        $folder2 = $folder1.Replace("Top of Information Store","")
        $identity = "$($mailbox):$folder2"
        Write-Host "Adding $user to $identity with $access permissions"
        Add-MailboxFolderPermission -Identity $identity -User $user -AccessRights $Access
    }

    and this does the trick. Thanks again!

    Reply
    • Paul Cunningham says

      October 15, 2014 at 9:31 pm

      Good catch, thanks.

      Reply
  56. Joe says

    October 15, 2014 at 1:09 am

    Nevermind on the above question! I was able to get it to work with a “set” rather than a “update”

    Reply
  57. Joe says

    October 15, 2014 at 12:19 am

    I tried to update the “add” folder permissions of your script, so that it “update”s the existing permissions rather than trying to add permissions when an account already exists with different permissions. When I try to use the Update command it seems to break the script though, any suggestions?

    Reply
  58. hedi says

    October 13, 2014 at 9:47 pm

    Hello,

    great script 🙂

    I use it in Exchange 2013. Is this error normal:

    The operation couldn’t be performed because ‘test.mailbox:Top of Information Store’ couldn’t be found.
    + CategoryInfo : NotSpecified: (:) [Add-MailboxFolderPermission], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : [Server=mailboxserver1,RequestId=44d1cd48-8a1b-46ae-bcf6-fda199f2be50,TimeStamp=13/10/2014 10
    :32:20] [FailureCategory=Cmdlet-ManagementObjectNotFoundException] B52CDE40,Microsoft.Exchange.Management.StoreTas
    ks.AddMailboxFolderPermission
    + PSComputerName : mailboxserver1.domain.com

    and this error:

    The operation couldn’t be performed because ‘test.mailbox:Calendar Logging’ couldn’t be found.
    + CategoryInfo : NotSpecified: (:) [Add-MailboxFolderPermission], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : [Server=mailboxserver1,RequestId=6097ea46-ae18-402c-b424-3f71cdaeccf9,TimeStamp=13/10/2014 10
    :32:32] [FailureCategory=Cmdlet-ManagementObjectNotFoundException] 42945040,Microsoft.Exchange.Management.StoreTas
    ks.AddMailboxFolderPermission
    + PSComputerName : mailboxserver1.domain.com

    thanks for help

    Reply
  59. Aditya Mendiratta says

    September 22, 2014 at 3:11 pm

    Is it possible to give someone read-only access to another user’s mailbox only for OWA and not for Outlook?

    Reply
  60. Manoj says

    August 26, 2014 at 4:48 pm

    Hi Paul,

    I am facing an issue in providing shared mailbox access to all users in my domain. My shared mailbox should be visible to all users but they should only have reviewer access. Only admins should have full mailbox access. Can you please help me with this…

    Reply
  61. Ken says

    July 11, 2014 at 12:32 pm

    How about a reversal of this command, removing all Read-Only Access

    Reply
    • Paul Cunningham says

      July 11, 2014 at 1:05 pm

      As a general rule for Exchange and PowerShell, when you see an Add-* cmdlet there is a corresponding Remove-* cmdlet.

      Reply
      • Ken says

        July 11, 2014 at 1:25 pm

        was actually looking for something similar to the script .ps1 script above but what it does is to remove.

        thank you

        Reply
        • Paul Cunningham says

          July 11, 2014 at 1:57 pm

          Yep, I understand that. I’m encouraging you to tackle it as a learning exercise 🙂

          The script example above is pretty simple. If you look at the code you can see the step where it gets the folder list, then you can see where it loops through each folder adding the permissions. The same process could be used to remove permissions as well, by changing from an Add-* to a Remove-*.

          You might need to copy/paste the code into the PowerShell ISE to see it properly with all of the normal syntax highlighting.

          Give it a test run on a test mailbox before trying against any prod mailboxes.

          Reply
        • Ken says

          July 11, 2014 at 2:00 pm

          Thank you, still a noob at this.

          Reply
  62. felix says

    July 4, 2014 at 8:14 pm

    Hi Paul,

    thanks for your response. This is happening to both users still in exch 2010 and 2013.

    nice weekend.

    Reply
  63. felix says

    July 4, 2014 at 9:04 am

    Hi Paul,

    I have an Outlook 2010 client that has disconnected from the Exchange 2010 server, i.e. it keeps prompting for the Outlook password (same as the domain credentials) and even when he enters his correct password, it keeps prompting (even after resetting the password). What I did was create another Outlook profile under Control Panel, Mail and then restart Outlook, and now it can connect to the Exchange server, but the issue is that the user’s emails in the inbox and folders on his initial profile are not updated (synchronized) with this new profile. When we connect using the initial profile, the mails and the folders are all there but are not updated in his new profile here. His Outlook is cached.

    Any workaround or fix to this issue please.

    thanks, felix

    Reply
    • Paul Cunningham says

      July 4, 2014 at 7:59 pm

      Your questions have nothing to do with this particular article. You’ve got a connectivity issue and by the looks of things it has something to do with your earlier comment of moving the mailbox to 2013. My best guess is that you’ve not set up your Exchange 2010/2013 co-existence correctly.

      So you might find some tips here:
      https://www.practical365.com/exchange-2010-to-exchange-2013-migration/

      Or in the Exchange Deployment Assistant:
      http://technet.microsoft.com/en-au/exchange/jj657516.aspx

      Or if you’re still stuck, there is also the TechNet forums.

      But please don’t post unrelated questions on random articles here.

      Reply
  64. felix says

    July 1, 2014 at 10:49 am

    Hi Paul,

    I have successfully moved a user mailbox from server 2010 – 2013 and after that his outlook is disconnected, unable to connect to the exchange server. I have tried some tips but still no luck, any idea?

    thanks, felix

    Reply
  65. joakim says

    June 27, 2014 at 4:48 pm

    Hi!
    Nice tips.
    If I grant preview rights as you describe, will previously added users with granted full access still work or will this mess up their access to the mailbox?
    I mean, do I need to do the same for all users in PowerShell?

    Have a nice weekend.

    \Joakim

    Reply
  66. Jason says

    June 6, 2014 at 4:42 am

    I’m going to 2nd the question about granting the mailbox owner read only access. I have been asked for this a few times and so far the only thing I’ve come up with is connect the mailbox to another AD object, then grant the original user’s AD object read only access using Paul’s process above.

    Thoughts?

    Also want to give Paul a great thanks for this site, very useful, very professional.

    Reply
    • Paul Cunningham says

      June 6, 2014 at 9:23 am

      Exchange isn’t designed to limit a user’s access to their own mailbox. You can lock down protocols but that isn’t what you’re asking here.

      Your solution would work.

      Reply
  67. Paul Cunningham says

    June 3, 2014 at 11:19 am

    “I am the admin so I have his Windows login credentials”

    No, wrong approach.

    Adding the email account using their credentials means you are authenticating as them, which gives you full access to the mailbox.

    Grant yourself read only access (following the steps shown in the article above), then add their mailbox as a secondary mailbox in your Outlook profile, not as a secondary email account.

    The steps to perform that in Outlook are available here if you need more details:
    http://office.microsoft.com/en-au/outlook-help/manage-another-person-s-mail-and-calendar-items-HA010355561.aspx

    Reply
    • John Gordon says

      October 25, 2014 at 1:43 am

      In my situation, as the Exchange 2010 Admin I need to periodically manage meetings for our senior people. Most of the instructions come from the Outlook client direction, but I would like to be able to do that centrally either through a PS script or the management interface.

      Could a script be written that would
      -Grant access
      -Change Meeting and send updates to all participants
      -Remove access

      I would prefer not to log in to their accounts directly.

      Any help is appreciated.

      Reply
      • Paul Cunningham says

        October 27, 2014 at 10:13 am

        1) Yes, simple PowerShell script could be written to grant access. Really it is a one-liner anyway.
        2) Yes, not with Exchange management cmdlets but with Exchange Web Services
        3) Yes

        But I think you may be over-thinking this. If your job involves managing calendars for other people just make yourself a delegate for those mailboxes and you’ll have calendar management permissions.

        Reply
        • John Gordon says

          October 28, 2014 at 2:13 am

          I was able to do this by granting the Editor permission

          Add-MailboxFolderPermission -Identity USERID:\Calendar -User USERGRANTTOID -AccessRights Editor

          .. then opening the calendar in my Outlook and doing the change/update.

          I then removed the permission using the Remove-MailboxFolderPermission command.

          Would you be able to post an example script that I could customize to my environment, or is that beyond the scope of this thread?

          Reply
        • Paul Cunningham says

          October 28, 2014 at 10:52 am

          A PowerShell script is basically just a series of PowerShell commands. You’ve already worked out the commands you need to run, so turning that into a script is a pretty trivial task. If it is your first time writing a PowerShell script then it will also be a good learning exercise.

          Reply
  68. felix says

    June 3, 2014 at 11:04 am

    Hi Paul,

    I want to have access to someone’s emails and would only like to have READ only permission, I do not want to accidentally delete any mails. So from my outlook, I go to Files–>Account Settings–>Account Settings..–>E-mail ..New and add the email of the user, I am the admin so I have his Windows login credentials. After this, the user’s mail box is added under my outlook. Now I want to set READ only permission on this mail box, how can i do this?

    I have tried right click on the mail box, Properties–>Permission add myself and give permission level as Reviewer BUT this does not seem to work. I can still delete mails under his inbox.

    Please advise.

    thanks, Felix -2014

    Reply
  69. Tim says

    May 28, 2014 at 12:45 am

    Hi Paul.

    Sorry to bother you.

    I have an organization where they need 50-70 users added as reviewer to a mailbox (We’ll call it eData)

    I am not 100% certain which fields of text I am supposed to change.

    Am I supposed to change:

    [CmdletBinding()]
    param (
    [Parameter( Mandatory=$true)]
    [string]$Mailbox,

    [Parameter( Mandatory=$true)]
    [string]$User,

    [Parameter( Mandatory=$true)]
    [string]$Access
    )

    to something or am I supposed to change

    foreach ($mailboxfolder in $mailboxfolders)
    {
        $folder = $mailboxfolder.FolderPath.Replace("/","\")
        $identity = "$($mailbox):$folder"
        Write-Host "Adding $user to $identity with $access permissions"
        Add-MailboxFolderPermission -Identity $identity -User $user -AccessRights $Access
    }

    ?

    I just don’t want to mess up a mail server related to a medical related organization.

    Thanks!

    Reply
    • Tim says

      May 28, 2014 at 12:45 am

      Oh, and I am using Exchange 2010 in that org.

      Reply
      • Paul Cunningham says

        May 29, 2014 at 1:37 pm

        The short answer is that the Add-MailboxFolderPermission command would need to be looped through a list of users instead of just run against a single user.

        I’ll try and find time to expand the sample code to demonstrate that but for now that should give you enough to Google/Bing on.

        Reply
  70. Jeremy says

    May 22, 2014 at 11:40 pm

    Too bad there is no way to give Read Only permissions and have it appear in the users folder list automatically. We have 20+ people who need read only and are computer challenged 🙁

    Reply
  71. Rod says

    April 25, 2014 at 9:46 pm

    Hi!
    Great article, do you know how the command should look if I were to grant Read-Only permission for the user itself?
    E.g so the user cannot delete nor change a contact from his own contact list.

    I tried this with no luck
    Add-MailboxFolderPermission -Identity john.doe: -User john.doe -AccessRights Reviewer
    Add-MailboxFolderPermission -Identity john.doe:Calendar -User john.doe -AccessRights Reviewer

    Reply
  72. Chris says

    April 17, 2014 at 1:40 am

    Hi Paul,

    Thanks heaps for the article, very informative and straight to the point!

    There is one aspect that is still a bit unclear to me – do I need to grant the users Reviewer access rights on the Top of the IS before running the script or granting them Reviewer access on certain folders?

    I did it anyway, but it would be good to know for future reference!

    Thanks in advance for your answer!

    Cheers,

    Chris

    Reply
    • Paul Cunningham says

      April 20, 2014 at 11:46 pm

      Yes, I believe that permission at Top of IS is required for them to be able to open/expand the mailbox in their left-side Outlook pane.

      Reply
  73. Brett says

    April 12, 2014 at 9:45 am

    Hello Paul,

    Can you point me in the right direction on how to give a user ‘Delegate’ access say with ‘Author’ rights to ALL folders and subfolders?
    This has been a thorn in my side for some time. When these requests come up, I have to go into each subfolder individually and apply permissions. I have one now with 100’s.!
    Your assistance or direction would be much appreciated, Thank you.

    Reply
  74. aldwin nabua says

    April 10, 2014 at 4:24 pm

    Hi Paul,

    I’m trying to reverse the code but I’m receiving an error.

    A positional parameter cannot be found that accepts argument ‘-AccessRights’.
    + CategoryInfo : InvalidArgument: (:) [Remove-MailboxFolderPermission], Para
    + FullyQualifiedErrorId : PositionalParameterNotFound,Remove-MailboxFolderPermission

    can you help me out on this?

    Reply
    • Paul Cunningham says

      April 10, 2014 at 9:27 pm

      What is the exact command you are running?

      Reply
      • aldwin nabua says

        April 11, 2014 at 7:56 am

        The script for adding permissions to all folders … except that I had changed the Add-MailboxFolderPermission to Remove-MailboxFolderPermission

        Reply
        • Paul Cunningham says

          April 11, 2014 at 2:56 pm

          There’s no -AccessRights parameter for Remove-MailboxFolderPermission, so you’ll need to take that off your commands.

          http://technet.microsoft.com/en-us/library/dd351181(v=exchg.150).aspx

          Reply
  75. Ed says

    March 25, 2014 at 10:59 pm

    Paul – first and foremost – thank you for providing MANY useful scripts and advice over the years… I have the need to remove the read-only permissions that were set by your example script above. Kindly reply back with a solution/reverse script, it would be most appreciated.

    Thanks in advance

    Reply
    • Paul Cunningham says

      March 26, 2014 at 9:09 pm

      Add-MailboxFolderPermission is the cmdlet doing the heavy lifting there. So the reverse action is Remove-MailboxFolderPermission.

      Reply
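
The reverse operation asked about in the two threads above, as an added example that is not part of the original article or of any commenter's post. It removes one user's folder-level entries from the root and every folder of a mailbox; the `$Mailbox` and `$User` values are placeholders.

```powershell
# Added example: revoke one user's folder-level permissions across a mailbox.
# $Mailbox and $User are placeholder values (assumptions for illustration).
$Mailbox = "alex.heyne"
$User    = "alan.reid"

# Folder identities: the root ("mailbox:\") plus every folder reported by
# Get-MailboxFolderStatistics, with "/" converted to "\".
$identities = @("$($Mailbox):\")
$identities += Get-MailboxFolderStatistics $Mailbox |
    Where-Object { $_.FolderPath -ne "/Top of Information Store" } |
    ForEach-Object { "$($Mailbox):" + $_.FolderPath.Replace("/", "\") }

foreach ($id in $identities) {
    # Only touch folders that actually carry an entry for this user;
    # folders that cannot be resolved are skipped silently.
    $entry = Get-MailboxFolderPermission -Identity $id -User $User -ErrorAction SilentlyContinue
    if ($entry) {
        # No -AccessRights here: the cmdlet removes the user's whole entry.
        Remove-MailboxFolderPermission -Identity $id -User $User -Confirm:$false
        Write-Output "Removed: $id"
    }
}

# Verify: anything listed here is an entry that still exists for the user.
$identities | ForEach-Object {
    Get-MailboxFolderPermission -Identity $_ -User $User -ErrorAction SilentlyContinue
} | Select-Object FolderName, User, AccessRights
```

An empty result from the final pipeline means no folder-level entry for that user remains; mailbox-level FullAccess granted with Add-MailboxPermission is separate and is not touched by this.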
  76. Mark says

    February 27, 2014 at 6:59 pm

    Thanks Paul,

    This issue was causing me a problem and a headache; I had a few users who wanted to grant view-only access to the inbox sub folders without giving them access to the inbox itself. Needless to say, the script has been saved and I have since joined and will no doubt be catching up on more of your articles.

    Mark

    Reply
    • Purushothama says

      April 28, 2017 at 8:24 pm

      Mark, if we provide read-only access to the Inbox sub-folders, the other user can’t access the sub-folders, because we don’t have an option. We only have options for “Inbox, sentitems, calendar… etc”. No sub-folder.

      Reply
  77. Matthew Procter says

    February 26, 2014 at 8:52 am

    Paul,

    This works great for Exchange 2010. How can you do the same in Ex2007?

    Cheers

    Matthew

    Reply
    • Paul Cunningham says

      February 26, 2014 at 1:24 pm

      Looks like the Add-MailboxFolderPermission cmdlet isn’t available in Exchange 2007.

      Reply
  78. ByteMan says

    February 8, 2014 at 6:56 am

    OK, I have researched a new issue, per request from Administration.
    Exchange 2013 with Outlook 2010.
    The user has a mailbox on the Exchange 2013 server.
    This user likes to change the appointments made by the scheduling staff.
    Is there a way to make the user’s own calendar read-only?

    I only come to the conclusion that the answer is no.

    Reply
  79. Navneet Gupta says

    January 23, 2014 at 1:09 am

    Hi Paul,

    Thanks for this, but I am in a situation where you can pull me out.
    The thing is, my requirement is exactly the same, but I only need user Y to be able to see all the folders in the inbox and the inbox as well, except junk email, contacts, sent items etc., and when I add the X account in Y’s Outlook, I am not able to expand the folders. That is because I haven’t taken permission on the root of the account. So please tell me how I can take permission on the root as well as all folders in the inbox, including the inbox folder. Everything else I want to put in exclusions…

    I used the command below, but still my requirement did not succeed.

    ForEach($f in (Get-MailboxFolderStatistics X | Where { $_.FolderPath.Contains("/Clients") -eq $True } ) ) {
    $fname = "X:" + $f.FolderPath.Replace("/","\");
    Add-MailboxFolderPermission $fname -User Y -AccessRights Reviewer }

    Any help is really appreciated.
    Thanks,

    Reply
  80. Dimitri says

    January 18, 2014 at 12:42 am

    Excellent article.

    So the user who received the reviewer access will always have to go to File | Open, or is there a way that the inbox can be displayed as an additional mailbox (similarly to when you give full mailbox access) but with only the inbox showing?

    Thanks,

    Reply
    • Dimitri says

      January 18, 2014 at 12:52 am

      No need to answer this. It just hit me. Add the account from the Account Settings – Thanks.

      Reply
  81. Roberto says

    January 15, 2014 at 6:33 am

    Great article.
    I have an issue.. I can set the Reviewer access, but it also lets me do a ‘replay’ on the message..
    Is there a way to prevent the users from replying to the messages?

    Thanks

    Reply
    • Roberto says

      January 15, 2014 at 6:38 am

      I meant “Reply” not “Replay”

      Reply
    • Fedor says

      February 26, 2017 at 4:38 pm

      I’d love to hear the answer too.
      Any way to block Reply and Forward feature for read-only mailbox?

      I’m thinking on doing RMS instead.

      Reply
  82. Kottees says

    December 20, 2013 at 3:38 am

    Again, good one Paul, thanks for sharing 🙂

    Reply
  83. Manuel Pombo says

    December 10, 2013 at 4:35 am

    Great tutorial and script.
    In my organization, however, it only works if I give the user FullAccess with Add-MailboxPermission. Anything less just returns a ConnectionFailedTransientException in OWA.
    Any idea why? Already installed CU3, but the issue remains.

    Reply
    • Paul Cunningham says

      December 11, 2013 at 11:36 pm

      I see the same on my CU3 lab. Let me see if I can find out some more and come back with an update in a day or two.

      Reply
      • Ilke Cetin says

        May 27, 2019 at 11:55 pm

        Hello Paul,

        Do you have any update regarding these permissions working on OWA?

        Everything works properly in Outlook, but on OWA I can’t even open the box without full access.

        Reply
  84. vince.whiston says

    December 6, 2013 at 2:49 am

    Is there a parameter to stop the items being marked as read when another user accesses them?

    Reply
    • vince.whiston says

      December 6, 2013 at 2:51 am

      To expand: like the public folders option ‘maintain per-user read and unread information’.

      Excellent article by the way, thank you.

      Reply
      • Paul Cunningham says

        December 6, 2013 at 10:03 am

        No I don’t think so, but users can configure Outlook to behave that way.

        Reply
  85. Simon McAuley says

    December 2, 2013 at 9:28 am

    Hi Paul, great blog as usual. I’m trying to grant Reviewer access only to a sub folder of a user’s inbox. No other folders or email should be seen, or if they are, no emails are shown. Is this possible, or is the minimum access level you can set “Read Only” and therefore “Reviewer”?

    Reply
    • Simon McAuley says

      December 2, 2013 at 10:29 am

      Actually think I figured it out. You need to either move the sub folder onto the same level as the Inbox or you allow the user to see your inbox plus this folder.

      Reply
      • Paul Cunningham says

        December 2, 2013 at 10:57 am

        “FolderVisible” would be the minimum required to let someone traverse a folder hierarchy without seeing the items within.

        Reply
        • Simon McAuley says

          December 2, 2013 at 4:27 pm

          Thanks Paul, didn’t even know “FolderVisible” was an option! In our scenario what your blog said was perfect as we don’t want them to be able to see any other folders.

          Reply
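
The FolderVisible point from the thread above, shown as an added example that is not part of the original article or of any commenter's post: parents of a subtree get FolderVisible only, and the subtree itself gets Reviewer. `$Mailbox`, `$User` and `$Subtree` are placeholder values.

```powershell
# Added example: Reviewer on one subtree, FolderVisible on the folders above it.
# $Mailbox, $User and $Subtree are placeholder values (assumptions for illustration).
$Mailbox = "alex.heyne"
$User    = "alan.reid"
$Subtree = "/Inbox/Clients"   # FolderPath form, as reported by Get-MailboxFolderStatistics

# 1. Parents of the subtree (here "\" and "\Inbox") get FolderVisible only:
#    the folder can be expanded in Outlook, but its items cannot be read.
$parents = @("$($Mailbox):\")
$parts = $Subtree.Trim("/").Split("/")
for ($i = 0; $i -lt $parts.Count - 1; $i++) {
    $parents += "$($Mailbox):\" + ($parts[0..$i] -join "\")
}
foreach ($id in $parents) {
    # Add- fails if the user already has an entry on the folder;
    # Set-MailboxFolderPermission changes an existing entry instead.
    Add-MailboxFolderPermission -Identity $id -User $User -AccessRights FolderVisible
}

# 2. The subtree root and every folder beneath it get Reviewer.
$granted = Get-MailboxFolderStatistics $Mailbox |
    Where-Object { $_.FolderPath -eq $Subtree -or $_.FolderPath.StartsWith("$Subtree/") } |
    ForEach-Object { "$($Mailbox):" + $_.FolderPath.Replace("/", "\") }
foreach ($id in $granted) {
    Add-MailboxFolderPermission -Identity $id -User $User -AccessRights Reviewer
}

# 3. Review what the user now holds, folder by folder.
($parents + $granted) | ForEach-Object {
    Get-MailboxFolderPermission -Identity $_ -User $User
} | Select-Object FolderName, User, AccessRights
```

Matching on the exact path or on the path followed by "/" keeps a sibling folder such as "/Inbox/Clients-Old" out of the grant, which a plain substring match on "/Clients" would include.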
  86. Aron Rose says

    November 19, 2013 at 6:41 am

    Great article, any idea how to make the user with reviewer permissions not be able to mark email as read?

    Reply
    • Paul Cunningham says

      November 20, 2013 at 12:25 pm

      No. Not sure that is even possible. You can control that behaviour with Outlook settings though.

      Reply
  87. TechBajan says

    November 15, 2013 at 7:16 pm

    I have to say that this is probably the most useful site on the Internet! Many times I’ve been stuck with an issue and you’ve written about the EXACT issue and always seem to have the right solution.

    Your blog is amazing and continually helps many an Exchange admin.

    Reply
    • Paul Cunningham says

      November 15, 2013 at 8:39 pm

      Thank you for the kind words. Feedback is always appreciated.

      Reply
    • ExchangeLove says

      September 23, 2016 at 3:41 am

      I agree this site is the best! It has saved my butt many times. His e-books are really good too!

      Reply
  88. Larry Michaels says

    September 30, 2013 at 11:43 pm

    I had a problem where e-mails were being deleted from a shared mailbox inbox and was tasked to stop the e-mails from being deleted – GUI & retention policies did not work. I read that retention policies only work with powershell but could not get that right.
    This site helped with an easier way and it worked. I did not need to use the script to populate the entire mailbox – just the top of the information store & inbox.
    There was a problem where I had the users that were supposed to be blocked in the ‘Manage Full Access Permission’ option – after removing them, the PowerShell commands worked.
    Thank you

    Reply
  89. Itworkedinthelab says

    September 30, 2013 at 9:29 pm

    Thanks for sharing

    Reply
    • Gary says

      September 13, 2016 at 12:50 am

      Would this apply to Office 365 mailboxes also? How would you do this for Office 365 mailboxes? A couple of people need to see all mailboxes but not delete anything.

      Reply
