In a previous article I demonstrated how to use a PowerShell script to grant read-only permissions to an Exchange mailbox. The script achieves this by granting the “Reviewer” permission to each folder within the mailbox. In fact, it can be used to grant any mailbox folder permission or role (eg Owner, Editor, Contributor), not just read-only, and I have just made a minor update to the script to handle errors better.

One of the most common requests from people who use that script is how to *remove* permissions from mailbox folders.

Fortunately this is an easy task with just a few modifications to the original script. Naturally, just as there is an Add-MailboxFolderPermission cmdlet for Exchange Server, there is also a Remove-MailboxFolderPermission cmdlet.

So we can use the same approach of traversing the mailbox folder hierarchy, checking for the user in question, and removing the permissions.

Here is a sample from the script that shows how this is performed:

$mailboxfolders = @(Get-MailboxFolderStatistics $Mailbox | Where {!($exclusions -icontains $_.FolderPath)} | Select FolderPath)

foreach ($mailboxfolder in $mailboxfolders)
{
    # FolderPath uses "/" between levels; the permission identity needs "\"
    $folder = $mailboxfolder.FolderPath.Replace("/","\")
    if ($folder -match "Top of Information Store")
    {
       # the root folder is addressed as "mailbox:\"
       $folder = $folder.Replace("Top of Information Store","")
    }
    $identity = "$($mailbox):$folder"
    Write-Host "Checking $identity for permissions for user $user"
    if (Get-MailboxFolderPermission -Identity $identity -User $user -ErrorAction SilentlyContinue)
    {
        try
        {
            Remove-MailboxFolderPermission -Identity $identity -User $User -Confirm:$false -ErrorAction STOP
            Write-Host -ForegroundColor Green "Removed!"
        }
        catch
        {
            Write-Warning $_.Exception.Message
        }
    }
}

You can download the complete Remove-MailboxFolderPermissions.ps1 script from Github here.
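As an added example (not the script from this post), here is the same loop as a function that also covers the cases raised in the comments below: several users in one run, the root folder located by its FolderType rather than its language-specific display name, folder names containing "/" (which Get-MailboxFolderStatistics reports as character 63743), and a -WhatIf dry run with a record of what was removed. The function and parameter names and the exclusion list are my own assumptions, and it assumes an Exchange Management Shell or Exchange Online PowerShell session is already open.

```powershell
# Added example, not the script from the post. Assumes an Exchange PowerShell session is open.
function Remove-UserFromMailboxFolders {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Mailbox,
        [Parameter(Mandatory = $true)][string[]]$Users,      # e.g. alan.reid, 'NT User:S-1-5-21-...'
        # Assumed exclusion list; adjust to taste. Paths are in Get-MailboxFolderStatistics form.
        [string[]]$ExcludeFolderPaths = @('/Sync Issues', '/Sync Issues/Conflicts', '/Recoverable Items')
    )

    $folders = @(Get-MailboxFolderStatistics -Identity $Mailbox |
        Where-Object { $ExcludeFolderPaths -notcontains $_.FolderPath })

    $removed = @()
    foreach ($f in $folders) {
        if ($f.FolderType -eq 'Root') {
            # Top of Information Store, whatever language its display name is in
            $path = '\'
        } else {
            # FolderPath separates levels with "/" and reports a literal "/" inside a
            # folder name as [char]63743, so swap separators first, then restore the "/".
            $path = $f.FolderPath.Replace('/', '\').Replace([char]63743, '/')
        }
        $identity = "$($Mailbox):$path"

        foreach ($user in $Users) {
            # Act only where an entry exists, so a missing entry is not reported as an error
            $entry = Get-MailboxFolderPermission -Identity $identity -User $user -ErrorAction SilentlyContinue
            if (-not $entry) { continue }
            if ($PSCmdlet.ShouldProcess($identity, "Remove folder permission for $user")) {
                try {
                    Remove-MailboxFolderPermission -Identity $identity -User $user -Confirm:$false -ErrorAction Stop
                    $removed += [pscustomobject]@{
                        Folder = $identity; User = $user; Rights = ($entry.AccessRights -join ',')
                    }
                } catch {
                    Write-Warning "$identity / $user : $($_.Exception.Message)"
                }
            }
        }
    }
    $removed   # one record per removed entry; keep it as the audit trail of the change
}

# Preview first, then apply and keep the record of what was removed
# Remove-UserFromMailboxFolders -Mailbox alex.heyne -Users alan.reid -WhatIf
# Remove-UserFromMailboxFolders -Mailbox alex.heyne -Users alan.reid | Export-Csv removed.csv -NoTypeInformation
```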

And here is an example of the script in action, removing permissions for the user “Alan Reid” from the mailbox of “Alex Heyne”.

[PS] C:\Scripts\MailboxFolderPermissions>.\Remove-MailboxFolderPermissions.ps1 -Mailbox alex.heyne -user alan.reid
Checking alex.heyne:\ for permissions for user alan.reid
Removed!
Checking alex.heyne:\Calendar for permissions for user alan.reid
Removed!
Checking alex.heyne:\Contacts for permissions for user alan.reid
Removed!
Checking alex.heyne:\Contacts\{06967759-274D-40B2-A3EB-D7F9E73727D7} for permissions for user alan.reid
Removed!
Checking alex.heyne:\Contacts\GAL Contacts for permissions for user alan.reid
Removed!
Checking alex.heyne:\Contacts\Recipient Cache for permissions for user alan.reid
Removed!
Checking alex.heyne:\Conversation Action Settings for permissions for user alan.reid
Removed!
Checking alex.heyne:\Deleted Items for permissions for user alan.reid
Removed!
Checking alex.heyne:\Drafts for permissions for user alan.reid
Removed!
Checking alex.heyne:\Inbox for permissions for user alan.reid
Removed!
Checking alex.heyne:\Inbox\Customers for permissions for user alan.reid
Removed!
Checking alex.heyne:\Inbox\Marketing Reports for permissions for user alan.reid
Removed!
Checking alex.heyne:\Inbox\Team Matters for permissions for user alan.reid
Removed!
Checking alex.heyne:\Journal for permissions for user alan.reid
Removed!
Checking alex.heyne:\Junk E-Mail for permissions for user alan.reid
Removed!
Checking alex.heyne:\News Feed for permissions for user alan.reid
Removed!
Checking alex.heyne:\Notes for permissions for user alan.reid
Removed!
Checking alex.heyne:\Outbox for permissions for user alan.reid
Removed!
Checking alex.heyne:\Quick Step Settings for permissions for user alan.reid
Removed!
Checking alex.heyne:\RSS Feeds for permissions for user alan.reid
Removed!
Checking alex.heyne:\Sent Items for permissions for user alan.reid
Removed!
Checking alex.heyne:\Suggested Contacts for permissions for user alan.reid
Removed!
Checking alex.heyne:\Tasks for permissions for user alan.reid
Removed!
Checking alex.heyne:\Working Set for permissions for user alan.reid
Removed!
Checking alex.heyne:\Calendar Logging for permissions for user alan.reid

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Luis

    Hi Paul,

    I have a calendar whose ACL is full due to too many users being in it. I would like to delete all the users who have access to that calendar regardless of access level. I will then replace the users with groups. Is there a simple way to wipe all users from a calendar?

    1. Tony Redmond

      Get all the entries using Get-MailboxFolderPermission -identity “user:\calendar” and put them into an array. Then loop through the array and call Remove-MailboxFolderPermission for each user?

      1. Luis

        Thank you for the reply, Tony. The list is extensive and cuts out before it reaches the end. I assume I would have to export it. I was wondering if there was some easier way, but I guess not so much. I tried: Remove-MailboxFolderPermission -Identity Account@example.com:\Calendar -User *.* but it tells me the operation can't be performed because *.* matches multiple entries, which is exactly what I want it to do.

  2. Charles Smith

    Hi

    I am looking for a way to prevent users from changing the Default and Anonymous folder permissions from None to Owner by themselves. Is there a policy we can set in place to stop users from doing this in OWA (which then replicates to the Outlook client)? It is not to remove Default and Anonymous, but to disable users' ability to do this via the desktop client or webmail.

  3. Janoah

    Hi Paul,
    I'm concerned my former manager might be stalking me. I JUST found out he has had read-only access to my work Outlook for the past 5 months that I've NOT been his employee. I'm in another department of our company. I feel violated. There is a request in to our IT department to remove his read-only access to my email, which he claims "he forgot" he had. Is there a way to tell if he's been accessing my email, to see if he's telling the truth or not?

    1. Ya Mum

      Stop smoking so much giggly bush and you won't be so paranoid

  4. Abdul K

    Thanks a lot! This was very useful. I couldn’t thank you enough. Another great work!

  5. christian

    if ($folder -match "Top of Information Store") only matches 20% of our mailboxes, as we are a German company. How could I extend the script to also remove the user from "Oberste Ebene des Informationsspeichers"? At the moment I use two scripts, one for German and one for English. Can you assist?

    1. Paul Cunningham

      Sorry, I only know English and don't know how to translate the script for other languages.

  6. Rolf A. Vaglid

    Hi there Graham, this script works just as intended on primary mailboxes, but it does not seem to take into account archive mailboxes.
    I tried to add "-archive" to the
    $mailboxfolders = @(Get-MailboxFolderStatistics $Mailbox -archive | Where {!($exclusions -icontains $_.FolderPath)} | Select FolderPath)
    and it seems to enumerate all the mailbox folders in the archive, but it seems it's unable to find the permission I have verified is present.

    1. Rolf A. Vaglid

      Graham? I meant Paul of course, apologies 🙂

    2. Paul Cunningham

      Try running on the primary mailbox, wait 24 hours or so, and see if the archive mailbox reflects the changes after that. It’s been a while since I had to look at this but IIRC archive mailbox folders get the same permissions as the primary mailbox folders.

  7. David

    Hi Paul,

    I find this script very useful; however, I am having issues removing Owner permission for one user.
    It seems the script runs through all folders but permissions are not being removed, with no error message.
    The user has been deleted from AD so the entry is a legacy SID: "NT User:S-1-5-21-1604199630-1702588179-1845911597-5264"
    Is there anything I need to change in the script to get this last mailbox folder permission removed for the deleted user?

    Many thanks!

    1. Paul Cunningham

      I don’t know if the script will work for a deleted user. I suspect not.

      1. David

        Debugging the script reveals that it does not seem to identify the NT user and just skips it.
        If I manually type the cmdlet: Remove-MailboxFolderPermission -Identity "user:\folder name\subfolder name\subfolder name" -User "NT User:S-1-5-21-1604199630-1702588179-1845911597-5264" the permission is removed successfully, hence the syntax is correct and the NT User can be found by PS.

        Thanks for your input and if I find a solution will post it here.

        1. David

          Actually just found the root cause.
          If the folder name has a special character, e.g. ?, /, &, the script won't make any changes; it will just skip the folder.

          1. Paul Cunningham

            Yeah I don’t know why people do that, but anyway, good find.

        2. Raman

          Hello David,
          Were you able to find the solution for deleted users “NT User:S-1-5-21-1604199630-1702588179-1845911597-5264” using this script?
          Thanks,
          Raman

      2. David

        Issue fixed and the script is running fine now. The problem was caused by illegal characters. Changed line 85 to:
        $folder = $mailboxfolder.FolderPath.Replace("/","\").Replace([char]63743,'/');
        and removed lines 86-89 inclusive.

        1. Jackie

          I know this is old, but thanks a ton to both of you! This makes cleaning up dead user accounts so much easier!

  8. Vicky

    Thanks a lot Paul. I removed the permission using ADSIedit from the Database properties.

  9. DNK

    Hi Paul

    Your web is awesome
    I have a question: if I want to delete all users from access to a calendar so that only the Default user is on the access list,
    do you mind showing it in PowerShell?

      1. Jono Clifton

        I copied from you, Paul, how to take the variable $mailbox from the command line and then:

        $allmailboxes = Get-Mailbox -identity $mailbox

        foreach ($allmailbox In $allmailboxes) {
            Get-MailboxFolderPermission ($allmailbox.Name + ":\Calendar") | ForEach {
                If (([string]$_.User -ne "Default") -and ([string]$_.User -ne "Anonymous") -and ([string]$_.User -ne "Retain Alerts")) {
                    Remove-MailboxFolderPermission -Identity ($allmailbox.Name + ":\Calendar") -User $_.User -Confirm:$false -ErrorAction STOP
                }
            }
        }

        NOTE: Retain Alerts is a custom user we have in our Exchange that needs access to everyone's mailbox.

        This does what the previous comment wanted but has the unwanted side effect of removing custom permissions that are less restrictive than 'Reviewer'. I use this script on a per-user basis, but to run it on the whole Exchange I need to figure out how to exclude removing permissions that are less restrictive than Reviewer.

        Not expecting you to write it, but where would I add such a line into this script? Is it possible to write, after the first IF which excludes users, also an AND IF access rights is equal to LimitedDetails or AvailabilityOnly, then progress with the Remove-permission part?

        Is it too complex? It would be essentially saying IF the name isn't one of these AND IF the access rights match the more restrictive settings.

        I'd probably add Reviewer to those that need to be removed, just to tidy things up, as all people are covered by our Default = Reviewer.

        1. Paul Cunningham

          Well, you could start by looking at the output of Get-MailboxFolderPermission and see if it gives you any way to filter different levels of permissions.
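As an added example (not Paul's or Jono's code) of the filtering suggested in this reply: a Calendar-only clean-up that keeps Default, Anonymous and a list of named exceptions, removes an entry only when its AccessRights is exactly one of the restrictive levels you name, and leaves broader custom grants alone. The function and parameter names are mine; it assumes an Exchange PowerShell session is open and returns one record per entry so the run can be reviewed.

```powershell
# Added example, not code from the post or the comments. Assumes an Exchange PowerShell session is open.
function Remove-RestrictedCalendarPermissions {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Mailbox,
        # Entries that are never touched (Retain Alerts is the service account from the comment above)
        [string[]]$KeepUsers = @('Default', 'Anonymous', 'Retain Alerts'),
        # An entry is removed only when its rights are exactly one of these; Editor, Owner etc. are kept
        [string[]]$RemoveRights = @('AvailabilityOnly', 'LimitedDetails', 'Reviewer')
    )
    $identity = "$($Mailbox):\Calendar"
    $entries = Get-MailboxFolderPermission -Identity $identity -ErrorAction Stop

    $result = foreach ($e in $entries) {
        $name = [string]$e.User
        $rights = @($e.AccessRights)      # a collection, e.g. {Reviewer} or {FolderVisible, ReadItems}
        $remove = ($KeepUsers -notcontains $name) -and
                  ($rights.Count -eq 1) -and ($RemoveRights -contains $rights[0].ToString())
        if (-not $remove) {
            [pscustomobject]@{ User = $name; Rights = ($rights -join ','); Action = 'kept' }
            continue
        }
        if ($PSCmdlet.ShouldProcess($identity, "Remove $name ($($rights -join ','))")) {
            try {
                Remove-MailboxFolderPermission -Identity $identity -User $e.User -Confirm:$false -ErrorAction Stop
                [pscustomobject]@{ User = $name; Rights = ($rights -join ','); Action = 'removed' }
            } catch {
                [pscustomobject]@{ User = $name; Rights = ($rights -join ','); Action = "error: $($_.Exception.Message)" }
            }
        }
    }
    $result
}

# Preview what would go before changing anything:
# Remove-RestrictedCalendarPermissions -Mailbox alex.heyne -WhatIf
```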

  10. Vicky

    Hi Paul,

    Thanks a Ton to all for help.

    I have tried

    Get-Mailbox -ResultSize Unlimited | Remove-MailboxPermission -user domain\user -AccessRights FullAccess -InheritanceType All -Confirm:$false

    But the following error is coming up for all the mailboxes …

    WARNING: An inherited access control entry has been specified: [Rights: CreateChild, Delete, ReadControl, WriteDacl, WriteOwner, ControlType: Allow]
    and was ignored on object “CN=User Name,CN=Users,DC=companydomain,DC=com”.

    Checked the permission on a couple of mailboxes and the user hasn't been removed.
    Any suggestions please?

    Many thanks

    Vicky

    1. Paul Cunningham

      Looks like you’re trying to remove a permission that is being inherited. That won’t work. You’ll need to find where it’s being inherited from (a parent object) and remove it there.

  11. Vicky

    Dear Paul,

    I am using the following command to remove the Full Access permission for UserA from all the mailboxes.
    But I am being prompted for each mailbox! I have about 5000. So how can I go about it without being prompted?

    Get-Mailbox | Remove-MailboxPermission -user domain\userA -AccessRights FullAccess -InheritanceType All

    Many thanks

    Vicky

    1. Paul Cunningham

      Look at the -Confirm switch, which most cmdlets have.

      e.g. Do-Thing -Confirm:$false

  12. Kevin

    Can the remove-mailboxfolderpermission cmdlet be used to remove a list of users who have access to an individual calendar?

    1. Paul Cunningham

      You could write a little script to use that cmdlet and loop through a list, sure.

  13. Peter Jonkers

    Is it also possible to delete all deleted users with this script for all the mailboxes? Removed users like S-1- etc.
    I have a bulk of mailbox permissions on mailboxes with deleted users.
    So search all mailboxes for users starting with "S-1-" and delete that user from any mailbox folder.

    regards
    Peter Jonkers

    1. Ralph

      I also had that requirement: a large shared mailbox with thousands of subfolders, many of which had SIDs of previous staff in the permissions. I modified the script by removing the $user parameter from the inputs. Within the foreach loop, I added a nested loop:

      $users = Get-MailboxFolderPermission -Identity $identity
      Write-Host -ForegroundColor Red "Checking $identity"
      foreach ($user in $users)
      {
          if ($user.User -match "NT User:S-1")
          {
              … mostly the same as the existing script
          }
      }

      I had to change $user to $user.user elsewhere in the existing script as the $user object was a different type, I guess. Hope that helps someone.

  14. Prince Rozario

    A Question

    In our school we would like staff to be able to see any student calendar, we have achieved this by using FullAccess permission with the Add-MailboxFolderPermission command.

    In this case the staff will also be allowed to delete a student email. Is it possible to prevent this from happening? We only need staff to be able to see student calendar and emails not delete them.

    1. Paul Cunningham

      If you only add permissions to the Calendar folder they won’t be able to mess with emails.

  15. Alpesh

    Hello Paul,

    Thank you for the script. It really does the job. We had a user who has close to 100+ folders under his inbox and this script really did the job for us. However, there was another user who has an equal number of folders. Is there any way I can specify multiple users to the -User parameter?

    Regards,
    Alpesh

    1. Paul Cunningham

      Short answer, yes. I’ve added an issue to my Github repo for that request.

      In the meantime, if you want to tackle it yourself, look into script parameters that accept multiple values, and then modifying that part of the script to loop through the users.

      1. Jhay

        I have the same case as Alpesh; would you be able to show it please 🙂 I'm trying to go through the script but I'm quite new to scripting. Thanks a lot Paul, your site is awesome!!!

  16. Edward

    When I run the script, it runs okay but at the end I get a message: The operation couldn't be performed because 'hrh2:\Calendar Logging' couldn't be found. Please can you advise?

  17. MAK

    Hi Paul, your posts are fabulous. I have recently come across an issue: I restored the mailboxes from a corrupted edb file. I created a new DB and imported all the mailboxes. The problem I am having is that the users are now able to see the system folders (common view, exchange syncdata, freebusy data, etc.). Is there any way we can hide these folders from the user mailboxes? Appreciate your feedback on this.

    Thanks
    MAK

    1. Paul Cunningham

      Sounds to me like whatever tool you used to export from the EDB it also exported the hidden/system folders. When you import those from a PST they are just treated as regular folders which are visible to the user.

      I don’t know of any easy way to clean that up.

  18. trank0

    Hi Paul, your web is awesome, your knowledge is infinite. Please, can you tell me where those permissions are stored? Maybe in Active Directory on the security tab, or in the ADSI Editor?

    Thanks a lot.

  19. Al

    Hi Paul,
    Would it be possible to remove delete and send access from an Outlook? One of the employees is under investigation but he needs to access his email to get evidence. But the company does not want the employee to send or delete any emails from his Outlook. He should be able to view his emails and print, if necessary. Is it possible?

    1. Paul Cunningham

      Seems strange that an employee under investigation would be allowed to access the mailbox to collect evidence.

      But… you can place the mailbox on litigation hold if you want to preserve it from deletions.

  20. Nicolas

    You are the man! Thank you!

  21. Gilles

    Hello,

    I have an issue when users have folder names with dates separated by '/'.

  22. Hyptnotoad

    Thank you so much. Very very helpful, used it several times now.

  23. Andrew Lee

    You are AWESOME!! I will try this out!
