In a previous article I demonstrated how to use a PowerShell script to grant read-only permissions to an Exchange mailbox. The script achieves this by granting the “Reviewer” permission to each folder within the mailbox. In fact, it can be used to grant any mailbox folder permission or role (eg Owner, Editor, Contributor), not just read-only, and I have just made a minor update to the script to handle errors better.
One of the most common requests from people who use that script is how to *remove* permissions from mailbox folders.
Fortunately this is an easy task with just a few modifications to the original script. Naturally just as there is an Add-MailboxFolderPermission cmdlet for Exchange Server, there is also a Remove-MailboxFolderPermission cmdlet.
So we can use the same approach of traversing the mailbox folder hierarchy, checking for the user in question, and removing the permissions.
Here is a sample from the script that shows how this is performed:
$mailboxfolders = @(Get-MailboxFolderStatistics $Mailbox | Where {!($exclusions -icontains $_.FolderPath)} | Select FolderPath)
foreach ($mailboxfolder in $mailboxfolders)
{
$folder = $mailboxfolder.FolderPath.Replace("/","")
if ($folder -match "Top of Information Store")
{
$folder = $folder.Replace(“Top of Information Store”,””)
}
$identity = "$($mailbox):$folder"
Write-Host "Checking $identity for permissions for user $user"
if (Get-MailboxFolderPermission -Identity $identity -User $user -ErrorAction SilentlyContinue)
{
try
{
Remove-MailboxFolderPermission -Identity $identity -User $User -Confirm:$false -ErrorAction STOP
Write-Host -ForegroundColor Green "Removed!"
}
catch
{
Write-Warning $_.Exception.Message
}
}
}
You can download the complete Remove-MailboxFolderPermissions.ps1 script from Github here.
And here is an example of the script in action, removing permissions for the user “Alan Reid” from the mailbox of “Alex Heyne”.
[PS] C:ScriptsMailboxFolderPermissions>.Remove-MailboxFolderPermissions.ps1 -Mailbox alex.heyne -user alan.reid
Checking alex.heyne: for permissions for user alan.reid
Removed!
Checking alex.heyne:Calendar for permissions for user alan.reid
Removed!
Checking alex.heyne:Contacts for permissions for user alan.reid
Removed!
Checking alex.heyne:Contacts{06967759-274D-40B2-A3EB-D7F9E73727D7} for permissions for user alan.reid
Removed!
Checking alex.heyne:ContactsGAL Contacts for permissions for user alan.reid
Removed!
Checking alex.heyne:ContactsRecipient Cache for permissions for user alan.reid
Removed!
Checking alex.heyne:Conversation Action Settings for permissions for user alan.reid
Removed!
Checking alex.heyne:Deleted Items for permissions for user alan.reid
Removed!
Checking alex.heyne:Drafts for permissions for user alan.reid
Removed!
Checking alex.heyne:Inbox for permissions for user alan.reid
Removed!
Checking alex.heyne:InboxCustomers for permissions for user alan.reid
Removed!
Checking alex.heyne:InboxMarketing Reports for permissions for user alan.reid
Removed!
Checking alex.heyne:InboxTeam Matters for permissions for user alan.reid
Removed!
Checking alex.heyne:Journal for permissions for user alan.reid
Removed!
Checking alex.heyne:Junk E-Mail for permissions for user alan.reid
Removed!
Checking alex.heyne:News Feed for permissions for user alan.reid
Removed!
Checking alex.heyne:Notes for permissions for user alan.reid
Removed!
Checking alex.heyne:Outbox for permissions for user alan.reid
Removed!
Checking alex.heyne:Quick Step Settings for permissions for user alan.reid
Removed!
Checking alex.heyne:RSS Feeds for permissions for user alan.reid
Removed!
Checking alex.heyne:Sent Items for permissions for user alan.reid
Removed!
Checking alex.heyne:Suggested Contacts for permissions for user alan.reid
Removed!
Checking alex.heyne:Tasks for permissions for user alan.reid
Removed!
Checking alex.heyne:Working Set for permissions for user alan.reid
Removed!
Checking alex.heyne:Calendar Logging for permissions for user alan.reid
Hi
I am looking for a way to avoid users from changing the default and anonymous folder permissions from none to owner by themselves, is there a policy we can set in place to avoid users from making this on OWA so then it replicates to the outlook client, is not to remove the Default and Anonymous but to disable users ability to do this via desktop client or webmail
Hi paul,
I’m concerned my former manager might be stalking me. I JUST found out he has had read-only access to my work outlook for the past 5 months that I’ve NOT been his employee. I’m in another department of our company. I feel violated. There is a request into our IT department removing his read-only access to my email which he claims “he forgot” he had. Is there a way to tell if he’s been accessing my email to see if he’s telling the truth or not?
Stop smoking so much giggly bush and you wont be so paranoid
Thanks a lot! This was very useful. I couldn’t thank you enough. Another great work!
if ($folder -match “Top of Information Store”) does only match to 20% of our mailboxes as we are a German company. How could I extend the script to remove the user also from “Oberste Ebene des Informationsspeichers”. At the moment I use two scripts. One for German and one for English. Can you assist?
Sorry, I only know english and don’t know how to translate the script for other languages.
Hi there Graham, this script works just as intended on primary mailboxes, but it does not seem to take into account archive mailboxes.
I tried to add “-archive” to the
$mailboxfolders = @(Get-MailboxFolderStatistics $Mailbox -archive | Where {!($exclusions -icontains $_.FolderPath)} | Select FolderPath)
and it seems to enumerate all the mailboxfolders in the archive, but it seems its unable to find the permission I have verified is present.
Graham? I meant Paul of course, apologies 🙂
Try running on the primary mailbox, wait 24 hours or so, and see if the archive mailbox reflects the changes after that. It’s been a while since I had to look at this but IIRC archive mailbox folders get the same permissions as the primary mailbox folders.
Hi Paul,
I find this script very useful however I am having issues removing Owner permission for one user.
Seem the script runs through all folders but permissions are not being removed – no error message.
The user has been deleted from AD so the entry is a legacy SID; “NT User:S-1-5-21-1604199630-1702588179-1845911597-5264”
Is there anything I need to change in the script to get this last user mailbox permission removed for the deleted user?
Many thanks!
I don’t know if the script will work for a deleted user. I suspect not.
Debugging the script reveals the script does not seem to identity NT user and just skips it.
If I manually type the cmdlet: Remove-MailboxFolderPermission -Identity user”:\folder name\subfolder name\subfolder name” -user “NT User:S-1-5-21-1604199630-1702588179-1845911597-5264” the permission is removed successfully hence the syntax is correct and the NT User can be found by PS.
Thanks for your input and if I find a solution will post it here.
Actually just found the root cause.
If the folder name has a special character eg. ?, /, & the script won’t make any changes it will just skip the folder.
Yeah I don’t know why people do that, but anyway, good find.
Hello David,
Were you able to find the solution for deleted users “NT User:S-1-5-21-1604199630-1702588179-1845911597-5264” using this script?
Thanks,
Raman
Issue fixed and the script is running fine now. The problem was caused by illegal characters. Changed line: 85
$folder = $mailboxfolder.FolderPath.Replace(“/”,”\”).Replace([char]63743,’/’);
and removed lines 86-89 inclusive.
I know this is old, but thanks a ton to both of you! This makes cleaning up dead user accounts so much easier!
Thanks a lot Paul. I removed the permission using ADSIedit from the Database properties.
Hi Paul
Your web is awesome
i have a question, if i want to delete all users from access to calendar and only default user will be on the access list
Do you mind to show it on the powershell ?
What have you tried so far?
I copied from you paul how to take the variable $mailbox from the command line and then:
$allmailboxes = Get-Mailbox -identity $mailbox
foreach ($allmailbox In $allmailboxes) {
Get-MailboxFolderPermission ($allmailbox.Name + “:Calendar”) | ForEach {
If (([string]$_.User -ne “Default”) -and ([string]$_.User -ne “Anonymous”) -and ([string]$_.User -ne “Retain Alerts”)) {
Remove-MailboxFolderPermission -Identity ($allmailbox.Name + “:Calendar”) -User $_.User -Confirm:$false -ErrorAction STOP
}
}
NOTE: retain alerts is a custom user we have in our exchange that needs access to everyone’s mailbox.
This does what the previous comment wanted but has the unwanted side affect of removing custom permissions that are less restrictive then the ‘reviewer’ . I use this script on a per user basis, but to run it on the whole exchange i need to figure out how to exclude removing permissions that are less restrictive than reviewer.
not expecting you to write it, but where would i add such a line into this script? is it possible to write after the first IF which excludes users, then also have AND IF Access rights is equal to limiteddetails or availaibility only, then progress with the Remove-permission part.
is it to complex. it would be essentially saying IF the name isnt one of these AND IF the access rights match the more restrictive seetings
I’d probably add Reviewer to those that need to be removed, just to tidy things up, as as all people are covered by our Default = Reviewer
Well, you could start by looking at the output of Get-MailboxFolderPermission and see if it gives you any way to filter different levels of permissions.
Hi Paul,
Thanks a Ton to all for help.
I have tried
Get-Mailbox -ResultSize Unlimited | Remove-MailboxPermission -user domainuser -AccessRights FullAccess -InheritanceType All -Confirm:$false
But the following errorllowing coming up for all the mailboxes …
WARNING: An inherited access control entry has been specified: [Rights: CreateChild, Delete, ReadControl, WriteDacl, WriteOwner, ControlType: Allow]
and was ignored on object “CN=User Name,CN=Users,DC=companydomain,DC=com”.
Checked the permission on couple of mailboxes and user hasn’t been removed.
Any suggestions please?
Many thanks
Vicky
Looks like you’re trying to remove a permission that is being inherited. That won’t work. You’ll need to find where it’s being inherited from (a parent object) and remove it there.
Dear Paul,
I am using the following command to remove the Full access permission for the UserA from all the mailboxes.
But I am being prompted for each mailbox ! I have about 5000. So how can i go about it with out being prompted?
Get-Mailbox | Remove-MailboxPermission -user domainuserA -AccessRights FullAccess -InheritanceType All
Many thanks
Vicky
Look at the -Confirm switch, which most cmdlets have.
e.g. Do-Thing -Confirm:$false
Hi,
I liked very much your script.
I used it as a base on Technet (linking the source – https://social.technet.microsoft.com/Forums/it-IT/faa654f8-3f36-4fd7-8ece-0643926a0b74/how-to-remove-users-calendar-rights?forum=exchange2010).
I thought it was correct to warn you.
Best regards.
Can the remove-mailboxfolderpermission cmdlet be used to remove a list of users who have access to an individual calendar?
You could write a little script to use that cmdlet and loop through a list, sure.
Is it also possible to delete all deleted users with this script for all the mailboxes. Removed users like S-1- etc etc
I have a bulk of mailboxpermissions on mailboxes with deleted users.
so search all mailboxes for users starting with “S-1-“and delete that user form any mailboxfolder.
regards
Peter Jonkers
I also had that requirement – a large shared mailbox with thousands of subfolders, many of which had SIDs of previous staff in the permissions. I modified the script by removing the $user parameter from the inputs. Within the foreach loop, I added a nested loop:
$users = Get-MailboxFolderPermission -Identity $identity
Write-Host -ForegroundColor Red “Checking $identity”
foreach ($user in $users)
{
if ($user.User -match “NT User:S-1”)
{
… mostly the same as the existing script
}
I had to change $user to $user.user elsewhere in the existing script as the $user object was a different type, I guess. Hope that helps someone.
A Question
In our school we would like staff to be able to see any student calendar, we have achieved this by using FullAccess permission with the Add-MailboxFolderPermission command.
In this case the staff will also be allowed to delete a student email. Is it possible to prevent this from happening? We only need staff to be able to see student calendar and emails not delete them.
If you only add permissions to the Calendar folder they won’t be able to mess with emails.
Hello Paul,
Thank you for the script. It really does the job. We had a user who has close to 100+ folders under his inbox and this script really did the job for us. However, there was another user who has equally same number of folders. Is there anyway I can specify multiple users to the -User parameter?
Regards,
Alpesh
Short answer, yes. I’ve added an issue to my Github repo for that request.
In the meantime, if you want to tackle it yourself, look into script parameters that accept multiple values, and then modifying that part of the script to loop through the users.
I have same case as Alpesh, would you be able to show please 🙂 trying to go through script but I’m quite new in scripting. Thanks a lot Paul your site is awesome!!!
when i run the script, it runs okay but at the end i get a message – The operation couldn’t be performed because ‘hrh2:Calendar Logging’ couldn’t be found. Please can you advise
Hi Paul, Your posts are fabulous, I have recently came across an issue, I restored the mailboxes from a corrupted edb file. I created new DB and imports all the mailboxes. The problem i am having is the users are able to see the system folders now like (common view, exchange syncdata, freebusy data, etc). Is there any way we can hide these folders from the user mailboxes. Appreciate your feedback on this.
Thanks
MAK
Sounds to me like whatever tool you used to export from the EDB it also exported the hidden/system folders. When you import those from a PST they are just treated as regular folders which are visible to the user.
I don’t know of any easy way to clean that up.
Hi Paul, your web is awesome, your knowledge is infinite, pls, can you tell me where is stored those permissions?, may be in Active Directory on security tab or in the ADSI Editor?
Thanks a lot.
Hi Paul,
Would it be possible to remove delete and send access from an outlook? one of the employees is under investigation but he needs to access his email to get evidence. but the company does not want the employee to send or delete any emails from his outlook. He should be able to view his emails and print, if necessary. Is it possible?
Seems strange that an employee under investigation would be allowed to access the mailbox to collect evidence.
But… you can place the mailbox on litigation hold if you want to preserve it from deletions.
You are the man! Thank you!
Hello,
I have an issue when users have folder names with date separated by ‘/’.
Thank you so much. Very very helpful, used it several times now.
You are AWESOME!! I will try this out!