Practical 365


PowerShell Script to Remove Mailbox Folder Permissions

January 12, 2015 by Paul Cunningham 46 Comments

In a previous article I demonstrated how to use a PowerShell script to grant read-only permissions to an Exchange mailbox. The script achieves this by granting the “Reviewer” permission to each folder within the mailbox. In fact, it can be used to grant any mailbox folder permission or role (e.g. Owner, Editor, Contributor), not just read-only, and I have just made a minor update to the script to handle errors better.

One of the most common requests from people who use that script is how to *remove* permissions from mailbox folders.

Fortunately this is an easy task with just a few modifications to the original script. Naturally, just as there is an Add-MailboxFolderPermission cmdlet for Exchange Server, there is also a Remove-MailboxFolderPermission cmdlet.

So we can use the same approach of traversing the mailbox folder hierarchy, checking for the user in question, and removing the permissions.

Here is a sample from the script that shows how this is performed:

# Enumerate every folder in the mailbox, skipping the paths listed in $exclusions
$mailboxfolders = @(Get-MailboxFolderStatistics $Mailbox | Where {!($exclusions -icontains $_.FolderPath)} | Select FolderPath)

foreach ($mailboxfolder in $mailboxfolders)
{
    # FolderPath uses "/" as the separator; the folder identity needs "\"
    $folder = $mailboxfolder.FolderPath.Replace("/","\")
    if ($folder -match "Top of Information Store")
    {
       # The root folder is addressed as "mailbox:\"
       $folder = $folder.Replace("Top of Information Store","")
    }
    $identity = "$($mailbox):$folder"
    Write-Host "Checking $identity for permissions for user $user"
    # Only attempt a removal where the user actually holds a permission entry
    if (Get-MailboxFolderPermission -Identity $identity -User $user -ErrorAction SilentlyContinue)
    {
        try
        {
            Remove-MailboxFolderPermission -Identity $identity -User $User -Confirm:$false -ErrorAction STOP
            Write-Host -ForegroundColor Green "Removed!"
        }
        catch
        {
            Write-Warning $_.Exception.Message
        }
    }
}

You can download the complete Remove-MailboxFolderPermissions.ps1 script from Github here.

And here is an example of the script in action, removing permissions for the user “Alan Reid” from the mailbox of “Alex Heyne”.

[PS] C:\Scripts\MailboxFolderPermissions>.\Remove-MailboxFolderPermissions.ps1 -Mailbox alex.heyne -user alan.reid
Checking alex.heyne:\ for permissions for user alan.reid
Removed!
Checking alex.heyne:\Calendar for permissions for user alan.reid
Removed!
Checking alex.heyne:\Contacts for permissions for user alan.reid
Removed!
Checking alex.heyne:\Contacts\{06967759-274D-40B2-A3EB-D7F9E73727D7} for permissions for user alan.reid
Removed!
Checking alex.heyne:\Contacts\GAL Contacts for permissions for user alan.reid
Removed!
Checking alex.heyne:\Contacts\Recipient Cache for permissions for user alan.reid
Removed!
Checking alex.heyne:\Conversation Action Settings for permissions for user alan.reid
Removed!
Checking alex.heyne:\Deleted Items for permissions for user alan.reid
Removed!
Checking alex.heyne:\Drafts for permissions for user alan.reid
Removed!
Checking alex.heyne:\Inbox for permissions for user alan.reid
Removed!
Checking alex.heyne:\Inbox\Customers for permissions for user alan.reid
Removed!
Checking alex.heyne:\Inbox\Marketing Reports for permissions for user alan.reid
Removed!
Checking alex.heyne:\Inbox\Team Matters for permissions for user alan.reid
Removed!
Checking alex.heyne:\Journal for permissions for user alan.reid
Removed!
Checking alex.heyne:\Junk E-Mail for permissions for user alan.reid
Removed!
Checking alex.heyne:\News Feed for permissions for user alan.reid
Removed!
Checking alex.heyne:\Notes for permissions for user alan.reid
Removed!
Checking alex.heyne:\Outbox for permissions for user alan.reid
Removed!
Checking alex.heyne:\Quick Step Settings for permissions for user alan.reid
Removed!
Checking alex.heyne:\RSS Feeds for permissions for user alan.reid
Removed!
Checking alex.heyne:\Sent Items for permissions for user alan.reid
Removed!
Checking alex.heyne:\Suggested Contacts for permissions for user alan.reid
Removed!
Checking alex.heyne:\Tasks for permissions for user alan.reid
Removed!
Checking alex.heyne:\Working Set for permissions for user alan.reid
Removed!
Checking alex.heyne:\Calendar Logging for permissions for user alan.reid
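The same folder traversal, written here as an added example rather than the script from the post or its GitHub repository. It differs from the snippet above in three ways that the comments below ask about: it finds the root folder by FolderType instead of matching the English name "Top of Information Store", it restores a literal "/" in folder names (which Get-MailboxFolderStatistics encodes as [char]63743), and it accepts several users, an optional access-rights filter and -WhatIf, writing an audit line for every removal. The exclusion list and log path are assumptions; it assumes an Exchange Management Shell session.

```powershell
# Added example (not the page's script): remove folder permissions for one or
# more users from every folder of a mailbox, with an audit trail and -WhatIf.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)] [string]$Mailbox,
    [Parameter(Mandatory = $true)] [string[]]$User,
    # Optional: only remove entries whose rights are in this list, e.g.
    # -OnlyRights AvailabilityOnly,LimitedDetails (leave empty to remove all)
    [string[]]$OnlyRights = @(),
    # Assumed log location; adjust for your environment
    [string]$LogPath = ".\Remove-MailboxFolderPermissions.log"
)

# Assumed exclusion list: system folders that should not be touched
$exclusions = @("/Sync Issues", "/Sync Issues/Conflicts", "/Sync Issues/Local Failures",
                "/Sync Issues/Server Failures", "/Recoverable Items", "/Deletions",
                "/Purges", "/Versions")

$folders = Get-MailboxFolderStatistics -Identity $Mailbox |
    Where-Object { -not ($exclusions -icontains $_.FolderPath) }

foreach ($f in $folders) {
    if ($f.FolderType -eq 'Root') {
        # Language-independent test for "Top of Information Store"; identity is "mailbox:\"
        $path = '\'
    }
    else {
        # "/" separates folders; U+F8FF stands in for a "/" inside a folder name
        $path = $f.FolderPath.Replace('/', '\').Replace([char]63743, '/')
    }
    $identity = "$($Mailbox):$path"

    foreach ($u in $User) {
        $perm = Get-MailboxFolderPermission -Identity $identity -User $u -ErrorAction SilentlyContinue
        if (-not $perm) { continue }

        $rights = @($perm.AccessRights)
        # Skip entries that do not carry one of the requested rights
        if ($OnlyRights.Count -gt 0 -and -not ($rights | Where-Object { $OnlyRights -contains $_ })) {
            Write-Host "Skipping $identity for $u (rights: $($rights -join ','))"
            continue
        }

        $desc = "Remove $($rights -join ',') for $u"
        if ($PSCmdlet.ShouldProcess($identity, $desc)) {
            try {
                Remove-MailboxFolderPermission -Identity $identity -User $u -Confirm:$false -ErrorAction Stop
                "$(Get-Date -Format s) REMOVED $identity user=$u rights=$($rights -join ',')" |
                    Add-Content -Path $LogPath
                Write-Host -ForegroundColor Green "$desc on $identity"
            }
            catch {
                "$(Get-Date -Format s) FAILED $identity user=$u error=$($_.Exception.Message)" |
                    Add-Content -Path $LogPath
                Write-Warning "$identity ($u): $($_.Exception.Message)"
            }
        }
    }
}
```

Run it first with -WhatIf to see exactly which entries would be removed before changing anything.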

Exchange Server Exchange 2010, Exchange 2013, Permissions, PowerShell, Scripts

Comments

  1. Charles Smith says

    March 29, 2021 at 3:56 pm

    Hi

    I am looking for a way to prevent users from changing the Default and Anonymous folder permissions from None to Owner by themselves. Is there a policy we can set in place to prevent users from making this change in OWA, so that it then replicates to the Outlook client? It is not to remove Default and Anonymous, but to disable users' ability to do this via the desktop client or webmail.

    Reply
  2. Janoah says

    August 10, 2019 at 2:38 pm

    Hi paul,
    I’m concerned my former manager might be stalking me. I JUST found out he has had read-only access to my work outlook for the past 5 months that I’ve NOT been his employee. I’m in another department of our company. I feel violated. There is a request into our IT department removing his read-only access to my email which he claims “he forgot” he had. Is there a way to tell if he’s been accessing my email to see if he’s telling the truth or not?

    Reply
    • Ya Mum says

      February 4, 2021 at 9:51 am

      Stop smoking so much giggly bush and you won't be so paranoid

      Reply
  3. Abdul K says

    November 6, 2018 at 8:52 pm

    Thanks a lot! This was very useful. I couldn’t thank you enough. Another great work!

    Reply
  4. christian says

    January 25, 2018 at 8:19 pm

    if ($folder -match “Top of Information Store”) does only match to 20% of our mailboxes as we are a German company. How could I extend the script to remove the user also from “Oberste Ebene des Informationsspeichers”. At the moment I use two scripts. One for German and one for English. Can you assist?

    Reply
    • Paul Cunningham says

      January 26, 2018 at 6:44 pm

      Sorry, I only know english and don’t know how to translate the script for other languages.

      Reply
  5. Rolf A. Vaglid says

    December 16, 2017 at 9:25 am

    Hi there Graham, this script works just as intended on primary mailboxes, but it does not seem to take into account archive mailboxes.
    I tried to add “-archive” to the
    $mailboxfolders = @(Get-MailboxFolderStatistics $Mailbox -archive | Where {!($exclusions -icontains $_.FolderPath)} | Select FolderPath)
    and it seems to enumerate all the mailbox folders in the archive, but it seems it's unable to find the permission I have verified is present.

    Reply
    • Rolf A. Vaglid says

      December 16, 2017 at 9:27 am

      Graham? I meant Paul of course, apologies 🙂

      Reply
    • Paul Cunningham says

      December 17, 2017 at 8:28 am

      Try running on the primary mailbox, wait 24 hours or so, and see if the archive mailbox reflects the changes after that. It’s been a while since I had to look at this but IIRC archive mailbox folders get the same permissions as the primary mailbox folders.

      Reply
  6. David says

    March 23, 2017 at 12:54 am

    Hi Paul,

    I find this script very useful; however, I am having issues removing Owner permission for one user.
    It seems the script runs through all folders but permissions are not being removed – no error message.
    The user has been deleted from AD so the entry is a legacy SID: “NT User:S-1-5-21-1604199630-1702588179-1845911597-5264”
    Is there anything I need to change in the script to get this last user mailbox permission removed for the deleted user?

    Many thanks!

    Reply
    • Paul Cunningham says

      March 23, 2017 at 9:29 am

      I don’t know if the script will work for a deleted user. I suspect not.

      Reply
      • David says

        March 23, 2017 at 7:04 pm

        Debugging the script reveals the script does not seem to identify the NT user and just skips it.
        If I manually type the cmdlet: Remove-MailboxFolderPermission -Identity "user:\folder name\subfolder name\subfolder name" -User "NT User:S-1-5-21-1604199630-1702588179-1845911597-5264" the permission is removed successfully, hence the syntax is correct and the NT User can be found by PS.

        Thanks for your input and if I find a solution will post it here.

        Reply
        • David says

          March 23, 2017 at 8:27 pm

          Actually just found the root cause.
          If the folder name has a special character, e.g. ?, /, &, the script won't make any changes; it will just skip the folder.

          Reply
          • Paul Cunningham says

            March 24, 2017 at 9:28 am

            Yeah I don’t know why people do that, but anyway, good find.

        • Raman says

          May 23, 2017 at 1:07 pm

          Hello David,
          Were you able to find the solution for deleted users “NT User:S-1-5-21-1604199630-1702588179-1845911597-5264” using this script?
          Thanks,
          Raman

          Reply
      • David says

        March 24, 2017 at 12:59 am

        Issue fixed and the script is running fine now. The problem was caused by illegal characters. Changed line 85:
        $folder = $mailboxfolder.FolderPath.Replace("/","\").Replace([char]63743,'/');
        and removed lines 86-89 inclusive.

        Reply
        • Jackie says

          December 7, 2019 at 12:09 pm

          I know this is old, but thanks a ton to both of you! This makes cleaning up dead user accounts so much easier!

          Reply
  7. Vicky says

    October 7, 2016 at 8:59 am

    Thanks a lot Paul. I removed the permission using ADSIedit from the Database properties.

    Reply
  8. DNK says

    October 6, 2016 at 1:33 pm

    Hi Paul

    Your web is awesome.
    I have a question: if I want to delete all users from access to a calendar so that only the Default user will be on the access list,
    do you mind showing it in PowerShell?

    Reply
    • Paul Cunningham says

      October 6, 2016 at 2:48 pm

      What have you tried so far?

      Reply
      • Jono Clifton says

        November 28, 2016 at 11:13 am

        I copied from you, Paul, how to take the variable $mailbox from the command line and then:

        $allmailboxes = Get-Mailbox -Identity $mailbox

        foreach ($allmailbox in $allmailboxes) {

            Get-MailboxFolderPermission ($allmailbox.Name + ":\Calendar") | ForEach {

                # Keep the built-in Default and Anonymous entries and our custom "Retain Alerts" account
                if (([string]$_.User -ne "Default") -and ([string]$_.User -ne "Anonymous") -and ([string]$_.User -ne "Retain Alerts")) {

                    Remove-MailboxFolderPermission -Identity ($allmailbox.Name + ":\Calendar") -User $_.User -Confirm:$false -ErrorAction STOP

                }

            }

        }

        NOTE: Retain Alerts is a custom user we have in our Exchange that needs access to everyone's mailbox.

        This does what the previous comment wanted but has the unwanted side effect of removing custom permissions that are less restrictive than 'Reviewer'. I use this script on a per-user basis, but to run it on the whole Exchange I need to figure out how to exclude removing permissions that are less restrictive than Reviewer.

        Not expecting you to write it, but where would I add such a line into this script? Is it possible to write after the first IF which excludes users, then also have AND IF access rights is equal to LimitedDetails or AvailabilityOnly, then progress with the Remove-permission part?

        Is it too complex? It would be essentially saying IF the name isn't one of these AND IF the access rights match the more restrictive settings.

        I'd probably add Reviewer to those that need to be removed, just to tidy things up, as all people are covered by our Default = Reviewer.

        Reply
        • Paul Cunningham says

          November 28, 2016 at 11:32 am

          Well, you could start by looking at the output of Get-MailboxFolderPermission and see if it gives you any way to filter different levels of permissions.

          Reply
  9. Vicky says

    October 6, 2016 at 6:56 am

    Hi Paul,

    Thanks a Ton to all for help.

    I have tried

    Get-Mailbox -ResultSize Unlimited | Remove-MailboxPermission -User domain\user -AccessRights FullAccess -InheritanceType All -Confirm:$false

    But the following error is coming up for all the mailboxes …

    WARNING: An inherited access control entry has been specified: [Rights: CreateChild, Delete, ReadControl, WriteDacl, WriteOwner, ControlType: Allow]
    and was ignored on object “CN=User Name,CN=Users,DC=companydomain,DC=com”.

    Checked the permission on couple of mailboxes and user hasn’t been removed.
    Any suggestions please?

    Many thanks

    Vicky

    Reply
    • Paul Cunningham says

      October 6, 2016 at 12:57 pm

      Looks like you’re trying to remove a permission that is being inherited. That won’t work. You’ll need to find where it’s being inherited from (a parent object) and remove it there.

      Reply
  10. Vicky says

    October 5, 2016 at 7:52 am

    Dear Paul,

    I am using the following command to remove the Full Access permission for UserA from all the mailboxes.
    But I am being prompted for each mailbox! I have about 5000. So how can I go about it without being prompted?

    Get-Mailbox | Remove-MailboxPermission -User domain\userA -AccessRights FullAccess -InheritanceType All

    Many thanks

    Vicky

    Reply
    • Paul Cunningham says

      October 5, 2016 at 10:07 am

      Look at the -Confirm switch, which most cmdlets have.

      e.g. Do-Thing -Confirm:$false

      Reply
  11. Rocco Ciaravolo says

    September 5, 2016 at 6:02 pm

    Hi,
    I liked very much your script.

    I used it as a base on Technet (linking the source – https://social.technet.microsoft.com/Forums/it-IT/faa654f8-3f36-4fd7-8ece-0643926a0b74/how-to-remove-users-calendar-rights?forum=exchange2010).

    I thought it was correct to warn you.

    Best regards.

    Reply
  12. Kevin says

    August 10, 2016 at 4:05 am

    Can the remove-mailboxfolderpermission cmdlet be used to remove a list of users who have access to an individual calendar?

    Reply
    • Paul Cunningham says

      October 5, 2016 at 10:06 am

      You could write a little script to use that cmdlet and loop through a list, sure.

      Reply
  13. Peter Jonkers says

    August 1, 2016 at 4:54 am

    Is it also possible to delete all deleted users with this script for all the mailboxes? Removed users like S-1- etc. etc.
    I have a bulk of mailbox permissions on mailboxes with deleted users,
    so search all mailboxes for users starting with “S-1-” and delete that user from any mailbox folder.

    regards
    Peter Jonkers

    Reply
    • Ralph says

      April 3, 2020 at 7:04 pm

      I also had that requirement – a large shared mailbox with thousands of subfolders, many of which had SIDs of previous staff in the permissions. I modified the script by removing the $user parameter from the inputs. Within the foreach loop, I added a nested loop:

      $users = Get-MailboxFolderPermission -Identity $identity
      Write-Host -ForegroundColor Red "Checking $identity"
      foreach ($user in $users)
      {
          # Entries for deleted accounts show up as an orphaned SID rather than a name
          if ($user.User -match "NT User:S-1")
          {
          … mostly the same as the existing script
          }
      }

      I had to change $user to $user.User elsewhere in the existing script as the $user object was a different type, I guess. Hope that helps someone.

      Reply
  14. Prince Rozario says

    February 26, 2016 at 8:46 pm

    A Question

    In our school we would like staff to be able to see any student calendar, we have achieved this by using FullAccess permission with the Add-MailboxFolderPermission command.

    In this case the staff will also be allowed to delete a student email. Is it possible to prevent this from happening? We only need staff to be able to see student calendar and emails not delete them.

    Reply
    • Paul Cunningham says

      March 2, 2016 at 8:31 pm

      If you only add permissions to the Calendar folder they won’t be able to mess with emails.

      Reply
  15. Alpesh says

    February 19, 2016 at 4:49 pm

    Hello Paul,

    Thank you for the script. It really does the job. We had a user who has close to 100+ folders under his inbox and this script really did the job for us. However, there was another user who has equally same number of folders. Is there anyway I can specify multiple users to the -User parameter?

    Regards,
    Alpesh

    Reply
    • Paul Cunningham says

      February 19, 2016 at 4:59 pm

      Short answer, yes. I’ve added an issue to my Github repo for that request.

      In the meantime, if you want to tackle it yourself, look into script parameters that accept multiple values, and then modifying that part of the script to loop through the users.

      Reply
      • Jhay says

        June 2, 2016 at 11:51 pm

        I have the same case as Alpesh, would you be able to show please 🙂 trying to go through the script but I'm quite new in scripting. Thanks a lot Paul, your site is awesome!!!

        Reply
  16. Edward says

    December 6, 2015 at 4:38 pm

    When I run the script, it runs okay but at the end I get a message – The operation couldn't be performed because 'hrh2:\Calendar Logging' couldn't be found. Please can you advise?

    Reply
  17. MAK says

    October 8, 2015 at 7:18 pm

    Hi Paul, your posts are fabulous. I have recently come across an issue: I restored the mailboxes from a corrupted EDB file. I created a new DB and imported all the mailboxes. The problem I am having is that the users are now able to see the system folders (Common Views, ExchangeSyncData, Freebusy Data, etc.). Is there any way we can hide these folders from the user mailboxes? Appreciate your feedback on this.

    Thanks
    MAK

    Reply
    • Paul Cunningham says

      October 8, 2015 at 11:26 pm

      Sounds to me like whatever tool you used to export from the EDB it also exported the hidden/system folders. When you import those from a PST they are just treated as regular folders which are visible to the user.

      I don’t know of any easy way to clean that up.

      Reply
  18. trank0 says

    October 6, 2015 at 3:42 am

    Hi Paul, your web is awesome, your knowledge is infinite. Please, can you tell me where those permissions are stored? Maybe in Active Directory on the Security tab, or in the ADSI Editor?

    Thanks a lot.

    Reply
  19. Al says

    July 10, 2015 at 5:10 am

    Hi Paul,
    Would it be possible to remove delete and send access from an Outlook? One of the employees is under investigation but he needs to access his email to get evidence, but the company does not want the employee to send or delete any emails from his Outlook. He should be able to view his emails and print, if necessary. Is it possible?

    Reply
    • Paul Cunningham says

      July 10, 2015 at 10:38 am

      Seems strange that an employee under investigation would be allowed to access the mailbox to collect evidence.

      But… you can place the mailbox on litigation hold if you want to preserve it from deletions.

      Reply
  20. Nicolas says

    May 21, 2015 at 1:26 am

    You are the man! Thank you!

    Reply
  21. Gilles says

    May 7, 2015 at 12:15 am

    Hello,

    I have an issue when users have folder names with date separated by ‘/’.

    Reply
  22. Hyptnotoad says

    February 6, 2015 at 9:48 pm

    Thank you so much. Very very helpful, used it several times now.

    Reply
  23. Andrew Lee says

    January 13, 2015 at 12:10 pm

    You are AWESOME!! I will try this out!

    Reply
