Exchange 2010 SP1 Mailbox Folder Permission

Sometimes in Microsoft Exchange environment we need to add user permission to other user mailbox.

We can add Full Access permission to mailbox like below:

Add-MailboxPermissions -Identity Mailbox1 -User JSmith -AccessRights FullAccess -InheritanceType all

But what if we don’t want to add permissions to all folders in mailbox but only to a one mailbox folder.

With Microsoft Exchange 2010 SP1 we can add permission to specified folder for user or Security Group, (Add-MailboxFolderPermission) we can remove (Remove-MailboxFolderPermission) and also we can change this permissions (Set-MailboxFolderPermission).

To add Reviewer permissions to User1 on Inbox folder of mailbox “John Smith” we can use:

Add-MailboxFolderPermission -identity j.smith@domain.com:\Inbox -User User1 -AccessRights ReadItems

Now we can check permissions to John Smith Inbox folder like below:

Get-MailboxFolderPermission -Identity j.smith@domain.com:\Inbox

We can change permissions for User1 to mailbox Inbox folder using Set-MailboxFolderPermission from Reviewer to FolderVisible:

Set-MailboxFolderPermission -Identity j.smith@domain.com:\Inbox -User User1 -AccessRights FolderVisible

To remove permissions to folder we will use Remove-MailboxFolderPermission and we don’t have to specify permission type:

Remove-MailboxFolderPermission -Identity j.smith@domain.com:\Inbox -User User1

The list of permissions that we can set using AccessRights parameter:

• ReadItems   The user has the right to read items within the specified folder.
• CreateItems   The user has the right to create items within the specified folder.
• EditOwnedItems   The user has the right to edit the items that the user owns in the specified folder.
• DeleteOwnedItems   The user has the right to delete items that the user owns in the specified folder.
• EditAllItems   The user has the right to edit all items in the specified folder.
• DeleteAllItems   The user has the right to delete all items in the specified folder.
• CreateSubfolders   The user has the right to create subfolders in the specified folder.
• FolderOwner   The user is the owner of the specified folder. The user has the right to view and move the folder and create subfolders. The user can’t read items, edit items, delete items, or create items.
• FolderContact   The user is the contact for the specified public folder.
• FolderVisible   The user can view the specified folder, but can’t read or edit items within the specified public folder.

The AccessRights parameter also specifies the permissions for the user with the following combination:

• None   FolderVisible
• Owner   CreateItems, ReadItems, CreateSubfolders, FolderOwner, FolderContact, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
• PublishingEditor   CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
• Editor   CreateItems, ReadItems, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
• PublishingAuthor   CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, DeleteOwnedItems
• Author   CreateItems, ReadItems, FolderVisible, EditOwnedItems, DeleteOwnedItems
• NonEditingAuthor   CreateItems, ReadItems, FolderVisible
• Reviewer   ReadItems, FolderVisible
• Contributor   CreateItems, FolderVisible

The following roles apply specifically to calendar folders:

• AvailabilityOnly   View only availability data
• LimitedDetails   View availability data with subject and location

More informations about cmdlets:

• Add-MailboxFolderPermission
• Set-MailboxFolderPermission
• Remove-MailboxFolderPermission
• Get-MailboxFolderPermission