Friday, 13 January 2012

Auditing Outlook Folder Permissions

After it came to light that some users had set permissions on folders in their Outlook mailbox which were allowing others too much access, I had to create a report of who was sharing certain folders with other users, and who had changed the default permissions.

In Exchange 2010 this is fairly easy, thanks to the Get-MailboxFolderPermission cmdlet.

The trick however, is to find get the right folder to pass into the -Identity parameter. In a multi-national organisation, where local-language versions of Outlook are used, folders may have non-English names. Fortunately the Get-MailboxFolderStatistics cmdlet can be used to identify the correct folder name.

Below is the script I wrote to generate a report of all the rules on the calendar folder, for all regular mailboxes in the Exchange Organisation.

# Get the mailboxes
$Mailboxes = Get-Mailbox -Filter {RecipientTypeDetails -eq "UserMailbox"} -ResultSize Unlimited

# An array for the output
$Output = @()

# Loop through the mailboxes
ForEach ($Mailbox in $Mailboxes) {
 # Get the name of the calendar folder
 $Calendar = (($Mailbox.PrimarySmtpAddress.ToString())+ ":\" + (Get-MailboxFolderStatistics -Identity $Mailbox.DistinguishedName -FolderScope Calendar | Select-Object -First 1).Name)

 # Get the permissions on the folder
 $Permissions = Get-MailboxFolderPermission -Identity $Calendar

 # Loop through the permissions, populating the output array
 ForEach ($Permission in $Permissions) {
  $Permission | Add-Member -MemberType NoteProperty -Name "Mailbox" -value $Mailbox.DisplayName
  $Output = $Output + $Permission
 }
}

# Write the output to a CSV file
$Output | Select-Object Mailbox, User, {$_.AccessRights}, IsValid | Export-Csv -Path CalendarPermissions.csv -NoTypeInformation

Download Script

Once any undesirable permissions have been identified Remove-MailboxFolderPermission and Set-MailboxFolderPermission can be used to correct them.

- Ben

12 comments:

  1. Thanks real helpful! I had all Korean mailboxes failed when setting Calendar permisssions to Show F/B Details. What does the "-First 1" bit does? Is this in case there are multiple Calendar folders? I omitted this part and it worked fine in my case.

    ReplyDelete
  2. Could this be modified to do all folders instead of just the Inbox?

    ReplyDelete
  3. brilliant script, been trying to add primarysmtpaddress to the output, any ideas?

    ReplyDelete
  4. This is great. Is there a way to filter the output to NOT show "Default" and "Anonymous" entries? I really just need to see the customized (ie. user-created) entries.

    ReplyDelete
  5. Did anyone find a way to do all folders?

    ReplyDelete
    Replies
    1. Didnt figure out or write how to do all folders, but you can do a few at a time if you need inbox/sent items/etc permissions.

      You can change the two $Calendar attributes and "-FolderScope Calendar" to 'Inbox', 'Sent Items' and a few other attributes listed here: https://technet.microsoft.com/en-us/library/dd335061(v=exchg.160).aspx

      That's if you need to know who has permissions on other folders than Calendar. Run this script on an exchange server, via Exchange Shell.

      Delete
  6. Seems like the key to do all folders has to do with the FolderScope parameter plus I imagine a few extra tweaks and maybe an additional loop(s).

    ReplyDelete
  7. Thank you for this! This works great for our environment where a lot of permissions are set via Outlook.

    You can change the two $Calendar attributes and "-FolderScope Calendar" to 'Inbox', 'Sent Items' and a few other attributes listed here: https://technet.microsoft.com/en-us/library/dd335061(v=exchg.160).aspx

    That's if you need to know who has permissions on other folders than Calendar. Run this script on an exchange server, via Exchange Shell.

    ReplyDelete
  8. I use Outlook 2016 and Lync, cannot Access Exchange Server...

    ReplyDelete
  9. Microsoft Outlook is a great premier tool to manage the email and personal information of the user. Outlook calender not syncing with iPhone

    ReplyDelete
  10. Open your antivirus program and update it with the latest virus and malware definitions. Afterwards, run a full virus scan of your computer.microsoft support number

    ReplyDelete