Manage Mailbox Permissions by using PowerShell
Mailbox permissions fall into two categories:
- Full Access permissions: enable another recipient to see all of the mailbox content.
- Permission to send email using another recipient's name (“Send As” and “Send on Behalf”).
Some mailbox permissions can be assigned by the user himself (by using the Outlook or OWA interface), while the permissions to send email using another recipient's name can only be assigned by using the PowerShell interface.
The considerable advantage of using PowerShell for managing mailbox permissions is that the administrator can remotely create the required settings for the user (assisting users and preventing misconfigurations) and can use the power of PowerShell to execute commands in bulk mode (apply configuration settings to more than one mailbox).
Mailbox permissions PowerShell commands basic structure
The basic structure of the PowerShell mailbox permissions command is written using the following syntax:
In our example, we want to give Alice Full Access permission to her manager's mailbox. The -Identity parameter refers to the user who wants to “share” his mailbox (give other users the option to access the content of his mailbox), and the -User parameter represents the user who will get access to the mailbox.
1. Assign Mailbox Permissions
1.1 – Assign “Full Access” permissions for a Mailbox
Add-MailboxPermission <Identity> -User <Identity> -AccessRights FullAccess -InheritanceType All

Add-MailboxPermission John -User Suzan -AccessRights FullAccess -InheritanceType All
1.2 – Assign “Send As” Permissions for a Mailbox
Add-RecipientPermission <Identity> -AccessRights SendAs -Trustee <Identity>

Add-RecipientPermission John -AccessRights SendAs -Trustee Suzan

To avoid the need for confirmation, we can add the option “-Confirm:$False”:
Add-RecipientPermission John -Trustee Suzan -AccessRights SendAs -Confirm:$False
1.3 – Assign “Send As” Permissions for ALL Mailboxes (Bulk Mode)
# Grant the trustee Send As on every user mailbox, then list the resulting permissions
$MBXS = Get-Recipient -RecipientType UserMailbox
ForEach ($MBX in $MBXS)
{
    Add-RecipientPermission $MBX.Name -AccessRights SendAs -Trustee <User Principal Name> -Confirm:$False
}
Get-RecipientPermission | Where {($_.Trustee -ne 'nt authority\self') -and ($_.Trustee -ne 'Null sid')}

$MBXS = Get-Recipient -RecipientType UserMailbox
ForEach ($MBX in $MBXS)
{
    Add-RecipientPermission $MBX.Name -AccessRights SendAs -Trustee John@o365info.com -Confirm:$False
}
Get-RecipientPermission | Where {($_.Trustee -ne 'nt authority\self') -and ($_.Trustee -ne 'Null sid')}
1.4 – Assign a recipient “Send As” Permissions on each member of a distribution group
# The trustee receives Send As on every member of the group
$DL = Get-DistributionGroupMember <Distribution Group>
ForEach ($item in $DL)
{
    Add-RecipientPermission $item.Name -AccessRights SendAs -Trustee <Identity> -Confirm:$False
}

$DL = Get-DistributionGroupMember DL-01
ForEach ($item in $DL)
{
    Add-RecipientPermission $item.Name -AccessRights SendAs -Trustee Suzan -Confirm:$False
}
1.5 – Assign each member of a distribution group “Send As” Permissions on a specific recipient
# Every member of the group receives Send As on the one recipient
$DL = Get-DistributionGroupMember <Distribution Group>
ForEach ($item in $DL)
{
    Add-RecipientPermission <Identity> -AccessRights SendAs -Trustee $item.Name -Confirm:$False
}

$DL = Get-DistributionGroupMember DL-01
ForEach ($item in $DL)
{
    Add-RecipientPermission Suzan -AccessRights SendAs -Trustee $item.Name -Confirm:$False
}
1.6 – Assign “Send on Behalf” Permissions for a Mailbox
Set-Mailbox <Identity> -GrantSendOnBehalfTo <Identity>

Set-Mailbox -Identity John -GrantSendOnBehalfTo Suzan
1.7 – Assign “Full Access” permissions for all Mailboxes (Bulk Mode)
Get-Mailbox -ResultSize unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'} | Add-MailboxPermission -User <Identity> -AccessRights FullAccess -InheritanceType All

Get-Mailbox -ResultSize unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'} | Add-MailboxPermission -User John -AccessRights FullAccess -InheritanceType All
2. Assign Full Access Permissions and AutoMap
2.1 – Assign “Full Access” permissions to Distribution Group + AutoMap
# Each member of the group receives Full Access on the target mailbox
$DL = Get-DistributionGroupMember <Distribution Group> | Select-Object -ExpandProperty Name
ForEach ($Member in $DL)
{
    Add-MailboxPermission -Identity <Identity> -User $Member -AccessRights FullAccess -InheritanceType All
}

$DL = Get-DistributionGroupMember "Assistants Group" | Select-Object -ExpandProperty Name
ForEach ($Member in $DL)
{
    Add-MailboxPermission -Identity "FL1 Room1" -User $Member -AccessRights FullAccess -InheritanceType All
}
2.2 – Assign “Full Access” permissions for all Mailboxes (BulkMode) and Disable AutoMap
Get-Mailbox -ResultSize unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'} | Add-MailboxPermission -User <Identity> -AccessRights FullAccess -InheritanceType All -AutoMapping $False

Get-Mailbox -ResultSize unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'} | Add-MailboxPermission -User John -AccessRights FullAccess -InheritanceType All -AutoMapping $False
2.3 – Assign “Full Access” permissions for Specific User and Disable AutoMap
Add-MailboxPermission <Identity> -User <Identity> -AccessRights FullAccess -InheritanceType All -AutoMapping $False

Add-MailboxPermission John -User Suzan -AccessRights FullAccess -InheritanceType All -AutoMapping $False
3. Display permissions for a Mailbox
3.1 – Display “Full Access” Permissions for a Mailbox
Get-MailboxPermission <Identity>

Get-MailboxPermission John

To improve the quality of the output, we can add a filter that “cleans” the unnecessary information:
Get-MailboxPermission John | Where { ($_.IsInherited -eq $False) -and -not ($_.User -like "NT AUTHORITY\SELF") } | Select Identity,User,AccessRights
3.2 – Display “Send As” permission for a Mailbox
Get-RecipientPermission <Identity>

Get-RecipientPermission John

To improve the quality of the output, we can add a filter that “cleans” the unnecessary information:
Get-RecipientPermission John | Where { ($_.IsInherited -eq $False) -and -not ($_.Trustee -like "NT AUTHORITY\SELF") } | Select Trustee,AccessControlType,AccessRights
3.3 – Display “Send On Behalf” Permissions for Mailbox
Get-Mailbox <Identity>

Get-Mailbox John

To improve the quality of the output, we can select only the property that holds the “Send on Behalf” delegates:
# GrantSendOnBehalfTo is the mailbox property set by Set-Mailbox -GrantSendOnBehalfTo
Get-Mailbox John | Select Name,GrantSendOnBehalfTo
3.4 – View all “Send As” permissions you’ve configured in your organization
Get-RecipientPermission | Where {($_.Trustee -ne 'nt authority\self') -and ($_.Trustee -ne 'Null sid')} | Select Identity,Trustee,AccessRights
3.5 – Display a list of recipients that have FULL ACCESS permission on other recipients
# Collect all mailboxes, then list the explicit (non-inherited) permission entries on each
$a = Get-Mailbox
$a | Get-MailboxPermission | Where { ($_.IsInherited -eq $False) -and -not ($_.User -like "NT AUTHORITY\SELF") -and -not ($_.User -like '*Discovery Management*') } | Select Identity,User,AccessRights
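The display commands in sections 3.1 to 3.5 can be combined into one tenant-wide delegation report that also shows which trustees hold the same right on many mailboxes. This is an added example, not code from the original article; it assumes a connected Exchange Online PowerShell session, and the $Threshold value and output path are assumptions.

```powershell
# Added example: one report covering Full Access, Send As and Send on Behalf.
# Assumes an Exchange Online PowerShell session is already connected.
$Threshold = 10                            # assumed cut-off, tune per tenant
$OutFile   = '.\mailbox-delegations.csv'   # hypothetical output path

$mailboxes = Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'}

$report = foreach ($mbx in $mailboxes) {
    $id = "$($mbx.PrimarySmtpAddress)"

    # Full Access: explicit entries only, same filter as section 3.1.
    # -like is used so the test works whether AccessRights is one value or a list.
    Get-MailboxPermission -Identity $id |
        Where-Object { ($_.IsInherited -eq $False) -and
                       ($_.User -notlike 'NT AUTHORITY\SELF') -and
                       ($_.AccessRights -like '*FullAccess*') } |
        ForEach-Object { [pscustomobject]@{ Mailbox = $id; Trustee = "$($_.User)"; Right = 'FullAccess' } }

    # Send As: same filter as section 3.4
    Get-RecipientPermission -Identity $id |
        Where-Object { ($_.Trustee -ne 'nt authority\self') -and ($_.Trustee -ne 'Null sid') } |
        ForEach-Object { [pscustomobject]@{ Mailbox = $id; Trustee = "$($_.Trustee)"; Right = 'SendAs' } }

    # Send on Behalf: stored on the mailbox object itself
    foreach ($delegate in $mbx.GrantSendOnBehalfTo) {
        [pscustomobject]@{ Mailbox = $id; Trustee = "$delegate"; Right = 'SendOnBehalf' }
    }
}

# Full listing for review or for comparison with an earlier run
$report | Sort-Object Mailbox, Right, Trustee | Export-Csv -Path $OutFile -NoTypeInformation

# Trustees holding the same right on $Threshold or more mailboxes,
# which is what the bulk-mode grants in sections 1.3 and 1.7 produce
$report | Group-Object Trustee, Right |
    Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```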
4. Revoke Permissions
4.1 – Revoke “Full Access” Permissions
Remove-MailboxPermission <Identity> -User <Identity> -AccessRights FullAccess

Remove-MailboxPermission John -User Suzan -AccessRights FullAccess

To avoid the need for confirmation, we can add the option “-Confirm:$False”:
Remove-MailboxPermission John -User Suzan -AccessRights FullAccess -Confirm:$False
4.2 – Revoke “Send As” Permissions
Remove-RecipientPermission <Identity> -AccessRights SendAs -Trustee <Identity>

Remove-RecipientPermission John -AccessRights SendAs -Trustee Suzan

To avoid the need for confirmation, we can add the option “-Confirm:$False”:
Remove-RecipientPermission John -AccessRights SendAs -Trustee Suzan -Confirm:$False
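The bulk “Send As” grant from section 1.4 and the revoke command from section 4.2, combined so that the change can be previewed first and undone later from a record of what was added. This is an added example, not code from the original article; the $Apply switch, the CSV path and the Undo-SendAsGrant helper are hypothetical names, and a connected Exchange Online PowerShell session is assumed.

```powershell
# Added example: scoped Send As grant with a preview mode and an undo record.
# Assumes an Exchange Online PowerShell session is already connected.
$Trustee   = 'Suzan'                 # sample names taken from the article
$GroupName = 'DL-01'
$LogPath   = '.\sendas-grants.csv'   # hypothetical path for the undo record
$Apply     = $False                  # $False = preview only; set $True after reviewing the output

$members = Get-DistributionGroupMember -Identity $GroupName -ResultSize Unlimited

$granted = foreach ($m in $members) {
    $id = "$($m.PrimarySmtpAddress)"

    # Skip entries that already exist, so the record lists only what this run adds
    if (Get-RecipientPermission -Identity $id -Trustee $Trustee -AccessRights SendAs) { continue }

    # With -WhatIf the cmdlet prints the intended change and modifies nothing
    Add-RecipientPermission -Identity $id -AccessRights SendAs -Trustee $Trustee `
        -WhatIf:(-not $Apply) -Confirm:$False | Out-Null

    if ($Apply) {
        [pscustomobject]@{
            Mailbox    = $id
            Trustee    = $Trustee
            Right      = 'SendAs'
            GrantedUtc = (Get-Date).ToUniversalTime().ToString('o')
        }
    }
}

if ($Apply -and $granted) {
    $granted | Export-Csv -Path $LogPath -NoTypeInformation
}

# Undo helper (hypothetical name): removes exactly the entries recorded above
function Undo-SendAsGrant {
    param([string]$Path = $LogPath)
    Import-Csv -Path $Path | ForEach-Object {
        Remove-RecipientPermission -Identity $_.Mailbox -AccessRights SendAs `
            -Trustee $_.Trustee -Confirm:$False
    }
}
```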