PowerShell: Add or Remove access rights to shared mailboxes in Exchange 2010.


I had a user that was unable to open existing shared mailboxes in Office 2013.
The user had upgraded Office from 2010 and was unable to expand the shared mailboxes afterwards.
To solve this we had to reassign permissions to the mailboxes.

I used the following command to get a list of mailboxes that the user had access to instead of checking each of them manually.

    # Use the form shown in the User column, e.g. DOMAIN\username (wildcards also work with -like).
    $User = "username"
    Get-MailboxPermission -Identity * -ResultSize Unlimited | Where-Object {$_.User -like $User} | select Identity,User | Export-Csv c:\users.csv

I edited the CSV to be imported properly by Import-Csv.
Once the CSV was ready, I used the following script to remove the permissions for the users.
Note that this runs with the -Confirm:$False parameter, which means that it will not prompt before removing the permissions.
Be sure that you have the correct users and mailboxes in the CSV.

    <#
    .SYNOPSIS
    Removes access rights to another mailbox in Exchange 2010.
    .DESCRIPTION
    This is run on a system other than the Exchange server. The Exchange management tools are needed on that system.
    I run this script as a user that has admin rights on the Exchange server.
    .PARAMETER ExchangeServer
    FQDN of the Exchange server.
    .PARAMETER CSV
    Path to your CSV.
    .EXAMPLE
    Foreach-RemoveMailboxPermissions -ExchangeServer MyServer.domain.local -CSV C:\Users.csv
    .NOTES
    All scripts and other PowerShell references are offered AS IS with no warranty.
    These scripts and functions are tested in my environment and it is recommended that you test these scripts in a test environment before using them in your production environment.
    #>

    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [string]$ExchangeServer,

        [Parameter(Mandatory=$True)]
        [string]$CSV
    )

    BEGIN {
        # Checks if the user is in the administrator group. Warns and stops if the user is not.
        If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
            Write-Warning "You are not running this as local administrator. Run it again in an elevated prompt."
            Break
        }

        $Credentials = Get-Credential
        $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://$ExchangeServer/PowerShell/ -Authentication Kerberos -Credential $Credentials
        $Mailboxes = Import-Csv $CSV
        Import-PSSession $Session
    }

    PROCESS {
        foreach ($Mailbox in $Mailboxes) {
            # Remove FullAccess for each mailbox/user pair in the CSV, without prompting.
            Remove-MailboxPermission -Identity $Mailbox.Identity -User $Mailbox.User -AccessRights FullAccess -Confirm:$False
        }
    }

    END {
        Remove-PSSession $Session
    }
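A pre-flight check for the CSV before it reaches the removal loop, as an added example that is not part of the original post. The function name `Test-PermissionCsv`, the `CONTOSO\jdoe` account and the sample rows are constructed for illustration.

```powershell
# Added example, not the author's code. Test-PermissionCsv and the sample rows are constructed.
function Test-PermissionCsv {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Rows,
        [Parameter(Mandatory=$true)] [string] $ExpectedUser   # e.g. 'CONTOSO\jdoe'
    )
    $seen = @{}
    foreach ($row in $Rows) {
        $problem = $null
        if ([string]::IsNullOrEmpty($row.Identity) -or [string]::IsNullOrEmpty($row.User)) {
            $problem = 'missing Identity or User'
        }
        elseif ($row.User -ne $ExpectedUser) {
            # String comparison with -ne is case-insensitive
            $problem = "unexpected user '$($row.User)'"
        }
        elseif ($seen.ContainsKey($row.Identity.ToLowerInvariant())) {
            $problem = 'duplicate mailbox'
        }
        else {
            $seen[$row.Identity.ToLowerInvariant()] = $true
        }
        New-Object PSObject -Property @{
            Identity = $row.Identity
            User     = $row.User
            Ok       = ($null -eq $problem)
            Problem  = $problem
        }
    }
}

# Constructed sample input standing in for: Import-Csv C:\users.csv
$sample = @'
"Identity","User"
"contoso.local/Shared/Sales","CONTOSO\jdoe"
"contoso.local/Shared/Support","CONTOSO\jdoe"
"contoso.local/Shared/Finance","NT AUTHORITY\SELF"
"contoso.local/Shared/Sales","CONTOSO\jdoe"
"","CONTOSO\jdoe"
'@ | ConvertFrom-Csv

$checked = Test-PermissionCsv -Rows $sample -ExpectedUser 'CONTOSO\jdoe'

# Show the rows that were rejected, and why
$checked | Where-Object { -not $_.Ok } | Format-Table Identity, User, Problem -AutoSize

# Only rows that passed go on to the removal loop
$Mailboxes = @($checked | Where-Object { $_.Ok })
"{0} of {1} rows passed" -f $Mailboxes.Count, @($checked).Count
```

Running the removal loop once with -WhatIf in place of -Confirm:$False lists what would be removed without changing anything.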

To add the permissions again I ran this script.

    <#
    .SYNOPSIS
    Adds access rights to another mailbox in Exchange 2010.
    .DESCRIPTION
    This is run on a system other than the Exchange server. The Exchange management tools are needed on that system.
    I run this script as a user that has admin rights on the Exchange server.
    .PARAMETER ExchangeServer
    FQDN of the Exchange server.
    .PARAMETER CSV
    Path to your CSV.
    .EXAMPLE
    Foreach-AddMailboxPermissions -ExchangeServer MyServer.domain.local -CSV C:\Users.csv
    .NOTES
    All scripts and other PowerShell references are offered AS IS with no warranty.
    These scripts and functions are tested in my environment and it is recommended that you test these scripts in a test environment before using them in your production environment.
    #>

    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [string]$ExchangeServer,

        [Parameter(Mandatory=$True)]
        [string]$CSV
    )

    BEGIN {
        # Checks if the user is in the administrator group. Warns and stops if the user is not.
        If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
            Write-Warning "You are not running this as local administrator. Run it again in an elevated prompt."
            Break
        }

        $Credentials = Get-Credential
        $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://$ExchangeServer/PowerShell/ -Authentication Kerberos -Credential $Credentials
        $Mailboxes = Import-Csv $CSV
        Import-PSSession $Session
    }

    PROCESS {
        foreach ($Mailbox in $Mailboxes) {
            # Grant FullAccess for each mailbox/user pair in the CSV; -AutoMapping $false keeps Outlook from auto-mapping the mailbox.
            Add-MailboxPermission $Mailbox.Identity -User $Mailbox.User -AccessRights Fullaccess -InheritanceType all -AutoMapping $false
        }
    }

    END {
        Remove-PSSession $Session
    }

The only difference between the two scripts is the command in the foreach loop.

    Remove-MailboxPermission -Identity $Mailbox.Identity -User $Mailbox.User -AccessRights FullAccess -Confirm:$False
    Add-MailboxPermission $Mailbox.Identity -User $Mailbox.User -AccessRights Fullaccess -InheritanceType all -AutoMapping $false

This resolved the issue for my user, and I can see multiple uses these scripts can have in my own environments.
