A question that always comes around is how to centrally assign permissions on mailboxes.
For example, a receptionist application uses a service account that needs read access to everyone’s calendar to
show what’s up with the users today. Some application suppliers just want to give the account
Organization Management membership, or Global Admin for those who run Office 365.
So what permissions do we want to assign? Well, to show the users’ calendar information it would probably only need read access to the calendar within the mailbox.
Well, that’s easy: run a command in PowerShell and you will add the correct permission.
Add-MailboxFolderPermission -User "domain\myserviceacc" -AccessRights Reviewer -Identity Anna:\Calendar
Well, that’s nice, but I’ve got 3000 mailboxes…
No worries. You can still use a simple PowerShell command.
    $mailboxes = Get-Mailbox -ResultSize Unlimited
    foreach ($Mailbox in $mailboxes) {
        # -User Default is the entry that applies to every authenticated user in the organization
        Set-MailboxFolderPermission -Identity ($Mailbox.Alias + ':\Calendar') -User Default -AccessRights Reviewer
    }
But…
There are two caveats, though. The first is that it is only applied to mailboxes that currently exist, and the second is languages.
When a user logs on for the first time, the mailbox is created and so is the calendar. The calendar is also created in the language
that the user chooses (if logged on through OWA). This will break the PowerShell command above. A Swedish user’s calendar
is named Kalender and in Russian it is named Календарь. This will make the command fail unless you specify the correct
name for the calendar, for example anders.green:\Kalender
So to avoid both of them we let this script run in Task Scheduler:
    # Mailboxes in scope: everything under this OU
    $mailboxes = Get-Mailbox -OrganizationalUnit altitude365.com/MyUserAccounts -ResultSize Unlimited
    $Permission = "Reviewer"
    foreach ($mbx in $mailboxes) {
        # Look up the calendar folder's actual (localized) name, e.g. Calendar or Kalender
        $CalendarName = (($mbx.SamAccountName) + ":\" + (Get-MailboxFolderStatistics -Identity $mbx.SamAccountName -FolderScope Calendar | Select-Object -First 1).Name)
        Add-MailboxFolderPermission -User "domain\svc_account" -AccessRights $Permission -Identity $CalendarName
    }
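An idempotent variant of the scheduled script, as an added example that is not code from the original post: it looks up the localized calendar folder, adds the entry only where it is missing, and resets an entry that carries any other role. The function name Set-CalendarReviewer is hypothetical; the account and OU are the post's placeholders.

```powershell
# Added example: run in an Exchange Management Shell / Exchange Online session.
# Set-CalendarReviewer is a hypothetical helper name, not an Exchange cmdlet.
function Set-CalendarReviewer {
    param(
        [Parameter(Mandatory)] [string] $ServiceAccount,      # placeholder: 'domain\svc_account'
        [Parameter(Mandatory)] [string] $OrganizationalUnit,
        [string] $Role = 'Reviewer'
    )
    foreach ($mbx in Get-Mailbox -OrganizationalUnit $OrganizationalUnit -ResultSize Unlimited) {
        # The folder name follows the user's language (Calendar, Kalender, ...),
        # so select it by folder type instead of hard-coding the name.
        $folder = Get-MailboxFolderStatistics -Identity $mbx.Alias -FolderScope Calendar -ErrorAction SilentlyContinue |
            Where-Object { $_.FolderType -eq 'Calendar' } |
            Select-Object -First 1
        if (-not $folder) {
            # No calendar yet (mailbox never opened); a later scheduled run picks it up.
            [pscustomobject]@{ Mailbox = $mbx.Alias; Folder = $null; Action = 'NoCalendarYet' }
            continue
        }
        $target = '{0}:\{1}' -f $mbx.Alias, $folder.Name
        $entry  = Get-MailboxFolderPermission -Identity $target -User $ServiceAccount -ErrorAction SilentlyContinue
        if (-not $entry) {
            Add-MailboxFolderPermission -Identity $target -User $ServiceAccount -AccessRights $Role | Out-Null
            $action = 'Added'
        }
        elseif ([string]$entry.AccessRights -ne $Role) {
            # An existing entry with any other role (including a broader one) is reset.
            Set-MailboxFolderPermission -Identity $target -User $ServiceAccount -AccessRights $Role
            $action = 'Corrected'
        }
        else {
            $action = 'Unchanged'
        }
        [pscustomobject]@{ Mailbox = $mbx.Alias; Folder = $target; Action = $action }
    }
}

# Report only what changed, so the scheduled task's log doubles as an audit trail.
Set-CalendarReviewer -ServiceAccount 'domain\svc_account' -OrganizationalUnit 'altitude365.com/MyUserAccounts' |
    Where-Object { $_.Action -ne 'Unchanged' }
```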
The AccessRights parameter can be specified with the following roles:
- None: FolderVisible
- Owner: CreateItems, ReadItems, CreateSubfolders, FolderOwner, FolderContact, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
- PublishingEditor: CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
- Editor: CreateItems, ReadItems, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
- PublishingAuthor: CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, DeleteOwnedItems
- Author: CreateItems, ReadItems, FolderVisible, EditOwnedItems, DeleteOwnedItems
- NonEditingAuthor: CreateItems, ReadItems, FolderVisible
- Reviewer: ReadItems, FolderVisible
- Contributor: CreateItems, FolderVisible
The following roles apply specifically to calendar folders:
- AvailabilityOnly: View only availability data
- LimitedDetails: View availability data with subject and location