Exchange Folder Permissions - query users access to all calendars

I'm trying to get a script working without any success which I'm hoping someone will already have a similar one for I could take.

Basically it needs to run a command like get-mailboxfolderpermissions -identity user:\calendar -user username >> c:\results.text

Basically I need it to check all accounts in the exchange server for a specific account with permissions over its calendar. So in essence check all folder calendar permissions for all mailboxes and if it matches -user, then wrote back to a file the calendar samaccountname they have access to.

Seems long winded but the only way in outlook 2010 to check what permissions a user has over all other calendars that are not provided via full access or inherited permissions.

Ideas appreciated.

Thanks


  • Edited by Tarrley Tuesday, September 01, 2015 7:00 PM More descriptive
  • Moved by Bill_Stewart Wednesday, September 02, 2015 1:58 PM Move to more appropriate forum
September 1st, 2015 6:45pm

What is it that you are trying to ask? Just ask a plain question.  Don't try to explain it.

Free Windows Admin Tool Kit Click here and download it now
September 1st, 2015 7:14pm

Use Get-Mailbox and pipe into ForEach-Object. Run your permission check inside the loop. This should only take a few lines to complete

As always, you can check the repository for starting points:

http://gallery.technet.microsoft.com/scriptcenter

September 1st, 2015 7:15pm

This is all good and thank you, however it doesn't return the account the permission is then set on.

Basically I want to be able to enter username1 and have a list of any calendar mailbox folder that username has access to. 

Free Windows Admin Tool Kit Click here and download it now
September 1st, 2015 7:17pm

This is all good and thank you, however it doesn't return the account the permission is then set on.

Basically I want to be able to enter username1 and have a list of any calendar mailbox folder that username has access to. 

I'm not sure what you mean by this. You can return whatever you want if you find a match.

We'll likely need to see your script and what's wrong with it before we can offer more concrete help.

September 1st, 2015 7:20pm

You are asking about "effective access" by user.  There is no tool for doing that in Exchange 2010.  You must check every group and all subgroups for the user account.

Free Windows Admin Tool Kit Click here and download it now
September 1st, 2015 7:29pm

I went digging in my script vault and found something that you can use as a starter:

$userToCheck = Read-Host 'Enter username'

$mbxs = Get-Mailbox

foreach ($mbx in $mbxs) {

    $calendarPermissions = Get-MailboxFolderPermission "$($mbx.Name):\Calendar"

    foreach ($permissionEntry in $calendarPermissions) {

        If ($permissionEntry.User.ADRecipient.SamAccountName -eq $userToCheck) {

            Write-Host "User $userToCheck has permission on $($mbx.Name) calendar"

        }

    }

}

This gets you 99% of the way.

September 1st, 2015 7:44pm

OK, that does work however if you have mailboxes in different languages as it's matching the name Calendar, it won't work for other languages that use variations such as Calendrier (French).

Without having to define each variation of the word calendar and adding this as another action, is there anyway for this script to apply to anything matching FolderType Calendar, rather than name?

Thanks

Free Windows Admin Tool Kit Click here and download it now
September 2nd, 2015 8:12am

OK, in line with the above, is there a way to hide the errors where it cannot find a folder called Calendar from appearing as an error on the host? I've tried adding an ErrorActionPreference but still see errors such as the below due to the calendar naming not being English.

The operation couldn't be performed because 'username:\Calendar' couldn't be found.
    + CategoryInfo          : NotSpecified: (:) [Get-MailboxFolderPermission], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : BB9413F1,Microsoft.Exchange.Management.StoreTasks.GetMailboxFolderPermission

$ErrorActionPreference = "SilentlyContinue"
$userToCheck = Read-Host 'Enter username'
$Filename = Read-Host 'Enter Filename to create'
$data = Get-Mailbox -ResultSize Unlimited

foreach ($mbx in $data) {

    $calendarPermissions = Get-MailboxFolderPermission "$($mbx.Name):\Calendar"

    foreach ($permissionEntry in $calendarPermissions) {

        If ($permissionEntry.User.ADRecipient.SamAccountName -eq $userToCheck) {

           Write-Host "User $userToCheck has permission on $($mbx.Name) calendar" | Out-File c:\$filename.txt
        }

    }

}



  • Edited by Tarrley Wednesday, September 02, 2015 9:29 AM update block
September 2nd, 2015 9:28am

Sorry, missed this thread yesterday.

This adjustment works for suppressing the one error I was getting (I have two mailboxes with the same name, so I get a failure due to the mailbox not being unique):

$userToCheck = Read-Host 'Enter username'

$mbxs = Get-Mailbox

foreach ($mbx in $mbxs) {

    $calendarPermissions = Get-MailboxFolderPermission "$($mbx.Name):\Calendar" -ErrorAction SilentlyContinue

    foreach ($permissionEntry in $calendarPermissions) {

        If ($permissionEntry.User.ADRecipient.SamAccountName -eq $userToCheck) {

            Write-Host "User $userToCheck has permission on $($mbx.Name) calendar"

        }

    }

}

I don't have any additional languages to test with either, so I'm not sure how to best handle that angle. There is likely (I'm guessing) some sort of universal identifier that you could use, instead of appending the :\Calendar string. The Exchange forums are a good place to ask about this specific detail.

Free Windows Admin Tool Kit Click here and download it now
September 3rd, 2015 7:55am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics