Select Page

Exchange – Get All Mailbox Folder Permissions

by | Oct 29, 2021 | Exchange, PowerShell | 0 comments

Pokeball
As an IT professional—or as my daughter would call it: doing computer nerd things with your friends—we’re into some weird stuff. And by weird, you know I mean amazing and super neato. There’s something about the smell of a freshly created file share that just can’t be put into words. You know what I mean, right? Right?? Guys??? It’s okay, you’re just in denial. Let me trying something we all will agree with. In the Exchange world, there’s a large amount of endorphins released when you retrieve mailbox folder permissions. But what’s better than getting one mailbox folder permission? Why, getting all mailbox folder permissions of course! Microsoft goes hard and makes it a bit challenging to do this out of the box. So grab your fanny packs trainers, we gotta catch ’em all!

\\\Basic Pokeball

Professor Oak (or Professor Magnolia for all of you young whipper snappers) has given us a couple of standard, out-of-the-box pokeballs to get us started on our adventure. These are the 2 cmdlets: Get-MailboxFolderPermission and Get-MailboxFolderStatistics. Before we get carried away with the complex game of Paper, Rock, Electric-type Pokémon, let’s take a super in-depth dive of each one.

Get-MailboxFolderPermission returns permissions set on a specific folder in a mailbox.

Get-MailboxFolderStatistics returns a list of folders within a mailbox.

Okay, so maybe there was a “No Diving” sign in the shallow end of the pool….but this is all of the info we could fit into our Pokédex. These cmdlets can do more and get more, but for our purposes in this post we’ll keep it simple. Since you have your sights on becoming the next great Pokémon master, your first task is taking down some punk in a gym. Just to clarify, it’s preferable if the punk isn’t from a Planet Fitness or Gold’s Gym. To beat this gym leader, for some reason you need to get a list of permissions set on all folders (including sub folders) for a mailbox. This is clearly where my analogy breaks down but per the usual I’ll continue to beat this dead horse until it dies, again.

\\\Mailboxchu’s Accuracy Sharply Rose!

So what we want to do is use these 2 cmdlets together and let them evolve into something that’s pretty much the same but with wings or a flower on its back. In general, we want to write a function to get a list of all folders and subfolders in a mailbox and then get the permissions for each. Let’s get started!

First, let’s breakdown the core parts of our function. This gets a list of folders and selects a few properties that we can use:

$AllFolders = Get-MailboxFolderStatistics EmailAddress | Select Name, FolderPath, Foldertype, Identity
Next, we loop through each of the folders to get the permissions set.
$IndivPermission = Get-MailboxFolderPermission PathToFolder
We’ll end up doing a couple of other things like adding the individual permissions to an array called $AllPermissions, adding in some verbose logging for our benefit, and removing any permissions where the AccessRights is set to “None”. There’s also one small Snorlax that doesn’t allow us to easily pipe between these two cmdlets: the folder path.
style="display:block" data-ad-client="ca-pub-3397982927006466" data-ad-slot="6462285589" data-ad-format="auto" data-full-width-responsive="true">

\\\Oh Squirtle

For all of their infinite wisdom, I’m not sure why MS did it this way. If anybody has any ideas about this I’m all ears! Getting the folder path from Get-MailboxFolderStatistics is super-effective! But the folder path returned is in this format:

Email Address\Folder Name

That’s great and all, but when you have to define the folder path in the Get-MailboxFolderPermission cmdlet, it needs to be in this format:

EmailAddress:\Folder Name

Talk about a colonoscopy! Team Rocket must have been behind this. There’s no way Microsoft would do this to us…

style="display:block; text-align:center;" data-ad-layout="in-article" data-ad-format="fluid" data-ad-client="ca-pub-3397982927006466" data-ad-slot="6946690681">

\\\Reggie, I choose you!

To fix this (there are multiple ways to accomplish this), I opted to use my Lvl 52 RegExasaur to split the folder path into 2 parts at the first backslash. Then I combine the 2 parts with a “:\” in between to be used with the Get-MailboxFolderPermission cmdlet.

The RegEx we’ll use is ^(.*?)\\
Breaking that down, it’s:

^ Matches the beginning of the string

(.*?) Get any characters grouped together before the character we specify. In our case, we want to get everything before the first backslash.

\\ The first backslash is the escaping character for RegEx, and then we’re actually looking for a backslash.

We can use this RegEx with our -Split attack to do big damage to those annoying bug Pokémon we keep finding in the darn tall grass. Does anybody mow anymore??

\\\The PokeMAN

Putting it all together, our all-star lineup of 6 Pokemon looks like this:

function Get-MailboxFolderPermissions_All{
    [cmdletbinding()]
    param(
        $Mailbox
    )
    Begin{}
    Process{
        $AllFolders = Get-MailboxFolderStatistics $Mailbox | select Name, FolderPath, Foldertype, Identity
        Write-Verbose "Total Folder Count: $($AllFolders.count)"
        $AllPermissions = @()
        foreach($F in $AllFolders){
            $Path = $F.Identity -split '^(.*?)\\'
            $FullPath = $Path[1] + ':\' + $Path[2]
            try{
                $IndivPermission = Get-MailboxFolderPermission $FullPath -ErrorAction Stop
                $AllPermissions += $IndivPermission
                Write-Verbose "$($F.Name) permission found!"
            }catch{
                Write-Verbose "$($F.Name) has no permissions set."
            }
        }
        $AllPermissions | where {$_.AccessRights -ne "None"}
    }
    End{}
}
And to use it, we do a lil somethin’ like this:
Get-MailboxFolderPermissions_All -"I CHOOSE YOU!!!"
Err, sorry. Got a little carried away. It’s actually:
Get-MailboxFolderPermissions_All EmailAddress
And if we want to see all of the HP, SP, and other random stats, just add the -Verbose parameter.

Well, there you have it. That’s how you catch all of those mailbox folder permissions. Just call me Ash money, baby!

Pokemon Trainer Todd

OTHER POSTS YOU WANT TO READ

Index Scripts for Windows Search

So you just finished writing some code and you go to save your file. You summarize all of the important aspects this section of code contains into a nice, easy-to-read file name that your future self will immediately recognize. Fast forward to the future where you...

Array vs ArrayList (PowerShell)

For some tasks in life, being precise is a necessity. But most of us get away with rounding, paraphrasing, and hitting in the general vicinity most of the time. Depending on your personality, you may be one who strives for perfection and strains on every miniscule...

Spice Up HTML Emails with PowerShell – Part III

So far in this series we've fumbled our way around the kitchen and tried to wing it when sending HTML emails with PowerShell. It was clunky to say the least. We then went through our spice rack and built an HTML template, highlighting the nuances of each spicy element...

Spice up HTML Emails with PowerShell – Part II

In Part I of our scrumptious concoction we put our script into the oven to let it bake. But we forgot to add our secret sauce that's sure to leave our recipients drooling, which is clearly our goal. In this post we'll continue to spice up HTML emails with PowerShell...

Spice Up HTML Emails with PowerShell – Part I

I live in the South, specifically in God's country AKA TEXAS BABAY! There's plenty of amazing things about Texas and definitely some reasons to loathe being from Houston, but it's hard to knock our food. I mean, is there really even a debate between Whataburger vs...

Submit a Comment

Your email address will not be published. Required fields are marked *

%d bloggers like this: