Managing calendar permissions in Exchange Server 2010
In legacy versions of Exchange Server we could use PFDAVAdmin to manage calendar permissions, or alternatively the 3rd party tool SetPerm.
With Exchange Server 2010 calendar permissions can be managed using the *-MailboxFolderPermission cmdlets. While these cmdlets can be used to manage permissions on any mailbox folder, we`ll focus on calendar permissions.
In fact we got 4 *-MailboxFolderPermission cmdlets in Exchange Server 2010:
- Add-MailboxFolderPermission
- Get-MailboxFolderPermission
- Remove-MailboxFolderPermission
- Set-MailboxFolderPermission
Since I`ll be focusing on managing default permissions , which is an existing ACL on the calendar folder, we need to use the Set-MailboxFolderPermission cmdlet:
To grant “Reviewer”-permissions for the “Default” user, we would run the following:
Some companies have a policy that everyone must share their calendars with all users. Since it`s now possible to manage calendar permissions using PowerShell, I`ve written a script to accomplish this task; Set-CalendarPermissions.ps1.
While this script could be scheduled to run on a regular basis, a better approach for managing calendar permissions for new mailboxes are the use of the Scripting Agent which is a part of the Cmdlet Extension Agents, a very useful feature introduced in Exchange Server 2010.
Pat Richards has posted an excellent post on how to automatically modify new mailboxes using the Scripting Agent.
22 Comments »
Leave a Reply
About
Jan Egil Ring works as a Senior Consultant on the Infrastructure Team at Crayon, Norway.
He mainly works with Microsoft server-products, and has a strong passion for Windows PowerShell. In addition to being a consultant, he is a Microsoft Certified Trainer.
He has obtained several certifications such as MCITP: Enterprise Administrator and MCITP: Enterprise Messaging Administrator. For more details see his MCP Virtual Business Card.
In January 2011, he was awarded the Microsoft Most Valuable Professional Award for his contributions in the Windows PowerShell technical community.
His engagements as a speaker includes TechDays in Norway, as well as a Microsoft Office 365 bootcamp for Microsoft partners in Norway.
He is a co-founder of the Norwegian Microsoft Technology User Group (MTUG), which is an assosication of local MTUG user groups in Norway.
His intentions with this blog is to share experiences based on various projects and troubleshooting, as well as sharing different resource links to technologies he works with.
Google Reader – My Shared Items- Kill cmd.exe Bartek Bielawski
- SCVMM 2012 Quick Tip: Finding which storage arrays a Hyper-V host can see hector.linares
- On Becoming a Senior Technical Individual Contributor jsnover
- Fix for "You must close all dialog boxes before you can close Exchange Management Console" in Exchange 2010 Jeff
- The Windows 8 Task Manager Steven Sinofsky
YOU ARE THE MAN SIR!
This totally worked, and I’ve tried about 10 different tricks to get this done.
Is there a way to use this to set custom permissions? I need to set the default permission on all clanders to be Reviewer but not full details. I need the Read Level to be Free/Busy time, Subject, location.
Hi,
From the Exchange Management Shell, run “help Set-MailboxFolderPermission -Full”. On the AccessRights parameter you can see the available permissions that can be set using this cmdlet.
[...] around online I came across a script written by Jan Egil Ring that adds “Reviewer” permissions for the “Default” user on all [...]
Pingback by Set Calendar Permissions » My Life in IT | April 14, 2011 |
Thank you for this post! I’ve been looking for something like this for quite some time.
Exchange PowerShell initially told me that Set-MailboxFolderPermission wasn’t a valid command. After some digging, I discovered that these commands were introduced with Exchange 2010 SP1–they’re not part of Exchange 2010 RTM. I hope that saves someone else some time.
Hello,
great blog, i have followed the instructions above and the permissions are successfully applied, however when i attempt to open another users calendar through OWA i received an error stating that “You don’t have permission to view this content. To get permission, contact the owner of the content” Permissions have been set successfully so unsure why i am receiving this error?
I have tried everything i can think of, do you have any suggestions?
Thank you
Hi,
Maybe the permissions aren`t updated in the information store right away…does it work if you try after a couple of hours?
Hello, thanks for the script. I have been looking for this for a couple of hours.
All seem to work, but the only thing what’s happening now, after adding a shared calender to a user, a popup shows up in the right corner of the screen with the message “U’r not authorized to a create submap in this folder”. This message seems to return everytime a user clicks on his calender button in outlook.
Any idea whats causing this?
Thank you
I have this same problem. Running Exchange 2010 SP2 with Outlook 2007 Clients. The calendars still open to view the Free/Busy info, but every user still gets the “You do not have sufficient permission to perform this operation on this object”. I’m wondering if this is a compatbility issue between the two. Can’t seem to find any viable workaround. Thanks!
Anyone know how to grant calendar access without granting access to the entire folder?
“Anyone know how to grant calendar access without granting access to the entire folder?”
The calendar *is* a folder I believe.
Thanks!
can you provide any help on the cmdlet extension agents implementation of setting the default permissions to reviewer.
basically i have done it but it only works if i create the mailbox directly on the mailbox server and not from any of my CAS servers and since i do not have any exchange servers with both the mamilbox and CAS role installed on a single server I have no idea how to get around this if infact there is a way. thanks
Hi,
Did you copy the ScriptingAgentConfig.xml file to all your Exchange-servers? More info here.
Hi!
When i use the script you refer to “Set-CalendarPermissions.ps1″ i get an error
”
Unexpected token ‘in $mailboxes’ in expression or statement.
At C:\scripts\TrioRightsOnCalendar-Try2.ps1:38 char:32
+ foreach ($mailbox in $mailboxes <<<< ) {
+ CategoryInfo : ParserError: (in $mailboxes:String) [], ParseException
+ FullyQualifiedErrorId : UnexpectedToken
"
The script is run on a Exchange 2010 mailboxserver, Win 2008 R2 (Got 3 MB and 2 HT/CA.)
I have changed the get $mailboxes to: Get-Mailbox -ResultSize Unlimited -Filter {(CustomAttribute8 -eq "TrioUser")} but i wont work when i use $mailboxes = Get-Mailbox -Database "SXXXXX" either.
Have tried google but cant figure it out, got any nice ideas? =)
Hi,
You can see the expected mailboxes returned when you run $mailboxes?
What happens if you try to run a simple loop against $mailboxes? I.e.:
foreach ($mailbox in $mailboxes) {
$mailbox.name
}
Hi, changed the script. Quite a bit, this is what i use now and it works. Thanx for the replay =)
$mailboxes = Get-Mailbox -ResultSize Unlimited | Where-Object{$_.ObjectClass -eq “User” -and $_.CustomAttribute8 -ne “XXXXX”}
$AccessRights = “publishingEditor”
$CustomAtt = “XXXXX”
#Loop through all mailboxes
foreach ($mailbox in $mailboxes) {
Write-Host “XXXXX $mailbox” -ForegroundColor Yellow
#Retrieve name of the user`s calendar, depending on langugage (Love this one, saved looots of time)
$calendar = (($mailbox.SamAccountName)+ “:\” + (Get-MailboxFolderStatistics -Identity $mailbox.SamAccountName -FolderScope Calendar | Select-Object -First 1).Name)
#Check if calendar-permission for user “XXXXX” is set to the default permission of “publishingEditor”
if (((Get-MailboxFolderPermission $calendar | Where-Object {$_.User -like “XXXXX”}).AccessRights) -ne “publishingEditor” ) {
Write-Host “Updating calendar permission and adding Costum attribute for $mailbox…” -ForegroundColor Green
#Set calendar-permission for user “XXXXX” to value defined in variable $AccessRights
Add-MailboxFolderPermission -User “XXXXX” -AccessRights $AccessRights -Identity $calendar
Thnx again.
//Sigge
Is there a script to Remove-MailboxFolderPermission recursively. I’m trying to remove all mailbox folder permissions for a user but havent found an easy way to do it in Powershell. We are using Exchange 2010 SP1
I have a question.
A user removed Anonymous from his calender and now all meeting requests are going straight into his calender. He can decline/accept meetings from the calender but not in the original invite sent.
will this fix my issues??
Set-MailboxFolderPermission -Identify username:\Calender -user Anonymous -AccessRights None
The script works perfectly on Calendar items, but could we get a similar script that shows, where one should change the script to correspond to a localized exchange environment ?. For instance in Denmark the outlook is localized so the Calendar is called Kalender instead.
thank you.
//SC
Could we get a script for localized installations, where forinstance the Calender is called Kalender instead ? where would one have to make changes to your current script to reflect such changes ?That would really help out in localized environments. Great script though for English installations it works like a charm.
[...] You can’t set this in group policy, you would set it on the Exchange server. Here is an example: http://blog.powershell.no/2010/09/20/managing-calendar-permissions-in-exchange-server-2010/ [...]
Pingback by Group Policy and Outlook - Admins Goodies | April 21, 2012 |