Solved

Share calendars for read only company-wide exchange 2013 & outlook 2010

Posted on 2014-03-25
Last Modified: 2016-06-27
Hello Experts,
Looking to see what the simplest way would be to allow all users company-wide to have read-only access to each other's calendars. This should allow people to see the details of any appointments that aren't marked as private.

If I could do this via PowerShell, it would be great if the command could be posted; I'm trying to avoid having to do this in every single person's Outlook manually.

Thanks,
0
Question by:ntmyflt
17 Comments
 
LVL 15

Expert Comment

by:jrhelgeson
ID: 39953635
You'll need to change the permissions for the "Default" user for each mailbox.
The default read-only levels for Calendar Permissions are "AvailabilityOnly" which translates to 'Free/Busy' in Outlook.
The next level of access is "LimitedDetails" - which translates to "Free/Busy time, subject, location" in Outlook.  This is probably what you want and what has been put into the script below.
The highest level of read-only permissions is "Reviewer", which means you can see all details in the user's calendar.

Powershell command for setting 'LimitedDetails' as Default for all user mailboxes:
Get-ADGroupMember -Identity "Company" | ForEach-Object { 
    $mb = Get-Mailbox -Identity $_.distinguishedName
    set-MailboxFolderPermission -Identity "${mb}:\Calendar" -User Default -AccessRights LimitedDetails
}

If you want default access to be 'Reviewer' simply replace the term "LimitedDetails" at the end of line 3 in the command above.

To verify the setting for all users:
$Mailboxes = Get-Mailbox
foreach ($mailbox in $Mailboxes) {
    Get-MailboxFolderPermission -Identity ($mailbox.UserPrincipalName + ":\Calendar") |
        Format-Table @{Label = "Mailbox"; Expression = {($mailbox.UserPrincipalName)}},
                     @{Label = "Alias"; Expression = {($mailbox.Alias)}},
                     FolderName, User, AccessRights
}

0
 
LVL 15

Expert Comment

by:jrhelgeson
ID: 39953805
Scratch that command above. I wasn't thinking clearly. There is a better way to accomplish this. I'll explain myself below - but the proper way to do this is as follows:

1) Launch Exchange Management Console | Organization Configuration | Mailbox | Sharing Policies
2) Modify the "Default Sharing Policy" and change it to "Calendar Sharing with free/busy information, plus subject and location", which equates to limited details.

In the past, I had used the Powershell commands in my first comment to assign full calendar permissions to a single user (the administrator).  I just changed the command to assign the permissions to the 'default' user.  Once I submitted my first reply, I realized there was a better way...  so here you go.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39954047
@ jrhelgeson

You were correct with your first post. The PowerShell command is the way to go.
Sharing policies is for sharing with external people only, such as federated domains.

"You can use sharing policies to control how users in your organization can share calendar and contact information with users outside your Exchange organization. Sharing policies support the sharing of calendar and contact information with external federated organizations, external non-federated organizations, and individuals with Internet access"

http://technet.microsoft.com/en-us/library/dd351201(v=exchg.141).aspx

The one modification I would make though is to use a group rather than Default.
That way you can exclude people if required.
The other issue is that it does not apply to new mailboxes automatically and users can remove the permission. Therefore I usually script it, and then schedule the script to run at least once a day (sometimes more than once if there are some troublesome users who keep removing the permission).

Simon.
0
 

Author Comment

by:ntmyflt
ID: 39954120
Hi Simon, for the group would you be referring to an active directory security group?

Something like this:
Get-ADGroupMember -Identity "Company" | ForEach-Object { 
    $mb = Get-Mailbox -Identity $_.distinguishedName
    set-MailboxFolderPermission -Identity "${mb}:\Calendar" -User AD-User-Group -AccessRights Reviewer 
} 

0
 
LVL 15

Expert Comment

by:jrhelgeson
ID: 39954181
You'd need to change the command from 'set' to 'add':  from "set-MailboxFolderPermission" to "add-MailboxFolderPermission".  However, I have never been able to add a Group permission to a calendar.  Perhaps Simon could shed some light on this.

When running "Get-Help Add-MailboxFolderPermission" there is no parameter that will accept 'Group', and specifying a mail enabled group after "-user" results in an error.
[PS] C:\>Add-MailboxFolderPermission -identity jhelgeson:\Calendar -user "Contact" -AccessRights Reviewer
The user "contact" was found in Active Directory but isn't valid to use for permissions. Try an SMTP address instead.
    + CategoryInfo          : NotSpecified: (0:Int32) [Add-MailboxFolderPermission], InvalidInternalUserIdException
    + FullyQualifiedErrorId : AA545611,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission

0
 
LVL 15

Expert Comment

by:jrhelgeson
ID: 39954242
Simon: You are correct - it is for federation only. Unfortunately. So therefore the first Powershell command is the proper method to use.

It appears that the mailbox calendar permissions are stored within the Exchange Mailbox Database, and as such, only permissions for other mailboxes are able to be assigned to existing mailboxes.  Therefore AD Groups, even mailbox enabled ones, cannot have security propagation to user mailboxes, as the mailbox database is not a respecter of Active Directory Groups when it comes to granular access permissions within the mailbox.

It is possible to assign group permissions to the mailbox itself (such as Full-Access) but not for the granular access such as calendar permissions.
0
 

Author Comment

by:ntmyflt
ID: 39959115
Hey guys, thanks so much for all the comments here.
Instead of messing around with the default policy for the entire domain might it just be better to create a script that references each user that needs to have this permission and run it?

If that's the case would anyone know if it's possible and what the command would be to specify specific users who should have their calendar shared company wide?

I'd much rather just create a script with all the usernames that need this.. it'll give us more flexibility in the future.
0
 
LVL 15

Expert Comment

by:jrhelgeson
ID: 39959263
I did this once, it turned into a nightmare.   Depending on the size of the organization, it creates tons of calendar scheduling permissions problems where you cannot cancel reminders, or meetings are canceled by the organizer but the recipients are not notified. Or the meeting is canceled but they still get reminders.  Then you run into people getting delays when looking at their calendar, or others' calendars.

This is why I recommended increasing the level of access by just one notch - to LimitedDetails rather than reviewer.
0
 

Author Comment

by:ntmyflt
ID: 39959275
Thanks jrhelgeson,
So:

Get-ADGroupMember -Identity "Company" | ForEach-Object { 
    $mb = Get-Mailbox -Identity $_.distinguishedName
    set-MailboxFolderPermission -Identity "${mb}:\Calendar" -User Default -AccessRights Reviewer
}


Correct?
0
 
LVL 15

Expert Comment

by:jrhelgeson
ID: 39959405
Yes - if you want everyone to have reviewer access - including details.
0
 

Author Comment

by:ntmyflt
ID: 39959618
Sorry, just 1 last question: The "Company", is that a particular item? Such as the server name?
0
 

Author Comment

by:ntmyflt
ID: 39959790
Ok tried running the command and as expected it's generating errors on the "company name" section

I've tried the domain and domain.local from active directory but still generating errors:

Get-ADGroupMember : Cannot find an object with identity: 'domain' under: 'DC=domain,DC=local'.
0
 

Accepted Solution

by:
ntmyflt earned 0 total points
ID: 39959961
OK, so I found a script online that does exactly what I need it to do and it worked flawlessly. We're running Exchange 2013 and it works fine even though it was made for Exchange 2010.

Here's the script if anyone ever runs into this same situation and needs to give everyone at their organization reviewer perms on their calendar:

http://gallery.technet.microsoft.com/ScriptCenter/19b98a56-42aa-4695-b07c-335d8322b64e/

Actual Script:
<# 
 
 NAME: Set-CalendarPermissions.ps1 
 
 AUTHOR: Jan Egil Ring 
 EMAIL: jan.egil.ring@powershell.no 
 
 COMMENT: Script to set calendar-permission for mailboxes in Exchange Server 2010. 
          For a list of valid AccessRights, see http://technet.microsoft.com/en-us/library/ff522363.aspx 
          More information: http://blog.powershell.no/2010/09/20/managing-calendar-permissions-in-exchange-server-2010 
 
 You have a royalty-free right to use, modify, reproduce, and 
 distribute this script file in any way you find useful, provided that 
 you agree that the creator, owner above has no warranty, obligations, 
 or liability for such use. 
 
 VERSION HISTORY: 
 1.0 19.09.2010 - Initial release 
 
#> 
 
#requires -version 2 
 
#Load Exchange Server 2010 Management Shell if not loaded. You may delete/comment out this step if you are running the script from the Exchange Management Shell
if (-not (Get-PSSnapin | Where-Object {$_.Name -like "Microsoft.Exchange.Management.PowerShell.E2010"})) {
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
}

#Custom variables
$mailboxes = Get-Mailbox -Database "Mailbox Database A"
$AccessRights = "Reviewer"

#Loop through all mailboxes
foreach ($mailbox in $mailboxes) {

    #Retrieve name of the user's calendar
    $calendar = (($mailbox.SamAccountName) + ":\" + (Get-MailboxFolderStatistics -Identity $mailbox.SamAccountName -FolderScope Calendar | Select-Object -First 1).Name)

    #Check if calendar-permission for user "Default" is set to the default permission of "AvailabilityOnly"
    if (((Get-MailboxFolderPermission $calendar | Where-Object {$_.User -like "Default"}).AccessRights) -like "AvailabilityOnly") {

        Write-Host "Updating calendar permission for $mailbox..." -ForegroundColor Yellow

        #Set calendar-permission for user "Default" to value defined in variable $AccessRights
        Set-MailboxFolderPermission -User "Default" -AccessRights $AccessRights -Identity $calendar
    }
}

0
 
LVL 15

Assisted Solution

by:jrhelgeson
jrhelgeson earned 500 total points
ID: 39960361
Sorry - it needs to be the name of the exchange server.  And yes, that script you posted does the exact same thing as the one I posted.
0
 
LVL 15

Expert Comment

by:jrhelgeson
ID: 39964433
This question should not be closed, points should be awarded. The commands I provided perform the exact same task as the solution ntmyflt found. Furthermore, I provided the proper direction to take in resolving this issue.
0
 

Author Closing Comment

by:ntmyflt
ID: 39974502
My comment is the only one which includes a valid command that will actually work.
0
 

Expert Comment

by:Member_2_7966170
ID: 41677534
Has anyone ever done the policy stated by JR? I did an Exchange policy but the policy does not appear to be applying correctly....

I did the PowerShell script to change existing calendars; however, I have to remember to do it when new people come on.
0
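
One way to script what Simon and the last poster describe (re-applying the Default calendar entry on a schedule so new mailboxes and user changes are caught, with a way to exclude people), as an added example that is not code from any poster in this thread. The exemption group name and log path are hypothetical; the cmdlets are the ones already used in the scripts above, plus a CSV log of every calendar that had drifted.

```powershell
#requires -version 3
# Added example (not from the thread). Run in the Exchange Management Shell.
# ExcludeGroup and LogPath defaults are hypothetical; change them to your own.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [ValidateSet('AvailabilityOnly', 'LimitedDetails', 'Reviewer')]
    [string]$AccessRights = 'LimitedDetails',
    [string]$ExcludeGroup = 'Calendar-Sharing-Exempt',
    [string]$LogPath      = 'C:\Scripts\CalendarDefault-changes.csv'
)

# Fail closed: if the exemption group cannot be read, stop before touching
# any mailbox instead of applying the baseline to everyone.
Import-Module ActiveDirectory -ErrorAction Stop
$exempt = @{}
Get-ADGroupMember -Identity $ExcludeGroup -Recursive -ErrorAction Stop |
    ForEach-Object { $exempt[$_.SamAccountName] = $true }

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$changes = foreach ($mbx in $mailboxes) {
    if ($exempt.ContainsKey($mbx.SamAccountName)) { continue }

    # The calendar folder name is localized, so resolve it per mailbox.
    $id     = [string]$mbx.PrimarySmtpAddress
    $folder = Get-MailboxFolderStatistics -Identity $id -FolderScope Calendar |
        Select-Object -First 1
    if (-not $folder) { continue }
    $calendar = '{0}:\{1}' -f $id, $folder.Name

    $entry   = Get-MailboxFolderPermission -Identity $calendar -User Default
    $current = $entry.AccessRights -join ','
    if ($current -eq $AccessRights) { continue }    # compliant: no write, no log row

    if ($PSCmdlet.ShouldProcess($calendar, "Default: '$current' -> '$AccessRights'")) {
        Set-MailboxFolderPermission -Identity $calendar -User Default `
            -AccessRights $AccessRights
        [pscustomobject]@{
            Time    = (Get-Date -Format s)
            Mailbox = $id
            Before  = $current
            After   = $AccessRights
        }
    }
}
# Each row is a mailbox that drifted (new mailbox, or a user changed the entry).
if ($changes) { $changes | Export-Csv -Path $LogPath -Append -NoTypeInformation }
```

Run it once with -WhatIf to list the calendars that would change before scheduling it. The Default entry applies to every authenticated user in the organization, so choosing Reviewer makes the full details of all non-private items readable company-wide.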
