Solved

Share calendars for read only company-wide Exchange 2013 & Outlook 2010

Posted on 2014-03-25
Last Modified: 2016-06-27
Hello Experts,
Looking to see what the simplest way would be to allow all users company-wide to have read-only access to each other's calendars. This should allow people to see the details of any appointments that aren't marked as private.

If I could do this via PowerShell, it would be great if the command could be posted; I'm trying to avoid having to do this in every single person's Outlook manually.

Thanks,
0
Question by:ntmyflt
17 Comments
 
LVL 15

Expert Comment

by:jrhelgeson
You'll need to change the permissions for the "Default" user for each mailbox.
The default read-only levels for Calendar Permissions are "AvailabilityOnly" which translates to 'Free/Busy' in Outlook.
The next level of access is "LimitedDetails" - which translates to "Free/Busy time, subject, location" in Outlook.  This is probably what you want and what has been put into the script below.
The highest level of read-only permissions is "Reviewer", which means you can see all details in the users calendar.

Powershell command for setting 'LimitedDetails' as Default for all user mailboxes:
Get-ADGroupMember -Identity "Company" | ForEach-Object { 
    $mb = Get-Mailbox -Identity $_.distinguishedName
    set-MailboxFolderPermission -Identity "${mb}:\Calendar" -User Default -AccessRights LimitedDetails
}


If you want default access to be 'Reviewer', simply replace the term "LimitedDetails" at the end of line 3 in the command above.

To verify the setting for all users:
# -ResultSize Unlimited: without it Get-Mailbox stops at the first 1000 mailboxes
$Mailboxes = Get-Mailbox -ResultSize Unlimited
foreach ($mailbox in $Mailboxes) {
    Get-MailboxFolderPermission -Identity ($mailbox.UserPrincipalName + ":\Calendar") |
        Format-Table @{Label = "Mailbox"; Expression = {($mailbox.UserPrincipalName)}},
                     @{Label = "Alias"; Expression = {($mailbox.Alias)}},
                     FolderName, User, AccessRights
}


0
 
LVL 15

Expert Comment

by:jrhelgeson
Scratch that command above. I wasn't thinking clearly. There is a better way to accomplish this. I'll explain myself below - but the proper way to do this is as follows:

1) Launch Exchange Management Console | Organization Configuration | Mailbox | Sharing Policies
2) Modify the "Default Sharing Policy" and change it to "Calendar Sharing with free/busy information, plus subject and location", which equates to limited details.

In the past, I had used the Powershell commands in my first comment to assign full calendar permissions to a single user (the administrator).  I just changed the command to assign the permissions to the 'default' user.  Once I submitted my first reply, I realized there was a better way...  so here you go.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
@ jrhelgeson

You were correct with your first post. The PowerShell command is the way to go.
Sharing policies is for sharing with external people only, such as federated domains.

"You can use sharing policies to control how users in your organization can share calendar and contact information with users outside your Exchange organization. Sharing policies support the sharing of calendar and contact information with external federated organizations, external non-federated organizations, and individuals with Internet access"

http://technet.microsoft.com/en-us/library/dd351201(v=exchg.141).aspx

The one modification I would make though is to use a group rather than Default.
That way you can exclude people if required.
The other issue is that it does not apply to new mailboxes automatically and users can remove the permission. Therefore I usually script it, and then schedule the script to run at least once a day (sometimes more than once if there are some troublesome users who keep removing the permission).

Simon.
0
 

Author Comment

by:ntmyflt
Hi Simon, for the group would you be referring to an active directory security group?

Something like this:
Get-ADGroupMember -Identity "Company" | ForEach-Object { 
    $mb = Get-Mailbox -Identity $_.distinguishedName
    set-MailboxFolderPermission -Identity "${mb}:\Calendar" -User AD-User-Group -AccessRights Reviewer 
} 


0
 
LVL 15

Expert Comment

by:jrhelgeson
You'd need to change the command from 'set' to 'add':  from "set-MailboxFolderPermission" to "add-MailboxFolderPermission".  However, I have never been able to add a Group permission to a calendar.  Perhaps Simon could shed some light on this.

When running "Get-Help Add-MailboxFolderPermission" there is no parameter that will accept 'Group', and specifying a mail enabled group after "-user" results in an error.
[PS] C:\>Add-MailboxFolderPermission -identity jhelgeson:\Calendar -user "Contact" -AccessRights Reviewer
The user "contact" was found in Active Directory but isn't valid to use for permissions. Try an SMTP address instead.
    + CategoryInfo          : NotSpecified: (0:Int32) [Add-MailboxFolderPermission], InvalidInternalUserIdException
    + FullyQualifiedErrorId : AA545611,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission


0
 
LVL 15

Expert Comment

by:jrhelgeson
Simon: You are correct - it is for federation only. Unfortunately. So therefore the first Powershell command is the proper method to use.

It appears that the mailbox calendar permissions are stored within the Exchange Mailbox Database, and as such, only permissions for other mailboxes are able to be assigned to existing mailboxes.  Therefore AD Groups, even mailbox enabled ones, cannot have security propagation to user mailboxes, as the mailbox database is not a respecter of Active Directory Groups when it comes to granular access permissions within the mailbox.

It is possible to assign group permissions to the mailbox itself (such as Full-Access) but not for the granular access such as calendar permissions.
0
 

Author Comment

by:ntmyflt
Hey guys, thanks so much for all the comments here.
Instead of messing around with the default policy for the entire domain might it just be better to create a script that references each user that needs to have this permission and run it?

If that's the case, would anyone know if it's possible and what the command would be to specify specific users who should have their calendar shared company-wide?

I'd much rather just create a script with all the usernames that need this.. it'll give us more flexibility in the future.
0
 
LVL 15

Expert Comment

by:jrhelgeson
I did this once, it turned into a nightmare. Depending on the size of the organization, it creates tons of calendar scheduling permissions problems where you cannot cancel reminders, or meetings are canceled by the organizer but the recipients are not notified. Or the meeting is canceled but they still get reminders. Then you run into people getting delays when looking at their calendar, or others' calendars.

This is why I recommended increasing the level of access by just one notch - to LimitedDetails rather than reviewer.
0

 

Author Comment

by:ntmyflt
Thanks jrhelgeson,
So:

Get-ADGroupMember -Identity "Company" | ForEach-Object { 
    $mb = Get-Mailbox -Identity $_.distinguishedName
    set-MailboxFolderPermission -Identity "${mb}:\Calendar" -User Default -AccessRights Reviewer
}




Correct?
0
 
LVL 15

Expert Comment

by:jrhelgeson
Yes - if you want everyone to have reviewer access - including details.
0
 

Author Comment

by:ntmyflt
Sorry, just 1 last question: the "Company", is that a particular item, such as the server name?
0
 

Author Comment

by:ntmyflt
Ok tried running the command and as expected it's generating errors on the "company name" section

I've tried the domain and domain.local from active directory but still generating errors:

Get-ADGroupMember : Cannot find an object with identity: 'domain' under: 'DC=domain,DC=local'.
0
 

Accepted Solution

by:
ntmyflt earned 0 total points
OK, so I found a script online that does exactly what I need it to do and it worked flawlessly. We're running Exchange 2013 and it works fine even though it was made for Exchange 2010.

Here's the script if anyone ever runs into this same situation and needs to give everyone at their organization reviewer perms on their calendar:

http://gallery.technet.microsoft.com/ScriptCenter/19b98a56-42aa-4695-b07c-335d8322b64e/

Actual Script:
<# 
 
 NAME: Set-CalendarPermissions.ps1 
 
 AUTHOR: Jan Egil Ring 
 EMAIL: jan.egil.ring@powershell.no 
 
 COMMENT: Script to set calendar-permission for mailboxes in Exchange Server 2010. 
          For a list of valid AccessRights, see http://technet.microsoft.com/en-us/library/ff522363.aspx 
          More information: http://blog.powershell.no/2010/09/20/managing-calendar-permissions-in-exchange-server-2010 
 
 You have a royalty-free right to use, modify, reproduce, and 
 distribute this script file in any way you find useful, provided that 
 you agree that the creator, owner above has no warranty, obligations, 
 or liability for such use. 
 
 VERSION HISTORY: 
 1.0 19.09.2010 - Initial release 
 
#> 
 
#requires -version 2 
 
#Load Exchange Server 2010 Management Shell if not loaded. You may delete/comment out this step if you are running the script from the Exchange Management Shell 
if (-not (Get-PSSnapin | Where-Object {$_.Name -like "Microsoft.Exchange.Management.PowerShell.E2010"})){ 
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 
} 
 
#Custom variables 
$mailboxes = Get-Mailbox -Database "Mailbox Database A" 
$AccessRights = "Reviewer" 
 
#Loop through all mailboxes 
foreach ($mailbox in $mailboxes) { 
 
    #Retrieve name of the user`s calendar 
    $calendar = (($mailbox.SamAccountName)+ ":\" + (Get-MailboxFolderStatistics -Identity $mailbox.SamAccountName -FolderScope Calendar | Select-Object -First 1).Name) 
 
    #Check if calendar-permission for user "Default" is set to the default permission of "AvailabilityOnly" 
    if (((Get-MailboxFolderPermission $calendar  | Where-Object {$_.User -like "Default"}).AccessRights) -like "AvailabilityOnly" ) { 
 
        Write-Host "Updating calendar permission for $mailbox..." -ForegroundColor Yellow 
 
        #Set calendar-permission for user "Default" to value defined in variable $AccessRights 
        Set-MailboxFolderPermission -User "Default" -AccessRights $AccessRights -Identity $calendar 
    } 
}


0
 
LVL 15

Assisted Solution

by:jrhelgeson
jrhelgeson earned 500 total points
Sorry - it needs to be the name of the exchange server.  And yes, that script you posted does the exact same thing as the one I posted.
0
 
LVL 15

Expert Comment

by:jrhelgeson
This question should not be closed, points should be awarded. The commands I provided perform the exact same task as the solution ntmyflt found. Furthermore, I provided the proper direction to take in resolving this issue.
0
 

Author Closing Comment

by:ntmyflt
My comment is the only one which includes a valid command that will actually work.
0
 

Expert Comment

by:Member_2_7966170
Has anyone ever done the policy stated by JR? I did an Exchange policy but the policy does not appear to be applying correctly....

I did the PowerShell script to change existing calendars; however, I have to remember to do it when new people come on.
0
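
Added example (not part of any poster's comment and not the TechNet script): a version meant to be run on a schedule, covering the two gaps raised in the thread, that new mailboxes are not picked up automatically and that some mailboxes may need to be excluded. The function name, its parameter names and the sample aliases are hypothetical; it defaults to LimitedDetails, the lower-exposure level suggested above, and only changes calendars whose Default entry is still AvailabilityOnly.

```powershell
# Added example. Function name, parameters and sample aliases are hypothetical.
# Run from the Exchange Management Shell.
function Sync-DefaultCalendarAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]   $Target   = 'LimitedDetails',  # free/busy plus subject and location
        [string[]] $Excluded = @()                # aliases that must keep AvailabilityOnly
    )

    foreach ($mbx in (Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox)) {
        # Resolve the calendar folder name from the mailbox itself (it is localized)
        $folder = Get-MailboxFolderStatistics -Identity $mbx.Alias -FolderScope Calendar |
                  Select-Object -First 1
        if (-not $folder) { continue }
        $calendar = "$($mbx.Alias):\$($folder.Name)"

        # Current rights of the "Default" entry, flattened to a string for comparison
        $current = (Get-MailboxFolderPermission -Identity $calendar -User Default).AccessRights -join ','

        if ($Excluded -contains $mbx.Alias) {
            $action = 'Excluded'
        }
        elseif ($current -eq 'AvailabilityOnly') {
            # New mailboxes, and users who reset the entry, land here on the next run
            if ($PSCmdlet.ShouldProcess($calendar, "Set Default to $Target")) {
                Set-MailboxFolderPermission -Identity $calendar -User Default -AccessRights $Target
            }
            $action = 'Update'
        }
        else {
            # Anything else was set on purpose (by an admin or the owner): report, do not touch
            $action = 'Unchanged'
        }

        New-Object PSObject -Property @{ Mailbox = $mbx.Alias; Was = $current; Action = $action }
    }
}

# Dry run first: -WhatIf lists what would change without writing anything
Sync-DefaultCalendarAccess -Excluded 'ceo', 'hr-cases' -WhatIf |
    Format-Table Mailbox, Was, Action -AutoSize
```

Rows reported as Unchanged with a value above the intended level are worth reviewing, since Default applies to every authenticated user in the organization.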
