Avatar of Garry Shape
Garry Shape
Flag for United States of America asked on

Schedule Exchange mailbox permissions?

Exchange Server 2010 - soon upgrading to 2013

So I get mad requests all the time in my environment for temporary mailbox permissions.
"Hey Tuesday Bob needs mailbox access to Susan"
"Hey Thursday, Susan needs access to Bob"

These requests are so annoying and it's a nightmare trying to add mailbox and send-as permissions manually every time.
I use Powershell and a csv file to help process it (identity, user columns, and adding permissions).

But is there a way to automate the processing of a script that will remove their permissions?

is there another program or web-based feature that makes scheduling easier for mailbox permission processing and permission-removal processing?
ExchangeMicrosoft Server OSPowershell

Avatar of undefined
Last Comment
Garry Shape

8/22/2022 - Mon
Joe Klimis

Hi

I have created the following, but i have been unable to test it as I don't currently have access to a suitable environment.

The script requires 3 parameters and can be invoked in the following way

 & '.\scriptname.ps1' -TargetMailbox sharedmbxUser -user managerMbxUser -Retraction 21-dec-2014

Open in new window


The script will
add the permissions
and create a scheduled job which will remove the permissions on the allotted date.

you will need to update "YourDomain\YourUser"  with suitable credentials, and will need to be created on an exchange server , or workstation with the tools installed.

let me know how you get on

Regards
Joe


#
#
#
Param([string]$TargetMailbox =$(throw "TargetMailbox ? "),
[string]$user =$(throw "User to give Access to. "),
[datetime]$Retraction = (get-date).adddays(30) #  remove after 30 days by default
)
#
#  set credentials to be used.
#
$creds = Get-Credential YourDomain\YourUser

#
# Adding Exchange Snap In to execute Exchange CmdLets in this script
#
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin

# add the permissions to the mailbox
Add-MailboxPermission    -Identity $TargetMailbox -User $user -AccessRights Fullaccess -InheritanceType all

#
# create a scheduled job and the specified date ti remove the permissions.
#
$RemoveCmd = "Remove-MailboxPermission -Identity $TargetMailbox -User $user -AccessRights Fullaccess -InheritanceType all"
$trigger = New-JobTrigger -Once -At $retraction

#
# setup the scheduled job
#
$sjo = New-ScheduledJobOption -RunElevated
$del_mailbox_perms={
param ([string]$removeCmd)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command ". 'C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; invoke-expression $removeCmd"
}
#$name = "$(get-date $Retraction -format 'yyyymmdd')"
$name = "MailBox_Permission_remove_$($user)_from_$($Targetmailbox)"
Register-ScheduledJob -Name $name -ArgumentList $removeCmd -ScriptBlock $del_mailbox_perms   -Trigger $trigger `
 -Credential $creds `
 -ScheduledJobOption $sjo
 

Open in new window

Garry Shape

ASKER
Hi Joe, thanks, I'm assuming the code at the bottom is what would be saved as the scriptname.ps1 in your example, right?
Garry Shape

ASKER
Yeah it looks like the New-JobTrigger won't work for me because I'm on Exchange 2010. Don't think I can upgrade to Powershell 3 or 4 on that server.
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes
Garry Shape

ASKER
Do you know how then, I could with a GUI script running these two commands:    
	Add-MailboxPermission $Identity -User $User -Access "FullAccess" -confirm: $false
	Add-ADPermission -Identity $Identity -User $User -AccessRights ExtendedRight -ExtendedRights "send as"

Open in new window


output the commands into the output console window so I can tell if they worked or not?
The commands run when I click the button I made to process it in the GUI (winforms), but I'm not sure how to get the output shown into the console.
Garry Shape

ASKER
I tried appending -verbose but it's way too much information
Garry Shape

ASKER
It looks like the output types for the cmdlets are ADAcePresentationObject and MailboxAcePresentationObject
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Garry Shape

ASKER
I guess I could append "| select IsValid" to get the boolean true/false and write-host or change GUI accordingly?
Garry Shape

ASKER
Hi disregard I used a Try Catch and it worked
ASKER CERTIFIED SOLUTION
Joe Klimis

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Garry Shape

ASKER
Well I'm using Sapien but now they got rid of the free Community edition and want me to pay over $300 to be able to create more than 5 elements on a form lol.
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
Garry Shape

ASKER
Thanks sorry one last question

For a combobox, I made the drop-down menu this command:

$displayNames = get-mailbox -ResultSize Unlimited | select Name | Sort Name
$ComboBox1.Items.AddRange($displayNames)

Open in new window


It loads ok but when I click the Combobox menu, I see all the display names, but everyone's display name has a "@{Name=" before their name, and a "}" at the end.
Do it looks like:
@{Name=John Smith}

instead of just John Smith like it should :( any ideas?