Power Shell or Exchange PS to Get Mailbox Folder Permissions for Calendar but only from one Particular OU.

Hello All,

I've spent hours trying to work this out myself but knowing nothing of PS, I'm going to use a lifeline.

I have one OU that has 150+ ConfRooms in it. ( get-mailboxfolderpermission -Identity first.last:\calendar works for one mailbox but not 100's )
I need to get mailbox folder permissions from the calendar of those ConfRoom's ( -OrganizationalUnit "OU=ROOMS,OU=MANAGEDRESOURCES,DC=CORP,DC=DOMAIN,DC=COM" )
I would like to pipe to csv ( -export-csv "c:\temp\MailBoxFolderPermissions.csv )

My goal is to get a list of folder permissions ( calendar ) to see if all have Default user assigned as Reviewer. If not, I'll need to update the mailboxes that are not set with default reviewer.

And maybe this is a silly question but is there a way to set the default reviewer at the Rooms OU level so that any mailbox created/moved into that OU gets the permissions?

I hope that makes sense.

Thanks in advance!

Amit Kumar Commented:
Please try this.

get-mailbox | where {$_.Organizationalunit -eq "yourdomain.local/users/TopLevel"} | %{Get-MailboxFolderPermission -identity $_:\calendar | select User, FolderName, AccessRight} | export-csv c:\permission.csv


Jian An Lim (Solutions Architect) Commented:
Run the following command to set the default to have reviewer access on a specific OU:

# Double quotes so the mailbox alias expands into the folder path
get-mailbox | where {$_.Organizationalunit -eq "yourdomain.local/users/TopLevel"} | % {
    Set-MailboxFolderPermission "$($_.Alias):\calendar" -User default -AccessRights Reviewer
    Set-MailboxFolderPermission "$($_.Alias):\non_ipm_subtree\freebusy data" -User default -AccessRights Reviewer
}
Brian (Author) Commented:
Thanks guys,

I will try both of them tomorrow and get back to you.


Brian (Author) Commented:
Hi Amit,
I tried running the code in EPS. Got the following

Pipeline not executed because a pipeline is already executing. Pipelines cannot be executed concurrently.
    + CategoryInfo          : OperationStopped: (Microsoft.Power...tHelperRunspace:ExecutionCmdletHelperRunspace) [], PSInvalidOperationException
    + FullyQualifiedErrorId : RemotePipelineExecutionFailed

I see that this happens in Exchange 2010 and that the solution is to create variables and break out the sections of code to the variables but I cannot get the syntax right.

Tried something like:
$mailbox = get-mailbox | where {$_.Organizationalunit -eq "domainname.com/managed objects/rooms"}
$mailbox | %{Get-MailboxFolderPermission -identity $_:\calendar | select User, FolderName, AccessRight} | export-csv c:\permission.csv

but then get :
$mailbox | %{Get-MailboxFolderPermission -identity $_:\calendar | select User, FolderName, AccessRight} | export-csv c:\permission.csv

PowerShell is kickin' my rear end.......
Amit Kumar Commented:
Please try below one.

1. Get all mailboxes in a variable. Mention the OU name as a Distinguished Name; you can find it from the OU properties, just use the advanced view feature in the Active Directory user console.

$mbx = get-mailbox -resultsize unlimited -OrganizationalUnit "OU=Regions,DC=domain,DC=local"

2. Once the variable is stored, run the command below to get access rights:

$mbx | %{Get-MailboxFolderPermission -Identity ($mbx.alias+':\Calendar')} | select User, FolderName,{$_.Accessrights} | Export-Csv C:\accessrights.csv

I have tested this in my env. and it is working fine.
Brian (Author) Commented:
Thanks Amit,

The grabbing of the variable works. I run:

$mbx = get-mailbox -resultsize unlimited -OrganizationalUnit "OU=rooms,OU=managed objects,DC=corp,DC=domain,DC=com"

but upon running the Get-MailboxFolderPermission set, I get:

The specified mailbox "corp.domain.com/Managed Objects/ADM Accounts/IT/First Last ADM" doesn't exist. Reason: corp.domain.com/Managed Objects/ADM Accounts/IT/First Last ADM isn't a mailbox user.
    + CategoryInfo          : NotSpecified: (0:Int32) [Get-MailboxFolderPermission], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : CB6B0BF6,Microsoft.Exchange.Management.StoreTasks.GetMailboxFolderPermission

Not sure why the second 1/2 of the script is looking in a different OU than what I specified in the variable section.

Permissions related? I'm running the Exchange PS as administrator
Amit Kumar Commented:
Please export the $mbx variable to a csv file and check what the data is:

$mbx | select * | export-csv c:\users.csv

or you can run:

get-mailbox -resultsize unlimited -OrganizationalUnit "OU=rooms,OU=managed objects,DC=corp,DC=domain,DC=com" | select * | export-csv c:\users.csv
Brian (Author) Commented:
The data in the csv looks good. It was retrieved from the correct OU ( rooms ). Fields which I suspect are needed seem to be there:

RunspaceID, UserPrincipalName, Alias, OU, DisplayName, LegacyExchangeDN, PrimarySMTPAddress, WindowsEmailAddress, Name, DistinguishedName, Identity, GUID. The csv looks good.
Amit Kumar Commented:
So the previous command above should not give you a different OU's result. Please try again.
Brian (Author) Commented:
So. I'm perplexed. I set the variable using the given 1st line. If I export the variable, I get what looks like a good csv.
When I run the second command, I receive that weird error. I had another admin start Exchange PS using his credentials and upon running the second cmd, we get the same error, but instead of my name in the "first last adm" line, we get his.

I'm not sure why it's trying to look in corp.domain.com/Managed Objects/ADM Accounts/IT/First Last ADM or look for a mailbox of the running user but it is ( and there are no mailboxes for our adm accounts ). The CSV file from the variable contains only mailboxes from the /Managed Objects/Rooms OU and does not contain anything from the /ADM Accounts.

Anyone have any ideas?
Amit Kumar Commented:
Not sure why it is happening. If the command is stopping because of this, then run the commands in the sequence below in PowerShell; it will silence your errors and continue to the next with results.

$ErrorActionPreference = 'SilentlyContinue'

$mbx = get-mailbox -resultsize unlimited -OrganizationalUnit "OU=Regions,DC=domain,DC=local"

$mbx | %{Get-MailboxFolderPermission -Identity ($mbx.alias+':\Calendar')} | select User, FolderName,{$_.Accessrights} | Export-Csv C:\accessrights.csv
Brian (Author) Commented:
The command isn't stopping per se, it just displays the error dozens of times and then finishes at the prompt. The csv gets created, but it is 0 bytes and empty.

I tried using the SilentlyContinue command. The get-mailboxfolderpermission still creates the csv but it is still empty.
Amit Kumar Commented:
Please try with samaccountname below, maybe alias is not working for you.

$mbx = get-mailbox -resultsize unlimited -OrganizationalUnit "OU=Regions,DC=domain,DC=local"

$mbx | %{Get-MailboxFolderPermission -Identity ($mbx.samaccountname+':\Calendar')} | select User, FolderName,{$_.Accessrights} | Export-Csv C:\accessrights.csv
Brian (Author) Commented:
Hey Amit,

Sorry but it's still coming back with that error. I'm at a loss here. I'll try more troubleshooting if you are willing but I hate to keep wasting your time.
Amit Kumar Commented:
Not sure, I have tested this command in my env and it is working perfectly.
Brian (Author) Commented:
OK. Thank you for your help. I am at a loss here. I don't know why it won't work in our environment. Question is... what should I do for points? While your solution may work, I can't verify. What is typical in this situation?
Jian An Lim (Solutions Architect) Commented:
Mark your solution, say it hasn't been confirmed, and allocate partial points to the relevant contributors; that will do.
Amit Kumar Commented:
Don't be at a loss; just choose any of your comments and accept that as the solution, giving 0 points.
Brian (Author) Commented:
Well.. I was trying to solve the issue with the error via PS. Thinking about the error I was getting, I thought I would just mail-enable the administrator account. Then I ran your PS commands and they ran successfully. I get a csv that displays user, foldername and access rights to the Calendar folder. What the csv doesn't show is the Room name. I tried to add "displayname" to the:

$mbx | %{Get-MailboxFolderPermission -Identity ($mbx.alias+':\Calendar')} | select DisplayName, User, FolderName,{$_.Accessrights} | Export-Csv C:\temp\accessrights.csv

but the "displayname" column in the csv is blank. I have no way to correlate the folder with the room. Any insights into getting the alias, samaccountname or displayname to show up in the csv?


Amit Kumar Commented:
This is quite different because the display name can be obtained by get-mailbox, and the weird part of PowerShell is that the get-mailboxfolderpermission cmdlet can't supply its variable to a new PS object.

I am sorry I can't help with it so much. I tried my best to achieve this but had no success.

Brian (Author) Commented:
The help was much appreciated. Although I didn't get all the information I needed from the help, it did get me started. Awarding points to both Amit and limjianan.
Amit Kumar Commented:
Hi... I got it working. Please find the code below; copy this code into a PS1 file and run it. You need to change the OU path accordingly. You will be able to get the display name.

$Mailboxes = Get-Mailbox -ResultSize Unlimited -OrganizationalUnit "OU=Regions,DC=domain,DC=local"
$AllCalPerms = @()
# Template object holding the columns written to the CSV
$CalPermAttribs = "" | Select Mailbox,Identity,User,AccessRights

$Mailboxes | ForEach-Object {
    # Display name and calendar folder path of the current mailbox
    $Name = $_.DisplayName
    $Path = $_.Alias + ":\Calendar"
    foreach ($CalPermAccessRights in Get-MailboxFolderPermission -Identity $Path) {
       $CalPermAttribs.Mailbox = $Name
       $CalPermAttribs.Identity = $CalPermAccessRights.Identity
       $CalPermAttribs.User = $CalPermAccessRights.User
       $CalPermAttribs.AccessRights = $CalPermAccessRights.AccessRights
       $AllCalPerms += $CalPermAttribs | Select Mailbox,Identity,User,@{l='AccessRights';e={$_.AccessRights}}
    }
}
$AllCalPerms | Export-Csv -Path C:\Permission.csv -NoTypeInformation

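
An added example, not part of any post in this thread: a script for the original goal of listing the Default user's calendar right for every mailbox in one OU, with the room name in each row and a flag for rooms that are not Reviewer. It collects the mailboxes first and builds each folder identity from the current item; the one-liners above use `$mbx.alias` (the whole collection) inside `%{ }`, which on an array of mailboxes does not yield the current mailbox's alias. The OU and output path are taken from the question; the English folder name `Calendar`, the column names and the `LOOKUP_FAILED` marker are assumptions.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Assumptions: OU and output path from the question; English folder name "Calendar".
$ou      = 'OU=ROOMS,OU=MANAGEDRESOURCES,DC=CORP,DC=DOMAIN,DC=COM'
$outFile = 'C:\temp\MailBoxFolderPermissions.csv'
$wanted  = 'Reviewer'

# Collect the mailboxes before calling any other Exchange cmdlet, so no second
# remote pipeline starts while Get-Mailbox is still streaming (Exchange 2010).
$rooms = @(Get-Mailbox -ResultSize Unlimited -OrganizationalUnit $ou)

$report = @(foreach ($room in $rooms) {
    # Identity comes from the current mailbox only, never from the collection.
    $folder = "$($room.PrimarySmtpAddress):\Calendar"
    $perm = Get-MailboxFolderPermission -Identity $folder -User Default -ErrorAction SilentlyContinue

    if ($perm) { $rights = @($perm.AccessRights) -join ',' }
    else       { $rights = 'LOOKUP_FAILED' }   # constructed marker value

    New-Object PSObject -Property @{
        Room         = $room.DisplayName
        Folder       = $folder
        User         = 'Default'
        AccessRights = $rights
        NeedsUpdate  = ($rights -ne $wanted)
    }
})

# Fixed column order (hashtable-built objects do not keep one on PowerShell 2.0).
$report | Select-Object Room, Folder, User, AccessRights, NeedsUpdate |
    Export-Csv -Path $outFile -NoTypeInformation

# Rooms whose Default entry is not Reviewer, for review before any change.
$report | Where-Object { $_.NeedsUpdate } | Select-Object Room, AccessRights

# Preview of the correction with the cmdlet from the reply above (-WhatIf changes nothing):
# $report | Where-Object { $_.NeedsUpdate -and $_.AccessRights -ne 'LOOKUP_FAILED' } |
#     ForEach-Object { Set-MailboxFolderPermission -Identity $_.Folder -User Default -AccessRights $wanted -WhatIf }
```

Rows marked `LOOKUP_FAILED` mean the permission query itself returned nothing for that mailbox, so check those by hand instead of treating them as non-compliant.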