blog.powershell.no

On Windows PowerShell and other admin-related topics

Managing calendar permissions in Exchange Server 2010

In legacy versions of Exchange Server we could use PFDAVAdmin to manage calendar permissions, or alternatively the 3rd party tool SetPerm.
With Exchange Server 2010 calendar permissions can be managed using the *-MailboxFolderPermission cmdlets. While these cmdlets can be used to manage permissions on any mailbox folder, we`ll focus on calendar permissions.

In fact we got 4 *-MailboxFolderPermission cmdlets in Exchange Server 2010:

Since I`ll be focusing on managing default permissions , which is an existing ACL on the calendar folder, we need to use the Set-MailboxFolderPermission cmdlet:

image

To grant “Reviewer”-permissions for the “Default” user, we would run the following:

image

Some companies have a policy that everyone must share their calendars with all users. Since it`s now possible to manage calendar permissions using PowerShell, I`ve written a script to accomplish this task; Set-CalendarPermissions.ps1.

While this script could be scheduled to run on a regular basis, a better approach for managing calendar permissions for new mailboxes are the use of the Scripting Agent which is a part of the Cmdlet Extension Agents, a very useful feature introduced in Exchange Server 2010.

Pat Richards has posted an excellent post on how to automatically modify new mailboxes using the Scripting Agent.

Advertisements

September 20, 2010 - Posted by | Exchange Server 2010, Exchange Server management, Scripting, Windows PowerShell |

23 Comments »

  1. YOU ARE THE MAN SIR!

    This totally worked, and I’ve tried about 10 different tricks to get this done.

    Comment by Arlow Farrell | December 23, 2010 | Reply

  2. Is there a way to use this to set custom permissions? I need to set the default permission on all clanders to be Reviewer but not full details. I need the Read Level to be Free/Busy time, Subject, location.

    Comment by William Goddard | February 8, 2011 | Reply

    • Hi,

      From the Exchange Management Shell, run “help Set-MailboxFolderPermission -Full”. On the AccessRights parameter you can see the available permissions that can be set using this cmdlet.

      Comment by Jan Egil Ring | February 8, 2011 | Reply

  3. […] around online I came across a script written by Jan Egil Ring that adds “Reviewer” permissions for the “Default” user on all […]

    Pingback by Set Calendar Permissions » My Life in IT | April 14, 2011 | Reply

  4. Thank you for this post! I’ve been looking for something like this for quite some time.

    Exchange PowerShell initially told me that Set-MailboxFolderPermission wasn’t a valid command. After some digging, I discovered that these commands were introduced with Exchange 2010 SP1–they’re not part of Exchange 2010 RTM. I hope that saves someone else some time.

    Comment by Joshua Smith | May 24, 2011 | Reply

  5. Hello,

    great blog, i have followed the instructions above and the permissions are successfully applied, however when i attempt to open another users calendar through OWA i received an error stating that “You don’t have permission to view this content. To get permission, contact the owner of the content” Permissions have been set successfully so unsure why i am receiving this error?

    I have tried everything i can think of, do you have any suggestions?

    Thank you

    Comment by Dave | June 21, 2011 | Reply

    • Hi,
      Maybe the permissions aren`t updated in the information store right away…does it work if you try after a couple of hours?

      Comment by Jan Egil Ring | June 21, 2011 | Reply

  6. Hello, thanks for the script. I have been looking for this for a couple of hours.

    All seem to work, but the only thing what’s happening now, after adding a shared calender to a user, a popup shows up in the right corner of the screen with the message “U’r not authorized to a create submap in this folder”. This message seems to return everytime a user clicks on his calender button in outlook.

    Any idea whats causing this?

    Thank you

    Comment by Richard | July 15, 2011 | Reply

    • I have this same problem. Running Exchange 2010 SP2 with Outlook 2007 Clients. The calendars still open to view the Free/Busy info, but every user still gets the “You do not have sufficient permission to perform this operation on this object”. I’m wondering if this is a compatbility issue between the two. Can’t seem to find any viable workaround. Thanks!

      Comment by Alex | March 7, 2012 | Reply

  7. Anyone know how to grant calendar access without granting access to the entire folder?

    Comment by Joe | July 19, 2011 | Reply

  8. “Anyone know how to grant calendar access without granting access to the entire folder?”

    The calendar *is* a folder I believe.

    Comment by whats4lunch | September 19, 2011 | Reply

  9. Thanks! 🙂

    Comment by Einar | October 24, 2011 | Reply

  10. can you provide any help on the cmdlet extension agents implementation of setting the default permissions to reviewer.
    basically i have done it but it only works if i create the mailbox directly on the mailbox server and not from any of my CAS servers and since i do not have any exchange servers with both the mamilbox and CAS role installed on a single server I have no idea how to get around this if infact there is a way. thanks

    Comment by Faisal Saleem | November 14, 2011 | Reply

    • Hi,
      Did you copy the ScriptingAgentConfig.xml file to all your Exchange-servers? More info here.

      Comment by Jan Egil Ring | December 4, 2011 | Reply

  11. Hi!
    When i use the script you refer to “Set-CalendarPermissions.ps1″ i get an error

    Unexpected token ‘in $mailboxes’ in expression or statement.
    At C:\scripts\TrioRightsOnCalendar-Try2.ps1:38 char:32
    + foreach ($mailbox in $mailboxes <<<< ) { 
    + CategoryInfo : ParserError: (in $mailboxes:String) [], ParseException
    + FullyQualifiedErrorId : UnexpectedToken
    "
    The script is run on a Exchange 2010 mailboxserver, Win 2008 R2 (Got 3 MB and 2 HT/CA.)

    I have changed the get $mailboxes to: Get-Mailbox -ResultSize Unlimited -Filter {(CustomAttribute8 -eq "TrioUser")} but i wont work when i use $mailboxes = Get-Mailbox -Database "SXXXXX"  either.

    Have tried google but cant figure it out, got any nice ideas? =)

    Comment by Sigge | November 22, 2011 | Reply

    • Hi,

      You can see the expected mailboxes returned when you run $mailboxes?
      What happens if you try to run a simple loop against $mailboxes? I.e.:
      foreach ($mailbox in $mailboxes) {
      $mailbox.name
      }

      Comment by Jan Egil Ring | December 4, 2011 | Reply

      • Hi, changed the script. Quite a bit, this is what i use now and it works. Thanx for the replay =)

        $mailboxes = Get-Mailbox -ResultSize Unlimited | Where-Object{$_.ObjectClass -eq “User” -and $_.CustomAttribute8 -ne “XXXXX”}
        $AccessRights = “publishingEditor”
        $CustomAtt = “XXXXX”

        #Loop through all mailboxes
        foreach ($mailbox in $mailboxes) {

        Write-Host “XXXXX $mailbox” -ForegroundColor Yellow

        #Retrieve name of the user`s calendar, depending on langugage (Love this one, saved looots of time)
        $calendar = (($mailbox.SamAccountName)+ “:\” + (Get-MailboxFolderStatistics -Identity $mailbox.SamAccountName -FolderScope Calendar | Select-Object -First 1).Name)

        #Check if calendar-permission for user “XXXXX” is set to the default permission of “publishingEditor”
        if (((Get-MailboxFolderPermission $calendar | Where-Object {$_.User -like “XXXXX”}).AccessRights) -ne “publishingEditor” ) {

        Write-Host “Updating calendar permission and adding Costum attribute for $mailbox…” -ForegroundColor Green

        #Set calendar-permission for user “XXXXX” to value defined in variable $AccessRights
        Add-MailboxFolderPermission -User “XXXXX” -AccessRights $AccessRights -Identity $calendar

        Thnx again.

        //Sigge

        Comment by Sigge | December 9, 2011

  12. Is there a script to Remove-MailboxFolderPermission recursively. I’m trying to remove all mailbox folder permissions for a user but havent found an easy way to do it in Powershell. We are using Exchange 2010 SP1

    Comment by Sonia | January 12, 2012 | Reply

  13. I have a question.

    A user removed Anonymous from his calender and now all meeting requests are going straight into his calender. He can decline/accept meetings from the calender but not in the original invite sent.

    will this fix my issues??

    Set-MailboxFolderPermission -Identify username:\Calender -user Anonymous -AccessRights None

    Comment by Chris Treacher | February 22, 2012 | Reply

  14. The script works perfectly on Calendar items, but could we get a similar script that shows, where one should change the script to correspond to a localized exchange environment ?. For instance in Denmark the outlook is localized so the Calendar is called Kalender instead.

    thank you.
    //SC

    Comment by Steen Christensen | March 7, 2012 | Reply

  15. Could we get a script for localized installations, where forinstance the Calender is called Kalender instead ? where would one have to make changes to your current script to reflect such changes ?That would really help out in localized environments. Great script though for English installations it works like a charm.

    Comment by Steen Christensen | March 8, 2012 | Reply

  16. […] You can’t set this in group policy, you would set it on the Exchange server. Here is an example: http://blog.powershell.no/2010/09/20/managing-calendar-permissions-in-exchange-server-2010/ […]

    Pingback by Group Policy and Outlook - Admins Goodies | April 21, 2012 | Reply

  17. Hi
    Many thanks for the script.
    I am a newbie and want to know how to include multiple mailboxdatabases to search were calendar permissions.

    Thanks

    Comment by Raji Aru | May 22, 2012 | Reply


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: