Exchange read-only mailbox rights
A couple of days ago a friend asked me whether there is a way to set up an Exchange mailbox to be read-only for other users in the company. I never needed it, because when someone needed to access another user’s mailbox, I just set FullAccess rights on the mailbox and everything worked fine.
Testing scenario
Exchange 2010
Test user called Tester with the following mailbox content:
Test user called Tester02, which wants to access the whole mailbox of user Tester, but read-only.
When I set Reviewer for user Tester02 on mailbox Tester under Outlook:
Problem
When I connect Tester’s mailbox to Tester02’s Outlook profile, I can see the following:
So I can see only the Inbox. I don’t see any folder underneath it. We can also check these permissions using PowerShell:
When we look at the permissions of a folder underneath Inbox, for example the “Inbox\My friends” folder, we can see the following:
This means that mailbox folder permissions are not inherited, so permissions have to be set per folder. Let’s test adding the permission on folder Inbox and on subfolder “My friends”:
and now we can see also subfolders under account Tester02:
This means that Outlook and the PowerShell cmdlet Add-MailboxFolderPermission can set permissions only on one folder at a time, and these settings are not inherited! This is really weird. I couldn’t find any setting to allow inheritance.
Another way to set permissions on mailbox folders is to set permissions on the whole mailbox. This can be done by users who have rights to manage Exchange mailboxes. Let’s look at the PowerShell cmdlet Add-MailboxPermission. This cmdlet allows you to set only the following access rights: FullAccess, SendAs, ExternalAccount, DeleteItem, ReadPermission, ChangePermission and ChangeOwner. None of these rights defines read-only access to the mailbox (ReadPermission only allows reading the permissions set on the mailbox, not its content).
Solution
So there is no easy way to share a whole mailbox between users in a read-only manner. The only way I can think of is to run a PowerShell script. For example:
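# Grant Reviewer on the mailbox root first
Add-MailboxFolderPermission tester -User tester02 -AccessRights Reviewer
# Then on every folder, because folder permissions are not inherited
ForEach ($folder in (Get-MailboxFolderStatistics -Identity tester))
{
    # The root is listed too, but cannot be addressed by this path
    if ($folder.FolderPath -eq "/Top of Information Store") { continue }
    # A folder identity has the form mailbox:\path
    $fname = "tester:" + $folder.FolderPath.Replace("/", "\")
    Add-MailboxFolderPermission $fname -User tester02 -AccessRights Reviewer
}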
where “tester” is the account with the shared mailbox and “tester02” is the account which wants to access the shared mailbox.
After these PowerShell commands are done, Tester02 can see Tester’s mailbox:
But when user Tester creates a new folder in his mailbox, user Tester02 will not see it unless user Tester sets permissions on the new mailbox folder.
I hope the guys from Microsoft will solve this issue in the next release of Exchange. 🙂
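Because folders created later are not covered, the grant has to be repeated, and a repeatable version should also confirm that the reader holds nothing more than Reviewer. The following is an added example, not code from the original post: Sync-ReviewerAccess, its parameters and the -ReportOnly switch are hypothetical names, and it assumes the Exchange Management Shell and an English mailbox (root folder named "Top of Information Store").

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Sync-ReviewerAccess and its parameters are hypothetical names.
function Sync-ReviewerAccess {
    param(
        [Parameter(Mandatory = $true)][string]$Mailbox,    # owner, e.g. tester
        [Parameter(Mandatory = $true)][string]$Delegate,   # reader, e.g. tester02
        [switch]$ReportOnly                                # audit only, change nothing
    )
    # The bare mailbox name addresses the mailbox root, as in the post's first command.
    $targets = @($Mailbox)
    foreach ($folder in (Get-MailboxFolderStatistics -Identity $Mailbox)) {
        # The root also appears in the statistics, but not under a usable path.
        if ($folder.FolderPath -eq '/Top of Information Store') { continue }
        $targets += $Mailbox + ':' + $folder.FolderPath.Replace('/', '\')
    }
    foreach ($target in $targets) {
        $entry = Get-MailboxFolderPermission -Identity $target -User $Delegate -ErrorAction SilentlyContinue
        $current = if ($entry) { ($entry.AccessRights | ForEach-Object { "$_" }) -join ',' } else { 'None' }
        $action = 'None'
        if (-not $entry) { $action = 'Grant' } elseif ($current -ne 'Reviewer') { $action = 'Reset' }
        $result = 'NoChange'
        if ($action -ne 'None') {
            $result = 'ReportOnly'
            if (-not $ReportOnly) {
                try {
                    if ($action -eq 'Grant') { Add-MailboxFolderPermission -Identity $target -User $Delegate -AccessRights Reviewer -ErrorAction Stop | Out-Null }
                    else { Set-MailboxFolderPermission -Identity $target -User $Delegate -AccessRights Reviewer -ErrorAction Stop }
                    $result = 'Done'
                }
                catch { $result = 'Failed: ' + $_.Exception.Message }
            }
        }
        New-Object PSObject -Property @{ Folder = $target; Before = $current; Action = $action; Result = $result }
    }
}

# Report first, then apply, for the post's two accounts:
# Sync-ReviewerAccess -Mailbox tester -Delegate tester02 -ReportOnly | Format-Table Folder, Before, Action, Result -AutoSize
# Sync-ReviewerAccess -Mailbox tester -Delegate tester02
```

Run as a scheduled task, this picks up new folders at the next run; rows with Action "Reset" show folders where the reader had rights other than Reviewer.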
It seems “Add-MailboxPermission -Identity $mailbox -AccessRights ReadPermission -User %targetUser” is broken, using “-InheritanceType All” makes no difference.
Why would they give the AccessRight when it is not working? What is missing?