Thursday, 31 October 2013 10:29

Assign Read Only Mailbox Permission on Exchange 2010/2013, Powershell

We are all aware of the mailbox "Full Access" and "Send As" permissions. What if we have to assign permissions at a more granular level? Is that possible with Exchange mailboxes? The answer is yes, with a little administrative effort.

We will make use of two PowerShell cmdlets to achieve this goal:

Add-MailboxPermission and Add-MailboxFolderPermission.

There is a two-step approach to achieve the desired result.

Step 1 – Execute the Add-MailboxPermission command to delegate the read permission at mailbox level.

Step 2 – Execute Add-MailboxFolderPermission command to delegate the required permissions on specific folders inside the mailbox.


Add-MailboxPermission -Identity "Common Mailbox Name" -User "Read Delegate Account Name" -AccessRights ReadPermission -InheritanceType All


Now try to access the mailbox by adding it to Outlook as an additional mailbox. You will receive an access permission warning when you try to expand the additional mailbox ReadTest. To grant access to expand and view folders, we now execute step 2 as mentioned earlier.


We first grant the permission on the Top of Information Store (root) folder, then on the rest of the folders inside the mailbox. The command below names only the mailbox, which applies the permission to the root folder.

Add-MailboxFolderPermission -Identity ReadTest -User ReadAdmin -AccessRights Reviewer


Now you will no longer receive the warning when you expand the mailbox, but you still have no access to any folder. Execute the cmdlet below to assign read permission to the rest of the folders under the mailbox.

foreach ($item in (Get-MailboxFolderStatistics ReadTest | Where-Object { ($_.FolderType -ne "ConversationActions") -and ($_.FolderType -notlike "Recoverable*") -and ($_.FolderPath -notlike "/Sync*") })) {
    # FolderPath uses "/" separators; the cmdlet wants "Mailbox:\Folder\Subfolder"
    $fname = "ReadTest:" + $item.FolderPath.Replace("/", "\")
    # The root (Top of Information Store) already received Reviewer in the previous step,
    # so the cmdlet reports an existing permission entry for it; that error can be ignored.
    Add-MailboxFolderPermission -Identity $fname -User ReadAdmin -AccessRights Reviewer
}

Replace ReadTest (the mailbox) and ReadAdmin (the delegate account) with your own values.

You may execute the command with -WhatIf appended at the end to see what it would do without making any change. This helps you understand what action the command will perform on real execution.


Execute the command without the -WhatIf switch if everything looks okay.
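The whole procedure as one re-runnable script, with a verification pass at the end. This is an added example and not code from the original post; it assumes the same mailbox name ReadTest and delegate ReadAdmin, an on-premises Exchange 2010 SP1 or later / 2013 Management Shell (the -User parameter of Get-MailboxFolderPermission needs SP1), and goes beyond the post's loop by checking for existing entries so the script can be run twice, and by warning if the delegate also holds a wider mailbox-level right that would defeat the read-only intent.

```powershell
# Added example (not code from the original post): the two-step procedure above as one
# re-runnable script with a verification pass at the end. Assumed names: mailbox "ReadTest",
# delegate "ReadAdmin"; replace them with your own. Run in the Exchange Management Shell.
param(
    [string]$Mailbox  = "ReadTest",
    [string]$Delegate = "ReadAdmin",
    [switch]$WhatIf          # -WhatIf previews every change without applying any
)

# Step 1: mailbox-level read permission so the delegate can attach the mailbox in Outlook.
# Deliberately not FullAccess, which would also allow deleting items.
Add-MailboxPermission -Identity $Mailbox -User $Delegate -AccessRights ReadPermission `
    -InheritanceType All -WhatIf:$WhatIf

# Step 2: Reviewer (ReadItems + FolderVisible) on the root and on every regular folder.
# Same exclusions as the loop in the post: conversation-action data, Recoverable Items
# (the dumpster, which a read-only delegate should not see) and Sync Issues.
$folders = Get-MailboxFolderStatistics -Identity $Mailbox | Where-Object {
    $_.FolderType -ne "ConversationActions" -and
    $_.FolderType -notlike "Recoverable*" -and
    $_.FolderPath -notlike "/Sync*"
}

# Folder identities have the form "Mailbox:\Path\To\Folder"; "Mailbox:\" is the root
# (Top of Information Store). Caveat: a folder whose own name contains "/" is not
# converted correctly by the simple Replace below, a known limitation of this approach.
$targets = @("${Mailbox}:\")
$targets += @($folders |
    Where-Object { $_.FolderPath -ne "/Top of Information Store" } |
    ForEach-Object { "{0}:{1}" -f $Mailbox, $_.FolderPath.Replace("/", "\") })

foreach ($id in $targets) {
    # Add-MailboxFolderPermission errors if the user already has an entry on the folder,
    # so a second run would stop at the root. Check first and use Set- for existing
    # entries; that also tightens an entry that was previously granted a wider role.
    $existing = Get-MailboxFolderPermission -Identity $id -User $Delegate -ErrorAction SilentlyContinue
    if ($existing) {
        Set-MailboxFolderPermission -Identity $id -User $Delegate -AccessRights Reviewer -WhatIf:$WhatIf
    } else {
        Add-MailboxFolderPermission -Identity $id -User $Delegate -AccessRights Reviewer -WhatIf:$WhatIf
    }
}

# Verification, mailbox level: the delegate must hold nothing beyond ReadPermission. A
# FullAccess or DeleteItem entry (for example left over from an earlier delegation)
# would silently defeat the read-only intent.
$tooWide = Get-MailboxPermission -Identity $Mailbox -User $Delegate |
    Where-Object { -not $_.IsInherited } |
    ForEach-Object { $_.AccessRights } |
    Where-Object { @("FullAccess", "DeleteItem") -contains $_ }
if ($tooWide) {
    $msg = "{0} also holds {1} on {2}; remove it with Remove-MailboxPermission." -f $Delegate, ($tooWide -join ", "), $Mailbox
    Write-Warning $msg
}

# Verification, folder level: the role the delegate ended up with on each folder.
$report = foreach ($id in $targets) {
    Get-MailboxFolderPermission -Identity $id -User $Delegate -ErrorAction SilentlyContinue |
        Select-Object FolderName, AccessRights
}
$report | Format-Table -AutoSize
```

Run it once with -WhatIf to review the list of folders it would touch, then without. Because it uses Set-MailboxFolderPermission for entries that already exist, it can also be used to downgrade a delegate who was previously given Editor or Owner on some folders back to Reviewer.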


You will now be able to access all the folders with read-only permission. Try to delete a message: Outlook displays an access denied error (shown below).

However, the delegate will still be able to change the status of a message between read and unread.

That's it: you have now customized the permissions to allow read access only, which prevents delegates from deleting or modifying items, whether accidentally or deliberately. Keep in mind that read access still lets the delegate copy, print or forward message contents, so this restriction protects the mailbox against modification, not against disclosure.

In detail, you may assign any of the following roles at folder level using the AccessRights parameter of Add-MailboxFolderPermission (each role expands to the individual rights listed):

  • None - FolderVisible
  • Owner - CreateItems, ReadItems, CreateSubfolders, FolderOwner, FolderContact, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
  • PublishingEditor - CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
  • Editor - CreateItems, ReadItems, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
  • PublishingAuthor - CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, DeleteOwnedItems
  • Author - CreateItems, ReadItems, FolderVisible, EditOwnedItems, DeleteOwnedItems
  • NonEditingAuthor - CreateItems, ReadItems, FolderVisible
  • Reviewer - ReadItems, FolderVisible
  • Contributor - CreateItems, FolderVisible

The same permissions can also be assigned manually from the Outlook client, in the same way we assign permissions on public folders we own.

Adding Permission to Reply and Forward along with only Read permission

Simply add the "Send As" permission alongside the read permission. On Exchange 2010/2013 on-premises, Send As is an Active Directory extended right and is granted with Add-ADPermission -ExtendedRights "Send As" rather than with Add-MailboxPermission. Be aware that Send As is not limited to replying and forwarding: the delegate can send any new message that appears to come from the mailbox, with nothing in the message identifying the delegate. If that is more than you need, Send on Behalf (Set-Mailbox -GrantSendOnBehalfTo) also allows replies and forwards while keeping the delegate visible to recipients.
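The two ways of letting the read-only delegate send mail, side by side, plus an audit of who currently holds them. This is an added example, not code from the original post; it assumes the same names ReadTest and ReadAdmin and an on-premises Exchange 2010/2013 Management Shell.

```powershell
# Added example (not code from the original post). Assumed names: mailbox "ReadTest",
# delegate "ReadAdmin". On-premises Exchange 2010/2013, run in the Exchange Management Shell.

# Option A, what the post suggests: Send As. On-premises this is an Active Directory
# extended right on the mailbox user object, so it is granted with Add-ADPermission.
# Caveat: Send As is not restricted to replying/forwarding. The delegate can compose any
# new message that appears to come from ReadTest and recipients cannot tell who sent it.
# Treat it as an impersonation right and grant it only where that is acceptable.
Add-ADPermission -Identity "ReadTest" -User "ReadAdmin" -AccessRights ExtendedRight -ExtendedRights "Send As"

# Option B, least privilege and usually enough for replies: Send on Behalf. Recipients see
# "ReadAdmin on behalf of ReadTest", so the delegate stays attributable. The @{Add=...}
# form appends to the existing list instead of replacing it.
Set-Mailbox -Identity "ReadTest" -GrantSendOnBehalfTo @{Add = "ReadAdmin"}

# Audit: who can currently send as, or on behalf of, the mailbox. Inherited entries and
# the mailbox's own SELF entry are noise for this purpose and are filtered out.
Get-ADPermission -Identity "ReadTest" |
    Where-Object {
        ($_.ExtendedRights -like "*Send-As*") -and
        (-not $_.IsInherited) -and
        ($_.User -notlike "NT AUTHORITY\SELF")
    } |
    Select-Object User, Deny
(Get-Mailbox -Identity "ReadTest").GrantSendOnBehalfTo

# To revoke either grant:
# Remove-ADPermission -Identity "ReadTest" -User "ReadAdmin" -AccessRights ExtendedRight -ExtendedRights "Send As"
# Set-Mailbox -Identity "ReadTest" -GrantSendOnBehalfTo @{Remove = "ReadAdmin"}
```

Pick one of the two options, not both; if the delegate holds Send As, Outlook uses it and the "on behalf of" attribution never appears.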

Share your comments.

