How to Grant Read-Only Access to an Exchange Mailbox

Brian asks about granting a user read-only access to the mailbox and calendar of another user in an Exchange Server organization.

This is a common scenario and the solution is reasonably simple though perhaps not obvious.

Let’s look at the scenario of Alan Reid trying to access the mailbox of Alex Heyne. With no access configured Alan gets an error message when he tries to open Alex’s inbox in Outlook.


To meet the requirements of this scenario we need to grant Alan read-only access to Alex’s mailbox, not full access, and without making him a delegate.

It is worth noting that the mailbox owner can configure these permissions themselves using Outlook. But I will assume that if you’re reading this you have been asked to handle it for them :)

Where some admins get stuck is in the Exchange Management Console, which only presents the option to grant full access to a mailbox.


Instead we need to use the Exchange Management Shell and run the Add-MailboxFolderPermission cmdlet.

The first step is to grant permissions (in this case “Reviewer”) to the “Top of Information Store”.

[PS] C:\>Add-MailboxFolderPermission -Identity alex.heyne:\ -User Alan.Reid -AccessRights Reviewer

RunspaceId   : 2cc2f5f2-77a3-42b6-9221-83cf24c494c6
FolderName   : Top of Information Store
User         : Alan Reid
AccessRights : {Reviewer}
Identity     : Alan Reid
IsValid      : True

Those permissions do not inherit down the mailbox folder hierarchy to existing folders (newly created folders will inherit the permissions of their parent folder though). So you still need to grant permissions for specific folders, for example the inbox:

[PS] C:\>Add-MailboxFolderPermission -Identity alex.heyne:\Inbox -User Alan.Reid -AccessRights Reviewer

RunspaceId   : 2cc2f5f2-77a3-42b6-9221-83cf24c494c6
FolderName   : Inbox
User         : Alan Reid
AccessRights : {Reviewer}
Identity     : Alan Reid
IsValid      : True

Or the calendar:

[PS] C:\>Add-MailboxFolderPermission -Identity alex.heyne:\Calendar -User Alan.Reid -AccessRights Reviewer

RunspaceId   : 2cc2f5f2-77a3-42b6-9221-83cf24c494c6
FolderName   : Calendar
User         : Alan Reid
AccessRights : {Reviewer}
Identity     : Alan Reid
IsValid      : True

This starts to get tedious if you want to grant permissions to the entire mailbox folder hierarchy. For that you would need to write a script.

Here is an example:

#Proof of concept code to apply mailbox
#folder permissions to all folders in
#a mailbox

param (
	[Parameter( Mandatory=$true)]
	$Mailbox,

	[Parameter( Mandatory=$true)]
	$User,

	[Parameter( Mandatory=$true)]
	$Access
)

#Folders to skip when applying permissions
$exclusions = @("/Sync Issues",
                "/Sync Issues/Conflicts",
                "/Sync Issues/Local Failures",
                "/Sync Issues/Server Failures",
                "/Recoverable Items"
                )

#Get every folder path in the mailbox except the exclusions
$mailboxfolders = @(Get-MailboxFolderStatistics $Mailbox | Where {!($exclusions -icontains $_.FolderPath)} | Select FolderPath)

foreach ($mailboxfolder in $mailboxfolders)
{
    #FolderPath uses "/" but the -Identity parameter expects "\"
    $folder = $mailboxfolder.FolderPath.Replace("/","\")
    #The root folder is addressed as "mailbox:\"
    if ($folder -match "Top of Information Store")
    {
       $folder = $folder.Replace("\Top of Information Store","\")
    }
    $identity = "$($mailbox):$folder"
    Write-Host "Adding $user to $identity with $access permissions"
    #SilentlyContinue suppresses any error from a failed grant
    Add-MailboxFolderPermission -Identity $identity -User $user -AccessRights $Access -ErrorAction SilentlyContinue
}

You can download the full Add-MailboxFolderPermissions.ps1 script from GitHub here.

[PS] C:\Scripts>.\Add-MailboxFolderPermissions.ps1 -Mailbox alex.heyne -User alan.reid -Access reviewer

So as you can see, granting read-only access to specific mailbox folders is quite simple, with just a little extra work required (or a script like the one above) to apply the permissions to all existing mailbox folders.

If you’re looking for a script to remove mailbox folder permissions I have also published Remove-MailboxFolderPermissions.ps1.
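A read-only check to run after the grant script, since its -ErrorAction SilentlyContinue hides failed grants. This is an added example, not one of the author's published scripts; the file name Test-MailboxFolderPermissions.ps1 and the -Expected parameter are assumptions, and the exclusion list repeats only the entries shown above.

```powershell
# Test-MailboxFolderPermissions.ps1 (hypothetical name, added example)
# Run from the Exchange Management Shell. Makes no changes; it only reads
# the permission entry that $User holds on each folder of $Mailbox.
# Usage: .\Test-MailboxFolderPermissions.ps1 -Mailbox alex.heyne -User alan.reid

param (
    [Parameter(Mandatory=$true)]
    $Mailbox,

    [Parameter(Mandatory=$true)]
    $User,

    # Access level the user is expected to hold (assumed parameter)
    $Expected = "Reviewer"
)

# Same exclusions as the excerpt of the grant script shown in the article
$exclusions = @("/Sync Issues",
                "/Sync Issues/Conflicts",
                "/Sync Issues/Local Failures",
                "/Sync Issues/Server Failures",
                "/Recoverable Items")

$folders = @(Get-MailboxFolderStatistics $Mailbox |
    Where-Object { !($exclusions -icontains $_.FolderPath) })

$report = @(foreach ($f in $folders) {
    # "/Inbox/Sub" becomes "\Inbox\Sub"; the root folder is addressed as "\"
    $path = $f.FolderPath.Replace("/", "\")
    if ($path -eq "\Top of Information Store") { $path = "\" }
    $identity = "$($Mailbox):$path"

    # Collect the error instead of discarding it, so a missing entry and a
    # folder that could not be resolved can be told apart in the report
    $err = $null
    $entry = Get-MailboxFolderPermission -Identity $identity -User $User `
        -ErrorAction SilentlyContinue -ErrorVariable err

    if ($entry) {
        $rights = @($entry.AccessRights | ForEach-Object { "$_" }) -join ","
        # Anything other than the expected role is flagged, including
        # broader roles such as Editor that would break "read-only"
        if ($rights -eq $Expected) { $status = "OK" } else { $status = "Unexpected" }
        $detail = ""
    }
    else {
        $rights = ""
        $status = "Missing"
        $detail = "$($err | Select-Object -First 1)"
    }

    New-Object PSObject -Property @{
        Folder       = $identity
        AccessRights = $rights
        Status       = $status
        Detail       = $detail
    }
})

# Show only the folders that need attention
$report | Where-Object { $_.Status -ne "OK" } |
    Select-Object Folder, AccessRights, Status, Detail |
    Format-Table -AutoSize -Wrap

$ok = @($report | Where-Object { $_.Status -eq "OK" }).Count
Write-Host "$ok of $($report.Count) folders give $User exactly '$Expected' on $Mailbox"
```

Folders reported as Missing with a "couldn't be found" detail usually point at a path the script could not address, while Unexpected rows show where the user holds something other than the intended read-only role.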


  1. says

    I had a problem where e-mails were being deleted from a shared mailbox inbox and was tasked to stop the e-mails from being deleted – GUI & retention policies did not work. I read that retention policies only work with powershell but could not get that right.
    This site helped with an easier way and it worked. I did not need to use script to populate the entire mailbox – just the top of the information store & inbox.
    There was a problem where I had the users that were supposed to be blocked in the ‘Manage Full Access Permission’ option – removing them then the powershell commands worked.
    Thank you

  2. TechBajan says

    I have to say that this is probably the most useful site on the Internet! Many times I’ve been stuck with an issue and you’ve written about the EXACT issue and always seem to have the right solution.

    Your blog is amazing and continually helps many an Exchange admin.

  3. Simon McAuley says

    Hi Paul, great blog as usual. I’m trying to grant Reviewer Access only to a sub folder of a user’s inbox. No other folders or email should be seen or if they are no emails are shown. Is this possible or is the minimum access level you can set “Read Only” and therefore “Reviewer”?

    • Simon McAuley says

      Actually think I figured it out. You need to either move the sub folder onto the same level as the Inbox or you allow the user to see your inbox plus this folder.

        • Simon McAuley says

          Thanks Paul, didn’t even know “FolderVisible” was an option! In our scenario what your blog said was perfect as we don’t want them to be able to see any other folders.

  4. Manuel Pombo says

    Great tutorial and script.
    In my organization, however, it only works if I give the user FullAccess with Add-MailboxPermission. Anything less just returns a ConnectionFailedTransientException in OWA.
    Any idea why? Already installed CU3, but the issue remains.

  5. Roberto says

    Great article.
    I have an issue. I can set the Reviewer access, but it also lets me do a ‘reply’ on the message.
    Is there a way to prevent the users from replying to the messages?


  6. Dimitri says

    Excellent article.

    So the user who received the reviewer access will always have to go to File | Open or is there a way that the inbox can be displayed as an additional mailbox (similarly to when you give full mailbox access) but with only the inbox showing?


  7. Navneet Gupta says

    Hi Paul,

    Thanks for this, but I am in a situation where you can pull me out.
    The thing is, my requirement is exactly the same, but I only need user Y to be able to see all the folders in the inbox, and the inbox as well, except junk email, contacts, sent items etc., and when I add the X account in Y’s Outlook I am not able to expand the folders. That is because I haven’t granted permission on the root of the account. So please tell me how I can grant permission on the root as well as all folders in the inbox, including the inbox folder, except everything I want to put in exclusions…

    I used the command below, but my requirement is still not met.

    ForEach($f in (Get-MailboxFolderStatistics X | Where { $_.FolderPath.Contains("/Clients") -eq $True } ) ) {
    $fname = "X:" + $f.FolderPath.Replace("/","\");
    Add-MailboxFolderPermission $fname -User Y -AccessRights Reviewer }

    Any help really appreciated

  8. ByteMan says

    OK, I have researched a new issue, per request from Administration.
    Exchange 2013 with Outlook 2010.
    The user has a mailbox on the Exchange 2013 server.
    This user likes to change the appointments made by the scheduling staff.
    Is there a way to make the user’s own calendar read-only?

    I only come to the conclusion that the answer is no.

  9. Mark says

    Thanks Paul,

    This issue was causing me a problem and a headache. I had a few users who wanted to grant view-only access to the inbox sub folders without giving them access to the inbox itself. Needless to say, the script has been saved and I have since joined and will no doubt be catching up on more of your articles.


  10. Ed says

    Paul – first and foremost – thank you for providing MANY useful scripts and advice over the years… I have the need to remove the read-only permissions that were set by your example script above. Kindly reply back with a solution/reverse script, it would be most appreciated.

    Thanks in advance

  11. aldwin nabua says

    Hi Paul,

    I’m trying to reverse the code but I’m receiving an error.

    A positional parameter cannot be found that accepts argument ‘-AccessRights’.
    + CategoryInfo : InvalidArgument: (:) [Remove-MailboxFolderPermission], Para
    + FullyQualifiedErrorId : PositionalParameterNotFound,Remove-MailboxFolderPermission

    Can you help me out on this?

  12. Brett says

    Hello Paul,

    Can you point me in the right direction on how to give a user ‘Delegate’ access say with ‘Author’ rights to ALL folders and subfolders?
    This has been a thorn in my side for some time. When these requests come up, I have to go into each subfolder individually and apply permissions. I have one now with 100’s.!
    Your assistance or direction would be much appreciated, Thank you.

  13. Chris says

    Hi Paul,

    Thanks heaps for the article, very informative and straight to the point!

    There is one aspect that is still a bit unclear to me – do I need to grant the users Reviewer access rights on the Top of the IS before running the script or granting them Reviewer access on certain folders?

    I did it anyway, but it would be good to know for future reference!

    Thanks in advance for your answer!



  14. Rod says

    Great article. Do you know what the command should look like if I were to grant Read-Only permission for the user itself?
    E.g. so the user cannot delete or change a contact from his own contact list.

    I tried this with no luck
    Add-MailboxFolderPermission -Identity john.doe:\ -User john.doe -AccessRights Reviewer
    Add-MailboxFolderPermission -Identity john.doe:\Calendar -User john.doe -AccessRights Reviewer

  15. Jeremy says

    Too bad there is no way to give Read Only permissions and have it appear in the users folder list automatically. We have 20+ people who need read only and are computer challenged :(

  16. Tim says

    Hi Paul.

    Sorry to bother you.

    I have an organization where they need 50-70 users added as reviewer to a mailbox (We’ll call it eData)

    I am not 100% certain which fields of text I am supposed to change.

    Am I supposed to change:

    param (
    [Parameter( Mandatory=$true)]
    $Mailbox,

    [Parameter( Mandatory=$true)]
    $User,

    [Parameter( Mandatory=$true)]
    $Access
    )

    to something or am I supposed to change

    foreach ($mailboxfolder in $mailboxfolders)
    {
    $folder = $mailboxfolder.FolderPath.Replace("/","\")
    $identity = "$($mailbox):$folder"
    Write-Host "Adding $user to $identity with $access permissions"
    Add-MailboxFolderPermission -Identity $identity -User $user -AccessRights $Access
    }


    I just don’t want to mess up a mail server related to a medical related organization.


      • says

        The short answer is that the Add-MailboxFolderPermission command would need to be looped through a list of users instead of just run against a single user.

        I’ll try and find time to expand the sample code to demonstrate that but for now that should give you enough to Google/Bing on.

  17. felix says

    Hi Paul,

    I want to have access to someone’s emails and would only like to have READ only permission, I do not want to accidentally delete any mails. So from my outlook, I go to Files–>Account Settings–>Account Settings..–>E-mail ..New and add the email of the user, I am the admin so I have his Windows login credentials. After this, the user’s mail box is added under my outlook. Now I want to set READ only permission on this mail box, how can i do this?

    I have tried right click on the mail box, Properties–>Permission add myself and give permission level as Reviewer BUT this does not seem to work. I can still delete mails under his inbox.

    Please advise.

    thanks, Felix -2014

  18. says

    “I am the admin so I have his Windows login credentials”

    No, wrong approach.

    Adding the email account using their credentials means you are authenticating as them, which gives you full access to the mailbox.

    Grant yourself read only access (following the steps shown in the article above), then add their mailbox as a secondary mailbox in your Outlook profile, not as a secondary email account.

    The steps to perform that in Outlook are available here if you need more details:

    • John Gordon says

      In my situation, as the Exchange 2010 Admin I need to periodically manage meetings for our senior people. Most of the instructions come from the Outlook client direction, but I would like to be able to do that centrally either through a PS script or the management interface.

      Could a script be written that would
      -Grant access
      -Change Meeting and send updates to all participants
      -Remove access

      I would prefer not to log in to their accounts directly.

      Any help is appreciated.

      • says

        1) Yes, simple PowerShell script could be written to grant access. Really it is a one-liner anyway.
        2) Yes, not with Exchange management cmdlets but with Exchange Web Services
        3) Yes

        But I think you may be over-thinking this. If your job involves managing calendars for other people just make yourself a delegate for those mailboxes and you’ll have calendar management permissions.

        • John Gordon says

          I was able to do this by granting the Editor permission

          Add-MailboxFolderPermission -Identity USERID:\Calendar -User USERGRANTTOID -AccessRights Editor

          .. then opening the calendar in my Outlook and doing the change/update.

          I then removed the permission using the Remove-MailboxFolderPermission command.

          Would you be able to post an example script that I could customize to my environment, or is that beyond the scope of this thread?

        • says

          A PowerShell script is basically just a series of PowerShell commands. You’ve already worked out the commands you need to run, so turning that into a script is a pretty trivial task. If it is your first time writing a PowerShell script then it will also be a good learning exercise.

  19. Jason says

    I’m going to 2nd the question about granting the mailbox owner read only access. I have been asked for this a few times and so far the only thing I’ve come up with is connect the mailbox to another AD object, then grant the original user’s AD object read only access using Paul’s process above.


    Also want to give Paul a great thanks for this site, very useful, very professional.

    • says

      Exchange isn’t designed to limit a user’s access to their own mailbox. You can lock down protocols but that isn’t what you’re asking here.

      Your solution would work.

  20. joakim says

    Nice tips.
    If I grant preview rights as you describe, will previously added users with full access granted still work, or will this mess up their access to the mailbox?
    I mean, do I need to do the same for all users in PowerShell?

    Have a nice weekend.


  21. felix says

    Hi Paul,

    I have successfully moved a user mailbox from server 2010 – 2013 and after that his outlook is disconnected, unable to connect to the exchange server. I have tried some tips but still no luck, any idea?

    thanks, felix

  22. felix says

    Hi Paul,

    I have a outlook 2010 client having disconnected from exchange 2010 server, ie keeps prompting for outlook password (same as the domain credentials) and even he enters his correct password, it keeps prompting (even after resetting the password). What I did was created another outlook profile under control panel, mail and then restart the outlook and now it can get connected to the exchange server, but the issue is, the user’s emails in inbox and folders on his initial profile are not updated (synchronized) with this new profile. When we connect using the initial profile, the mails and the folders are all there but are not updated in his new profile here. His outlook is cached.

    Any workaround or fix to this issue please.

    thanks, felix

  23. felix says

    Hi Paul,

    Thanks for your response. This is happening to both users still in Exch 2010 and 2013.

    nice weekend.

      • Ken says

        Was actually looking for something similar to the .ps1 script above, but what it does is to remove.

        thank you

        • says

          Yep, I understand that. I’m encouraging you to tackle it as a learning exercise :-)

          The script example above is pretty simple. If you look at the code you can see the step where it gets the folder list, then you can see where it loops through each folder adding the permissions. The same process could be used to remove permissions as well, by changing from an Add-* to a Remove-*.

          You might need to copy/paste the code into the PowerShell ISE to see it properly with all of the normal syntax highlighting.

          Give it a test run on a test mailbox before trying against any prod mailboxes.

  24. Aditya Mendiratta says

    Is it possible to give someone read-only access to another user’s mailbox only for OWA and not for Outlook?

  25. Jonathan Smyth says

    Hi, your script was a godsend for me – previously we were just giving people full access permission to leavers’ mailboxes because it was such a pain to grant reviewer access.

    The only issue I had with your PowerShell script was that it threw an error when applying a permission to the Top of Information Store. That’s because the script was trying to run the command
    Add-MailboxFolderPermission -Identity alex.heyne:\Top of Information Store -User Alan.Reid -AccessRights Reviewer
    where it should be
    Add-MailboxFolderPermission -Identity alex.heyne:\ -User Alan.Reid -AccessRights Reviewer

    So I modified your script as follows:

    #Proof of concept code to apply mailbox
    #folder permissions to all folders in
    #a mailbox (including Top of Information Store)

    param (
    [Parameter( Mandatory=$true)]
    $Mailbox,

    [Parameter( Mandatory=$true)]
    $User,

    [Parameter( Mandatory=$true)]
    $Access
    )

    $exclusions = @("/Sync Issues",
    "/Sync Issues/Conflicts",
    "/Sync Issues/Local Failures",
    "/Sync Issues/Server Failures",
    "/Recoverable Items"
    )

    $mailboxfolders = @(Get-MailboxFolderStatistics $Mailbox | Where {!($exclusions -icontains $_.FolderPath)} | Select FolderPath)

    foreach ($mailboxfolder in $mailboxfolders)
    {
    #Convert "/" separators to "\" for the -Identity parameter
    $folder1 = $mailboxfolder.FolderPath.Replace("/","\")
    #Address the root folder as "\" rather than by its display name
    $folder2 = $folder1.Replace("\Top of Information Store","\")
    $identity = "$($mailbox):$folder2"
    Write-Host "Adding $user to $identity with $access permissions"
    Add-MailboxFolderPermission -Identity $identity -User $user -AccessRights $Access
    }

    and this does the trick. Thanks again!

  26. Andrew Lee says

    Your script just saved my day!

    I would just like to know how I remove the permission from all folders when I’m requested to remove the user as Reviewer?

    Can I use the same script but change the following?
    Add-MailboxFolderPermission -Identity $identity -User $user -AccessRights $Access -ErrorAction SilentlyContinue


    Remove-MailboxFolderPermission -Identity $identity -User $user -AccessRights $Access -ErrorAction SilentlyContinue

  27. Mohammed Maulana says

    Hey Paul,

    Thanks for this amazing post. Your posts always help many exchange admins out there. I have got a request from one of my users and the request is, User A has full access to User B’s mailbox but User B does not want User A to create any calendar entry. Is this possible? I tried giving below command but it did not work.

    add-mailfolderpermissions -identity user B:\contacts -user A -accessright reviewer

    Can you please help me here?

  28. Scory says

    Hi! I am sorry for my English. Is it possible to grant read-only permissions to another user’s archive mailbox? I granted the necessary rights through Outlook (top of archive mailbox and Inbox folder), then I filled the msExchDelegateListLink attribute to make it possible for autodiscover to display this archive mailbox in Outlook, but I can’t expand the archive mailbox; I get an error “Cannot expand the folder. The set of folders cannot be opened”. Thank you!

  29. Praveen Kumar says


    Thanks for the script, it’s very useful. It’s really a great job!!!

    Can you please add one more script for revoking the permission as well? I receive requests for adding and removing as well :) Hope it’s simple for you.

  30. Kyle Barina says

    Thanks for the script! I had to modify it slightly:

    $folder = $mailboxfolder.FolderPath.Replace("/","\")
    $folder = $folder.Replace([char]63743,"/")

    PowerShell was replacing [char]63743 with a ? and I was getting errors on those entries.

    • shaptoni says

      Super script, thanks
      I have one issue in that if a folder has a / or \ the permissions are not granted:
      WARNING: The operation couldn’t be performed because ‘user:\Inbox\Test ?’ couldn’t be found.
      WARNING: The operation couldn’t be performed because ‘user:\Inbox\Test \’ couldn’t be found.
      WARNING: The operation couldn’t be performed because ‘user:\Test ?’ couldn’t be found.
      WARNING: The operation couldn’t be performed because ‘user:\Test \’ couldn’t be found.
      I have modified the folder.replace and folderpath.replace but can’t get it to work.
      Can anyone fix this?

      • Duncan Bachen says

        Are you sure the problem might not be the space after “test”? Unsure if that’s the way you typed it, or if that was a copy/paste.

        • shaptoni says

          Thanks for the response, I have tried it with the space removed but I get the same result. Does it work for you?

  31. Milton Lopez says

    Great one again, Paul, thanks.

    Could you please clarify what type of AD groups should be used to grant permissions to shared mailboxes (Security vs. Distribution, Global, vs. Universal)?

    There seems to be some issues with Security groups, particularly for mailboxes that were first created in previous versions of Exchange. For example, there is a discussion on this that started in 2011 and it is still open:

    • says

      There’s two simple rules to remember:

      1) When applying permissions it has to be a Security group. It can be a mail-enabled Security group (and therefore act as a distribution list as well), as long as it is a Security group.
      2) When doing anything groups-related with Exchange it has to be a Universal group.

      So the answer is always to use a Universal Security Group.

  32. Duncan Bachen says

    The problem that I’ve run into is that add-mailboxpermission allows you to supply a Security Group, but add-mailboxfolderpermission does not. It has to be a user.

    This seems to be a change from 2010 to 2013, and there are plenty of folks who are supplying syntax for add-mailboxfolderpermission saying you can supply a group, but it doesn’t work.

    It even says so in the TechNet syntax:

    The User parameter specifies who’s granted permission to view or modify the folder contents of the user specified in the Identity parameter. This parameter accepts only users and distribution lists that have SMTP addresses. Security Groups are not allowed. The following values are acceptable:
    SMTP address

    Holds true for both Domain Local or Universal, no SG works.

    Hoping there was a workaround, because managing a group mailbox is really difficult without group membership. I can’t add and remove every single person.

    • Duncan Bachen says

      What I was able to do was to first make the security group be universal. Then I mail-enabled it. Once it was a mail-enabled security group, you could refer to it by its SMTP address.

      I hid the group from the Exchange GAL.

      For my purposes, I was trying to grant the group reviewer access so that they could only read messages in a certain box.

      The end users in the group can now read the messages. If they delete them, they aren’t stopped, so it looks like they are deleted in the GUI, but as soon as you go back to the folder, the messages are there as if they hadn’t been deleted.

      • Frank says

        Thanks Duncan. This saved my day (and probably my work).

        I’m not a highly experienced Exchange guy as you are but I’ve found that MS documentation in TechNet is so unrealistic and poorly applied to the day-to-day battles that admins face. That is the reason why I’m loving these blogs and their participants.

  33. Jerry Loyd says

    Does anyone have experience with this on Office 365? The same instructions all work, but what I’m seeing is that “FolderVisible” ended up giving FullAccess to the user who just wanted to see one subfolder.

    After that, every attempt to remove all access is just not working. It’s like once the deed is done, you can’t undo it.

  34. Frank says

    Hi Paul,

    Thanks again for such a handy script. I had the same issue trying to add a Universal SG to the folder permissions.

    I was pulling my hair out with >100 users abusing me they can’t open their Social mailbox while I was running over and over the script saying the permissions were added successfully but they weren’t.

    Then I realised that the script had SilentlyContinue on the ErrorAction switch and it wasn’t reporting the error. I mail-enabled the SG, re-ran the script and became the hero of the day in the Server department. :)

  35. Jay says

    Hello –

    Good stuff as always Paul!

    I tried adding the -automapping $ True parameter into the script but get back a warning that a positional parameter cannot be found that accepts the argument ‘-AutoMapping’. Below is where I added the parameter. Is this possible to achieve? One nice thing about full access is automapping and not having to track down end users and walk them through how to add the mailbox manually.

    Add-MailboxFolderPermission -Identity $identity -User $user -AccessRights $Access -Automapping $true -ErrorAction STOP
    Write-Warning $_.Exception.Message

    # End
