How to Grant Read-Only Access to an Exchange Mailbox

Brian asks about granting a user read-only access to the mailbox and calendar of another user in an Exchange Server organization.

This is a common scenario and the solution is reasonably simple though perhaps not obvious.

Let’s look at the scenario of Alan Reid trying to access the mailbox of Alex Heyne. With no access configured Alan gets an error message when he tries to open Alex’s inbox in Outlook.

exchange-read-access-mailbox-01

To meet the requirements of this scenario we need to grant Alan read-only access to Alex’s mailbox, not full access, and without making him a delegate.

It is worth noting that the mailbox owner can configure these permissions themselves using Outlook. But I will assume that if you’re reading this you have been asked to handle it for them :)

Where some admins get stuck is in the Exchange Management Console, which only presents the option to grant full access to a mailbox.

exchange-read-access-mailbox-02

Instead we need to use the Exchange Management Shell and run the Add-MailboxFolderPermission cmdlet.

The first step is to grant permissions (in this case “Reviewer”) to the “Top of Information Store”.

[PS] C:\>Add-MailboxFolderPermission -Identity alex.heyne:\ -User Alan.Reid -AccessRights Reviewer

RunspaceId   : 2cc2f5f2-77a3-42b6-9221-83cf24c494c6
FolderName   : Top of Information Store
User         : Alan Reid
AccessRights : {Reviewer}
Identity     : Alan Reid
IsValid      : True

Those permissions do not inherit down the mailbox folder hierarchy to existing folders (newly created folders will inherit the permissions of their parent folder though). So you still need to grant permissions for specific folders, for example the inbox:

[PS] C:\>Add-MailboxFolderPermission -Identity alex.heyne:\Inbox -User Alan.Reid -AccessRights Reviewer

RunspaceId   : 2cc2f5f2-77a3-42b6-9221-83cf24c494c6
FolderName   : Inbox
User         : Alan Reid
AccessRights : {Reviewer}
Identity     : Alan Reid
IsValid      : True

Or the calendar:

[PS] C:\>Add-MailboxFolderPermission -Identity alex.heyne:\Calendar -User Alan.Reid -AccessRights Reviewer

RunspaceId   : 2cc2f5f2-77a3-42b6-9221-83cf24c494c6
FolderName   : Calendar
User         : Alan Reid
AccessRights : {Reviewer}
Identity     : Alan Reid
IsValid      : True

This starts to get tedious if you want to grant permissions to the entire mailbox folder hierarchy. For that you would need to write a script.

Here is an example:

#Proof of concept code to apply mailbox
#folder permissions to all folders in
#a mailbox

[CmdletBinding()]
param (
	[Parameter( Mandatory=$true)]
	[string]$Mailbox,

	[Parameter( Mandatory=$true)]
	[string]$User,

  	[Parameter( Mandatory=$true)]
	[string]$Access
)

$exclusions = @("/Sync Issues",
                "/Sync Issues/Conflicts",
                "/Sync Issues/Local Failures",
                "/Sync Issues/Server Failures",
                "/Recoverable Items",
                "/Deletions",
                "/Purges",
                "/Versions"
                )

$mailboxfolders = @(Get-MailboxFolderStatistics $Mailbox | Where {!($exclusions -icontains $_.FolderPath)} | Select FolderPath)

foreach ($mailboxfolder in $mailboxfolders)
{
    $folder = $mailboxfolder.FolderPath.Replace("/","\")
    $identity = "$($mailbox):$folder"
    Write-Host "Adding $user to $identity with $access permissions"
    Add-MailboxFolderPermission -Identity $identity -User $user -AccessRights $Access
}

Save that code as a .ps1 file and run it in the Exchange Management Shell with the required parameters.

[PS] C:\Scripts>.\MailboxFolderPermissions.ps1 -Mailbox alex.heyne -User alan.reid -Access reviewer

So as you can see, granting read-only access to specific mailbox folders is quite simple, with just a little extra work required (or a script like the one above) to apply the permissions to all existing mailbox folders.

About Paul Cunningham

Paul is a Microsoft Exchange Server MVP and publisher of Exchange Server Pro. He also holds several Microsoft certifications including for Exchange Server 2007, 2010 and 2013. Connect with Paul on Twitter and Google+.

Comments

  1. Itworkedinthelab says:

    Thanks for sharing

  2. I had a problem where e-mails were being deleted from a shared mailbox inbox and was tasked to stop the e-mails from being deleted – GUI & retention policies did not work. I read that retention policies only work with powershell but could not get that right.
    This site helped with an easier way and it worked. I did not need to use script to populate the entire mailbox – just the top of the information stoe & inbox.
    There was a problem where I had the users that were supposed to be blocked in the ‘Manage Full Access Permission’ option – removing them then the powershell commands worked..
    Thank you

  3. I have to say that this is probably the most useful site on the Internet! Many times I’ve been stuck with an issue and you’ve written about the EXACT issue and always seem to have the right solution.

    Your blog is amazing and continually helps many an Exchange admin.

  4. Great article, any idea how to make the user with reviewer permissions not be able to mark email as read?

  5. Simon McAuley says:

    Hi Paul, great blog as usual. I’m trying to grant Reviewer Access only to a sub folder of a user’s inbox. No other folders or email should be seen or if they are no emails are shown. Is this possible or is the minimum access level you can set “Read Only” and therefore “Reviewer”

    • Simon McAuley says:

      Actually think I figured it out. You need to either move the sub folder onto the same level as the Inbox or you allow the user to see your inbox plus this folder.

      • “FolderVisible” would be the minimum required to let someone traverse a folder hierarchy without seeing the items within.

        • Simon McAuley says:

          Thanks Paul, didn’t even know “FolderVisible” was an option! In our scenario what your blog said was perfect as we don’t want them to be able to see any other folders.

  6. vince.whiston says:

    Is there a parameter to stop the items being marked as read when another user access them?

  7. Manuel Pombo says:

    Great tutorial and script.
    In my organization, however, it only works if I give the user FullAccess with Add-MailboxPermission. Anything less just returns a ConnectionFailedTransientException in OWA.
    Any idea why? Already installed CU3, but the issue remains.

  8. Again Good one Pual, thanks for sharing :)

  9. Great article.
    I have an issue.. I can set the Reviewer access, but it also lets me do a ‘replay’ on the message..
    It’s there a way to prevent the users from replying to the messages?

    Thanks

  10. Excellent article.

    So the user who received the reviewer access will always have to go to File | Open or is there a way that the inbox can be diplayed as an additional mailbox (similarly when you give full mailbox access) but with only the inbox showing?

    Thanks,

  11. Navneet Gupta says:

    Hi Paul,

    Thanks for this, but i am in the situation where you can pull me out.
    The thing is my requirement is exactly same, But i only need y user can see all the folder in inbox and inbox as well, except junk email,contacts,sent items etc and when i add the x account in y outlook. i cannot able to expand the folders. that is because on the root account i haven’t take permission. So please tell how can take permission on root as well as all folders in inbox including inbox folder.except all i want to put in exclusions…

    I used below command : but still my requirement not succeed.

    ForEach($f in (Get-MailboxFolderStatistics X | Where { $_.FolderPath.Contains(“/Clients”) -eq $True } ) ) {
    $fname = “X:” + $f.FolderPath.Replace(“/”,”\”);
    Add-MailboxFolderPermission $fname -User Y -AccessRights Reviewer }

    Any help really appreciated
    Thanks,

  12. OK, I have researched a new issue, per request from Administration.
    Exchange 2013 with Outlook 2010.
    The user has a mailbox on the Exchange 2013 server.
    This user likes to change the appointments made by the scheduling staff.
    Is there a way to make the user’s own calendar read-only?

    I only come to the conclusion that the answer is no.

  13. Matthew Procter says:

    Paul,

    This works great for Exchange 2010. How can you do the same in Ex2007?

    Cheers

    Matthew

  14. Thanks Paul,

    This issue was causing me a problem and a headache had a few users who wanted to grant view only access to the inbox sub folders without giving them access to the inbox itself. Needless to say script has been saved and I have since joined and will no doubt be catching up on more of your articles.

    Mark

  15. Paul – first and foremost – thank you for providing MANY useful scripts and advice over the years… I have the need to remove the read-only permissions that were set by your example script above. Kindly reply back with a solution/reverse script, it would be most appreciated.

    Thanks in advance

  16. aldwin nabua says:

    Hi Paul,

    Im trying to reverse the code but i’m receiving error.

    A positional parameter cannot be found that accepts argument ‘-AccessRights’.
    + CategoryInfo : InvalidArgument: (:) [Remove-MailboxFolderPermission], Para
    + FullyQualifiedErrorId : PositionalParameterNotFound,Remove-MailboxFolderPermission

    can you help me out on this?

  17. Hello Paul,

    Can you point me in the right direction on how to give a user ‘Delegate’ access say with ‘Author’ rights to ALL folders and subfolders?
    This has been a thorn in my side for some time. When these requests come up, I have to go into each subfolder individually and apply permissions. I have one now with 100′s.!
    Your assistance or direction would be much appreciated, Thank you.

  18. Hi Paul,

    Thanks heaps for the article, very informative and straight to the point!

    There is one aspect that still a bit unclear to me – do I need to grant the users Reviewer acces rights on the Top of the IS before running the script or granting them Reviewer access on certain folders?

    I did it anyway, but it would be good to know for future reference!

    Thanks in advance for your answer!

    Cheers,

    Chris

Leave a Comment

*

We are an Authorized DigiCert™ SSL Partner.