I recently had the requirement where somebody required another person to access a specific folder in their mailbox. We didn’t want to grant full mailbox access. This normally isn’t a problem as we’d just set the permissions on the individual folders in Outlook, but the user in question had an extensive folder structure set up.
I found several tools that were capable of doing this, but I wasn’t going to pay USD$500+ for a tool I was going to use once. In addition to that, some tools didn’t work against Exchange 2010. That equates to a pretty bad investment for our company as we’re currently migrating from Exchange 2003 to Exchange 2010.
I also toyed with the following ideas:
- Doing it in Powershell: I’m no Powershell guru, so it would take some time – plus I’d need to move the user’s mailbox to Exchange 2010 before I could use Powershell
- Using EWS and write a desktop app in C# (Interesting, but too time consuming)
The Microsoft Exchange Server Public Folder DAV-based Administration Tool (PFDAVAdmin) can be used to do exactly this (and a myriad of other things). Note that the tool has also been renamed and updated to work with Exchange 2010 (including EX2010 SP1).
I’ll be working with the legacy WebDAV version in this example, as the mailbox in question still resides on the Exchange 2003 server.
Andrew Shugg raised a good point in the comments section:
Worth noting that the “classic” PFDAVadmin requires .NET Framework 1.1, and if you try to install that on a modern server system (e.g. Windows Server 2008, Windows SBS 2008) you’ll get warnings about it breaking things in IIS.
If possible, install PFDAVadmin and the .NET Framework 1.1 on a desktop system or non-critical server.
- Downloadand extract PFDAVAdmin
- Run the tool, PFDAVAdmin.exe
- Go to File, Connect, specify the connection details, and connect
- Drill down to the mailbox in question, and then to Top of Information Store
- Locate the starting-level folder that you’re going to assign permissions to. Ensure that the permissions are correct at that level (right-click, Folder Permissions)
- Right-click on that same folder again, and select Propagate ACEs
- Select the ACEs (Access Control Entries) that you wish to propagate
- Leave the other settings on their defaults, so we’re Adding/Replacing the specific ACE on subfolders
- The tool will then run through all of the folders. In my case, this user had hundreds of folders that needed to be modified:
The same process can be used to remove the permissions later on.