Propagate mailbox folder permissions

I recently had the requirement where somebody required another person to access a specific folder in their mailbox. We didn’t want to grant full mailbox access. This normally isn’t a problem as we’d just set the permissions on the individual folders in Outlook, but the user in question had an extensive folder structure set up.

I found several tools that were capable of doing this, but I wasn’t going to pay USD$500+ for a tool I was going to use once. In addition to that, some tools didn’t work against Exchange 2010. That equates to a pretty bad investment for our company as we’re currently migrating from Exchange 2003 to Exchange 2010.

I also toyed with the following ideas:

  1. Doing it in PowerShell: I’m no PowerShell guru, so it would take some time – plus I’d need to move the user’s mailbox to Exchange 2010 before I could use PowerShell
  2. Using EWS and writing a desktop app in C# (Interesting, but too time consuming)

The Microsoft Exchange Server Public Folder DAV-based Administration Tool (PFDAVAdmin) can be used to do exactly this (and a myriad of other things). Note that the tool has also been renamed and updated to work with Exchange 2010 (including EX2010 SP1).

I’ll be working with the legacy WebDAV version in this example, as the mailbox in question still resides on the Exchange 2003 server.

Andrew Shugg raised a good point in the comments section:

Worth noting that the “classic” PFDAVadmin requires .NET Framework 1.1, and if you try to install that on a modern server system (e.g. Windows Server 2008, Windows SBS 2008) you’ll get warnings about it breaking things in IIS.

If possible, install PFDAVadmin and the .NET Framework 1.1 on a desktop system or non-critical server.

  1. Download and extract PFDAVAdmin
  2. Run the tool, PFDAVAdmin.exe
  3. Go to File, Connect, specify the connection details, and connect
  4. Drill down to the mailbox in question, and then to Top of Information Store
  5. Locate the starting-level folder that you’re going to assign permissions to. Ensure that the permissions are correct at that level (right-click, Folder Permissions)
  6. Right-click on that same folder again, and select Propagate ACEs
  7. Select the ACEs (Access Control Entries) that you wish to propagate
  8. Leave the other settings on their defaults, so we’re Adding/Replacing the specific ACE on subfolders
  9. The tool will then run through all of the folders. In my case, this user had hundreds of folders that needed to be modified.

The same process can be used to remove the permissions later on.

Quite handy.
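For a mailbox that already resides on Exchange 2010, the PowerShell route mentioned earlier can perform the same propagation and the later removal. The script below is an added example, not part of the original post; it assumes the Exchange Management Shell, and the addresses, folder path and role are placeholders.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# All values below are placeholders / assumptions.
$Mailbox  = 'owner@example.com'     # mailbox that owns the folder tree
$Delegate = 'delegate@example.com'  # person who needs access
$Root     = '/Inbox/Projects'       # starting folder, in FolderPath form
$Rights   = 'Reviewer'              # read-only role; grant the least access needed
$Remove   = $false                  # set to $true to take the access away again

# Starting folder plus its descendants. Comparing against "$Root/" avoids
# touching siblings such as /Inbox/Projects-Old.
$folders = Get-MailboxFolderStatistics -Identity $Mailbox |
    Where-Object { $_.FolderPath -eq $Root -or $_.FolderPath.StartsWith("$Root/") }

foreach ($f in $folders) {
    # The folder permission cmdlets expect "mailbox:\path\to\folder"
    $id = '{0}:{1}' -f $Mailbox, $f.FolderPath.Replace('/', '\')
    $existing = Get-MailboxFolderPermission -Identity $id -User $Delegate -ErrorAction SilentlyContinue

    if ($Remove) {
        if ($existing) {
            Remove-MailboxFolderPermission -Identity $id -User $Delegate -Confirm:$false
        }
    } elseif ($existing) {
        # Entry already present: replace its rights instead of failing on Add
        Set-MailboxFolderPermission -Identity $id -User $Delegate -AccessRights $Rights
    } else {
        Add-MailboxFolderPermission -Identity $id -User $Delegate -AccessRights $Rights
    }
}

# Review the result: the delegate's entry on every folder in the subtree
$folders | ForEach-Object {
    $id = '{0}:{1}' -f $Mailbox, $_.FolderPath.Replace('/', '\')
    Get-MailboxFolderPermission -Identity $id -User $Delegate -ErrorAction SilentlyContinue
} | Format-Table FolderName, User, AccessRights -AutoSize
```

The final table doubles as an audit record of what was granted; rerun the script with `$Remove = $true` and the table should come back empty.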

3 thoughts on “Propagate mailbox folder permissions”

  1. Cool, that is handy to know.

    I always hated doing folder permissions, especially when all my users have extensive folder structures.

    Thanks.


  2. Worth noting that the “classic” PFDAVadmin requires .NET Framework 1.1, and if you try to install that on a modern server system (e.g. Windows Server 2008, Windows SBS 2008) you’ll get warnings about it breaking things in IIS.

    If possible, install PFDAVadmin and the .NET Framework 1.1 on a desktop system or non-critical server.

