How to reset an Exchange 2010 mailbox folder to defaults?

  • Question

  • I need to be able to reset the permissions for the Conversation History folder that Lync creates to defaults, i.e. Default = none and Anonymous = none, removing any other permissions that are there.

    I believe I can do this via EXFolders on a one-time basis but I want to script this for regular use.

    Problem we have is that a lot of users have reviewer access at top level of other users' mailboxes and because the Conversation History folder was created later that permission has flowed down to it. This means that those reviewer level users can see any stored IMs which is bad for security.

    Don't want to remove the top-level rights because the reviewers usually need the folder list rights so they can open the mailbox.

    Currently we have turned off storing previous IMs in the folder but we want to turn it back on.

    I can't see an easy way to remove all non-default permissions from the folder, i.e. I can't do Remove-MailboxFolderPermission -identity "xyz:\Conversation History" -User *

    I guess I need a script to read the existing permissions and loop through removing each one individually but I don't have the skills.

    Thanks

    Neill

    Thursday, August 8, 2013 12:38 PM

All replies

  • Hi,

    I moved your thread to the development forum so that more professionals who are familiar with scripts can share their insights for your question.

    Thanks,


    Simon Wu
    TechNet Community Support

    Friday, August 9, 2013 4:58 PM
    Moderator
  • If you want to use Remove-MailboxFolderPermission see the example of clearing permissions in http://sysadmeanderings.blogspot.com.au/2013/01/powershell-recursively-set-outlook.html

    You can also do this using Exchange Web Services via the EWS Managed API like

    ## Get the Mailbox to Access from the 1st commandline argument
    
    $MailboxName = $args[0]
    
    ## Load Managed API dll  
    Add-Type -Path "C:\Program Files\Microsoft\Exchange\Web Services\2.0\Microsoft.Exchange.WebServices.dll"  
      
    ## Set Exchange Version  
    $ExchangeVersion = [Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2010_SP2  
      
    ## Create Exchange Service Object  
    $service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService($ExchangeVersion)  
      
    ## Set Credentials to use. Two options are available: Option 1 uses explicit credentials, Option 2 uses the default (logged on) credentials
      
    #Credentials Option 1 using UPN for the windows Account  
    $psCred = Get-Credential  
    $creds = New-Object System.Net.NetworkCredential($psCred.UserName.ToString(),$psCred.GetNetworkCredential().password.ToString())  
    $service.Credentials = $creds      
      
    #Credentials Option 2  
    #$service.UseDefaultCredentials = $true
      
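    ## Choose to ignore any SSL Warning issues caused by Self Signed Certificates
    ## This section makes every HTTPS request in this PowerShell session accept any certificate; skip it when the CAS certificate is already trusted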
      
    ## Code From http://poshcode.org/624
    ## Create a compilation environment
    $Provider=New-Object Microsoft.CSharp.CSharpCodeProvider
    $Compiler=$Provider.CreateCompiler()
    $Params=New-Object System.CodeDom.Compiler.CompilerParameters
    $Params.GenerateExecutable=$False
    $Params.GenerateInMemory=$True
    $Params.IncludeDebugInformation=$False
    $Params.ReferencedAssemblies.Add("System.DLL") | Out-Null
    
    $TASource=@'
      namespace Local.ToolkitExtensions.Net.CertificatePolicy{
        public class TrustAll : System.Net.ICertificatePolicy {
          public TrustAll() { 
          }
          public bool CheckValidationResult(System.Net.ServicePoint sp,
            System.Security.Cryptography.X509Certificates.X509Certificate cert, 
            System.Net.WebRequest req, int problem) {
            return true;
          }
        }
      }
    '@ 
    $TAResults=$Provider.CompileAssemblyFromSource($Params,$TASource)
    $TAAssembly=$TAResults.CompiledAssembly
    
    ## We now create an instance of the TrustAll and attach it to the ServicePointManager
    $TrustAll=$TAAssembly.CreateInstance("Local.ToolkitExtensions.Net.CertificatePolicy.TrustAll")
    [System.Net.ServicePointManager]::CertificatePolicy=$TrustAll
    
    ## end code from http://poshcode.org/624
      
    ## Set the URL of the CAS (Client Access Server) to use. Two options are available: use Autodiscover to find the CAS URL, or hardcode the CAS to use
      
    #CAS URL Option 1 Autodiscover  
    $service.AutodiscoverUrl($MailboxName,{$true})  
    "Using CAS Server : " + $Service.url   
       
    #CAS URL Option 2 Hardcoded  
      
    #$uri=[system.URI] "https://casservername/ews/exchange.asmx"  
    #$service.Url = $uri    
      
    ## Optional section for Exchange Impersonation  
      
    #$service.ImpersonatedUserId = new-object Microsoft.Exchange.WebServices.Data.ImpersonatedUserId([Microsoft.Exchange.WebServices.Data.ConnectingIdType]::SmtpAddress, $MailboxName) 
    
    function FolderIdFromPath{
    	param (
    	        $FolderPath = "$( throw 'Folder Path is a mandatory Parameter' )"
    		  )
    	process{
    		## Find and Bind to Folder based on Path  
    		#Define the path to search, should be separated with \
    		#Bind to the MSGFolder Root  
    		$folderid = new-object Microsoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::MsgFolderRoot,$MailboxName)   
    		$tfTargetFolder = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($service,$folderid)  
    		#Split the Search path into an array  
    		$fldArray = $FolderPath.Split("\") 
    		 #Loop through the Split Array and do a Search for each level of folder 
    		for ($lint = 1; $lint -lt $fldArray.Length; $lint++) { 
    	        #Perform search based on the displayname of each folder level 
    	        $fvFolderView = new-object Microsoft.Exchange.WebServices.Data.FolderView(1) 
    	        $SfSearchFilter = new-object Microsoft.Exchange.WebServices.Data.SearchFilter+IsEqualTo([Microsoft.Exchange.WebServices.Data.FolderSchema]::DisplayName,$fldArray[$lint]) 
    	        $findFolderResults = $service.FindFolders($tfTargetFolder.Id,$SfSearchFilter,$fvFolderView) 
    	        if ($findFolderResults.TotalCount -gt 0){ 
    	            foreach($folder in $findFolderResults.Folders){ 
    	                $tfTargetFolder = $folder                
    	            } 
    	        } 
    	        else{ 
    	            #Write to the host so the message is not returned as the function's output
    	            Write-Host "Error Folder Not Found"
    	            $tfTargetFolder = $null  
    	            break  
    	        }     
    	    }  
    		if($tfTargetFolder -ne $null){
    			return $tfTargetFolder.Id.UniqueId.ToString()
    		}
    	}
    }
    
    $fldId = FolderIdFromPath -FolderPath "\Conversation History"
    if($fldId -ne $null){
    	"Conversation Folder Found"
    	$psPropset = new-object Microsoft.Exchange.WebServices.Data.PropertySet([Microsoft.Exchange.WebServices.Data.BasePropertySet]::FirstClassProperties)  
    	$psPropset.Add([Microsoft.Exchange.WebServices.Data.FolderSchema]::Permissions);
    	$SubFolderId =  new-object Microsoft.Exchange.WebServices.Data.FolderId($fldId)
    	# Bind to the Folder
    	$cnvHistory = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($service,$SubFolderId,$psPropset)	
    	$cnvHistory.Permissions.Clear();
    	$cnvHistory.Update();
    	"Folder Permissions Cleared"
    }

    Cheers
    Glen

    Monday, August 12, 2013 7:00 AM
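
Added example, not part of Glen's answer or the linked blog post: the read-and-loop approach the question describes, written with the Exchange Management Shell cmdlets. `Reset-FolderToDefaultAcl` is a hypothetical name; the sketch assumes the folder is called "Conversation History" in the mailbox's language and that each ACL entry's display name resolves to exactly one recipient.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Reset-FolderToDefaultAcl is a hypothetical helper name.
function Reset-FolderToDefaultAcl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Mailbox,
        [string]$FolderName = 'Conversation History'
    )

    # ${Mailbox} is braced so PowerShell does not parse "$Mailbox:" as a
    # drive-qualified variable reference.
    $folderId = "${Mailbox}:\$FolderName"

    # Read the current ACL; stop if the folder does not exist
    # (for example, Lync has not created it yet).
    $acl = Get-MailboxFolderPermission -Identity $folderId -ErrorAction Stop

    foreach ($entry in $acl) {
        $user   = $entry.User.ToString()
        $rights = $entry.AccessRights -join ','

        if ($user -eq 'Default' -or $user -eq 'Anonymous') {
            # Keep the two built-in entries and set them to None, as the question asks.
            if ($rights -ne 'None' -and
                $PSCmdlet.ShouldProcess($folderId, "Set $user from $rights to None")) {
                Set-MailboxFolderPermission -Identity $folderId -User $user -AccessRights None
            }
        }
        else {
            # Assumption: the display name shown in the ACL resolves to one recipient.
            if ($PSCmdlet.ShouldProcess($folderId, "Remove $user ($rights)")) {
                Remove-MailboxFolderPermission -Identity $folderId -User $user -Confirm:$false
            }
        }
    }

    # Return the resulting ACL so the caller can log or verify it.
    Get-MailboxFolderPermission -Identity $folderId
}

# Preview the changes first, then apply them:
# Reset-FolderToDefaultAcl -Mailbox 'xyz' -WhatIf
# Reset-FolderToDefaultAcl -Mailbox 'xyz'
```

Because the folder inherits the top-level reviewer rights only at creation time, running this after Lync has created the folder leaves the top-level permissions untouched.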
  • Thanks Glen.

    Will give it a try.

    Might have guessed you'd have something that would help. :-)

    Cheers

    Neill

    Monday, August 12, 2013 7:41 AM