
Remove mailbox folder permissions (Exchange 2010 SP1/Evault 9.0.2)

Created: 10 Jan 2012 • Updated: 17 Feb 2012 | 6 comments
This issue has been solved. See solution.

The "Synchronize folder permissions" mailbox policy setting is turned to "On". Folder permissions are coming over to the archive OK; however, I am now getting complaints that the users don't want to see other users' archives. I used the PermissionBrowser and verified the folder permissions exist. Is there a recursive command or script that I can use to remove mailbox folder permissions in Exchange for ALL folders instead of removing folder permissions one by one?


JesusWept3's picture

http://www.symantec.com/business/support/index?pag...

Change ArchiveName to be ALL and it will zap all user permissions.
You will have to synch with folder hierarchy and permissions checked, or wait for a regular archiving run to occur, to get the permissions back. If you keep the folder permissions option set to On, the permissions will come right back, so set it to Off.

TonySterling's picture

Wouldn't it be easier to just turn Off the setting to Synchronize folder permissions?

You could look at the PowerShell script to remove folder permissions.

http://technet.microsoft.com/en-us/library/dd35118...
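A sketch of the recursive removal asked about in the question, as an added example that is not part of any post in this thread and not Symantec's or Microsoft's own script. It assumes the Exchange Management Shell on Exchange 2010 SP1; the function name `Remove-AllFolderDelegates` and the mailbox `jdoe` are hypothetical placeholders.

```powershell
# Added example. Walks every folder of one mailbox and removes each
# folder-level permission entry except the ones listed in -Keep.
function Remove-AllFolderDelegates {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Mailbox,
        # Default and Anonymous are built-in entries and are left alone.
        [string[]]$Keep = @('Default', 'Anonymous')
    )
    $mbx  = Get-Mailbox -Identity $Mailbox -ErrorAction Stop
    $root = "$($mbx.PrimarySmtpAddress):"

    foreach ($f in Get-MailboxFolderStatistics -Identity $mbx.Identity) {
        # The root folder is addressed as "user:\"; others as "user:\Inbox\Sub".
        # Folder names that themselves contain "/" need extra handling.
        if ($f.FolderType -eq 'Root') { $folderId = "$root\" }
        else { $folderId = $root + $f.FolderPath.Replace('/', '\') }

        # Some system folders cannot be queried; skip them instead of aborting.
        $perms = Get-MailboxFolderPermission -Identity $folderId -ErrorAction SilentlyContinue
        if (-not $perms) { continue }

        foreach ($p in $perms) {
            # The string form is a display name; an ambiguous name will make
            # the removal fail rather than hit the wrong account.
            $user = "$($p.User)"
            if ($Keep -contains $user) { continue }
            if ($PSCmdlet.ShouldProcess($folderId, "Remove folder permission for '$user'")) {
                Remove-MailboxFolderPermission -Identity $folderId -User $user -Confirm:$false
            }
            # Emit one record per entry so the run can be exported for audit.
            New-Object PSObject -Property @{
                Folder = $folderId
                User   = $user
                Rights = ($p.AccessRights -join ',')
            }
        }
    }
}

# Dry run first: lists what would be removed without changing anything.
Remove-AllFolderDelegates -Mailbox 'jdoe' -WhatIf | Export-Csv .\jdoe-folder-perms.csv -NoTypeInformation
```

Run it with `-WhatIf` and review the CSV before running it for real; the export also serves as a record of the delegations that existed if any need to be restored.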

JesusWept3's picture

If you turn sync permissions off though, it will still keep the old permissions, no?

TonySterling's picture

LOL, that's true! So you would want to zap the permissions like you said.

smlopes's picture

That's the easy answer. Doesn't completely solve my question though.

1) Does it reset everyone's permissions that already have access to other users' archives?

2) What's best practice on assigning archive permissions with the folder sync off? Does the system admin now have to manually add permissions every time someone needs access to someone's archive?

JesusWept3's picture

If you do a permissions zap on a mailbox, it will completely remove all permissions from the archive, and then when it synchronizes it will take whatever you tell it to sync, so in this case it will just sync the mailbox permissions and nothing else.

If someone else needs access, you would have to assign them in the VAC, and that would give them read-only access for the entire archive.

I suppose you could create a new provisioning group and a new policy that only synchronizes the permissions for a certain number of users that are OK with this.

SOLUTION