01-10-2012 02:06 PM
The "Synchronize folder permissions" mailbox policy setting is turned to "On". Folder permissions are coming over to the archive OK; however, I am now getting complaints that the users don't want to see other users' archives. I used the PermissionBrowser and verified the folder permissions exist. Is there a recursive command or script that I can use to remove mailbox folder permissions in Exchange for ALL folders instead of removing folder permissions one by one?
01-10-2012 03:19 PM
01-10-2012 03:21 PM
Wouldn't it be easier to just turn Off the setting to Synchronize folder permissions?
You could look at the PowerShell script to remove folder permissions.
http://technet.microsoft.com/en-us/library/dd351181.aspx
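The recursive removal asked about in the opening question could be built on the `Remove-MailboxFolderPermission` cmdlet from the link above. This is an added example, not a script posted by anyone in the thread; it assumes the Exchange Management Shell, and the `$Mailbox` and `-Apply` parameters are hypothetical names chosen for the illustration.

```powershell
# Added example: list, and optionally remove, every non-default permission entry
# on every folder of one mailbox. Run in the Exchange Management Shell.
param(
    [Parameter(Mandatory = $true)][string]$Mailbox,  # hypothetical parameter: mailbox alias or address
    [switch]$Apply                                   # hypothetical switch: without it nothing is changed
)

# Entries that exist on folders by default; they are left in place.
$keep = @('Default', 'Anonymous')

# Get-MailboxFolderStatistics returns every folder. FolderPath uses "/" separators,
# while the *-MailboxFolderPermission cmdlets expect "mailbox:\Folder\Subfolder".
foreach ($folder in Get-MailboxFolderStatistics -Identity $Mailbox) {
    if ($folder.FolderPath -eq '/Top of Information Store') {
        $folderId = "${Mailbox}:\"
    } else {
        $folderId = "${Mailbox}:" + ($folder.FolderPath -replace '/', '\')
    }

    # Some system folders cannot be queried; report and skip them.
    $perms = Get-MailboxFolderPermission -Identity $folderId -ErrorAction SilentlyContinue
    if (-not $perms) {
        Write-Warning "Skipped (permissions not readable): $folderId"
        continue
    }

    foreach ($perm in $perms) {
        # Assumption: the display form of the User property identifies the grantee uniquely.
        $user = "$($perm.User)"
        if ($keep -contains $user) { continue }

        # Record what is about to be removed so the change can be reviewed or reverted.
        Write-Output ("{0}  {1}  {2}" -f $folderId, $user, ($perm.AccessRights -join ','))

        # -WhatIf stays on unless -Apply was given, so the default run is a dry run.
        Remove-MailboxFolderPermission -Identity $folderId -User $user `
            -Confirm:$false -WhatIf:(-not $Apply)
    }
}
```

Run it once without `-Apply` and keep the output as a record of who had access to which folder before anything is removed.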
01-10-2012 06:44 PM
If you turn sync permissions off though, it will still keep the old permissions, no?
01-10-2012 07:05 PM
LOL, that's true! So you would want to zap the permissions like you said.
02-03-2012 06:08 AM
That's the easy answer. Doesn't completely solve my question though.
1) Does it reset everyone's permissions that already have access to other users' archives?
2) What's best practice on assigning archive permissions with the folder sync off? Does the system admin now have to manually add permissions every time someone needs access to someone's archive?
02-03-2012 07:31 AM
If you do a permissions zap on a mailbox, it will completely remove all permissions from the archive, and then when it synchronizes it will take whatever you tell it to sync, so in this case it will just sync the mailbox permissions and nothing else.
If someone else needs access, you would have to assign them in the VAC, and that would give them the read-only for the entire archive.
I suppose you could create a new provisioning group and a new policy that only synchronizes the permissions for a certain amount of users that are OK with this.