You can manage user permissions in Exchange and other mail servers with the same commands by using the IMAP protocol instead of server-specific tools. Here is how!
Jumping right in, these all use get-imap and set-imap from NetCmdlets:
#1 – Get ACL – Here’s a one-liner to get the ACL for a specific folder in an account. In this particular case, my main INBOX has a subfolder named RESUMES, and I want to see who has what permissions to this folder.
The permission letters are:
l=look, r=read, s=keep, w=write, i=insert, p=post, c=create, d=delete, a=administer. For more information on those and what they mean, check the NetCmdlets documentation or the server documentation.
#2 – Set A Complete List of User Rights – Now I want to set the rights of the user derekm to a specific list of rights. In this case I want to set his rights to only l and r (look and read). I don’t want him to be able to insert, move, delete, etc., emails (resumes) from this folder. To set the list, I just specify the rights as a string, i.e.:
Here, using set-imap I just specify the user that I want to modify the rights of (-acluser) and the rights I want that user to have (-acl).
#3 – Remove A Specific Right from a User – To remove a specific right from a user, I use the “-” prefix. For example, if I decide that johnh should not have delete rights in the folder:
Now instead of setting a complete list of rights, as in #2, I’ve just removed one specific right.
#4 – Add a Specific Right to a User – If I want to add a specific right to a user, I can do that by using the “+” prefix. For example, if I want to add the delete right back to johnh:
#5 – Remove All Rights from a User – To completely remove all rights from a specific user, I have to explicitly remove all rights (using the “-” prefix). After this, they cannot do anything at all with the folder, or even see the messages in the folder. I’ll remove all of the rights from john:
Now you can see that john no longer has any rights in the INBOX.RESUMES folder.
In a nutshell, when setting rights, if the ACL parameter value starts with a plus, the rights are added to any existing rights for the identifier. If the ACL parameter value starts with a minus, the rights are removed from any existing rights for the identifier. If the ACL parameter value does not start with a plus or minus, the rights replace any existing rights for the identifier.
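The rule summarized above, modelled offline in PowerShell as an added example (not code from the original post or from NetCmdlets). `Resolve-ImapAcl` is a hypothetical helper that previews the rights string an `-acl` value would produce before you apply it, and the starting rights in `$folderAcl` are constructed sample values.

```powershell
# Added example: previews the +/-/replace rule without contacting a server.
# Resolve-ImapAcl is a hypothetical name; rights letters are those listed in the post.
$ValidRights = 'lrswipcda'

function Resolve-ImapAcl {
    param(
        [string]$Current = '',   # rights the identifier holds now
        [string]$Acl = ''        # value you intend to pass as -acl
    )
    $mode = 'replace'
    $letters = $Acl
    if ($Acl.StartsWith('+'))     { $mode = 'add';    $letters = $Acl.Substring(1) }
    elseif ($Acl.StartsWith('-')) { $mode = 'remove'; $letters = $Acl.Substring(1) }

    # Reject typos early: an unknown letter should never reach the server.
    foreach ($ch in ($Current + $letters).ToCharArray()) {
        if ($ValidRights.IndexOf($ch) -lt 0) { throw "Unknown right '$ch' in '$Acl'" }
    }

    # Walk the rights in a fixed order so the result is canonical.
    $result = foreach ($r in $ValidRights.ToCharArray()) {
        $had   = $Current.IndexOf($r) -ge 0
        $named = $letters.IndexOf($r) -ge 0
        $keep = switch ($mode) {
            'add'     { $had -or $named }        # union with existing rights
            'remove'  { $had -and -not $named }  # existing rights minus the named ones
            'replace' { $named }                 # existing rights are discarded
        }
        if ($keep) { $r }
    }
    -join $result
}

# Constructed starting state for INBOX.RESUMES, not output from a real server.
$folderAcl = @{ derekm = 'lrswipcd'; johnh = 'lrswipcd'; john = 'lr' }
$changes = @(
    @{ User = 'derekm'; Acl = 'lr' },          # 2: replace the whole list
    @{ User = 'johnh';  Acl = '-d' },          # 3: remove one right
    @{ User = 'johnh';  Acl = '+d' },          # 4: add it back
    @{ User = 'john';   Acl = '-lrswipcda' }   # 5: remove everything
)
foreach ($c in $changes) {
    $before = $folderAcl[$c.User]
    $after  = Resolve-ImapAcl -Current $before -Acl $c.Acl
    $folderAcl[$c.User] = $after
    $flag = if ($after.IndexOf([char]'a') -ge 0) { ' [grants administer]' } else { '' }
    "{0,-7} {1,-11} '{2}' -> '{3}'{4}" -f $c.User, $c.Acl, $before, $after, $flag
}
```

Each output line shows the user, the `-acl` value, and the rights before and after; a result containing `a` is flagged because that right lets the user change the folder's ACL themselves.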
Hope this helps!