5 PowerShell Oneliners to Manage IMAP Permissions

You can manage user permissions in Exchange and other mail servers with the same commands by using the IMAP protocol instead of server-specific tools.  Here is how!

Jumping right in, these all use get-imap and set-imap from NetCmdlets:

#1 – Get ACL – Here’s a one-liner to get the ACL for a specific folder in an account. In this particular case, my main INBOX has a subfolder named RESUMES, and I want to see who has what permissions to this folder.

 

PS C:\> get-imap -server $mymailserver -cred $mycred -folder INBOX.RESUMES -acl                                                  

Mailbox Rights User
------- ------ ----
INBOX.RESUMES lrswipcda lancer
INBOX.RESUMES lrswipcd sahils
INBOX.RESUMES lrswipcd derekm
INBOX.RESUMES lrswipcd johnh
INBOX.RESUMES lrswipcd robc
INBOX.RESUMES lrswipcd blakeb


PS C:\>

 

Of course, the permissions are:

l=look, r=read, s=keep, w=write, i=insert, p=post, c=create, d=delete, a=administer. For more information on those and what they mean, check the NetCmdlets documentation or the server documentation.


 

 

#2 – Set A Complete List of User Rights – Now I want to set the rights of the user derekm to a specific list of rights. In this case I want to set his rights to only l and r (look and read). I don’t want him to be able to insert, move, delete, etc., emails (resumes) from this folder. To set the list, I just specify the rights as a string, i.e.:

 

PS C:\> set-imap -server $mymailserver -cred $mycred -folder INBOX.RESUMES -acluser derekm -acl "lr"
PS C:\> get-imap -server $mymailserver -cred $mycred -folder INBOX.RESUMES -acl | ?{$_.User -eq "derekm"}

Mailbox Rights User
------- ------ ----
INBOX.RESUMES lr derekm


PS C:\>

 

Here, using set-imap I just specify the user that I want to modify the rights of (-acluser) and the rights I want that user to have (-acl).


 

 

#3 – Remove A Specific Right from a User – To remove a specific right from a user, I use the “-” prefix. For example, if I decide that johnh should not have delete rights in the folder:

 

PS C:\> set-imap -server $mymailserver -cred $mycred -folder INBOX.RESUMES -acluser johnh -acl "-d"                    
PS C:\> get-imap -server $mymailserver -cred $mycred -folder INBOX.RESUMES -acl | ?{$_.User -eq "johnh"}

Mailbox Rights User
------- ------ ----
INBOX.RESUMES lrswipc johnh


PS C:\>

 

Now, instead of setting a complete list of rights as in #2, I’ve removed just one specific right.


 

 

#4 – Add a Specific Right to a User – If I want to add a specific right to a user, I can do that by using the “+” prefix. For example, if I want to add the delete right back to johnh:

 

PS C:\> set-imap -server $mymailserver -cred $mycred -folder INBOX.RESUMES -acluser johnh -acl "+d"                    
PS C:\> get-imap -server $mymailserver -cred $mycred -folder INBOX.RESUMES -acl | ?{$_.User -eq "johnh"}

Mailbox Rights User
------- ------ ----
INBOX.RESUMES lrswipcd johnh


PS C:\>

 


#5 – Remove All Rights from a User – To completely remove all rights from a specific user, I have to explicitly remove all rights (using the “-” prefix). After this, they cannot do anything at all with the folder, or even see the messages in the folder. I’ll remove all of the rights from john:

 

PS C:\> set-imap -server $mymailserver -cred $mycred -folder INBOX.RESUMES -acluser johnh -acl "-lrswipcda"            
PS C:\> get-imap -server $mymailserver -cred $mycred -folder INBOX.RESUMES -acl

Mailbox Rights User
------- ------ ----
INBOX.RESUMES lrswipcda lancer
INBOX.RESUMES lrswipcd sahils
INBOX.RESUMES lr derekm
INBOX.RESUMES lrswipcd robc
INBOX.RESUMES lrswipcd blakeb


PS C:\>

 

Now you can see that john no longer has any rights in the INBOX.RESUMES folder.

In a nutshell, when setting rights, if the ACL parameter value starts with a plus, the rights are added to any existing rights for the identifier. If the ACL parameter value starts with a minus, the rights are removed from any existing rights for the identifier. If the ACL parameter value does not start with a plus or minus, the rights replace any existing rights for the identifier.
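As an added example (not part of the original post and not NetCmdlets code), the plus/minus rule above can drive a least-privilege check: compare the rights a listing reports against an intended set and produce the -acl value that would close each gap. The function name Get-AclDrift, the $policy table, and the users tempuser and newhire are hypothetical, and the rows are constructed so the block runs without a mail server.

```powershell
# Constructed sample rows mirroring the Mailbox/Rights/User columns that
# get-imap -acl returns in the listings above.
$current = @(
    [pscustomobject]@{ Mailbox = 'INBOX.RESUMES'; Rights = 'lrswipcda'; User = 'lancer' }
    [pscustomobject]@{ Mailbox = 'INBOX.RESUMES'; Rights = 'lrswipcd';  User = 'sahils' }
    [pscustomobject]@{ Mailbox = 'INBOX.RESUMES'; Rights = 'lr';        User = 'derekm' }
    [pscustomobject]@{ Mailbox = 'INBOX.RESUMES'; Rights = 'lrswipcd';  User = 'tempuser' }
)

# Hypothetical policy: the rights each user is meant to hold on the folder.
# A user who is not in this table is expected to hold no rights at all.
$policy = @{ lancer = 'lrswipcda'; sahils = 'lr'; derekm = 'lrs'; newhire = 'lr' }

function Get-AclDrift {
    param([object[]]$Acl, [hashtable]$Policy)

    # Check every user that appears in the listing or in the policy.
    $users = @($Acl | ForEach-Object { $_.User }) + @($Policy.Keys) | Sort-Object -Unique
    foreach ($user in $users) {
        $row = $Acl | Where-Object { $_.User -eq $user } | Select-Object -First 1
        [char[]]$have = if ($row) { $row.Rights } else { '' }
        [char[]]$want = if ($Policy.ContainsKey($user)) { $Policy[$user] } else { '' }

        # Right letters are single lowercase characters, so compare case-sensitively.
        $extra   = -join ($have | Where-Object { $want -cnotcontains $_ })
        $missing = -join ($want | Where-Object { $have -cnotcontains $_ })

        # "-" removes rights from the existing set, "+" adds to it.
        if ($extra)   { [pscustomobject]@{ User = $user; AclValue = "-$extra";   Reason = 'exceeds policy' } }
        if ($missing) { [pscustomobject]@{ User = $user; AclValue = "+$missing"; Reason = 'below policy' } }
    }
}

# Review the proposed changes before applying any of them. Each row maps to:
#   set-imap -server $mymailserver -cred $mycred -folder INBOX.RESUMES `
#            -acluser <User> -acl <AclValue>
Get-AclDrift -Acl $current -Policy $policy | Format-Table -AutoSize
```

Against a live folder, the output of the get-imap -acl one-liner from #1 would take the place of $current.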

Hope this helps!


Posted on Thursday, June 4, 2009 11:11 AM


Copyright © Lance Robinson
