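This script grants a manager the Full Access permission on the mailboxes of all of his/her subordinates, direct and indirect. To grant the access, you can create a custom command that runs the script on the manager's account. For more information, see Create a Custom Command. Note that the script only adds the permission: it does not remove it again when a subordinate later moves to a different manager.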
PowerShell
function GetAllSubordinates($directReportDN, $subordinateDNs, $mailboxParams)
{
    # Applies $mailboxParams to one subordinate's mailbox and then walks down
    # that subordinate's own directReports, depth first.
    #
    # Parameters:
    #   $directReportDN - distinguished name of the subordinate to process.
    #   $subordinateDNs - set of DNs already processed; updated in place. The only
    #                     caller on this page passes a HashSet[String].
    #   $mailboxParams  - mailbox parameters handed unchanged to SetMailParameters.
    #
    # Relies on the $Context variable supplied by the script host.
    # Nothing is logged per mailbox here, and SetMailParameters is not wrapped in
    # try/catch, so an exception from it propagates to the caller.

    # Each DN is handled once. This also stops the recursion if the reporting
    # chain loops back on itself.
    if ($subordinateDNs.Contains($directReportDN))
    {
        return
    }
    $null = $subordinateDNs.Add($directReportDN)

    # Bind to the subordinate's directory object
    $subordinate = $Context.BindToObjectByDN($directReportDN)

    # Only mailbox-enabled recipients receive the permission
    $hasMailbox = $subordinate.RecipientType -ieq "ADM_EXCHANGERECIPIENTTYPE_MAILBOXENABLED"
    if ($hasMailbox)
    {
        # Write the prepared mailbox-rights modification to this subordinate's mailbox
        $subordinate.SetMailParameters($mailboxParams, "ADM_SET_EXCHANGE_PARAMS_FLAGS_NONE")
    }

    # Read the next level of the hierarchy. Any exception ends this branch
    # silently (presumably GetEx throws when directReports is empty - confirm;
    # other failures are swallowed here as well).
    try
    {
        $nestedReportDNs = $subordinate.GetEx("directReports")
    }
    catch
    {
        return
    }

    foreach ($nestedDN in $nestedReportDNs)
    {
        GetAllSubordinates $nestedDN $subordinateDNs $mailboxParams
    }
}
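# Script body: grants the target user (the manager the script is run on)
# 'Full Mailbox Access' on the mailbox of every direct and indirect report.
#
# Review notes:
#   - The permission is only appended (ADS_PROPERTY_APPEND). Nothing on this page
#     removes it when a report later moves to another manager, so grants can go
#     stale; plan a periodic review or a matching revoke step.
#   - Full access lets the manager read everything in the mailbox. Restrict who
#     may run the custom command accordingly.

# Get direct subordinates
try
{
    $directReportDNs = $Context.TargetObject.GetEx("directReports")
}
catch
{
    # Any exception from GetEx lands here, not only "attribute is empty"
    $Context.LogMessage("The user doesn't have any direct reports.", "Warning") # TODO: modify me
    return
}

# Create 'Full Mailbox Access' permission for the target user
$mailboxParams = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxParameters"
$mailboxRights = $mailboxParams.MailboxRights

# Trustee = the target user. The DN is read from the bound object instead of
# using the "%distinguishedName%" value reference inside a double-quoted string:
# NOTE(review): value references appear to be substituted into the script text
# before it runs - confirm. If so, a DN containing a double quote, a backtick or
# a dollar sign would be parsed as PowerShell instead of being treated as data.
# Reading the attribute keeps directory data out of the script source.
$objReference = New-Object "Softerra.Adaxes.Adsi.AdmObjectReference"
$objReference.ObjectDN = $Context.TargetObject.Get("distinguishedName")

# Second constructor argument (0) is kept as in the original; its meaning is
# not shown on this page.
$permission = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxPermission"(
    "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS",
    0,
    $objReference)

# Append the permission to the existing mailbox rights
$permissionModification = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxRightsModification"
$permissionModification.Operation = "ADS_PROPERTY_APPEND"
$permissionModification.Permission = $permission
$mailboxRights.AddModification($permissionModification)
$mailboxParams.MailboxRights = $mailboxRights

# Set the 'Full Mailbox Access' permission on all the subordinate's mailboxes.
# The set records every DN already processed so that no mailbox is updated twice.
$subordinateDNs = New-Object "System.Collections.Generic.HashSet[String]"
foreach ($directReportDN in $directReportDNs)
{
    GetAllSubordinates $directReportDN $subordinateDNs $mailboxParams
}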