Powershell – Script to remove Exchange 2010 AutoMapping for all mailboxes

exchangeexchange-2010outlook-2007outlook-2010powershell

I have an Exchange 2010 SP3 server that's getting Application event error 9646 from MSExchangeIS:

Mapi session [ID] [AD User] exceeded the maximum of 500 objects of type "objtFolder"

Looking into this, the cause was found to be several users that have a lot of Full Access Permissions on other people's mailboxes.

Because of the way this changed in SP1 See Technet article HERE, They now automatically open all the users they have access to, rather than being able to add or open them only when needed.

Ideally, I'd like a script I can run to globally remove the -Automapping $true string for all users: This should leave them access to the mailbox when needed, but stop it from automatically opening, taking up MAPI sessions.

I tried the Microsoft Technet Script from the above URL, but that didn't appear to work as intended:

[PS]$FixAutoMapping = Get-MailboxPermission sharedmailbox|where {$_AccessRights -eq "FullAccess" -and $_IsInherited -eq $false}
The operation couldn't be performed because object sharedmailbox couldn't be found on '[Servername]'.
    + CategoryInfo          : InvalidData: (:) [Get-MailboxPermission], ManagementObjectNotFoundException
+ FullyQualifiedErrorId : B485A4C7,Microsoft.Exchange.Management.RecipientTasks.GetMailboxPermission

I'm presuming that sharedmailbox is a specific example mailbox which Doesn't exist on my server: I need a script that searches through all the mailboxes, then changes Automapping $true to Automapping $false for any access permissions on the mailbox.

Is this possible to do?

Best Answer

That is incredibly easy. You simply need to retrieve a list of mailboxes and run the example against each of them:

# Get all mailboxes in the forest
$Mailboxes = Get-Mailbox -ResultSize unlimited -IgnoreDefaultScope
$ConfirmPreference = 'None'

# Iterate over each mailbox
foreach($Mailbox in $Mailboxes)
{
    try 
    {
        # Try to run the example fix against the current $Mailbox
        $FixAutoMapping = Get-MailboxPermission $Mailbox |where {$_.AccessRights -eq "FullAccess" -and $_.IsInherited -eq $false}
        $FixAutoMapping | Remove-MailboxPermission
        $FixAutoMapping | ForEach {Add-MailboxPermission -Identity $_.Identity -User $_.User -AccessRights:FullAccess -AutoMapping $false} 
    }
    catch
    {
        # Inform about the error if unsuccessful
        Write-Host "Encountered error: $($Error[0].Exception) on mailbox $($Mailbox.DisplayName)" -ForegroundColor Red
    }
}

Related Solutions

Powershell – Can’t give ‘send-as’ permissions in Exchange 2010

I've finally fixed this.

Interestingly Send-As is an AD permission - not an exchange permission as you might have expected.

Anyway, these are the steps:

Make the target mailbox "shareable" using this command in Powershell on your Exchange Server:

Set-Mailbox user1 -type:shared

If you get this error (same as in my first post): AD Failure

You will need to find that user in AD and go to the properties >> Security >> Advanced:

AD Properties

You need to ENABLE the option to "Include inheritable permissions from this object's parent":

enter image description here

Once that is done you should be able to complete the folder share script.

Then actually grant the rights using this command:

Add-ADPermission user1 -User Ourdomain\User2 -ExtendedRights "Send As"

Hope that helps others who have the same problem.

Kieran

Shared Mailboxes in Exchange 2010

Exchange and Sharepoint provides tools; you customize them for your needs. You might think that these needs are universal and indeed they are but you'd be surprised how much they vary between organizations so your config is likely different than others. What you are really doing is mapping business processes to the technology and that can really only be done by you. You need to figure out what your users need and build a solution that works for them. This probably explains why you aren't finding docs for exactly what you want.

Public folders are viable for Exchange 2010 and for who knows how long. Microsoft initially tried to kill them off but there was a lot of backlash so they've backed off on that a bit. If you're not already using them, you'd be wise to skip them and find a solution that uses mailboxes or Sharepoint instead.

Really your 2 options are as you've mentioned: use a mailbox and give everyone access or use a Sharepoint site. Either can work. You don't mention if you already have Sharepoint or not. If you don't, it isn't an insignificant thing to build so I'd recommend sticking with your mailbox approach which is a common solution. Obviously you need to address your issues with the permissions problems but if that's your only issue, I'd simply focus on that specific technical problem and find a solution.

I wouldn't obsess over that comment in the Microsoft doc about using resource mailboxes or Sharepoint for collaboration. A resource mailbox wouldn't be appropriate for your specific use though Sharepoint might be.

Best Answer

Related Solutions

Powershell – Can’t give ‘send-as’ permissions in Exchange 2010

Shared Mailboxes in Exchange 2010

Related Topic