For the most part, navigating the Exchange Management Console has been very intuitive. The location of the Send Connectors, the Receive Connectors, the Mailboxes; they all make sense and are (within reason) easy to find. One seriously lacking administration feature is permissions. There is no built-in permissions-editing tool in the EMC.

Here I’ll show you a few things I found.

1) A tool which, in concept, is useful, but in practice, is dreadful.

2) A script that I made, which sets default permissions for calendars in all mailboxes.

3) A problem I found with sharing permissions in Outlook 2007.

ExFolders tool

I eventually discovered ExFolders, which is a “custom” tool developed by Microsoft specifically for editing permissions of mailboxes within an Exchange forest. Unfortunately it is quirky and very poorly documented. The user-interface isn’t very nice and I have never been able to figure out how to select multiple mailboxes (even though it is supposed to support multi-mailbox selection; that either says something about me, or about the intuitive-ness off the tool’s UI, or both. The entire purpose for me modifying mailbox permissions was to change the default calendar permissions so that everyone in the organization could see each other’s calendars.

One thing that caught my eye was that there is a specific option for “Set Calendar Permissions”, while there is a different option for editing permissions in general. What’s the difference, I ask? There appears to be some work-flow involved in the “Set Calendar Permissions” option, where in one dialog I add permissions (and change? not sure), while in the other I remove permissions (not sure what happens if you add and remove a permission in the same workflow, either).

That aside, when using the “Set Calendar Permissions” option, it seemed to apply the calendar permissions to all folders within the mailbox. I can’t imagine how you would want these permissions to apply on all of the folders. I figured it would have automatically choosen the folders that were explicitly calendar-related.

Scripting instead

Eventually, I reverted back to the ways of PowerShell rather than using the clunky ExFolders tool. I was able to come up with the following script that achieved what I wanted (default permissions for everyone so that they can see each others’ calendars). Here is the script:

$users = Get-mailbox
$users | ForEach-Object {
Set-MailboxFolderPermission $_":\Calendar" -User Default -AccessRights AvailabilityOnly
Remove-MailboxFolderPermission $_":\Calendar" -User "MYDOMAIN\MYGROUP" -Confirm:$False
Add-MailboxFolderPermission $_":\Calendar" -User "MYDOMAIN\MYGROUP" -AccessRights Reviewer
}

The script sets the access rights of default users to AvailabilityOnly, and to the Reviewer group to the “MYGROUP” custom security group.

Calendar Permissions

Outlook 2007 can’t view shared calendars when they are not given the Reviewer privilege. As soon as I ran my “defaults” script, everyone was able to see each others calendars, and the time, subject, location AND details. Immediately I heard back saying they didn’t want to be able to see details. So, when I switched the permission to AvailabilityOnly it stopped working.

I have yet to find a solution to this problem. I have found others experiencing this problem as well: http://social.technet.microsoft.com/Forums/en-US/exchangesvrgeneral/thread/981b5faa-0d86-4a7d-9e48-25ef7acb504d. However, remember that I don’t experience this behavior when testing it in Outlook 2010. I run Outlook 2010 and most everyone else uses Outlook 2007 still. So naturally, people are saying they can’t see calendars while I can. Makes it very difficult to trouble-shoot.