Over the last year I have been using powershell more and more for managing office365. Not only are there many scripts readily available to make bulk adds/changes/removals a breeze, but there is a ton of stuff that you can only access via powershell. Since I started working with office365, Microsoft has put a lot of the necessary items in the web based control panels (such as disabling password expiration), but they frequently change it’s appearance and when you need to make one change to a few hundred accounts at once, powershell is the go to tool.
Today I had to setup public folders for a tenant that had never had public folders. This started me with a clean slate, but there a few gotchas that I had to correct through powershell.
1. Although public folders are “public” we did not want all users to be able to see them by default. Default and Anonymous permissions are invisible in the web interface, but easily reviewed and changed with powershell.
2. Microsoft busted something this year with mail-enabled public folders. You can mail enable it and it is going to reject all inbound mail, because the anonymous permissions do not allow anonymous writing to public folders.
3. maintain read status per user. This can be managed per mailbox, but to open each up is a pain, I wanted to disable for all at once and be done. I’m all about the time saving.
BASIC COMMAND
The following assumes you have created a public folder mailbox and at least one public folder, probably more if you googled and found this article!
You want to see all of your public folders? connect to powershell and run
Get-PublicFolder “\” -Recurse
I’m gonna use the above a bunch! Run alone and it will return you a list of all the public folders in the hierarchy. Pipe a command after it and that’s when the magic happens!
FIRST UP, PERMISSIONS!
If you are just starting and have only created your public folder mailbox, this is the section for you. If you have a whole hierarchy folders in place you don’t want to delete and re-create, skim this for future reference, then move on to “already have folders in place?”
Run the following to see the default permissions assigned to your public folder mailbox. These permissions propogate to any future public folders created.
Get-PublicFolderClientPermission -identity “\”
By default (at this moment, MS may change at any moment without notice) default will grant all users permission to view the folders/items, and anonymous will have no access.
If you already have a number of public folders, run the below to see all folders and client permissions
Get-PublicFolder -identity “\” -Recurse | Get-PublicFolderClientPermissions
to get this in a csv:
Get-PublicFolder -identity “\” -Recurse | Get-PublicFolderClientPermissions | Export-Csv C:\path\to\file.csv
To fix this so that by default no users have access, run the following:
Remove-PublicFolderClientPermission -identity “\” -user default
This sets the default level to none. I wouldn’t recommend adding anonymous permissions to the root, unless you plan to mail enable all public folders, if so, you can run:
Add-PublicFolderClientPermission -identity “\” -user anonymous -accessrights “CreateItems”
Oh, and by the way, none of these commands are case sensitive.
Already have folders in place? To remove the default permissions from all folders in the public folder mailbox, run the following:
Get-PublicFolder “\” -Recurse | Remove-PublicFolderClientPermission -identity “\” -user default
and to add anonymous access to all public folders for mail-enabling them (still gotta mail enable through another PS command or the console)
Get-PublicFolder “\” -Recurse | Add-PublicFolderClientPermission -identity “\” -user anonymous -accessrights “CreateItems”
The above addresses problems 1 and 2. You can then manage user permissions through the Exchange console, or using similar commands to the above, replacing the user and accessrights as required.
For item 3, If multiple people are monitoring an inbound public folder, it only makes sense to have read/unread monitored for the whole folder instead of each person. To get the current status of all folders run:
Get-PublicFolder “\” -Recurse | select Identity, PerUserReadStateEnabled
to change one folder at a time:
Set-PublicFolder -identity “\Foldername” -PerUserReadStateEnabled $false
to change one folder and it’s subfolders:
Get-PublicFolder “\FolderName” -Recurse | Set-PublicFolder -PerUserReadStateEnabled $False
to change all folders:
Get-PublicFolder “\” -Recurse | Set-PublicFolder -PerUserReadStateEnabled $False
Well, That’s all for today’s lesson. I’ll try to add more as I run into things, it’s been a bit hectic. I’ll also try to come back and clean this up and add screenshots, no promises though.
Oh, and if you need powershell basics and getting connected, there are a ton of good write ups available. May I suggest 365command.com (I would add connect-msolservice to the end of their instructions. It lets you run all of the commands without wondering which ones you can run from Azure powershell or MSOL powershell.:) )
Have a good holiday!
thegiamarie 