Add-MailboxFolderPermission error when trying to grant permissions to mail-enabled user

  • Question

  • Hello community,

    I'm new to Exchange and currently experiencing an issue using the Add-MailboxFolderPermission cmdlet to grant a mail user (mail-enabled user) permissions to folders (root folder, Inbox, Calendar, ...) in the mailbox of a mailbox-enabled user. I read many posts in this forum and others related to distribution groups, but this is not the issue I'm experiencing.

    In my lab (Exchange 2010 and 2013 on-premise in a resource forest) I'm executing the following command:

    Add-MailboxFolderPermission -Identity User1@z.com:\ -AccessRights 'FolderVisible' -User User2@z.com

    User1 is a mailbox-enabled user and User2 is a mail-enabled user.

    The cmdlet documentation specifies that the -User parameter can be a user mailbox, a mail user or a mail-enabled security group.
    In my testing, when -User is a user mailbox or a mail-enabled security group, the command succeeds without error and the permissions are granted as expected.
    But when -User is a mail-enabled user, the command fails systematically.

    According to the documentation of the Add-MailboxFolderPermission cmdlet (https://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/add-mailboxfolderpermission?view=exchange-ps), this action is possible, unless there is an error in the documentation or I misunderstood something (refer to the -User entry of the "Required Parameters" section).

    I'm receiving the following errors, depending on the syntax I use to specify the mail-enabled user (User2, the mail user):

    When User2 is specified as an email address:
    [DBG]: PS C:\Test>> Add-MailboxFolderPermission -Identity User1@z.com:\ -AccessRights 'FolderVisible' -User User2@z.com
    The user "User2@z.com" is either not valid SMTP address, or there is no matching information.
        + CategoryInfo          : NotSpecified: (:) [Add-MailboxFolderPermission], InvalidExternalUserIdException
        + FullyQualifiedErrorId : [Server=EXCSRV02,RequestId=82ef9282-d279-4d64-ac44-21ccb58d96cd,TimeStamp=05/07/2018 12:21:14] [FailureCategory=Cmdlet-InvalidExternalUserIdException] 1C24F1F8,Microsoft.Exchange.Management.St 
        + PSComputerName        : excsrv02.z.local

    When User2 is specified as a Name, DisplayName, Alias, DistinguishedName or GUID:

    [DBG]: PS C:\Test>> Add-MailboxFolderPermission -Identity User1Firstname.User1Lastname@z.com:\  -AccessRights 'FolderVisible' -User "User2Firstname User2Lastname "
    The user "User2Firstname User2Lastname " was found in Active Directory but isn't valid to use for permissions. Try an SMTP address instead.
        + CategoryInfo          : NotSpecified: (:) [Add-MailboxFolderPermission], InvalidInternalUserIdException
        + FullyQualifiedErrorId : [Server=EXCSRV02,RequestId=f021cd0c-28af-42f7-a1ca-41714e03a81e,TimeStamp=05/07/2018 12:22:25] [FailureCategory=Cmdlet-InvalidInternalUserIdException] 831D5E66,Microsoft.Exchange.Management.St 
        + PSComputerName        : excsrv02.z.local

    Doing the same action in Outlook 2013 on User1's mailbox generates the following error:
    One or more users cannot be added to the folder access list. Non-local users cannot be given rights on this server

    So I'm wondering whether I have done something wrong, or whether the cmdlet documentation has an error and a mail-enabled user cannot be granted permissions on folders in the mailbox of a mailbox-enabled user.

    I would appreciate any help that can enlighten my understanding and help me resolve this issue.


    • Edited by MarcusFPOne Wednesday, July 11, 2018 1:39 PM
    Wednesday, July 11, 2018 1:35 PM
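The reproduction matrix the post describes (several folders, the same user written as SMTP address, display name, alias or DN), as an added example that is not part of the original post or of Microsoft's documentation. It assumes an Exchange Management Shell session against the poster's lab; the mailbox identity, folder names and the identifier forms for User2 are placeholders taken from the post, and the `Test-FolderPermissionGrant` function name is my own. Each attempt records the `FailureCategory` that Exchange puts into `FullyQualifiedErrorId` (the `Cmdlet-InvalidExternalUserIdException` / `Cmdlet-InvalidInternalUserIdException` values visible in the errors above), and any grant that does succeed is removed again so the lab is left as it was found.

```powershell
# Added example (not from the post): try the grant for every combination of
# folder and -User identifier form, classify the result, and roll back any
# permission that was actually added.
# Assumes an Exchange Management Shell session; identities are placeholders.

function Test-FolderPermissionGrant {
    param(
        [Parameter(Mandatory)] [string]   $Mailbox,      # e.g. 'User1@z.com'
        [Parameter(Mandatory)] [string[]] $UserForms,    # the same user written several ways
        [string[]] $Folders = @('\', '\Inbox', '\Calendar'),  # display names, English mailbox assumed
        [string]   $AccessRights = 'FolderVisible'
    )

    foreach ($form in $UserForms) {
        # Show how Exchange classifies the target before trying to use it
        # (a mail-enabled user shows RecipientTypeDetails = MailUser).
        $recipient   = Get-Recipient -Identity $form -ErrorAction SilentlyContinue
        $typeDetails = if ($recipient) { $recipient.RecipientTypeDetails } else { 'not resolved' }

        foreach ($folder in $Folders) {
            # MailboxFolderIdParameter syntax is "<mailbox>:<folder path>", e.g. 'User1@z.com:\Inbox'.
            $folderId = "${Mailbox}:$folder"
            $result = [ordered]@{
                UserForm        = $form
                RecipientType   = $typeDetails
                Folder          = $folderId
                Outcome         = ''
                FailureCategory = ''
            }
            try {
                Add-MailboxFolderPermission -Identity $folderId -User $form `
                    -AccessRights $AccessRights -ErrorAction Stop | Out-Null
                $result.Outcome = 'Granted'
                # Roll back so repeated runs start from the same state.
                Remove-MailboxFolderPermission -Identity $folderId -User $form `
                    -Confirm:$false -ErrorAction SilentlyContinue
            }
            catch {
                # Over Exchange remoting the exception itself is a generic RemoteException;
                # the useful classification is the FailureCategory embedded in
                # FullyQualifiedErrorId, e.g. "[FailureCategory=Cmdlet-InvalidExternalUserIdException]".
                $result.Outcome = 'Failed'
                if ($_.FullyQualifiedErrorId -match 'FailureCategory=Cmdlet-(\w+)') {
                    $result.FailureCategory = $Matches[1]
                } else {
                    $result.FailureCategory = $_.Exception.GetType().Name
                }
            }
            [pscustomobject]$result
        }
    }
}

# User2 as SMTP address, display name, alias and distinguished name (placeholder values).
$forms = @(
    'User2@z.com',
    'User2Firstname User2Lastname',
    'User2',
    'CN=User2Firstname User2Lastname,OU=Users,DC=z,DC=local'
)
Test-FolderPermissionGrant -Mailbox 'User1@z.com' -UserForms $forms |
    Format-Table UserForm, RecipientType, Folder, Outcome, FailureCategory -AutoSize
```

Run it once with a user mailbox in `$forms` as a control: the post reports that case succeeds, so every row for it should read `Granted`, which confirms the harness itself (folder paths, rights, rollback) is sound before reading anything into the `Failed` rows for the mail user. Folder names in `-Identity` are the display names in the mailbox's language, so `\Inbox` and `\Calendar` only match an English-language mailbox.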

All replies

  • Hello, 

    Not sure if this helps but...

    1. I make all of my domain lab setups with .local instead of .com or .net, since these could be valid entities on the Internet with MX records etc.

    2. If your environment has access to external DNS, this could be your issue.

    Tuesday, January 8, 2019 8:09 PM
    If you try "Get-MailUser -Identity user2@z.com", do you find the correct user?

    Any possibility that the user is a member of some other AD domain in your forest? If so, try adding "-IgnoreDefaultScope".

    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    Tuesday, January 8, 2019 8:30 PM
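The two checks in the reply above (does `Get-MailUser` resolve the target, and does it live in a different AD domain of the forest), as an added example that is not part of the thread. It assumes an Exchange Management Shell session; the identities are placeholders and the `Resolve-FolderPermissionTarget` function name is my own. When the mail user is not found in the default recipient scope, the script widens the scope for the current session with `Set-AdServerSettings -ViewEntireForest $true` and looks again, then compares the domain part of the two objects' distinguished names before retrying the grant.

```powershell
# Added example (not from the thread): resolve the -User target as a mail user,
# widen the recipient scope to the whole forest if the default scope misses it,
# and report whether the mailbox and the mail user sit in the same AD domain.
# Assumes an Exchange Management Shell session; identities are placeholders.

function Resolve-FolderPermissionTarget {
    param(
        [Parameter(Mandatory)] [string] $MailboxIdentity,   # e.g. 'User1@z.com'
        [Parameter(Mandatory)] [string] $UserIdentity       # e.g. 'User2@z.com'
    )

    $mailbox = Get-Mailbox -Identity $MailboxIdentity -ErrorAction Stop

    # First look in the default (current domain) recipient scope.
    $mailUser = Get-MailUser -Identity $UserIdentity -ErrorAction SilentlyContinue
    $widened  = $false

    if (-not $mailUser) {
        # Not in the default scope: widen to the entire forest (this session only) and retry.
        Set-AdServerSettings -ViewEntireForest $true
        $widened  = $true
        $mailUser = Get-MailUser -Identity $UserIdentity -ErrorAction SilentlyContinue
    }

    if (-not $mailUser) {
        throw "No mail user matches '$UserIdentity' in the default scope or in the entire forest."
    }

    # Domain part of each DN: everything from the first DC= component onwards.
    $mailboxDomain  = $mailbox.DistinguishedName  -replace '^.*?(?=DC=)', ''
    $mailUserDomain = $mailUser.DistinguishedName -replace '^.*?(?=DC=)', ''

    [pscustomobject]@{
        MailUser             = $mailUser.PrimarySmtpAddress.ToString()
        RecipientTypeDetails = $mailUser.RecipientTypeDetails
        ExternalEmailAddress = $mailUser.ExternalEmailAddress
        MailUserDN           = $mailUser.DistinguishedName
        MailboxDomain        = $mailboxDomain
        MailUserDomain       = $mailUserDomain
        SameDomain           = ($mailboxDomain -eq $mailUserDomain)
        ScopeWidened         = $widened
    }
}

$target = Resolve-FolderPermissionTarget -MailboxIdentity 'User1@z.com' -UserIdentity 'User2@z.com'
$target | Format-List

# Retry the grant only once the target resolves; the error text (if any) still
# says whether Exchange treated the target as an internal or an external user.
try {
    Add-MailboxFolderPermission -Identity 'User1@z.com:\' -User $target.MailUser `
        -AccessRights 'FolderVisible' -ErrorAction Stop
}
catch {
    Write-Warning "Grant still fails for $($target.MailUser): $($_.Exception.Message)"
}
```

If `SameDomain` comes back `$false` and `ScopeWidened` is `$true`, the reply's second suggestion applies: the object was only visible once the scope covered the other domain. `-IgnoreDefaultScope` on `Get-MailUser` is the per-call alternative to `Set-AdServerSettings`, but with that switch the identity must be given as a distinguished name, which is why the script widens the session scope instead and reports `MailUserDN` for use with it.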