locked
Powershell - applying multiple permission changes on one mailbox RRS feed

  • Question

  • Hi,

    I keep encountering timing issues when using powershell with exchange.
    My current case is with the add-mailboxPermission cmdlet. If I try to make multiple permission changes to a single mailbox, only one of the changes will actually apply.

    e.g. If I run:
    Add-MailboxPermission -identity 'Mailbox11' -User 'mailbox Group11' -AccessRights FullAccess
    Add-MailboxPermission -identity 'Mailbox11' -User 'Security Team' -AccessRights FullAccess, ChangePermission

    One or the other will apply, but never both.
    If I put a sleep command between those two lines, both will work correctly. ([System.Threading.Thread]::Sleep(5000))


    I've also tried using a loop like this:
    $users = 'Mailbox Group11','Security Team' |foreach-object {Add-MailboxPermission  -Identity 'Mailbox11' -AccessRights fullaccess -user $_}

    Again, only one of the groups being added to the mailbox actually applies, the other change gets dropped.

    What is the correct way to resolve this issue? How can I make the shell wait for exchange to apply each change before moving to the next step? Using the sleep command is not satisfactory as I'm having to guess how long exchange might take - and I know from experience that the delay varies.

     

    Friday, July 15, 2011 1:22 AM

Answers

  • On Fri, 15 Jul 2011 01:22:09 +0000, Zustiur wrote:
     
    >
    >
    >Hi,
    >
    >I keep encountering timing issues when using powershell with exchange. My current case is with the add-mailboxPermission cmdlet. If I try to make multiple permission changes to a single mailbox, only one of the changes will actually apply.
    >
    >e.g. If I run: Add-MailboxPermission -identity 'Mailbox11' -User 'mailbox Group11' -AccessRights FullAccess Add-MailboxPermission -identity 'Mailbox11' -User 'Security Team' -AccessRights FullAccess, ChangePermission
    >
    >One or the other will apply, but never both. If I put a sleep command between those two lines, both will work correctly. ([System.Threading.Thread]::Sleep(5000))
    >
    >I've also tried using a loop like this: $users = 'Mailbox Group11','Security Team' |foreach-object {Add-MailboxPermission -Identity 'Mailbox11' -AccessRights fullaccess -user $_}
    >
    >Again, only one of the groups being added to the mailbox actually applies, the other change gets dropped.
    >
    >What is the correct way to resolve this issue? How can I make the shell wait for exchange to apply each change before moving to the next step? Using the sleep command is not satisfactory as I'm having to guess how long exchange might take - and I know from experience that the delay varies.
     
    If you have more than one DC in the domain use the
    "-DomainController <dc-name>" parameter on the cmdlets. If you don't
    then you have no control over which DC is going to be used. In your
    case, I'd guess that you made to changes in rapid succession to the
    same object on different DCs and the most recent change is the one
    that "stuck".
     
    This should work:
     
    Add-MailboxPermission -identity 'Mailbox11' -User 'mailbox Group11'
    -AccessRights FullAccess -DomainController DC1
     
    Add-MailboxPermission -identity 'Mailbox11' -User 'Security Team'
    -AccessRights FullAccess, ChangePermission -DomainController DC1
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    --- Rich Matheisen MCSE+I, Exchange MVP
    • Marked as answer by Zustiur Tuesday, July 19, 2011 6:10 AM
    Saturday, July 16, 2011 1:56 AM

All replies

  • Can you run this command and check it

    Add-MailboxPermission -identity 'Mailbox11' -User 'Security Team' -AccessRights FullAccess, ChangePermission -WhatIf

    There is no other parameters to be passed to commit the second access rights

    Friday, July 15, 2011 7:31 AM
  • On Fri, 15 Jul 2011 01:22:09 +0000, Zustiur wrote:
     
    >
    >
    >Hi,
    >
    >I keep encountering timing issues when using powershell with exchange. My current case is with the add-mailboxPermission cmdlet. If I try to make multiple permission changes to a single mailbox, only one of the changes will actually apply.
    >
    >e.g. If I run: Add-MailboxPermission -identity 'Mailbox11' -User 'mailbox Group11' -AccessRights FullAccess Add-MailboxPermission -identity 'Mailbox11' -User 'Security Team' -AccessRights FullAccess, ChangePermission
    >
    >One or the other will apply, but never both. If I put a sleep command between those two lines, both will work correctly. ([System.Threading.Thread]::Sleep(5000))
    >
    >I've also tried using a loop like this: $users = 'Mailbox Group11','Security Team' |foreach-object {Add-MailboxPermission -Identity 'Mailbox11' -AccessRights fullaccess -user $_}
    >
    >Again, only one of the groups being added to the mailbox actually applies, the other change gets dropped.
    >
    >What is the correct way to resolve this issue? How can I make the shell wait for exchange to apply each change before moving to the next step? Using the sleep command is not satisfactory as I'm having to guess how long exchange might take - and I know from experience that the delay varies.
     
    If you have more than one DC in the domain use the
    "-DomainController <dc-name>" parameter on the cmdlets. If you don't
    then you have no control over which DC is going to be used. In your
    case, I'd guess that you made to changes in rapid succession to the
    same object on different DCs and the most recent change is the one
    that "stuck".
     
    This should work:
     
    Add-MailboxPermission -identity 'Mailbox11' -User 'mailbox Group11'
    -AccessRights FullAccess -DomainController DC1
     
    Add-MailboxPermission -identity 'Mailbox11' -User 'Security Team'
    -AccessRights FullAccess, ChangePermission -DomainController DC1
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    --- Rich Matheisen MCSE+I, Exchange MVP
    • Marked as answer by Zustiur Tuesday, July 19, 2011 6:10 AM
    Saturday, July 16, 2011 1:56 AM
  • Hi Zustiur,

    Any updates?

    By the way, please also try to add two groups together using EMC(Manage Full Access Permission) to test.

    Monday, July 18, 2011 7:10 AM
  • The results of -WhatIf are as follows:

    What if: Adding Mailbox Permission on 'Mailbox11' for User 'mailbox Group 11' with AccessRights ''FullAccess''.

    What if: Adding Mailbox Permission on 'Mailbox11' for User 'Security Team' with AccessRights ''FullAccess', 'ChangePermission''.

    Tuesday, July 19, 2011 12:43 AM
  • Actually... Using EMC I have exactly the same problem - I can add multiple groups simultaneously and only one will actually apply.

    I note that the code supplied by EMC is the same except that it uses DN rather than display name for the identity.

    Add-MailboxPermission -Identity 'CN=Mailbox11,OU=Common Mailboxes,OU=DOJ Exchange,DC=intranet,DC=justice,DC=wa,DC=gov,DC=au' -User 'JUSTICE\mailbox Group11' -AccessRights 'FullAccess'

    I've tested this under different login credentials, and using a different work station, just to eliminate those causes.

    Tuesday, July 19, 2011 6:00 AM
  • After testing the other two suggestions, I tried this -

    Appending the -DomainController switch works perfectly. Thank you!!

    I would appreciate it if someone were to test on an entirely different network to see if EMC and powershell display this behaviour across the board, or if it's just our particular network. For reference there are 3 DCs on the same network segment as my workstation. It should also be noted that we're running Exchange 2007, not Exchange 2010.

    If I'm right in suspecting that this isn't isolated to my environment, then I intend to report it as an actual issue to Microsoft.

    Tuesday, July 19, 2011 6:10 AM