Granting access to shared calendar

  • Question

  • Greetings,

    We created a shared mailbox in ECP 2013 to facilitate a shared folder for a group.

    We wanted to grant access via AD groups so that we don't have to do this per person.

    We used Exchange Powershell to grant an AD group read rights to the mailbox (which said it was successful).

    Then we attempted using the Add-MailboxFolderPermission command to give a smaller group the ability to edit everything.

    The Add-MailboxFolderPermission command seems to only work with e-mail addresses as the person/group you're giving access to.  Is there a way to use an AD group to do this with?


    Alert from Microsoft Forum

    Friday, September 21, 2018 6:10 PM

All replies

  • Is the AD group a mail-enabled universal security group?

    The -User parameter supports specification of a group.

    https://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/add-mailboxfolderpermission?view=exchange-ps


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!


    Saturday, September 22, 2018 4:40 AM
    Moderator
  • I tried that. 

    Add-MailboxFolderPermission -Identity EmailOfMailbox:\Calendar -User EmailOfDistributionGroup -AccessRights EditAllItems

    Running the above gets me this error message:

    The user EmailOfDistributionGroup is either not valid SMTP address, or there is no matching information.

    I've verified the e-mail address, as well as copied and pasted the address from ECP into the script being executed and that gets me the same error message.

    Using AD groups with Add-MailboxPermission works fine.

    Using e-mail addresses with Add-MailboxFolderPermission is not working.

    We need to be able to assign permissions via groups, as there are simply too many users to manually add via Outlook or some other fashion.

     


    Alert from Microsoft Forum

    Wednesday, September 26, 2018 2:47 AM
  • For clarity, we deleted the original group that was made in AD, and created a new one (with a slightly different name) in ECP.  We verified the e-mail address and attempted to use it in the script, but received the error I mentioned in the previous comment.

    Any help would be greatly appreciated as this issue is hindering business productivity not being able to make and share team calendars.

    The mailbox holding the calendar was also created in ECP under Shared resources.

    Using the Add-MailboxPermission and an AD group, all staff can access and see the calendar, but can't add or edit it.

    I reran the Add-MailboxPermission script changing the AccessRights from ReadPermission to ChangePermission.

    No one can edit in the Calendar though.


    Alert from Microsoft Forum

    Wednesday, September 26, 2018 3:11 AM
  • Enter this and post the result.

    Get-DistributionGroup -Identity EmailOfDistributionGroup | FL

    And post the full unadulterated command and e-mail address.  When you obfuscate what you're doing, you make us have to guess at a solution.


    Ed Crowley MVP


    Wednesday, September 26, 2018 5:48 AM
    Moderator
  • The info is below, and I of course appreciate any help.

    As for the obfuscation, security is always an issue when passing info out.

    ===============================================

    [PS] C:\Windows\system32>Get-DistributionGroup -Identity _ARCTeamCalendarEditorsGPUAARC@arcenter.org | FL

    RunspaceId                             : e42b6eaf-1d5f-4374-88ba-596d426d9c85
    GroupType                              : Universal
    SamAccountName                         : _ARC Team Calendar Editors (Achieving Reunification Center)
    BypassNestedModerationEnabled          : False
    ManagedBy                              : {}
    MemberJoinRestriction                  : Closed
    MemberDepartRestriction                : Closed
    ExpansionServer                        :
    ReportToManagerEnabled                 : False
    ReportToOriginatorEnabled              : True
    SendOofMessageToOriginatorEnabled      : False
    AcceptMessagesOnlyFrom                 : {}
    AcceptMessagesOnlyFromDLMembers        : {}
    AcceptMessagesOnlyFromSendersOrMembers : {}
    AddressListMembership                  : {\GPUAARC_GAL, \GPUAARC_GAL, \Groups(VLV), \All Groups(VLV), \All
                                             Recipients(VLV), \All Distribution Lists, \Default Global Address List}
    Alias                                  : _ARCTeamCalendarEditorsGPUAARC
    ArbitrationMailbox                     : core.thii/Users/SystemMailbox{1f05a927-a6ba-4d69-966f-7a83af8eb527}
    BypassModerationFromSendersOrMembers   : {}
    OrganizationalUnit                     : core.thii/Clients/GPUAARC/Groups
    CustomAttribute1                       :
    CustomAttribute10                      :
    CustomAttribute11                      :
    CustomAttribute12                      :
    CustomAttribute13                      :
    CustomAttribute14                      :
    CustomAttribute15                      :
    CustomAttribute2                       :
    CustomAttribute3                       :
    CustomAttribute4                       :
    CustomAttribute5                       :
    CustomAttribute6                       :
    CustomAttribute7                       :
    CustomAttribute8                       :
    CustomAttribute9                       :
    ExtensionCustomAttribute1              : {}
    ExtensionCustomAttribute2              : {}
    ExtensionCustomAttribute3              : {}
    ExtensionCustomAttribute4              : {}
    ExtensionCustomAttribute5              : {}
    DisplayName                            : _ARC Team Calendar Editors (Achieving Reunification Center)
    EmailAddresses                         : {smtp:_ARCTeamCalendarEditorsGPUAARC@core.thii,
                                             SMTP:_ARCTeamCalendarEditorsGPUAARC@arcenter.org}
    GrantSendOnBehalfTo                    : {}
    ExternalDirectoryObjectId              :
    HiddenFromAddressListsEnabled          : False
    LastExchangeChangedTime                :
    LegacyExchangeDN                       : /o=THII/ou=Exchange Administrative Group
                                             (FYDIBOHF23SPDLT)/cn=Recipients/cn=7f129daf6e65487dbbfd9773d905408a-_ARC Team
                                             Calendar
    MaxSendSize                            : Unlimited
    MaxReceiveSize                         : Unlimited
    ModeratedBy                            : {}
    ModerationEnabled                      : False
    PoliciesIncluded                       : {c2071e38-064f-4d8d-b05f-1daa0b199ffc, {26491cfc-9e50-4857-861b-0cb8df22b5d7}}
    PoliciesExcluded                       : {}
    EmailAddressPolicyEnabled              : True
    PrimarySmtpAddress                     : _ARCTeamCalendarEditorsGPUAARC@arcenter.org
    RecipientType                          : MailUniversalDistributionGroup
    RecipientTypeDetails                   : MailUniversalDistributionGroup
    RejectMessagesFrom                     : {}
    RejectMessagesFromDLMembers            : {}
    RejectMessagesFromSendersOrMembers     : {}
    RequireSenderAuthenticationEnabled     : True
    SimpleDisplayName                      :
    SendModerationNotifications            : Always
    UMDtmfMap                              : {emailAddress:27283262253632733486774782272,
                                             lastNameFirstName:27283262253632733486772244384647386434228466236837,
                                             firstNameLastName:27283262253632733486772244384647386434228466236837}
    WindowsEmailAddress                    : _ARCTeamCalendarEditorsGPUAARC@arcenter.org
    MailTip                                :
    MailTipTranslations                    : {}
    Identity                               : core.thii/Clients/GPUAARC/Groups/_ARC Team Calendar Editors (Achieving
                                             Reunification Center)
    IsValid                                : True
    ExchangeVersion                        : 0.10 (14.0.100.0)
    Name                                   : _ARC Team Calendar Editors (Achieving Reunification Center)
    DistinguishedName                      : CN=_ARC Team Calendar Editors (Achieving Reunification
                                             Center),OU=Groups,OU=GPUAARC,OU=Clients,DC=core,DC=thii
    Guid                                   : 9b904f4f-f6ba-4716-870b-cedb2b356c7c
    ObjectCategory                         : core.thii/Configuration/Schema/Group
    ObjectClass                            : {top, group}
    WhenChanged                            : 9/25/2018 11:28:51 PM
    WhenCreated                            : 9/25/2018 10:32:05 PM
    WhenChangedUTC                         : 9/26/2018 3:28:51 AM
    WhenCreatedUTC                         : 9/26/2018 2:32:05 AM
    OrganizationId                         :
    Id                                     : core.thii/Clients/GPUAARC/Groups/_ARC Team Calendar Editors (Achieving
                                             Reunification Center)
    OriginatingServer                      : thes.core.thii
    ObjectState                            : Changed
    [PS] C:\Windows\system32>


    Alert from Microsoft Forum

    Wednesday, September 26, 2018 12:52 PM
  • Okay, post the full unadulterated command you're entering, please.

    Ed Crowley MVP

    Thursday, September 27, 2018 2:47 AM
    Moderator
  • Exactly as shown from Exchange PowerShell:

    [PS] C:\Windows\system32>Add-MailboxFolderPermission -Identity ARCTeamCalendar@arcenter.org:\Calendar -User _ARCTeamCalendarEditorsGPUAARC@arcenter.org -AccessRights EditAllItems

    The user "_ARCTeamCalendarEditorsGPUAARC@arcenter.org" is either not valid SMTP address, or there is no matching
    information.
        + CategoryInfo          : NotSpecified: (:) [Add-MailboxFolderPermission], InvalidExternalUserIdException
        + FullyQualifiedErrorId : [Server=THES,RequestId=d25a78e0-be75-4085-a61e-b86abeeadf22,TimeStamp=9/27/2018 4:57:38
       AM] [FailureCategory=Cmdlet-InvalidExternalUserIdException] 331DA08,Microsoft.Exchange.Management.StoreTasks.AddMa
      ilboxFolderPermission
        + PSComputerName        : thes.core.thii


    Alert from Microsoft Forum

    Thursday, September 27, 2018 4:59 AM
  • Did you try this?

    Add-MailboxFolderPermission -Identity ARCTeamCalendar@arcenter.org:\Calendar -User "_ARC Team Calendar Editors (Achieving Reunification Center)" -AccessRights EditAllItems




    Ed Crowley MVP




    Sunday, September 30, 2018 2:50 AM
    Moderator
  • [PS] C:\Windows\system32>Add-MailboxFolderPermission -Identity ARCTeamCalendar@arcenter.org:\Calendar -User "_ARC Team C
    alendar Editors (Achieving Reunification Center)"

    **produces a prompt for AccessRights (which I can't find info on)**

    cmdlet Add-MailboxFolderPermission at command pipeline position 1
    Supply values for the following parameters:
    AccessRights[0]:

    **So I pressed Enter and it says**

    Cannot bind argument to parameter 'AccessRights' because it is an empty array.

        + CategoryInfo          : InvalidData: (:) [Add-MailboxFolderPermission], ParameterBindingValidationException
        + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyArrayNotAllowed,Add-MailboxFolderPermission
        + PSComputerName        : thes.core.thii

    ** so I retry the argument with the -AccessRights option

    [PS] C:\Windows\system32>Add-MailboxFolderPermission -Identity ARCTeamCalendar@arcenter.org:\Calendar -User "_ARC Team Calendar Editors (Achieving Reunification Center)"  -AccessRights EditAllItems

    ** which gives me the below error message

    The user "_ARC Team Calendar Editors (Achieving Reunification Center)" was found in Active Directory but isn't valid
    to use for permissions. Try an SMTP address instead.
        + CategoryInfo          : NotSpecified: (:) [Add-MailboxFolderPermission], InvalidInternalUserIdException
        + FullyQualifiedErrorId : [Server=THES,RequestId=7858c352-6105-4a62-8760-9bb535485a84,TimeStamp=9/30/2018 11:37:33
        PM] [FailureCategory=Cmdlet-InvalidInternalUserIdException] 4B06927F,Microsoft.Exchange.Management.StoreTasks.Add
      MailboxFolderPermission
        + PSComputerName        : thes.core.thii

    [PS] C:\Windows\system32>


    Alert from Microsoft Forum

    Sunday, September 30, 2018 11:43 PM
  • Sorry, I left out the access rights.  I've corrected the command above, please try again.

    Ed Crowley MVP

    Monday, October 1, 2018 5:37 AM
    Moderator
  • It doesn't work with that option.

    [PS] C:\Windows\system32>Add-MailboxFolderPermission -Identity ARCTeamCalendar@arcenter.org:\Calendar -User "_ARC Team Calendar Editors (Achieving Reunification Center)" -AccessRights EditAllItems

    The user "_ARC Team Calendar Editors (Achieving Reunification Center)" was found in Active Directory but isn't valid to use for permissions. Try an SMTP address instead.
        + CategoryInfo          : NotSpecified: (:) [Add-MailboxFolderPermission], InvalidInternalUserIdException
        + FullyQualifiedErrorId : [Server=THES,RequestId=aad49a4e-7523-4c3e-857e-960e4c995a88,TimeStamp=10/1/2018 10:40:52
        AM] [FailureCategory=Cmdlet-InvalidInternalUserIdException] 4B06927F,Microsoft.Exchange.Management.StoreTasks.Add
      MailboxFolderPermission
        + PSComputerName        : thes.core.thii

    ** just to make sure, I simply removed the last option in the argument and it then asks for AccessRights as it did before

    [PS] C:\Windows\system32>Add-MailboxFolderPermission -Identity ARCTeamCalendar@arcenter.org:\Calendar -User "_ARC Team C

    alendar Editors (Achieving Reunification Center)"

    cmdlet Add-MailboxFolderPermission at command pipeline position 1
    Supply values for the following parameters:
    AccessRights[0]:
    Cannot bind argument to parameter 'AccessRights' because it is an empty array.
        + CategoryInfo          : InvalidData: (:) [Add-MailboxFolderPermission], ParameterBindingValidationException
        + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyArrayNotAllowed,Add-MailboxFolderPermission
        + PSComputerName        : thes.core.thii


    Alert from Microsoft Forum

    Monday, October 1, 2018 10:43 AM
  • Perhaps you might try recreating the group.

    Ed Crowley MVP

    Tuesday, October 2, 2018 5:16 AM
    Moderator
  • When using... 

    Add-MailboxPermission

    ...on the option...

    -AccessRights Fullaccess

    what is the -AccessRights option (other than Fullaccess) that would give someone rights to add, but only edit/delete their own items in a mailbox?


    Alert from Microsoft Forum

    Tuesday, October 2, 2018 12:21 PM
  • There really isn't any other useful option as far as I know.

    Ed Crowley MVP

    Wednesday, October 3, 2018 1:27 AM
    Moderator
  • I'm finding other blogs and threads with admins having similar issues with these two cmdlets.

    Are we going about it with the right methodology?

    1. Need all staff to be able to put items in the team calendar with ONLY the ability to edit and delete their own.  They can read all items in the calendar.

    2. Need small group with the ability to have all rights in the calendar.


    Alert from Microsoft Forum

    Wednesday, October 3, 2018 2:00 AM
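
Added example, not part of the original thread: the Get-DistributionGroup output above reports RecipientTypeDetails as MailUniversalDistributionGroup, while the documentation linked in the first reply describes -User as taking a mailbox, mail user, or mail-enabled security group. The sketch below checks the group type before granting, then maps the two requirements to the Author and Editor folder roles. It assumes the group type is the cause (the thread never confirms it); the group names are hypothetical and Editor is one choice for the smaller group.

```powershell
# Added example: run in the Exchange Management Shell. Group names are hypothetical.
$Folder = 'ARCTeamCalendar@arcenter.org:\Calendar'   # shared mailbox from the thread

function Grant-CalendarRole {
    param(
        [Parameter(Mandatory)] [string] $Folder,
        [Parameter(Mandatory)] [string] $Group,
        [Parameter(Mandatory)] [ValidateSet('Reviewer', 'Author', 'Editor')] [string] $Role
    )

    # Folder permissions are granted to security principals, so refuse anything
    # that is not a mail-enabled security group (e.g. MailUniversalDistributionGroup).
    $recipient = Get-Recipient -Identity $Group -ErrorAction Stop
    if ("$($recipient.RecipientTypeDetails)" -ne 'MailUniversalSecurityGroup') {
        throw "'$Group' is $($recipient.RecipientTypeDetails), not a mail-enabled security group."
    }
    $smtp = "$($recipient.PrimarySmtpAddress)"

    # Update an existing entry instead of failing on a duplicate Add.
    $existing = Get-MailboxFolderPermission -Identity $Folder -User $smtp -ErrorAction SilentlyContinue
    if ($existing) {
        Set-MailboxFolderPermission -Identity $Folder -User $smtp -AccessRights $Role
    } else {
        Add-MailboxFolderPermission -Identity $Folder -User $smtp -AccessRights $Role
    }
}

# Create both groups as security groups (-Type Security); maintain membership
# afterwards with Add-DistributionGroupMember / Remove-DistributionGroupMember.
New-DistributionGroup -Name 'ARC-Calendar-Authors' -Type Security | Out-Null
New-DistributionGroup -Name 'ARC-Calendar-Editors' -Type Security | Out-Null

# Requirement 1. Author: create and read items, edit and delete only own items.
Grant-CalendarRole -Folder $Folder -Group 'ARC-Calendar-Authors' -Role Author

# Requirement 2. Editor: create, read, edit and delete all items, without the
# right to change the folder's permissions.
Grant-CalendarRole -Folder $Folder -Group 'ARC-Calendar-Editors' -Role Editor

# Review the resulting folder ACL so unexpected entries are visible.
Get-MailboxFolderPermission -Identity $Folder | Format-Table User, AccessRights -AutoSize
```
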
  • Configure it in Outlook in the folder properties.

    Ed Crowley MVP

    Wednesday, October 3, 2018 2:09 AM
    Moderator
  • We were trying to get around that since you can't assign permissions to groups in Outlook.

    Having to do THE ENTIRE staff in the list INDIVIDUALLY is an administrative nightmare we're trying to avoid.

    Being able to simply add users to the appropriate groups that we would have to do anyway is much more efficient.


    Alert from Microsoft Forum

    Wednesday, October 3, 2018 2:11 AM
  • I can.  In fact I've been able to do it all the way back to Exchange 4.0, before there was Outlook, so I don't know what's wrong on your end.

    Ed Crowley MVP

    Wednesday, October 3, 2018 2:18 AM
    Moderator