Get-MapiPermission

Description

This cmdlet retrieves the list of permissions on a folder.

Syntax
Note: Parameters in orange are optional.
Get-MapiPermission -Folder MapiObject

Parameters

Folder: A Mapi.NET.Folder object for which the list of permissions is retrieved.

Remarks

This cmdlet is used to retrieve the list of MAPI permissions that exist on the specified folder.

Note that not all message stores support folder permissions.  For example, PST files do not support permissions.

Permissions on folders are stored as a table of properties where each row identifies a recipient from an address book, the permissions (as a numeric bitmask), and a few other properties.  The permissions table does not store all the properties of a user or group.  In order to get details for a permission entry, the EntryID of the permission should be passed to the related address book in order to retrieve properties from there.

Permissions on a folder are static once assigned: if the mailbox, user, or group is deleted, the permission entry remains on the folder in an "orphaned" state.  In such cases, the permission's EntryID may only contain a value of NT USER:Domain\Username or NT USER:<sid of the original user or group>.  It is possible to get this text from the EntryID in order to evaluate or to take action upon the value.  However, it is not possible to set a new permission in this style.

Permissions on Exchange mailbox and public folders are ultimately controlled by the PR_NT_SECURITY_DESCRIPTOR property on each folder.  This property holds a traditional Windows Security Descriptor structure and has the SIDs (Security Identifiers) of the actual Active Directory users or groups that have permission.  As such, if a user's account were to be deleted and recreated, the permission on the folder would be orphaned even though the user's mailbox may be the same.

Additionally, Exchange message stores support a 'Default' and 'Anonymous' permission.  These special permissions do not have an associated EntryID, but are identified instead by their special index number in the underlying MAPI permission table.

PowerMapi makes it easy to identify and manipulate these 2 permissions.  This cmdlet, Get-MapiPermission, identifies these permissions in its output, where they carry the US English names 'Default' and 'Anonymous'.  The Set-MapiPermission cmdlet has specific parameters to operate on these special permissions.

Note also that since permissions are stored on the folder, moving or copying the folder will also preserve the permissions table on the folder.
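
The orphaned-entry and Default/Anonymous remarks above suggest a simple folder audit; the following is an added example, not PowerMapi's own code, that classifies permission rows and expands the numeric bitmask. The input rows are constructed sample data, the property names MemberText and Rights and both function names are assumptions rather than documented Get-MapiPermission output, and the bit values are the standard MAPI folder rights, which this page does not list.

```powershell
# Standard MAPI folder rights (frights* constants); not taken from this page.
$MapiRights = [ordered]@{
    ReadAny = 0x001; Create = 0x002; EditOwned = 0x008; DeleteOwned = 0x010
    EditAny = 0x020; DeleteAny = 0x040; CreateSubfolder = 0x080
    Owner = 0x100; Contact = 0x200; Visible = 0x400
}

function ConvertTo-RightNames([int]$Mask) {
    # Expand the numeric bitmask into the names of the rights that are set.
    $names = foreach ($r in $MapiRights.GetEnumerator()) {
        if ($Mask -band $r.Value) { $r.Key }
    }
    if ($names) { $names -join ',' } else { 'None' }
}

function Get-PermissionFinding {
    # Hypothetical helper: expects objects with MemberText and Rights (assumed names).
    param([Parameter(ValueFromPipeline)] $Entry)
    process {
        $kind = 'Resolved'; $principal = $Entry.MemberText
        if ($Entry.MemberText -match '^NT USER:(?<id>.+)$') {
            # Orphaned entry: the text is either a SID or Domain\Username.
            $principal = $Matches['id']
            $kind = if ($principal -match '^S-1-\d+(-\d+)+$') { 'OrphanedSid' } else { 'OrphanedAccount' }
        }
        elseif ($Entry.MemberText -in 'Default', 'Anonymous') {
            $kind = 'Special'
        }
        [pscustomobject]@{
            Kind      = $kind
            Principal = $principal
            Rights    = ConvertTo-RightNames $Entry.Rights
            # Review orphans, and special entries that grant any right at all.
            Review    = ($kind -like 'Orphaned*') -or ($kind -eq 'Special' -and $Entry.Rights -ne 0)
        }
    }
}

# Constructed sample rows (not real data).
$rows = @(
    [pscustomobject]@{ MemberText = 'Default';              Rights = 0x400 }
    [pscustomobject]@{ MemberText = 'Anonymous';            Rights = 0 }
    [pscustomobject]@{ MemberText = 'Alice Example';        Rights = 0x7FB }
    [pscustomobject]@{ MemberText = 'NT USER:CONTOSO\jdoe'; Rights = 0x001 -bor 0x400 }
    [pscustomobject]@{ MemberText = 'NT USER:S-1-5-21-1111-2222-3333-1105'; Rights = 0x100 }
)
$rows | Get-PermissionFinding | Format-Table -AutoSize
```

Because an orphaned entry cannot be re-created in the NT USER: style, record its rights before removing it.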