
Grant Full Access over the mailboxes of a user's subordinates

Updated on: Jan 18, 2026, Views: 2937

Exchange

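The script grants the user Full Access permissions over the mailboxes of their subordinates. It follows the reporting chain recursively, so indirect reports are included as well as direct ones. The permission is only appended: the script does not remove it when a subordinate later moves to another manager. To execute the script, create a business rule, custom command or scheduled task configured for the User object type.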

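function GetAllSubordinates($directReportDN, $subordinateDNs, $mailboxParams)
{
    # Applies $mailboxParams (the prepared Full Access grant) to the mailbox of the
    # object identified by $directReportDN, then recurses into that object's own
    # direct reports.
    #
    #   $directReportDN  - distinguished name of the subordinate to process.
    #   $subordinateDNs  - set of DNs already visited; updated in place. It stops
    #                      the recursion when the reporting chain loops back on itself.
    #   $mailboxParams   - mailbox parameters passed unchanged to SetMailParameters.
    #
    # Full Access is a broad delegation and this function only ever adds it, so
    # every failure is written to the execution log instead of aborting the walk
    # half-way: the operator can then see which mailboxes were not changed.

    # HashSet.Add returns $false when the DN is already present, which covers both
    # the "seen before" check and the registration of a new DN.
    if (-not $subordinateDNs.Add($directReportDN))
    {
        return
    }

    # Bind to subordinate. A DN that cannot be bound must not stop the remaining
    # branches of the tree from being processed.
    try
    {
        $user = $Context.BindToObjectByDN($directReportDN)
    }
    catch
    {
        $Context.LogMessage("Cannot bind to '$directReportDN'; its mailbox and its subordinates were skipped. " + $_.Exception.Message, "Warning")
        return
    }

    # Only mailbox-enabled recipients have mailbox rights to modify.
    if ($user.RecipientType -ieq "ADM_EXCHANGERECIPIENTTYPE_MAILBOXENABLED")
    {
        try
        {
            # Grant 'Full Access' permission to the target user.
            $user.SetMailParameters($mailboxParams, "ADM_SET_EXCHANGE_PARAMS_FLAGS_NONE")
        }
        catch
        {
            # Keep descending: the subordinates of this user are independent mailboxes.
            $Context.LogMessage("Full Access was not granted over the mailbox of '$directReportDN'. " + $_.Exception.Message, "Warning")
        }
    }

    # Get subordinates of the current subordinate.
    # NOTE(review): any GetEx failure is treated as "no direct reports", as in the
    # original script - presumably GetEx throws when the attribute is empty; confirm
    # that other errors (for example access denied) should be ignored here as well.
    try
    {
        $nestedReportDNs = $user.GetEx("directReports")
    }
    catch
    {
        return
    }

    foreach ($nestedReportDN in $nestedReportDNs)
    {
        GetAllSubordinates $nestedReportDN $subordinateDNs $mailboxParams
    }
}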

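# Get direct subordinates.
# NOTE(review): every GetEx failure ends up in the branch below - presumably GetEx
# throws when the attribute is empty; confirm no other error needs separate handling.
try
{
    $directReportDNs = $Context.TargetObject.GetEx("directReports")
}
catch
{
    $Context.LogMessage("The user doesn't have any direct reports.", "Warning") # TODO: modify me
    return
}

# Read the target user's DN from the bound object instead of embedding the
# %distinguishedName% value reference in a double-quoted string. A value reference
# is replaced in the script text before the script runs, so a name containing a
# quote, a backtick or '$(' would be parsed as PowerShell code rather than as data.
$targetUserDN = $Context.TargetObject.Get("distinguishedName")

# Create 'Full Access' permission for the target user.
$mailboxParams = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxParameters"
$mailboxRights = $mailboxParams.MailboxRights

$objReference = New-Object "Softerra.Adaxes.Adsi.AdmObjectReference"
$objReference.ObjectDN = $targetUserDN

# Second constructor argument kept at 0 as in the original script.
# NOTE(review): its meaning is not visible here - confirm against the Adaxes SDK.
$permission = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxPermission"(
    "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS",
    0,
    $objReference)

# ADS_PROPERTY_APPEND adds the permission next to the existing ones; nothing in
# this script removes it again, so revocation has to be handled elsewhere.
$permissionModification = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxRightsModification"
$permissionModification.Operation = "ADS_PROPERTY_APPEND"
$permissionModification.Permission = $permission

$mailboxRights.AddModification($permissionModification)
$mailboxParams.MailboxRights = $mailboxRights

# Set the 'Full Access' permission over all the subordinate mailboxes.
# DNs are compared case-insensitively, and the target user is marked as visited
# up front so that a circular reporting chain never leads back to the user's
# own mailbox.
$subordinateDNs = New-Object "System.Collections.Generic.HashSet[String]" ([System.StringComparer]::OrdinalIgnoreCase)
$subordinateDNs.Add($targetUserDN) | Out-Null
foreach ($directReportDN in $directReportDNs)
{
    GetAllSubordinates $directReportDN $subordinateDNs $mailboxParams
}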
