Script repository
To grant and automatically revoke temporary full mailbox access:
- Create a business rule, custom command or scheduled task executing Script 1 or Script 2. The script grants full mailbox access to the user and adds a record specifying when to revoke the permission.
- Create a scheduled task that runs Script 3. It will revoke the full mailbox access from the user.
Script 1: Grant full mailbox access using account properties
The script grants full mailbox access to the user and adds a record specifying when to revoke the permission.
Parameters
$userListProperty - the name of the property that stores a list of users with temporary full mailbox access and the times when to revoke the permission.
$mailboxDNProperty - the name of the property that stores the distinguished name (DN) of the mailbox to grant permissions over.
$durationInHoursProperty - the name of the property that stores the duration of full mailbox access (in hours).
$userListProperty = "adm-CustomAttributeTextMultiValue1" # TODO: modify me
$mailboxDNProperty = "assistant" # TODO: modify me
$durationInHoursProperty = "adm-CustomAttributeInt1" # TODO: modify me
function ClearProperties($propertyName)
{
$Context.TargetObject.Put($propertyName, $NULL)
$Context.TargetObject.SetInfoEx(@($propertyName))
}
# Get duration
try
{
$durationInHours = $Context.TargetObject.Get($durationInHoursProperty)
}
catch
{
$Context.LogMessage("Duration not specified", "Warning")
return
}
ClearProperties $durationInHoursProperty
# Get mailbox DN
try
{
$mailboxDN = $Context.TargetObject.Get($mailboxDNProperty)
}
catch
{
$Context.LogMessage("Mailbox not specified", "Warning")
return
}
ClearProperties $mailboxDNProperty
# Get user sid
$sidBytes = $Context.TargetObject.Get("objectSID")
$userSid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)
$userSidValue = $userSid.Value
# Build user record
$endDate = [System.Datetime]::Now.AddHours($durationInHours)
$userRecord = $endDate.ToString("MM/dd/yyyy hh mm tt") + " SID=$userSidValue"
# Get mailbox records
$mailbox = $Context.BindToObjectByDN($mailboxDN)
try
{
$records = $mailbox.GetEx($userListProperty)
}
catch
{
$records = @()
}
# Check if the user already has access to the mailbox
$addNewRecord = $True
for ($i = 0; $i -lt $records.Length; $i++)
{
$sid = ($records[$i] | Select-String -Pattern "(?<=SID=).+").Matches[0].Value
if ($sid -ne $userSidValue)
{
continue
}
# The user already has access to this mailbox, update date
$records[$i] = $userRecord
$addNewRecord = $False
break
}
if ($addNewRecord)
{
# Add information on when to remove access to the mailbox
$records += $userRecord
# Add Full Mailbox Access permission for the user
$mailboxParams = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxParameters"
$objReference = New-Object "Softerra.Adaxes.Adsi.AdmObjectReference"
$objReference.ObjectDN = "%distinguishedName%"
$permission = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxPermission"
$permission.AllowedRights = "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS"
$permission.Trustee = $objReference
$permissionModification = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxRightsModification"
$permissionModification.Operation = "ADS_PROPERTY_APPEND"
$permissionModification.Permission = $permission
$mailboxRights = $mailboxParams.MailboxRights
$mailboxRights.AddModification($permissionModification)
$mailboxParams.MailboxRights = $mailboxRights
# Save the changes
$mailbox.SetMailParameters($mailboxParams, "ADM_SET_EXCHANGE_PARAMS_FLAGS_NONE")
}
# Update mailbox records
$mailbox.PutEx("ADS_PROPERTY_UPDATE", $userListProperty, $records)
$mailbox.SetInfo()
Script 2: Grant full mailbox access using custom command parameters
The script grants full mailbox access to the user and adds a record specifying when to revoke the permission.
Parameters
$userListProperty - the name of the property that stores a list of users with temporary full mailbox access and the times when to revoke the permission.
$mailboxDNParameter - the name of the custom command parameter used to select the mailbox to grant permissions over. The name should be specified with the param- prefix. The parameter must be of the Directory object picker type.
$endDateParameter - the name of the custom command parameter used to select the date until which permissions are granted. The name should be specified with the param- prefix. The parameter must be of the Date/time picker type.
$userListProperty = "adm-CustomAttributeTextMultiValue1" # TODO: modify me
$mailboxDNParameter = "param-mailbox" # TODO: modify me
$endDateParameter = "param-endDate" # TODO: modify me
# Get parameters values
$mailboxDN = $Context.GetParameterValue($mailboxDNParameter)
$endDateString = $Context.GetParameterValue($endDateParameter)
# Get user sid
$sidBytes = $Context.TargetObject.Get("objectSID")
$userSid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)
$userSidValue = $userSid.Value
# Build user record
$endDate = (Get-Date $endDateString).ToString("MM/dd/yyyy") + " 12 00 AM"
$userRecord = "$endDate SID=$userSidValue"
# Get mailbox records
$mailbox = $Context.BindToObjectByDN($mailboxDN)
try
{
$records = $mailbox.GetEx($userListProperty)
}
catch
{
$records = @()
}
# Check if the user already has access to the mailbox
$addNewRecord = $True
for ($i = 0; $i -lt $records.Length; $i++)
{
$sid = ($records[$i] | Select-String -Pattern "(?<=SID=).+").Matches[0].Value
if ($sid -ne $userSidValue)
{
continue
}
# The user already has access to this mailbox, update date
$records[$i] = $userRecord
$addNewRecord = $False
break
}
if ($addNewRecord)
{
# Add information on when to remove access to the mailbox
$records += $userRecord
# Add Full Mailbox Access permission for the user
$mailboxParams = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxParameters"
$objReference = New-Object "Softerra.Adaxes.Adsi.AdmObjectReference"
$objReference.ObjectDN = "%distinguishedName%"
$permission = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxPermission"
$permission.AllowedRights = "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS"
$permission.Trustee = $objReference
$permissionModification = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxRightsModification"
$permissionModification.Operation = "ADS_PROPERTY_APPEND"
$permissionModification.Permission = $permission
$mailboxRights = $mailboxParams.MailboxRights
$mailboxRights.AddModification($permissionModification)
$mailboxParams.MailboxRights = $mailboxRights
# Save the changes
$mailbox.SetMailParameters($mailboxParams, "ADM_SET_EXCHANGE_PARAMS_FLAGS_NONE")
}
# Update mailbox records
$mailbox.PutEx("ADS_PROPERTY_UPDATE", $userListProperty, $records)
$mailbox.SetInfo()
Script 3: Revoke full mailbox access
The script revokes the full mailbox access from the user.
In the script, the $userListProperty variable specifies the name of the property that stores the list of users with temporary full mailbox access and the times when to revoke the permission. It must be the same as $userListProperty in Script 1/Script 2.
$userListProperty = "adm-CustomAttributeTextMultiValue1" # TODO: modify me
# Get mailbox records
try
{
$records = $Context.TargetObject.GetEx($userListProperty)
}
catch
{
return # No records
}
$currentDate = [DateTime]::Now
$sidsToRemove = New-Object "System.Collections.Generic.HashSet[System.String]"
for ($i = 0; $i -lt $records.Length; $i++)
{
# Get user's ADS sid and date when to remove Full Mailbox Access permission
$sid = ($records[$i] | Select-String -Pattern "(?<=SID=).+").Matches[0].Value
$date = ($records[$i] | Select-String -Pattern "\d{2}/\d{2}/\d{4}\s\d{2}\s\d{2}\s.{2}" -AllMatches).Matches | %{[DateTime]::ParseExact($_.Value, "MM/dd/yyyy hh mm tt", $NULL)}
if ($date -le $currentDate)
{
[void]$sidsToRemove.Add($sid)
$records[$i] = $NULL
}
}
if ($sidsToRemove.Count -ne 0)
{
# Get Exchange properties
$mailboxParams = $Context.TargetObject.GetMailParameters()
# Remove permissions
$mailboxRights = $mailboxParams.MailboxRights
foreach ($sid in $sidsToRemove)
{
$objReference = New-Object "Softerra.Adaxes.Adsi.AdmObjectReference"
$objReference.ObjectSid = $sid
$permission = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxPermission"
$permission.AllowedRights = "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS"
$permission.Trustee = $objReference
$mailboxRights.RemovePermission($permission)
}
$mailboxParams.MailboxRights = $mailboxRights
$Context.TargetObject.SetMailParameters($mailboxParams, "ADM_SET_EXCHANGE_PARAMS_FLAGS_NONE")
# Update list of users with temporary full access
[System.String[]]$records = $records | ?{$_}
$Context.TargetObject.PutEx("ADS_PROPERTY_UPDATE", $userListProperty, $records)
$Context.TargetObject.SetInfo()
}
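The three scripts share one convention: each value stored in $userListProperty is a string of the form "MM/dd/yyyy hh mm tt SID=S-1-5-...", written by Script 1 or Script 2 and read back by Script 3. The following is an added example, not part of the Adaxes script repository above, that models that record format outside Adaxes so the grant/upsert logic (Script 1 and Script 2) and the expiry selection (Script 3) can be exercised on constructed data. The functions New-AccessRecord, ConvertFrom-AccessRecord, Update-AccessRecords and Get-ExpiredAccessSids are hypothetical helpers written for this example and are not Adaxes API; the SIDs and dates are constructed. Unlike the scripts above, which assume every stored value matches the format, it reports values that do not parse instead of treating them as valid or expired, so an operator can see when the revoke pass could not decide about an entry.

```powershell
# Added example (not from the Adaxes script repository): standalone model of the
# "MM/dd/yyyy hh mm tt SID=<sid>" record format used by Script 1/2 and Script 3.
# Helper function names are hypothetical; sample SIDs and dates are constructed.

$RecordDateFormat = "MM/dd/yyyy hh mm tt"   # same format Script 1 writes
$RecordPattern = '^(?<date>\d{2}/\d{2}/\d{4}\s\d{2}\s\d{2}\s[AP]M)\sSID=(?<sid>S-1-5-[\d-]+)$'
$Invariant = [System.Globalization.CultureInfo]::InvariantCulture

function New-AccessRecord {
    # Build a record exactly as the grant scripts do: end date, then "SID=<sid>".
    param([Parameter(Mandatory)][string]$Sid, [Parameter(Mandatory)][datetime]$EndDate)
    return $EndDate.ToString($RecordDateFormat, $Invariant) + " SID=$Sid"
}

function ConvertFrom-AccessRecord {
    # Parse one stored value; return $null when it does not match the expected format.
    param([string]$Record)
    $m = [regex]::Match($Record, $RecordPattern)
    if (-not $m.Success) { return $null }
    $date = [datetime]::ParseExact($m.Groups['date'].Value, $RecordDateFormat, $Invariant)
    return [pscustomobject]@{ Sid = $m.Groups['sid'].Value; EndDate = $date; Raw = $Record }
}

function Update-AccessRecords {
    # Mirror Script 1/2: replace the record of a SID that is already listed, else append.
    param([string[]]$Records, [Parameter(Mandatory)][string]$NewRecord)
    $newSid = (ConvertFrom-AccessRecord $NewRecord).Sid
    $result = @()
    $replaced = $false
    foreach ($r in $Records) {
        $parsed = ConvertFrom-AccessRecord $r
        if ($parsed -and $parsed.Sid -eq $newSid) { $result += $NewRecord; $replaced = $true }
        else { $result += $r }
    }
    if (-not $replaced) { $result += $NewRecord }
    return ,$result
}

function Get-ExpiredAccessSids {
    # Mirror Script 3's selection: every SID whose end date is at or before $Now.
    # Values that do not parse are returned separately instead of being skipped silently.
    param([string[]]$Records, [datetime]$Now = [datetime]::Now)
    $expired = New-Object 'System.Collections.Generic.HashSet[string]'
    $malformed = @()
    foreach ($r in $Records) {
        $parsed = ConvertFrom-AccessRecord $r
        if (-not $parsed) { $malformed += $r; continue }
        if ($parsed.EndDate -le $Now) { [void]$expired.Add($parsed.Sid) }
    }
    return [pscustomobject]@{ Expired = @($expired); Malformed = $malformed }
}

# --- constructed sample data (not real accounts) ---
$now = Get-Date "2024-03-10 09:00"
$records = @(
    (New-AccessRecord -Sid "S-1-5-21-1000-2000-3000-1101" -EndDate $now.AddHours(-2)),  # already expired
    (New-AccessRecord -Sid "S-1-5-21-1000-2000-3000-1102" -EndDate $now.AddHours(4)),   # still valid
    "garbage value without a SID"                                                       # malformed entry
)
# Granting again to the second user extends its deadline instead of adding a duplicate record.
$renewed = New-AccessRecord -Sid "S-1-5-21-1000-2000-3000-1102" -EndDate $now.AddHours(8)
$records = Update-AccessRecords -Records $records -NewRecord $renewed
$result = Get-ExpiredAccessSids -Records $records -Now $now

"Stored records:"
$records | ForEach-Object { "  $_" }
"SIDs to revoke now: $($result.Expired -join ', ')"
"Entries that could not be parsed: $($result.Malformed -join ', ')"
```

Running this in a plain PowerShell session (no Adaxes objects are touched) shows one SID selected for revocation, the renewed user kept with a single record, and the malformed entry listed on its own. The point for operations is the last line: in Script 3 a value that does not match the pattern is never removed and never revoked, so anything that edits $userListProperty outside these scripts should be reviewed, or the revoke task extended to log such entries.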