Shared Mailbox Enable Color Categorization for user

%3CLINGO-SUB%20id%3D%22lingo-sub-1455966%22%20slang%3D%22en-US%22%3EShared%20Mailbox%20Enable%20Color%20Categorization%20for%20user%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1455966%22%20slang%3D%22en-US%22%3E%3CP%3EHy!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20a%20shared%20mailbox%20what%20is%20connected%20to%203%20user.%20They%20want%20to%20mark%20the%20inbox%20mail%20with%20colors%2C%20to%20see%20who%20managed%20it.%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20question%20is%20that%20i%20tried%20a%20few%20level%20of%20permissions%20in%20powershell%20but%20no%20luck.%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20problem%20is%20they%20dont%20want%20to%20use%20full%20acces%2C%20because%20they%20affraid%20of%20the%20exedentaly%20delete%20of%20the%20emails.%3C%2FP%3E%3CP%3EIs%20there%20any%20permission%20level%20for%20the%20users%20%2C%20to%20use%20the%20color%20markers%2C%20and%20the%20fast%20action%20menu%2C%20but%20they%20have%20no%20permission%20to%20delete%20the%20mail.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20the%20help!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ebolvar%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1455966%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%20Server%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOutlook%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1456255%22%20slang%3D%22en-US%22%3ERe%3A%20Shared%20Mailbox%20Enable%20Color%20Categorization%20for%20user%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1456255%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F502119%22%20target%3D%22_blank%22%3E%40bolvar%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'd%20look%20at%20doing%20the%20following%20permissions%20-%20I%20don't%20think%20any%20of%20the%20ready-made%20roles%20will%20meet%20your%20requirements.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CUL%3E%3CLI%3E%3CP%3ECreateItems%3A%20The%20user%20can%20create%20items%20in%20the%20specified%20folder.%3C%2FP%3E%3C%2FLI%3E%3CLI%3E%3CP%3ECreateSubfolders%3A%20The%20user%20can%20create%20subfolders%20in%20the%20specified%20folder.%3C%2FP%3E%3C%2FLI%3E%3CLI%3E%3CP%3EEditAllItems%3A%20The%20user%20can%20edit%20all%20items%20in%20the%20specified%20folder.%3C%2FP%3E%3C%2FLI%3E%3CLI%3E%3CP%3EFolderOwner%3A%20The%20user%20is%20the%20owner%20of%20the%20specified%20folder.%20The%20user%20can%20view%20the%20folder%2C%20move%20the%20folder%2C%20and%20create%20subfolders.%20The%20user%20can't%20read%20items%2C%20edit%20items%2C%20delete%20items%2C%20or%20create%20items.%3C%2FP%3E%3C%2FLI%3E%3CLI%3E%3CP%3EReadItems%3A%20The%20user%20can%20read%20items%20within%20the%20specified%20folder.%3C%2FP%3E%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpowershell%2Fmodule%2Fexchange%2Fset-mailboxfolderpermission%3Fview%3Dexchange-ps%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpowershell%2Fmodule%2Fexchange%2Fset-mailboxfolderpermission%3Fview%3Dexchange-ps%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHope%20this%20helps%2C%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1456568%22%20slang%3D%22en-US%22%3ERe%3A%20Shared%20Mailbox%20Enable%20Color%20Categorization%20for%20user%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1456568%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F383653%22%20target%3D%22_blank%22%3E%40HidMov%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20i%20found%20the%20article%2C%20and%20i%20tried%20editallitems%2C%20but%20its%20not%20worked.%3C%2FP%3E%3CP%3ENow%20the%20users%20have%20reviewer%20permission.%3C%2FP%3E%3CP%3EMaybe%20i%20made%20something%20wrong%2C%20i%20will%20try%20it%20again.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ebolvar%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1463299%22%20slang%3D%22en-US%22%3ERe%3A%20Shared%20Mailbox%20Enable%20Color%20Categorization%20for%20user%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1463299%22%20slang%3D%22en-US%22%3E%3CP%3ETried%20a%20few%20solutions%20but%20i%20think%20there%20is%20no%20option%20to%20prevent%20users%20to%20delete%20accidentally%20a%20massage%20%3A%2F.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20roles%20for%20the%20shared%20mailbox%20even%20described%3A%3C%2FP%3E%3CP%3Ehe%20AccessRights%20parameter%20specifies%20the%20permission%20that%20you%20want%20to%20assign%20to%20the%20user%20on%20the%20mailbox.%20Valid%20values%20are%3A%3C%2FP%3E%3CUL%3E%3CLI%3E%3CP%3EChangeOwner%3C%2FP%3E%3C%2FLI%3E%3CLI%3E%3CP%3EChangePermission%3C%2FP%3E%3C%2FLI%3E%3CLI%3E%3CP%3EDeleteItem%3C%2FP%3E%3C%2FLI%3E%3CLI%3E%3CP%3EExternalAccount%3C%2FP%3E%3C%2FLI%3E%3CLI%3E%3CP%3EFullAccess%3C%2FP%3E%3C%2FLI%3E%3CLI%3E%3CP%3EReadPermission%3C%2FP%3E%3C%2FLI%3E%3C%2FUL%3E%3CP%3EChangePermission%20and%20ChangeOwner%20was%20able%20to%20delete.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1501319%22%20slang%3D%22en-US%22%3ERe%3A%20Shared%20Mailbox%20Enable%20Color%20Categorization%20for%20user%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1501319%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F502119%22%20target%3D%22_blank%22%3E%40bolvar%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESorry%2C%20been%20meaning%20to%20reply%20to%20this%20but%20things%20have%20been%20very%20busy.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20case%20you%20haven't%20managed%20to%20resolve%20this%20yourself%2C%20I%20do%20have%20a%20solution%20but%20it's%20not%20very%20elegant.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20Add-MailboxPermission%20cmdlet%20adds%20permissions%20to%20the%20entire%20mailbox%20-%20the%20permissions%20are%20the%20ones%20you%20listed%20out%20which%20don't%20help.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20Add-MailboxFolderPermission%20adds%20permissions%20to%20individual%20folders%20within%20a%20mailbox%2C%20but%20the%20permissions%20it%20can%20add%20are%20much%20more%20useful%20and%20granular.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.%20Remove%20the%20FullAccess%20permmission%20you%20have%20set%20up%20for%20the%20user%20from%20the%20shared%20mailbox%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-powershell%22%3E%3CCODE%3ERemove-MailBoxPermission%20-identity%20SharedMailbox%20-user%20user%40domain.com%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E2.%20After%20some%20time%20the%20mailbox%20will%20be%20removed%20from%20the%20users%20Outlook.%20Now%20we're%20going%20to%20add%20the%20mailbox%20back%20in%2C%20but%20only%20individual%20folders.%20Start%20with%20the%20Top%20of%20the%20Information%20Store%20-%20the%20user%20will%20just%20need%20the%20FolderVisible%20permission%20for%20this%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-powershell%22%3E%3CCODE%3EAdd-MailboxFolderPermission%20-identity%20SharedMailbox%20-user%20user%40domain.com%20-AccessRights%20FolderVisible%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E3.%20Next%20add%20permissions%20to%20the%20inbox%20allowing%20them%20to%20edit%20and%20create%2C%20but%20not%20delete.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-powershell%22%3E%3CCODE%3EAdd-MailboxFolderPermission%20-identity%20SharedMailbox%3A%5CInbox%20-user%20user%40domain.com%20-AccessRights%20FolderVisible%2C%20CreateItems%2C%20EditAllItems%2C%20ReadItems%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E4.%20Any%20other%20folders%20you%20need%20them%20to%20access%20will%20need%20to%20be%20added%20manually%20-%20so%20adding%20in%20a%20subfolder%20in%20the%20Inbox%20called%20%22Orders%22%20would%20need%20the%20following%20added%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-powershell%22%3E%3CCODE%3EAdd-MailboxFolderPermission%20-identity%20SharedMailbox%3A%5CInbox%5COrders%20-user%20user%40domain.com%20-AccessRights%20FolderVisible%2C%20CreateItems%2C%20EditAllItems%2C%20ReadItems%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E5.%20Finally%2C%20because%20Automapping%20doesn't%20work%20with%20Add-MailboxFolderPermission%20you%20will%20need%20to%20manually%20add%20the%20mailbox%20to%20the%20users%20Outlook%20by%20going%20to%20File%20%26gt%3B%20Info%20%26gt%3B%20Account%20Settings%20%26gt%3B%20Change%20%26gt%3B%20More%20Settings%20%26gt%3B%20Advanced%20%26gt%3B%20Open%20These%20Additional%20Mailboxes%20%26gt%3B%20Add%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20may%20or%20may%20not%20be%20appropriate%20for%20your%20organisations%20set%20up%2C%20but%20hopefully%20this%20is%20useful.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%2C%3C%2FP%3E%3CP%3EMark%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

Hy!

 

I have a shared mailbox what is connected to 3 user. They want to mark the inbox mail with colors, to see who managed it. 

The question is that i tried a few level of permissions in powershell but no luck. 

The problem is they dont want to use full acces, because they affraid of the exedentaly delete of the emails.

Is there any permission level for the users , to use the color markers, and the fast action menu, but they have no permission to delete the mail.

 

Thanks for the help!

 

bolvar

4 Replies

Hi @bolvar 

 

I'd look at doing the following permissions - I don't think any of the ready-made roles will meet your requirements.

 

  • CreateItems: The user can create items in the specified folder.

  • CreateSubfolders: The user can create subfolders in the specified folder.

  • EditAllItems: The user can edit all items in the specified folder.

  • FolderOwner: The user is the owner of the specified folder. The user can view the folder, move the folder, and create subfolders. The user can't read items, edit items, delete items, or create items.

  • ReadItems: The user can read items within the specified folder.

https://docs.microsoft.com/en-us/powershell/module/exchange/set-mailboxfolderpermission?view=exchang...

 

Hope this helps,

Highlighted

@HidMov 

Thanks i found the article, and i tried editallitems, but its not worked.

Now the users have reviewer permission.

Maybe i made something wrong, i will try it again.

 

bolvar

Highlighted

Tried a few solutions but i think there is no option to prevent users to delete accidentally a massage :/.

 

The roles for the shared mailbox even described:

he AccessRights parameter specifies the permission that you want to assign to the user on the mailbox. Valid values are:

  • ChangeOwner

  • ChangePermission

  • DeleteItem

  • ExternalAccount

  • FullAccess

  • ReadPermission

ChangePermission and ChangeOwner was able to delete.

 

 

Highlighted

Hi @bolvar 

 

Sorry, been meaning to reply to this but things have been very busy.

 

In case you haven't managed to resolve this yourself, I do have a solution but it's not very elegant.

 

The Add-MailboxPermission cmdlet adds permissions to the entire mailbox - the permissions are the ones you listed out which don't help.

 

The Add-MailboxFolderPermission adds permissions to individual folders within a mailbox, but the permissions it can add are much more useful and granular.

 

1. Remove the FullAccess permmission you have set up for the user from the shared mailbox

 

Remove-MailBoxPermission -identity SharedMailbox -user user@domain.com

 

2. After some time the mailbox will be removed from the users Outlook. Now we're going to add the mailbox back in, but only individual folders. Start with the Top of the Information Store - the user will just need the FolderVisible permission for this:

 

Add-MailboxFolderPermission -identity SharedMailbox -user user@domain.com -AccessRights FolderVisible

 

3. Next add permissions to the inbox allowing them to edit and create, but not delete.

 

Add-MailboxFolderPermission -identity SharedMailbox:\Inbox -user user@domain.com -AccessRights FolderVisible, CreateItems, EditAllItems, ReadItems

 

4. Any other folders you need them to access will need to be added manually - so adding in a subfolder in the Inbox called "Orders" would need the following added

 

Add-MailboxFolderPermission -identity SharedMailbox:\Inbox\Orders -user user@domain.com -AccessRights FolderVisible, CreateItems, EditAllItems, ReadItems

 

5. Finally, because Automapping doesn't work with Add-MailboxFolderPermission you will need to manually add the mailbox to the users Outlook by going to File > Info > Account Settings > Change > More Settings > Advanced > Open These Additional Mailboxes > Add 

 

 

This may or may not be appropriate for your organisations set up, but hopefully this is useful.

 

Thanks,

Mark