Provide access to folders

Question

Hi All,

I have a mailbox user1(at)contoso.com that contains a MY - Projects folder with multiple subfolders. I granted Publishing Author permissions to user2(at)contoso.com on this folder.

However, permissions were not applied to some subfolders because their names contain special characters. MY - Projects Folder has 100 plus folders.

Now, I want to:

Update the permissions from Publishing Author to Publishing Editor

Ensure the permissions are correctly applied to all subfolders

Could someone please validate this script as i dont have testing environment.

$mbx   = "user1(at)contoso.com"
$user  = "user2(at)contoso.com"
$right = "PublishingEditor"
$match = "*MY - Projects*"  Write-Host "Retrieving folders matching '$match'..." -ForegroundColor Cyan

$folders = Get-MailboxFolderStatistics -Identity $mbx |
    Where-Object { $_.FolderPath -like $match }

Write-Host "Found $($folders.Count) folders. Processing permissions..." -ForegroundColor Cyan

$results = foreach ($f in $folders) {
    # Use the actual Identity property - best for special characters
    $rawIdentity = $f.Identity.ToString()
    
    # Replace the backslash after mailbox name with colon-backslash
    if ($rawIdentity -match "^([^\\]+)\\(.+)$") {
        $id = "$($Matches[1]):\$($Matches[2])"
    }
    else {
        $id = "$mbx`:\" + ($f.FolderPath -replace '^/', '' -replace '/', '\')
    }
    
    try {
        # Check if permission exists
        $existingPerm = Get-MailboxFolderPermission -Identity $id -User $user -ErrorAction Stop
        
        # Update existing permission
        Set-MailboxFolderPermission -Identity $id -User $user -AccessRights $right -ErrorAction Stop
        
        [PSCustomObject]@{
            FolderPath     = $f.FolderPath
            Identity       = $id
            Action         = "Updated"
            OldPermission  = $existingPerm.AccessRights -join ','
            NewPermission  = $right
            Status         = "Success"
            Error          = $null
        }
    }
    catch {
        $errMsg = $_.Exception.Message
        
        # Check if permission doesn't exist
        if ($errMsg -match "isn't found|can't be found|doesn't exist|ManagementObjectNotFoundException") {
            try {
                # Add new permission
                Add-MailboxFolderPermission -Identity $id -User $user -AccessRights $right -ErrorAction Stop
                
                [PSCustomObject]@{
                    FolderPath     = $f.FolderPath
                    Identity       = $id
                    Action         = "Added"
                    OldPermission  = "None"
                    NewPermission  = $right
                    Status         = "Success"
                    Error          = $null
                }
            }
            catch {
                [PSCustomObject]@{
                    FolderPath     = $f.FolderPath
                    Identity       = $id
                    Action         = "Add Failed"
                    OldPermission  = "None"
                    NewPermission  = $right
                    Status         = "FAILED"
                    Error          = $_.Exception.Message
                }
            }
        }
        else {
            # Other errors
            [PSCustomObject]@{
                FolderPath     = $f.FolderPath
                Identity       = $id
                Action         = "Check Failed"
                OldPermission  = "Unknown"
                NewPermission  = $right
                Status         = "FAILED"
                Error          = $errMsg
            }
        }
    }
}

# Display summary
Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "Processing Summary" -ForegroundColor Cyan
Write-Host "========================================" -ForegroundColor Cyan
Write-Host "Total folders processed: " -NoNewline; Write-Host $results.Count -ForegroundColor White
Write-Host "Successful operations:   " -NoNewline; Write-Host ($results | Where-Object {$_.Status -eq 'Success'}).Count -ForegroundColor Green
Write-Host "Failed operations:       " -NoNewline; Write-Host ($results | Where-Object {$_.Status -eq 'FAILED'}).Count -ForegroundColor Red

# Show failures in detail
$failures = $results | Where-Object { $_.Status -eq "FAILED" }
if ($failures) {
    Write-Host "`nFailed Folders:" -ForegroundColor Red
    Write-Host "========================================" -ForegroundColor Red
    $failures | Format-Table FolderPath, Action, Error -AutoSize -Wrap
}
else {
    Write-Host "`nAll folders processed successfully! ✓" -ForegroundColor Green
}

# Export results
$outputPath = "C:\temp\ProjectsFolder_Results.csv"
$results | Export-Csv $outputPath -NoTypeInformation -Encoding UTF8

Write-Host "`nResults exported to: $outputPath" -ForegroundColor Green

Answer 1

Hi Rising Flight,

Welcome to Microsoft Q&A Forum!

Have a good day and I hope you're doing well!

I completely understand the challenge you are facing. Handling permissions for nested folders containing special characters (like #, &, [], or extended characters) is a notorious pain point in Exchange PowerShell, as standard path parsing often fails. 

I replicated your exact scenario in my own tenant to validate your script. 

1. I created a MY - Projects structure in a test mailbox. 
2. I created subfolders with names specifically designed to break scripts, including characters like #, &, [], +, and = 
3. I assigned the initial PublishingAuthor rights to a delegate user. 
4. I ran your script to upgrade the permissions to PublishingEditor. 

Your script logic is solid. Specifically, the way you reconstruct the Identity property (replacing forward slashes with backslashes and correctly appending the mailbox root) successfully bypasses the path parsing errors usually caused by special characters. 

As you can see in the screenshot below from my environment, the script successfully located all "difficult" folders and updated the permissions to PublishingEditor without error:  

The script is safe to run. The Try/Catch block correctly handles the logic: it updates existing permissions if found, and adds them if missing, ensuring full coverage even for those tricky folder names. 

I hope this provides you with some helpful insights as you proceed with the execution. If you have any further questions or concerns, or if I have misunderstood anything or was unclear, please feel free to reach out at any time. 

---

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".    

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.  

Answer 2

The script you provided is generally well-structured for updating folder permissions in Exchange Online. Here are some points to consider:

1. Mailbox and User Variables: Ensure that you replace the placeholders for $mbx and $user with the actual email addresses.
2. Folder Matching: The use of -like with *MY - Projects* is appropriate for matching folder names. Ensure that this matches the actual folder names in your mailbox.
3. Identity Handling: The script correctly handles special characters in folder names by adjusting the Identity format. This is crucial for folders with special characters.
4. Error Handling: The error handling is robust, checking for existing permissions and handling both updates and additions appropriately.
5. Output Summary: The summary section at the end provides a clear overview of the operations performed, which is helpful for validation.
6. Exporting Results: The results are exported to a CSV file, which is useful for record-keeping and further analysis.

Before running the script, ensure you have the necessary permissions to execute these commands and that you are aware of the implications of changing permissions on folders. It’s also recommended to test in a non-production environment if possible.

---

References:

• Public folder permissions and settings don't propagate to all subfolders
• Set folder permissions for another user by using EWS in Exchange