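I have a problem where users [1..10] have Full Mailbox Access permissions on User A's mailbox.
User A now wants to restrict access so that all users [1..10] can access everything except "Sent Items" and "Deleted Items". In this case, User 2 and User 3 should keep the access previously requested.
Is there a simple way to restrict access to folders without removing the "Full Mailbox Access" permission and applying each user's permissions to every specific folder?
Apologies if this has been asked and answered before. I did look, but I don't think Google could understand my question.
I am doing this through PowerShell because it needs to be repeated many times across multiple mailboxes.
Answer 1
No.
Full Access trumps everything, because Exchange applies the highest permission, so full-mailbox permission outranks folder-level permissions.
Therefore the only option is to remove Full Mailbox Access and grant permissions at the folder level.
You should be able to use PowerShell to grant permissions on all folders in the mailbox and then remove the permissions from the folders you want. However, that also means new top-level folders will need their permissions changed (new subfolders inherit).
Answer 2
Thanks @Sembee.
For those who have to do this. Here is a quick and dirty script to do it. Please test it before using it on a live mailbox, and adjust as needed.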
# The mailbox to apply the permissions changes on
$mailbox = "[email protected]"
# The users to add to the mailbox folder list
$users = "[email protected]"
# Get a list of folders in the mailbox defined above. We want only the folder path
$folderlist = Get-MailboxFolderStatistics -Identity $mailbox | select FolderPath
# Create a List item consisting of string objects
[Collections.Generic.List[String]]$sList = New-Object -TypeName Collections.Generic.List[String]
# Loop through the entire list of folders and do something
foreach ($folder in $folderlist)
{
    # Get the folderpath object from the folderlist and output it as a string value
    $sfoldername = $folder.FolderPath | Out-String
    # Look for the tree node called "Top of Information Store" and replace it with a /
    $sfname = $sfoldername -replace "/Top of Information Store","/"
    # replace all forward slashes with back slashes (the folder identity format uses "\")
    $sfname = $sfname -replace "/","\"
    # remove any hidden characters (Out-String appends a newline) that might be lurking around in the string
    $sfname = $sfname.Trim()
    # Perform a bunch of IF statements in a simple way.
    switch($sfname)
    {
        # System Folder in Mailbox. Do nothing if these are encountered
        "\Recoverable Items" {break}
        "\Deletions" {break}
        "\Purges" {break}
        "\Versions" {break}
        "\Quick Step Settings" {break}
        "\Conversation Action Settings" {break}
        "\News Feed" {break}
        # Add the folder name into the list of strings defined earlier
        default {$sList.Add($sfname); break}
    }
}
# For each item in the list of strings apply permissions
foreach ($item in $sList)
{
    # concatenate the foldername to contain the mailbox name and the folder path in a format the Set and Add permission command can understand.
    $foldername = $mailbox + ":" + $item | Out-String
    # remove any hidden characters that might be lurking around in the string
    $fname = $foldername.Trim()
    # Add the permissions on the folder assuming permissions haven't already been set
    Add-MailboxFolderPermission -Identity $fname -AccessRights Owner -User $users
    # If the user permissions already exists then set / update the permissions
    Set-MailboxFolderPermission -Identity $fname -AccessRights Owner -User $users
}
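Make sure you are very careful with this. One thing to note: if you want to use a group to control access, make sure the group is set up as a security group in Active Directory and then used as a distribution group. Otherwise, using the group for access control will not work.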
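
The script above grants rights on every folder, so the exclusion the question asks for ("Sent Items", "Deleted Items" and everything beneath them) still has to be added. The following is an added example, not code from either answer: it builds the list of folder identities to grant on, matching the excluded folders by `FolderType` instead of display name so it also works on localized mailboxes. The function name, the `example.com` addresses, the sample folder rows and the `Editor` role are assumptions; the answer's script uses `Owner`.

```powershell
# Added example (not from the answers). Sample rows below are constructed; on a real
# system use: $stats = Get-MailboxFolderStatistics -Identity $mailbox
function Get-DelegateFolderTarget {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]   $Mailbox,
        [Parameter(Mandatory)] [object[]] $FolderStatistics,
        # FolderType values do not change with the mailbox language, display names do
        [string[]] $ExcludeType = @('SentItems', 'DeletedItems'),
        # System folders that the script above also skips
        [string[]] $SkipPath = @('/Recoverable Items', '/Deletions', '/Purges', '/Versions',
                                 '/Quick Step Settings', '/Conversation Action Settings', '/News Feed')
    )
    # Paths of the excluded folders; their subfolders are excluded by path prefix
    $blocked = @($FolderStatistics | Where-Object { $ExcludeType -contains $_.FolderType } |
                 ForEach-Object { $_.FolderPath })
    foreach ($f in $FolderStatistics) {
        $path = $f.FolderPath
        if ($SkipPath -contains $path) { continue }
        $hit = $blocked | Where-Object { $path -eq $_ -or $path.StartsWith("$_/") }
        if ($hit) { continue }
        # "/Top of Information Store" is the mailbox root, addressed as "mailbox:\"
        $rel = if ($path -eq '/Top of Information Store') { '\' } else { $path -replace '/', '\' }
        "${Mailbox}:$rel"
    }
}

# Constructed sample rows shaped like Get-MailboxFolderStatistics output
$stats = @(
    [pscustomobject]@{ FolderPath = '/Top of Information Store'; FolderType = 'Root' }
    [pscustomobject]@{ FolderPath = '/Inbox';                    FolderType = 'Inbox' }
    [pscustomobject]@{ FolderPath = '/Inbox/Projects';           FolderType = 'User Created' }
    [pscustomobject]@{ FolderPath = '/Sent Items';               FolderType = 'SentItems' }
    [pscustomobject]@{ FolderPath = '/Sent Items/2023';          FolderType = 'User Created' }
    [pscustomobject]@{ FolderPath = '/Deleted Items';            FolderType = 'DeletedItems' }
    [pscustomobject]@{ FolderPath = '/Recoverable Items';        FolderType = 'RecoverableItemsRoot' }
)
$delegates = 'user1@example.com', 'user4@example.com'   # hypothetical delegates
foreach ($id in Get-DelegateFolderTarget -Mailbox 'usera@example.com' -FolderStatistics $stats) {
    foreach ($u in $delegates) {
        # Printed for review; remove the surrounding quotes to run it in an Exchange session
        "Add-MailboxFolderPermission -Identity '$id' -User '$u' -AccessRights Editor"
    }
}
```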