Tuesday, July 14, 2015

Allow managers to view calendars of their direct & indirect reports - Exchange 2013

I was recently given two tasks and thought I'd share what I came up with to help at least one poor soul out there. 

Task 1: Add permissions for each manager in IT to have reviewer permissions to the calendar of their direct and indirect reports.  I also wanted to check membership of a group that already has permissions and skip them. I came up with the following script, with some caveats.

  1. There are probably cleaner ways of accomplishing the task, but it was simple and worked.
  2. This adds permissions, but does not remove permissions if someone changes manager. Since it is just reviewer permission, and we didn't want to mess with permissions anyone else had already granted to their manager, we accepted that risk.
  3. It only goes 5 levels deep.
  4. Someone can get around this by just assigning their manager a permission level of none.
Clearly this isn't foolproof, but to save some time and get some permissions added, it does okay.

$MGR grabs the user's manager so the permission can be assigned to them. $MGRMEM grabs the manager's group membership to see if they are in the group I want to exclude.

# Get-ADUser comes from the ActiveDirectory module
Import-Module ActiveDirectory

# For each IT user, look up five levels of managers and give each one
# Reviewer on the user's calendar unless they are in the excluded group.
Get-ADUser -Filter {department -eq "Information Technology"} | ForEach-Object {
    # $MGR..$MGR5 = manager at each level (distinguished name)
    # $MGRMEM..$MGRMEM5 = that manager's group membership
    $MGR = (Get-ADUser -Identity $_.SamAccountName -Properties Manager).Manager
    $MGRMEM = (Get-ADUser $MGR -Properties MemberOf).MemberOf
    $MGR2 = (Get-ADUser $MGR -Properties Manager).Manager
    $MGRMEM2 = (Get-ADUser $MGR2 -Properties MemberOf).MemberOf
    $MGR3 = (Get-ADUser $MGR2 -Properties Manager).Manager
    $MGRMEM3 = (Get-ADUser $MGR3 -Properties MemberOf).MemberOf
    $MGR4 = (Get-ADUser $MGR3 -Properties Manager).Manager
    $MGRMEM4 = (Get-ADUser $MGR4 -Properties MemberOf).MemberOf
    $MGR5 = (Get-ADUser $MGR4 -Properties Manager).Manager
    $MGRMEM5 = (Get-ADUser $MGR5 -Properties MemberOf).MemberOf

    # Skip any manager who is a member of the CalendarAdminAccess group
    If (!($MGRMEM -like "*CN=CalendarAdminAccess*")) {
        Add-MailboxFolderPermission ${_}:\Calendar -User $MGR -AccessRights Reviewer
    }
    If (!($MGRMEM2 -like "*CN=CalendarAdminAccess*")) {
        Add-MailboxFolderPermission ${_}:\Calendar -User $MGR2 -AccessRights Reviewer
    }
    If (!($MGRMEM3 -like "*CN=CalendarAdminAccess*")) {
        Add-MailboxFolderPermission ${_}:\Calendar -User $MGR3 -AccessRights Reviewer
    }
    If (!($MGRMEM4 -like "*CN=CalendarAdminAccess*")) {
        Add-MailboxFolderPermission ${_}:\Calendar -User $MGR4 -AccessRights Reviewer
    }
    If (!($MGRMEM5 -like "*CN=CalendarAdminAccess*")) {
        Add-MailboxFolderPermission ${_}:\Calendar -User $MGR5 -AccessRights Reviewer
    }
}

Note: The curly brackets are used to enclose the variable, as in ${_}, because the distinguished name is returned and can have spaces in it.
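
An added example, not part of the original script: a report-only check for caveats 2 and 3 above. It walks the management chain to any depth with a loop, stopping on a missing manager or a cycle, and lists Reviewer grantees who are no longer in a user's chain. The function names, the $ManagerOf table and the grantee list are constructed for illustration; in production the data would come from Get-ADUser and Get-MailboxFolderPermission.

```powershell
# Constructed sample data. Short names stand in for distinguished names.
# In production, build $ManagerOf from Get-ADUser -Properties Manager.
$ManagerOf = @{
    'Ann' = 'Bob'   # Ann reports to Bob
    'Bob' = 'Cat'
    'Cat' = 'Dee'
    'Dee' = 'Dee'   # top of the tree, listed as her own manager
    'Eve' = 'Dee'   # Ann's former manager
}

# Hypothetical helper: returns every manager above $User, nearest first.
function Get-ManagerChain {
    param([string]$User, [hashtable]$ManagerOf, [int]$MaxDepth = 25)
    $seen  = @{ $User = $true }   # hashtable keys compare case-insensitively
    $chain = @()
    $next  = $ManagerOf[$User]
    # Stop when there is no manager, when a loop is detected, or at the cap.
    while ($next -and -not $seen.ContainsKey($next) -and $chain.Count -lt $MaxDepth) {
        $seen[$next] = $true
        $chain += $next
        $next = $ManagerOf[$next]
    }
    $chain
}

# Hypothetical helper: lists grantees that are neither in the chain nor exempt.
function Find-StaleReviewerGrant {
    param([string]$User, [string[]]$Grantees, [hashtable]$ManagerOf,
          [string[]]$Exempt = @('Default', 'Anonymous'))
    $chain = @(Get-ManagerChain -User $User -ManagerOf $ManagerOf)
    # Report only: a grant outside the chain may be one the owner made on purpose.
    $Grantees |
        Where-Object { $chain -notcontains $_ -and $Exempt -notcontains $_ } |
        ForEach-Object {
            [pscustomobject]@{ Calendar = $User; Grantee = $_
                               Reason = 'Not in current management chain' }
        }
}

# Constructed list of Reviewer grantees on Ann's calendar. In production, read
# it with Get-MailboxFolderPermission and keep the Reviewer entries.
$reviewers = 'Bob', 'Eve', 'ITCalendarAdminAccess', 'Default'
Find-StaleReviewerGrant -User 'Ann' -Grantees $reviewers -ManagerOf $ManagerOf `
    -Exempt 'Default', 'Anonymous', 'ITCalendarAdminAccess'
```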

Task 2: A much simpler task, I was asked to create a group and assign permissions so members of the group are granted Reviewer access to all IT Department calendars, regardless of whether they are in their management chain or not.


get-aduser -filter {department -eq "Information Technology1"}|Foreach-object{Add-MailboxFolderPermission ${_}:\Calendar -User ITCalendarAdminAccess -AccessRights Reviewer}

Note: The group should be a Distribution Group, or a mail-enabled Security Group.

This is pretty simple stuff as far as PowerShell goes, so I know I'm not shocking the world or anything. Just wanted to share in case someone finds it of use.