5 PowerShell One-liners to Manage IMAP Permissions



You can manage user permissions in Exchange and other mail servers with the same commands by using the IMAP protocol instead of server-specific tools. This article explores how to use NetCmdlets from the command line to manage permissions on an IMAP server.
The following all use Get-IMAP and Set-IMAP from NetCmdlets:

1. Get ACL: Here is a single line to get the ACL for a specific folder in an account. In this particular case, the main INBOX has a subfolder named RESUMES. The following line lists the rights each user holds on that folder:

PS> Get-IMAP -Server $mymailserver -User $user -Password $pass -Folder INBOX.RESUMES -ACL

Mailbox       Rights    User
-------       ------    ----
INBOX.RESUMES lrswipcda lancer
INBOX.RESUMES lrswipcd  sahils
INBOX.RESUMES lrswipcd  derekm
INBOX.RESUMES lrswipcd  johnh
INBOX.RESUMES lrswipcd  robc
INBOX.RESUMES lrswipcd  blakeb

PS>

The permissions are:
l=look, r=read, s=keep, w=write, i=insert, p=post, c=create, d=delete, a=administer. For more information on what each right means, check the NetCmdlets documentation or your server's documentation.

2. Set a Complete List of User Rights: In this case derekm's rights will be set only to l and r (look and read). To set the list, specify the rights as a string. For example:

PS> Set-IMAP -Server $mymailserver -Credential $mycred -Folder INBOX.RESUMES -ACLUser derekm -ACL "lr"
PS> Get-IMAP -Server $mymailserver -Credential $mycred -Folder INBOX.RESUMES -ACL | Where-Object { $_.User -eq "derekm" }

Mailbox       Rights User
-------       ------ ----
INBOX.RESUMES lr     derekm

PS>

With Set-IMAP, you specify the user whose rights are to be modified (-ACLUser) and the rights the user is to have (-ACL).

3. Remove a specific right from a User: To remove a specific right from a user, use the "-" prefix. For example, if you decide that johnh should not have delete rights in the folder:

PS> Set-IMAP -Server $mymailserver -User $user -Password $pass -Folder INBOX.RESUMES -ACLUser johnh -ACL "-d"

PS> Get-IMAP -Server $mymailserver -User $user -Password $pass -Folder INBOX.RESUMES -ACL | Where-Object { $_.User -eq "johnh" }

Mailbox       Rights  User
-------       ------  ----
INBOX.RESUMES lrswipc johnh

PS>

Here, instead of setting a complete list of rights (as in #2), you simply remove one specific right.

4. Add a Specific Right to a User: If you want to add a specific right to a user, use the "+" prefix. For example, if you want to add the delete right back to johnh:

PS> Set-IMAP -Server $mymailserver -User $user -Password $pass -Folder INBOX.RESUMES -ACLUser johnh -ACL "+d"

PS> Get-IMAP -Server $mymailserver -User $user -Password $pass -Folder INBOX.RESUMES -ACL | Where-Object { $_.User -eq "johnh" }

Mailbox       Rights   User
-------       ------   ----
INBOX.RESUMES lrswipcd johnh

PS>

5. Remove All Rights from a User: To completely remove all rights from a specific user, you must explicitly remove every right (using the "-" prefix). After this, the user can no longer interact with the folder at all. The following removes all rights from johnh:

PS> Set-IMAP -Server $mymailserver -User $user -Password $pass -Folder INBOX.RESUMES -ACLUser johnh -ACL "-lrswipcda"

PS> Get-IMAP -Server $mymailserver -User $user -Password $pass -Folder INBOX.RESUMES -ACL

Mailbox       Rights    User
-------       ------    ----
INBOX.RESUMES lrswipcda lancer
INBOX.RESUMES lrswipcd  sahils
INBOX.RESUMES lr        derekm
INBOX.RESUMES lrswipcd  robc
INBOX.RESUMES lrswipcd  blakeb

PS>

Now, johnh no longer has any rights in the INBOX.RESUMES folder.

When setting rights: If the ACL parameter value starts with a plus, the rights are added to any existing rights for the identifier. If the ACL parameter value starts with a minus, the rights are removed from any existing rights for the identifier. If the ACL parameter value does not start with a plus or minus, the rights replace any existing rights for the identifier.
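
The prefix rules above can be previewed before you run Set-IMAP. The following is an added example, not NetCmdlets code or part of the original article: Resolve-ImapAclChange is a hypothetical helper, and the rows and planned changes are constructed sample data shaped like the Get-IMAP -ACL output shown earlier.

```powershell
# Added example: hypothetical helper and constructed data, not part of NetCmdlets.
$RightOrder = 'lrswipcda'   # the rights letters listed in this article

function Resolve-ImapAclChange {
    param(
        [string]$Existing,                    # rights the user holds now
        [Parameter(Mandatory)][string]$Acl    # value you plan to pass to -ACL
    )
    $mode, $letters = 'replace', $Acl
    if     ($Acl.StartsWith('+')) { $mode, $letters = 'add',    $Acl.Substring(1) }
    elseif ($Acl.StartsWith('-')) { $mode, $letters = 'remove', $Acl.Substring(1) }
    foreach ($c in $letters.ToCharArray()) {
        if ($RightOrder.IndexOf($c) -lt 0) { throw "Unknown right '$c' in '$Acl'" }
    }
    # Walk the known rights in a fixed order and decide which ones survive.
    $kept = foreach ($c in $RightOrder.ToCharArray()) {
        $had   = $Existing.IndexOf($c) -ge 0
        $named = $letters.IndexOf($c) -ge 0
        $keep  = switch ($mode) {
            'add'     { $had -or $named }
            'remove'  { $had -and -not $named }
            'replace' { $named }
        }
        if ($keep) { $c }
    }
    -join $kept
}

# Constructed rows with the same properties as the Get-IMAP -ACL output.
$acl = @(
    [pscustomobject]@{ Mailbox = 'INBOX.RESUMES'; Rights = 'lrswipcda'; User = 'lancer' }
    [pscustomobject]@{ Mailbox = 'INBOX.RESUMES'; Rights = 'lrswipcd';  User = 'johnh' }
    [pscustomobject]@{ Mailbox = 'INBOX.RESUMES'; Rights = 'lr';        User = 'derekm' }
)
$planned = @{ lancer = 'lr'; johnh = '-d'; derekm = '+s' }   # constructed changes

# Preview each change and flag any that would drop 'a' (administer).
foreach ($row in $acl) {
    $change = $planned[$row.User]
    $after  = Resolve-ImapAclChange -Existing $row.Rights -Acl $change
    [pscustomobject]@{
        User       = $row.User
        Before     = $row.Rights
        Change     = $change
        After      = $after
        LosesAdmin = $row.Rights.Contains('a') -and -not $after.Contains('a')
    }
}
```

A value with no prefix replaces the whole list, so the unprefixed change for lancer is flagged: it would silently drop that user's administer right on the folder.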