NetCmdlets: 5 PowerShell One-liners to Manage IMAP Permissions


You can manage user permissions in Exchange and other mail servers with the same commands by using the IMAP protocol instead of server-specific tools. This article explores how to use NetCmdlets from the command line to manage permissions on an IMAP server.
The following all use Get-IMAP and Set-IMAP from NetCmdlets:

1. Get ACL: Here is a single line to get the ACL for a specific folder in an account. In this particular case, the main INBOX has a subfolder named RESUMES. The following line will expose the varying permissions:

PS> Get-IMAP -Server $mymailserver -User $user -Password $pass -Folder INBOX.RESUMES -ACL

Mailbox       Rights    User
-------       ------    ----
INBOX.RESUMES lrswipcda lancer
INBOX.RESUMES lrswipcd  sahils
INBOX.RESUMES lrswipcd  derekm
INBOX.RESUMES lrswipcd  johnh
INBOX.RESUMES lrswipcd  robc
INBOX.RESUMES lrswipcd  blakeb

PS>

The permissions are:
l=look, r=read, s=keep, w=write, i=insert, p=post, c=create, d=delete, a=administer. For more information on what each right means, check the NetCmdlets documentation or your server's documentation.

2. Set a Complete List of User Rights: In this case derekm's rights will be set only to l and r (look and read). To set the list, specify the rights as a string. For example:

PS> Set-IMAP -Server $mymailserver -Credential $mycred -Folder INBOX.RESUMES -ACLUser derekm -ACL "lr"
PS> Get-IMAP -Server $mymailserver -Credential $mycred -Folder INBOX.RESUMES -ACL | Where-Object { $_.User -eq "derekm" }

Mailbox       Rights User
-------       ------ ----
INBOX.RESUMES lr     derekm

PS>

With Set-IMAP, -ACLUser specifies the user whose rights are to be modified and -ACL specifies the rights the user is to have.

3. Remove a specific right from a User: To remove a specific right from a user, use the "-" prefix. For example, if you decide that johnh should not have delete rights in the folder:

PS> Set-IMAP -Server $mymailserver -User $user -Password $pass -Folder INBOX.RESUMES -ACLUser johnh -ACL "-d"

PS> Get-IMAP -Server $mymailserver -User $user -Password $pass -Folder INBOX.RESUMES -ACL | Where-Object { $_.User -eq "johnh" }

Mailbox       Rights  User
-------       ------  ----
INBOX.RESUMES lrswipc johnh

PS>

Here, instead of setting a complete list of rights (as in #2), the command removes one specific right.

4. Add a Specific Right to a User: If you want to add a specific right to a user, use the "+" prefix. For example, if you want to add the delete right back to johnh:

PS> Set-IMAP -server $mymailserver -User $user -password $pass -folder INBOX.RESUMES -ACLUser johnh -ACL "+d"

PS> Get-IMAP -server $mymailserver -User $user -password $pass -folder INBOX.RESUMES -ACL | Where-Object { $_.User -eq "johnh" }

Mailbox       Rights   User
-------       ------   ----
INBOX.RESUMES lrswipcd johnh

PS>

5. Remove All Rights from a User: To completely remove all rights from a specific user, you must explicitly remove every right (using the "-" prefix). After this, the user will be prevented from interacting with the folder at all. The following removes all rights from johnh:

PS> Set-IMAP -server $mymailserver -User $user -password $pass -folder INBOX.RESUMES -ACLUser johnh -ACL "-lrswipcda"

PS> Get-IMAP -server $mymailserver -User $user -password $pass -folder INBOX.RESUMES -ACL

Mailbox       Rights    User
-------       ------    ----
INBOX.RESUMES lrswipcda lancer
INBOX.RESUMES lrswipcd  sahils
INBOX.RESUMES lr        derekm
INBOX.RESUMES lrswipcd  robc
INBOX.RESUMES lrswipcd  blakeb

PS>

Now, johnh no longer has any rights in the INBOX.RESUMES folder.

When setting rights: If the ACL parameter value starts with a plus, the rights are added to any existing rights for the identifier. If the ACL parameter value starts with a minus, the rights are removed from any existing rights for the identifier. If the ACL parameter value does not start with a plus or minus, the rights replace any existing rights for the identifier.
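
The prefix rules above can be checked offline before a change is sent to the server. The following is an added example, not part of NetCmdlets or the original article: Resolve-ImapRights and Test-ImapAclChange are hypothetical helper names, and the sample ACL is constructed from rows in the first listing.

```powershell
# Added example (not NetCmdlets code): models the -ACL prefix rules offline.
# Resolve-ImapRights and Test-ImapAclChange are hypothetical helper names.
$AllRights = 'lrswipcda'   # the nine rights, in the order the article lists them

function Resolve-ImapRights {
    param([string]$Current, [Parameter(Mandatory)][string]$Change)
    $mode = 'replace'; $letters = $Change
    if ($Change.StartsWith('+')) { $mode = 'add'; $letters = $Change.Substring(1) }
    elseif ($Change.StartsWith('-')) { $mode = 'remove'; $letters = $Change.Substring(1) }
    # Reject letters outside the nine rights so a typo never reaches the server
    foreach ($c in $letters.ToCharArray()) {
        if ($AllRights.IndexOf($c) -lt 0) { throw "Unknown right '$c' in '$Change'" }
    }
    # Walk the canonical list so the result is de-duplicated and ordered
    -join ($AllRights.ToCharArray() | Where-Object {
        $held  = $Current.IndexOf($_) -ge 0
        $named = $letters.IndexOf($_) -ge 0
        switch ($mode) {
            'add'     { $held -or $named }
            'remove'  { $held -and -not $named }
            'replace' { $named }
        }
    })
}

# Constructed sample: rows from the article's first listing, shaped like the
# Get-IMAP -ACL output (Mailbox, Rights, User properties).
$sampleAcl = @(
    [pscustomobject]@{ Mailbox = 'INBOX.RESUMES'; Rights = 'lrswipcda'; User = 'lancer' }
    [pscustomobject]@{ Mailbox = 'INBOX.RESUMES'; Rights = 'lrswipcd';  User = 'derekm' }
    [pscustomobject]@{ Mailbox = 'INBOX.RESUMES'; Rights = 'lrswipcd';  User = 'johnh' }
)

function Test-ImapAclChange {
    param($Acl, [string]$User, [string]$Change)
    $row    = $Acl | Where-Object { $_.User -eq $User }
    $before = if ($row) { $row.Rights } else { '' }
    $after  = Resolve-ImapRights -Current $before -Change $Change
    [pscustomobject]@{
        User = $User; Change = $Change; Before = $before; After = $after
        GrantsAdminister = ($after.Contains('a') -and -not $before.Contains('a'))
        RemovesAllRights = ($after -eq '')
    }
}

# Preview the article's changes, plus one that would grant the administer right
Test-ImapAclChange -Acl $sampleAcl -User derekm -Change 'lr'
foreach ($change in '-d', '+a', '-lrswipcda') {
    Test-ImapAclChange -Acl $sampleAcl -User johnh -Change $change
}
```

To preview against live data, pass the output of Get-IMAP ... -ACL as -Acl in place of the constructed sample, and review any row where GrantsAdminister is true before running Set-IMAP.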

We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at support@nsoftware.com.