Garry Shape
asked on
Set Mailbox privileges for managers and their employees
There was a PowerShell script I came across a while ago but I cannot relocate it. It basically enabled privileges for certain AD groups to be able to add members' mailboxes who belonged to other AD groups into their Outlook if they wished (through account settings).
However my question here is: is there a way to set it up so that the managers can access all of their "Direct Reports" (referring to Active Directory structure where you set a Manager and then in that manager's properties, they have "Direct Reports")?
ASKER CERTIFIED SOLUTION
One correction (of course), the if statement should read:
if ($directReports -ne $Null)
I left off the s in $directReports
ASKER
Hey thanks for your reply will try this in my comp very soon
ASKER
Do you know if there's a way to set it so that the Direct Reports are put into a group which then the group could be accessed by the manager?
I think if they're set up like this, which is a great script, then the mailboxes will automatically open each time the manager launches Outlook.
If the Direct Reports are in a group, and then the manager has full mailbox access to that "group", then all the mailboxes within that group do not automatically open when Outlook is launched. Instead, we have an add-on that allows people to "Open Mailbox" and then they can type the name of a person who's in a group that they have full access to, and open the mailbox on demand.
The script doesn't cause the mailboxes to open. All it does is give the managers the rights needed to open the mailboxes. Outlook only opens, by default, the mailbox associated with the Outlook profile and any mailboxes added to the additional mailboxes tab in Outlook settings. The script just sets the permissions so the manager can open the other mailboxes manually (or with your add-on).
As for groups, there is no way to do that since what you need is to apply rights on the direct reports' mailboxes, not on their AD accounts.
ASKER
Hmm, well, I'm not sure, it may be something with our AutoDiscover that automatically opens it, because I issued the command "Add-MailboxPermission UserA -User UserB -AccessRights:FullAccess" where UserA is someone else's mailbox and UserB is myself, I closed and re-opened Outlook, and UserA is in my mailbox.
Or is it just doing that because I'm running that single command and not the script in its entirety? Sorry if I'm misunderstanding.
No, Add-MailboxPermission has nothing to do with Outlook. The only thing I can think that you are doing is maybe you have a profile set up with the other user's mailbox and it is letting you open it. Make sure your Outlook profile doesn't have his mailbox defined in it. If the profile is set up to use his mailbox, assigning the right will allow it. But if it is set up to use your profile, it will not automatically open his. All the Add-MailboxPermission cmdlet does is grant you the rights to open the other mailbox.
ASKER
Ok I think this might be it:
http://www.stevieg.org/2011/02/disable-exchange-2010-sp1s-auto-shared-mailbox-mapping/
ASKER
Thanks for your help. I think with your script and the incorporation of that auto-share disabling we are looking at a suitable solution.
I have never seen this before. I run Exchange 2007 and Outlook 2010 fully patched. Weird. Why would they ever implement something like that? At any rate, good find. That should work for you. If you want me to re-write the script to include the script from the link I can do that for you.
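The permission step discussed in this thread, as an added example that is not part of the original posts or of the members-only solution: it grants a manager FullAccess on each direct report's mailbox and turns off Outlook auto-mapping with the `-AutoMapping $false` parameter of Add-MailboxPermission. It assumes the Exchange Management Shell on Exchange 2010 SP2 or later (where that parameter exists) with the ActiveDirectory module available; the function name and the sample account are hypothetical.

```powershell
# Added example: run in the Exchange Management Shell (Exchange 2010 SP2 or later).
Import-Module ActiveDirectory

function Grant-ManagerMailboxAccess {   # hypothetical name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Manager   # sAMAccountName of the manager
    )

    # directReports is the AD back-link listing the DN of every account
    # whose Manager attribute points at this user.
    $mgr = Get-ADUser -Identity $Manager -Properties directReports
    $directReports = $mgr.directReports

    if ($directReports -ne $Null) {
        foreach ($dn in $directReports) {
            # Rights go on the mailbox, so skip reports that have none.
            $mbx = Get-Mailbox -Identity $dn -ErrorAction SilentlyContinue
            if (-not $mbx) { Write-Verbose "No mailbox for $dn"; continue }

            # Skip mailboxes where the manager already has an explicit
            # (non-inherited, non-deny) FullAccess entry.
            $existing = Get-MailboxPermission -Identity $mbx.DistinguishedName -User $mgr.SamAccountName |
                Where-Object { ($_.AccessRights -match 'FullAccess') -and
                               (-not $_.IsInherited) -and (-not $_.Deny) }
            if ($existing) { Write-Verbose "Already granted on $dn"; continue }

            if ($PSCmdlet.ShouldProcess($mbx.DistinguishedName,
                    "Grant FullAccess to $($mgr.SamAccountName), auto-mapping off")) {
                # -AutoMapping $false stops Outlook from opening the mailbox
                # automatically; the manager opens it on demand instead.
                Add-MailboxPermission -Identity $mbx.DistinguishedName `
                    -User $mgr.SamAccountName -AccessRights FullAccess `
                    -InheritanceType All -AutoMapping $false
            }
        }
    }
}

# Dry run for a constructed sample account; drop -WhatIf to apply.
# Grant-ManagerMailboxAccess -Manager 'jdoe' -WhatIf -Verbose
```

The permission entries are not tied to the Manager attribute: when a report moves to another manager, the old entry stays on the mailbox until it is removed with Remove-MailboxPermission, so the grants need periodic review with Get-MailboxPermission.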
ASKER
Ah man I closed too soon.
Think you could integrate the script?
However, an easier way might be to just add the Manager as a delegate to all their direct reports' Outlook profiles, giving them Review, Author, or Editor rights.
Of course, depending on the organization.
Some organizations see Exchange and users' mailboxes as company property.
And being company property, everyone has at least Review access on each other's mailboxes and calendars.
Of course, other than users like the CEO or HR.