Solved

Exchange 2010 - Shared/Room/Equipment Mailboxes - Permissions Best Practices

Posted on 2011-09-07
Last Modified: 2013-11-05
Hello,

I am in need of some assistance in regards to permissions and best practices for Exchange.  We have recently migrated from Novell Groupwise 8.02 to Microsoft Exchange 2010 SP1.  During this conversion what was previously called "Proxy" rights were converted to "Delegate Access" rights.  What I have been finding is that none of these rights converted very well, and most if not all of them do not work as they should.  I have users who used to have Proxy (or Delegate) rights to a shared mailbox that cannot open the mailbox, or cannot open the calendar.  I also have other users who had Proxy rights who are now getting CC'ed on every appointment made with a shared resource (i.e. Conference Rooms).

In order to fix this problem I am under the assumption that I will be starting over from a permissions standpoint.  I have learned very quickly that I do NOT want to use the Delegate Access feature as it is presented in the Outlook client, as it is a very cumbersome way to manage permissions to mailboxes.

The first problem I am having is finding the PowerShell commands to show who the current delegates are so I can delete them.  If I have to, I guess I will, but I do not feel like setting up an Outlook profile for every single shared resource, and setting a password for every single shared resource, so I can go in and manually remove all of the delegates from every single shared resource.

The second problem I am having is I have no idea the proper way to assign rights without using the Delegate Access permission.  For example, I would like to give the receptionists rights to add/remove and review calendar appointments without giving them access to assign delegate access to others.

The third problem I am having is figuring out how to assign these rights to security groups instead of directly to users, thus making these permissions easier to manage going forward.

Any help with any of these problems is greatly appreciated.
Question by:PhillipsPlastics
 

Author Comment

by:PhillipsPlastics
ID: 36502984
I added ReadPermission for a Group to a specific mailbox, yet I still cannot open the shared mailbox from OWA with a user who is a member of the group that I gave the permission to.  ??  I was under the assumption that this would give those rights.

0
 
LVL 14

Expert Comment

by:isaman07
ID: 36504503
0
 

Author Comment

by:PhillipsPlastics
ID: 36505010
Very nice article, however, even if I follow the article, the user still does not have permissions to open the shared mailbox via the Outlook Web Access.  Nor do they have permissions to add the mailbox via the full Outlook client.
0
 
LVL 14

Expert Comment

by:isaman07
ID: 36505398
How did you try to go to the mailbox over OWA? Direct access by using the shared mailbox username and password? Try logging on to OWA using a regular username and password (a user who has permissions to the mailbox), then in the address bar of IE add a slash and the shared mailbox name. So it will be something like this:

webmail.mydomain.com/owa/username/sharedmailboxname

Let me know if this works
0
 

Author Comment

by:PhillipsPlastics
ID: 36505468
This mailbox can't be opened. For more information, contact your helpdesk. That is the message I receive when I attempt to do that. I am not attempting to access using shared mailbox username and password.  That does not work through the OWA, but it does work through the Outlook Client.  My specific problem is attempting to open a shared mailbox when logged in as user.
0
 
LVL 14

Expert Comment

by:isaman07
ID: 36505491
Do you have any delegates for that mailbox?

http://technet.microsoft.com/en-us/library/bb124374.aspx
0
 

Author Comment

by:PhillipsPlastics
ID: 36505711
I do not have any delegates set for that mailbox.  I do not want the user to have to approve any appointments made, I want the room to auto approve, I just want the user to be able to switch to the shared mailbox.
0
 
LVL 14

Expert Comment

by:isaman07
ID: 36505733
You will need to delegate so they can access it directly. Delegate doesn't necessarily mean to approve, you can still use automatic approvals.
0

 

Author Comment

by:PhillipsPlastics
ID: 36505763
So apparently I cannot set delegates to be a group.  Can I then remove the fullaccess and readpermission, will the delegate permission alone give this access, or will I need both?
0
 

Author Comment

by:PhillipsPlastics
ID: 36505769
Does it take a period of time for this to happen? Because I just added the user to the delegate list as you suggested in the article, and left the box unchecked for forward meeting requests to delegates.  Yet I still cannot change to the mailbox.
0
 

Author Comment

by:PhillipsPlastics
ID: 36505806
I now receive the error message "You don't have permission to open this mailbox." instead of "This mailbox can't be opened. For more information, contact your helpdesk"
0
 
LVL 14

Accepted Solution

by:
isaman07 earned 500 total points
ID: 36505923
Did you give full access?
0
 

Author Comment

by:PhillipsPlastics
ID: 36505931
user has full access, yes
0
 
LVL 14

Expert Comment

by:isaman07
ID: 36506130
Just created the scenario on my Exchange 2010 server and I can access the mailbox both from OWA and Outlook 2010.
Here is what you
Create the resource mailbox (room), you already have it
Right click the mailbox and manage full access permissions, then add a user and click on manage.
Log on to OWA with your own account and in the upper right corner, click the arrow right next to your name and type the resource mailbox name then open. That opens the resource mailbox.
In Outlook, file, open other users folders, type the name of the mailbox, this comes with no results, click on show more names then change the address book from GAL to ALL Rooms, highlight the resource mailbox and choose open.
0
 

Author Comment

by:PhillipsPlastics
ID: 36506451
Try this scenario -

Create a resource mailbox (room)
Right click the mailbox and manage full access permissions, then add a group and click manage.
Go into AD and add yourself to be a member of that group.
Log in to OWA with your account, and in the upper right corner, click the arrow next to your name and type the resource mailbox name and then open.  It fails for me..


If I add the user directly to have full access as you just instructed me, it works.  Can I make this work via groups? I was told that I could? It lets me add the group via the Manage Full Access Console?
0
 
LVL 14

Expert Comment

by:isaman07
ID: 36506672
I'll give that a shot tomorrow.
0
 

Author Closing Comment

by:PhillipsPlastics
ID: 36909782
Needed to assign rights via the Powershell, as assigning rights using the GUI Full Access does NOT include -inheritancetype all (which is required when assigning permissions to groups).

add-mailboxpermission -identity mailboxname -user domain\groupname -AccessRights FullAccess -InheritanceType All
0
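
The following is an added example, not part of the original thread: it lists the current delegates and explicit FullAccess grants on shared, room and equipment mailboxes, then previews group-based grants in the form the closing comment describes. The mailbox name and both group names are hypothetical placeholders, and the calendar step assumes the group is a mail-enabled security group.

```powershell
# Run in the Exchange Management Shell on Exchange 2010 (PowerShell 2.0 syntax).
$Room     = 'ConferenceRoomA'        # hypothetical mailbox name
$Group    = 'DOMAIN\Room-Managers'   # hypothetical group that may open the mailbox
$CalGroup = 'Receptionists'          # hypothetical mail-enabled group, calendar only

$resources = Get-Mailbox -ResultSize Unlimited `
    -RecipientTypeDetails SharedMailbox, RoomMailbox, EquipmentMailbox

# 1. Current delegates per mailbox. ForwardRequestsToDelegates controls whether
#    meeting requests are forwarded to the listed delegates.
$delegates = foreach ($mbx in $resources) {
    $cal = Get-CalendarProcessing -Identity $mbx.Identity
    New-Object PSObject -Property @{
        Mailbox                    = $mbx.Name
        ResourceDelegates          = $cal.ResourceDelegates -join '; '
        ForwardRequestsToDelegates = $cal.ForwardRequestsToDelegates
        SendOnBehalfTo             = $mbx.GrantSendOnBehalfTo -join '; '
    }
}
$delegates | Format-Table -AutoSize

# 2. Explicit (non-inherited) FullAccess entries, with each entry's InheritanceType,
#    so direct user grants and group grants can be reviewed side by side.
$fullAccess = foreach ($mbx in $resources) {
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object {
            -not $_.IsInherited -and -not $_.Deny -and
            "$($_.User)" -ne 'NT AUTHORITY\SELF' -and
            "$($_.AccessRights)" -match 'FullAccess'
        } |
        Select-Object @{n='Mailbox'; e={$mbx.Name}}, User, AccessRights, InheritanceType
}
$fullAccess | Sort-Object Mailbox | Format-Table -AutoSize

# 3. Preview the changes; remove -WhatIf to apply them.
# Clear the delegate list on one resource mailbox.
Set-CalendarProcessing -Identity $Room -ResourceDelegates $null -WhatIf
# Group grant in the form given in the closing comment.
Add-MailboxPermission -Identity $Room -User $Group -AccessRights FullAccess `
    -InheritanceType All -WhatIf
# Calendar-only alternative: Editor can create, edit and delete items
# but cannot change the folder's permissions.
Add-MailboxFolderPermission -Identity "$($Room):\Calendar" -User $CalGroup `
    -AccessRights Editor -WhatIf
```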
