
Exchange 2010 - Shared/Room/Equipment Mailboxes - Permissions Best Practices

Posted on 2011-09-07
Last Modified: 2013-11-05
Hello,

I am in need of some assistance in regards to permissions and best practices for Exchange.  We have recently migrated from Novell Groupwise 8.02 to Microsoft Exchange 2010 SP1.  During this conversion what was previously called "Proxy" rights were converted to "Delegate Access" rights.  What I have been finding is that none of these rights converted very well, and most if not all of them do not work as they should.  I have users who used to have Proxy (or Delegate) rights to a shared mailbox that cannot open the mailbox, or cannot open the calendar.  I also have other users who had Proxy rights who are now getting CC'ed on every appointment made with a shared resource (i.e. Conference Rooms).

In order to fix this problem I am under the assumption that I will be starting over from a permissions standpoint.  I have learned very quickly that I do NOT want to use the Delegate Access feature as it is presented in the Outlook client, as it is a very cumbersome way to manage permissions to mailboxes.

The first problem I am having is finding the PowerShell commands to show who the current delegates are so I can delete them.  If I have to, I guess I will, but I do not feel like setting up an Outlook profile for every single shared resource, and setting a password for every single shared resource, so I can go in and manually remove all of the delegates from every single shared resource.

The second problem I am having is I have no idea the proper way to assign rights without using the Delegate Access permission.  For example, I would like to give the receptionists rights to add/remove and review calendar appointments without giving them access to assign delegate access to others.

The third problem I am having is figuring out how to assign these rights to security groups instead of directly to users, thus making these permissions easier to manage going forward.

Any help with any of these problems is greatly appreciated.
Question by:PhillipsPlastics
 

Author Comment

by:PhillipsPlastics
ID: 36502984
I added ReadPermission for a Group to a specific mailbox, yet I still cannot open the shared mailbox from OWA with a user who is a member of the group that I gave the permission to.  ??  I was under the assumption that this would give those rights.

0
 
LVL 14

Expert Comment

by:isaman07
ID: 36504503
0
 

Author Comment

by:PhillipsPlastics
ID: 36505010
Very nice article, however, even if I follow the article, the user still does not have permissions to open the shared mailbox via the Outlook Web Access.  Nor do they have permissions to add the mailbox via the full Outlook client.
0

 
LVL 14

Expert Comment

by:isaman07
ID: 36505398
How did you try to go to the mailbox over OWA? Direct access by using the shared mailbox username and password? Try logging on to OWA using a regular username and password (a user who has permissions to the mailbox), then in the address bar of IE add a slash and the shared mailbox name. So it will be something like this:

webmail.mydomain.com/owa/username/sharedmailboxname

Let me know if this works.
0
 

Author Comment

by:PhillipsPlastics
ID: 36505468
"This mailbox can't be opened. For more information, contact your helpdesk." That is the message I receive when I attempt to do that. I am not attempting to access using shared mailbox username and password.  That does not work through the OWA, but it does work through the Outlook Client.  My specific problem is attempting to open a shared mailbox when logged in as user.
0
 
LVL 14

Expert Comment

by:isaman07
ID: 36505491
Do you have any delegates for that mailbox?

http://technet.microsoft.com/en-us/library/bb124374.aspx
0
 

Author Comment

by:PhillipsPlastics
ID: 36505711
I do not have any delegates set for that mailbox.  I do not want the user to have to approve any appointments made, I want the room to auto approve, I just want the user to be able to switch to the shared mailbox.
0
 
LVL 14

Expert Comment

by:isaman07
ID: 36505733
You will need to delegate so they can access it directly. Delegate doesn't necessarily mean to approve, you can still use automatic approvals.
0
 

Author Comment

by:PhillipsPlastics
ID: 36505763
So apparently I cannot set delegates to be a group.  Can I then remove the fullaccess and readpermission, will the delegate permission alone give this access, or will I need both?
0
 

Author Comment

by:PhillipsPlastics
ID: 36505769
Does it take a period of time for this to happen? Because I just added the user to the delegate list as you suggested in the article, and left the box unchecked for forward meeting requests to delegates.  Yet I still cannot change to the mailbox.
0
 

Author Comment

by:PhillipsPlastics
ID: 36505806
I now receive the error message "You don't have permission to open this mailbox." instead of "This mailbox can't be opened. For more information, contact your helpdesk"
0
 
LVL 14

Accepted Solution

by:
isaman07 earned 1500 total points
ID: 36505923
Did you give full access?
0
 

Author Comment

by:PhillipsPlastics
ID: 36505931
user has full access, yes
0
 
LVL 14

Expert Comment

by:isaman07
ID: 36506130
Just created the scenario on my Exchange 2010 server and I can access the mailbox both from OWA and Outlook 2010.
Here is what you
Create the resource mailbox (room), you already have it.
Right click the mailbox and manage full access permissions, then add a user and click on manage.
Log on to OWA with your own account and in the upper right corner, click the arrow right next to your name and type the resource mailbox name then open. That opens the resource mailbox.
In Outlook, file, open other users folders, type the name of the mailbox, this comes with no results, click on show more names then change the address book from GAL to All Rooms, highlight the resource mailbox and choose open.
0
 

Author Comment

by:PhillipsPlastics
ID: 36506451
Try this scenario -

Create a resource mailbox (room)
Right click the mailbox and manage full access permissions, then add a group and click manage.
Go into AD and add yourself to be a member of that group.
Log in to OWA with your account, and in the upper right corner, click the arrow next to your name and type the resource mailbox name and then open.  It fails for me..


If I add the user directly to have full access as you just instructed me, it works.  Can I make this work via groups? I was told that I could? It lets me add the group via the Manage Full Access Console?
0
 
LVL 14

Expert Comment

by:isaman07
ID: 36506672
I'll give that a shot tomorrow.
0
 

Author Closing Comment

by:PhillipsPlastics
ID: 36909782
Needed to assign rights via PowerShell, as assigning rights using the GUI Full Access does NOT include -InheritanceType All (which is required when assigning permissions to groups).

Add-MailboxPermission -Identity mailboxname -User domain\groupname -AccessRights FullAccess -InheritanceType All
0
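
Added example, not written by either poster in this thread: an Exchange Management Shell sketch covering the three problems in the question (listing existing grants and delegates, giving receptionists calendar-only rights, and granting through a security group with the -InheritanceType All setting from the closing comment). The group name Reception-RoomAccess and room alias ConfRoomA are hypothetical, and the folder name assumes an English-language mailbox.

```powershell
# Added example for the Exchange Management Shell (Exchange 2010 SP1).
# Hypothetical names: 'Reception-RoomAccess' (mail-enabled universal security
# group) and room alias 'ConfRoomA'. 'Calendar' assumes an English mailbox.
$group = 'Reception-RoomAccess'
$room  = 'ConfRoomA'
$types = 'SharedMailbox','RoomMailbox','EquipmentMailbox'
$resources = Get-Mailbox -RecipientTypeDetails $types -ResultSize Unlimited

# 1. Audit: explicit (non-inherited) mailbox-level grants on every resource.
$resources | ForEach-Object { Get-MailboxPermission -Identity $_.Identity } |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
    Select-Object Identity, User, Deny,
        @{ n = 'AccessRights'; e = { $_.AccessRights -join ',' } } |
    Export-Csv .\resource-mailbox-acl.csv -NoTypeInformation

# 2. Audit: booking delegates, and whether requests are forwarded to them
#    (rooms and equipment only; shared mailboxes are skipped).
$resources | Where-Object { $_.RecipientTypeDetails -ne 'SharedMailbox' } |
    ForEach-Object { Get-CalendarProcessing -Identity $_.Identity } |
    Select-Object Identity, AutomateProcessing, ForwardRequestsToDelegates,
        @{ n = 'ResourceDelegates'; e = { $_.ResourceDelegates -join ';' } } |
    Export-Csv .\resource-delegates.csv -NoTypeInformation

# 3. Audit: who holds rights on one room's Calendar folder.
Get-MailboxFolderPermission -Identity "${room}:\Calendar" |
    Select-Object User, AccessRights

# 4. Least privilege for receptionists: Editor on the calendar folder only
#    (create, read, edit and delete items), no mailbox-wide access.
Add-MailboxFolderPermission -Identity "${room}:\Calendar" -User $group `
    -AccessRights Editor -WhatIf

# 5. Group-based FullAccess for those who must open the whole mailbox,
#    using the inheritance setting reported in the closing comment.
Add-MailboxPermission -Identity $room -User $group -AccessRights FullAccess `
    -InheritanceType All -WhatIf

# 6. Clear booking delegates and stop forwarding requests to them.
Set-CalendarProcessing -Identity $room -ResourceDelegates $null `
    -ForwardRequestsToDelegates $false -WhatIf
```

Steps 4 to 6 only preview the change while -WhatIf is present; review the two CSV reports first, then remove -WhatIf to apply.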
