Set Mailbox privileges for managers and their employees

Posted on 2011-10-06
Last Modified: 2012-05-12
There was a powershell script I came across a while ago but I cannot relocate it. It basically enabled privileges for certain AD Groups to be able to add members' mailboxes who belonged to other AD groups into their Outlook if they wished (through account settings).

However my question here is: is there a way to set it up so that the managers can access all of their "Direct Reports"  (referring to Active Directory structure where you set a Manager and then in that manager's properties, they have "Direct Reports")?
0
Question by:garryshape
12 Comments
 
LVL 47

Expert Comment

by:apache09
ID: 36928622
In AD, basically what you do is simply add that manager to each direct report's mailbox.

However, an easier way might be to just add the manager as a delegate to all their direct reports' Outlook profiles, giving them Review, Author, or Editor rights.

Of course, depending on the organization, some organizations see Exchange and users' mailboxes as company property. And being company property, everyone has at least Review access on each other's mailboxes and calendars.

Of course, other than users like the CEO or HR.


0
 
LVL 12

Accepted Solution

by:
GusGallows earned 2000 total points
ID: 36930435
A way to do it through PowerShell (running in the Exchange Management Shell) would be to grab all user accounts, check to see if they have direct reports, and if they do, add FullAccess permissions to those direct account mailboxes for the user. See the script in the code box below:

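# Get every user object, then handle the ones that have direct reports
$users = get-user -resultsize unlimited
foreach ($user in $users)
{
	# The manager's DN is the account that receives the rights
	$manUserDN = $user.DistinguishedName
	$directReports = @($user.DirectReports)
	if ($directReport -ne $Null)
	{
		# Grant the manager FullAccess on each direct report's mailbox
		foreach ($directReport in $directReports)
		{
			$drUserdn = $directReport.DistinguishedName
			Add-MailboxPermission $drUserDN -User $manUserDN -AccessRights:FullAccess
		}
	}
}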


0
 
LVL 12

Expert Comment

by:GusGallows
ID: 36930440
One correction (of course), the if statement should read:
if ($directReports -ne $Null)


I left off the s in $directReports
0
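
Added example (not part of the thread and not GusGallows's script): a review-first variant of the approach above, for PowerShell 2.0 or later. It builds the manager-to-mailbox grant list as data, skips mailboxes on an exclusion list, and only previews the change with -WhatIf. The function name Get-ManagerAccessPlan, the exclusion list and the sample users are assumptions constructed for illustration.

```powershell
# Added example; Get-ManagerAccessPlan and all sample data are hypothetical.
function Get-ManagerAccessPlan {
    param(
        [object[]] $Users,                  # objects exposing DistinguishedName and DirectReports
        [string[]] $ExcludedMailboxes = @() # DNs that must never be opened up (e.g. CEO, HR)
    )
    foreach ($user in $Users) {
        foreach ($report in @($user.DirectReports)) {
            if ($null -eq $report) { continue }   # user has no direct reports
            # Exchange returns object IDs with a DistinguishedName property; the sample uses plain strings
            $reportDN = if ($report -is [string]) { $report } else { $report.DistinguishedName }
            $action = if ($ExcludedMailboxes -contains $reportDN) { 'Skip' } else { 'Grant' }
            New-Object PSObject -Property @{
                Manager = $user.DistinguishedName
                Mailbox = $reportDN
                Action  = $action
            }
        }
    }
}

# Constructed sample input; in the Exchange Management Shell use: $users = Get-User -ResultSize Unlimited
$users = @(
    (New-Object PSObject -Property @{
        DistinguishedName = 'CN=Manager One,OU=Staff,DC=example,DC=test'
        DirectReports     = @('CN=Report A,OU=Staff,DC=example,DC=test',
                              'CN=HR Lead,OU=Staff,DC=example,DC=test') }),
    (New-Object PSObject -Property @{
        DistinguishedName = 'CN=Report A,OU=Staff,DC=example,DC=test'
        DirectReports     = @() })
)
$excluded = @('CN=HR Lead,OU=Staff,DC=example,DC=test')

$plan = @(Get-ManagerAccessPlan -Users $users -ExcludedMailboxes $excluded)
$plan | Select-Object Manager, Mailbox, Action | Format-Table -AutoSize

# Preview only: -WhatIf reports what would be granted without changing any mailbox
if (Get-Command Add-MailboxPermission -ErrorAction SilentlyContinue) {
    $plan | Where-Object { $_.Action -eq 'Grant' } | ForEach-Object {
        Add-MailboxPermission -Identity $_.Mailbox -User $_.Manager -AccessRights FullAccess -WhatIf
    }
}
```

Keeping the plan output gives a record of which manager was given access to which mailbox, which is what a later access review needs.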

Author Comment

by:garryshape
ID: 36931027
Hey, thanks for your reply. Will try this in my comp very soon.
0
 

Author Comment

by:garryshape
ID: 36943157
Do you know if there's a way to set it so that the Direct Reports are put into a group which then the group could be accessed by the manager?
I think if they're set up like this, which is a great script, then the mailboxes will automatically open each time the manager launches Outlook.

If the Direct Reports are in a group, and then the manager has full mailbox access to that "group", then all the mailboxes within that group do not automatically open when Outlook is launched. Instead, we have an add-on that allows people to "Open Mailbox" and then they can type the name of a person who's in a group that they have full access to, and open the mailbox on demand.
0
 
LVL 12

Expert Comment

by:GusGallows
ID: 36944201
The script doesn't cause the mailboxes to open. All it does is give the managers the rights needed to open the mailboxes. Outlook only opens, by default, the mailbox associated with the Outlook profile and any mailboxes added to the additional mailboxes tab in Outlook settings. The script just sets the permissions so the manager can open the other mailboxes manually (or with your add-on).

As for groups, there is no way to do that, since what you need is to apply rights on the direct reports' mailboxes, not on their AD accounts.
0
 

Author Comment

by:garryshape
ID: 36945106
Hmm, well, I'm not sure; it may be something with our AutoDiscover that automatically opens it, because I issued the command "Add-MailboxPermission UserA -User UserB -AccessRights:FullAccess", where UserA is someone else's mailbox and UserB is myself, then I closed and re-opened Outlook and UserA is in my mailbox.

Or is it just doing that because I'm running that single command and not the script in its entirety? Sorry if I'm misunderstanding.
0
 
LVL 12

Expert Comment

by:GusGallows
ID: 36948034
No, the Add-MailboxPermission cmdlet has nothing to do with Outlook. The only thing I can think that you are doing is maybe you have a profile set up with the other user's mailbox and it is letting you open it. Make sure your Outlook profile doesn't have his mailbox defined in it. If the profile is set up to use his mailbox, assigning the right will allow it. But if it is set up to use your profile, it will not automatically open his. All the Add-MailboxPermission cmdlet does is grant you the rights to open the other mailbox.
0
 

Author Comment

by:garryshape
ID: 36949771
0
 

Author Closing Comment

by:garryshape
ID: 36949943
Thanks for your help. I think with your script and the incorporation of that auto-share disabling we are looking at a suitable solution.
0
 
LVL 12

Expert Comment

by:GusGallows
ID: 36949948
I have never seen this before. I run Exchange 2007 and Outlook 2010, fully patched. Weird. Why would they ever implement something like that? At any rate, good find. That should work for you. If you want me to re-write the script to include the script from the link, I can do that for you.
0
 

Author Comment

by:garryshape
ID: 36950105
Ah man I closed too soon.

Think you could integrate the script?
0
