Set-MailboxPermission
Is there a way to assign a user full control over another user's mailbox with FIM, i.e. the equivalent of the PowerShell command
Add-MailboxPermission xxx -AccessRights FullAccess -user yyy
If not, which is the most appropriate way to run some mailbox-specific configuration (custom activity, MA rules extension)?
Thanks,
Paolo
Paolo Tedesco - http://cern.ch/idm
February 2nd, 2010 8:05pm

ILM was never much good at assigning permissions, and FIM isn't any different. You can do some permissions work using XMAs, as long as you keep your requirements simple.
For instance it may work to provision a "mailbox-access" object in an XMA which has an email address as one attribute, and a multi-valued attribute listing the trustees. You would then write an export routine that looped through the trustee list and called the PowerShell cmdlet.
I wrote up a PowerShell XMA for ILM some time back which may help. http://www.wapshere.com/missmiis/adding-exchange-2007-mailboxes-to-existing-user-accounts
Carol
http://www.wapshere.com/missmiis
February 2nd, 2010 11:06pm

Looks like I am in the same boat as you in figuring out a way to implement cmdlet functions from within FIM - Exchange 2010 cmdlets vs. FIM. Please post back any progress and I'll do the same here. Carol has some good thought starters.
Anu
February 3rd, 2010 4:11am

Hi Carol,
thanks for your help (and for the blog posts), the extensible MA is definitely something to consider.
I see that the Microsoft.MetadirectoryServices namespace contains an IMACalloutExtension interface, about which I could find no documentation, but that has some methods that look like hooks to perform operations when something is exported... does anybody know what it is meant for? Attaching some code to an export event would be the ideal solution for me.
Thanks,
Paolo
Paolo Tedesco - http://cern.ch/idm
February 3rd, 2010 6:19pm

An interesting alternative to the MA solution is using the MA's log files.
- set the AD MA export profile to log to some file, e.g. "AD-Export.xml"
- run the export profile with a PS script
- use AD-Export.xml to retrieve information about the newly created / modified users
- run the Add-Permission cmdlet on the new users without running a query
This approach might prove useful to implement some more complex scenarios, like performing an operation when an attribute of a user is modified, since the log file contains all the relevant information.
Paolo Tedesco - http://cern.ch/idm
February 9th, 2010 12:13pm
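
The log-file approach from the last post, sketched as an added example (not code from the thread or from any participant): it reads the export log, keeps only newly added user objects inside one allowed OU, writes an audit line per grant, and changes nothing unless -Apply is given. Assumptions: the log layout (one delta element per exported object, with operation and dn attributes and a primary-objectclass child) and the embedded sample are constructed here, and the trustee and OU are hypothetical placeholders.

```powershell
# Added example: trustee, OU and the sample log below are constructed, not from the thread.
param(
    [string]$Trustee   = 'EXAMPLE\mailbox-delegate',   # hypothetical trustee (the "yyy" in the question)
    [string]$AllowedOu = 'OU=Staff,DC=example,DC=org', # hypothetical scope limit for grants
    [switch]$Apply                                     # without -Apply this is a dry run
)

# Constructed stand-in for AD-Export.xml; assumed layout: one <delta> per exported object.
[xml]$log = @'
<mmsml step-type="export">
  <directory-entries>
    <delta operation="add" dn="CN=Alice Example,OU=Staff,DC=example,DC=org">
      <primary-objectclass>user</primary-objectclass>
    </delta>
    <delta operation="replace" dn="CN=Bob Example,OU=Staff,DC=example,DC=org">
      <primary-objectclass>user</primary-objectclass>
    </delta>
    <delta operation="add" dn="CN=Eve Example,OU=Guests,DC=example,DC=org">
      <primary-objectclass>user</primary-objectclass>
    </delta>
  </directory-entries>
</mmsml>
'@

function Get-NewUserDn {
    param([xml]$ExportLog, [string]$Scope)
    # local-name() keeps the query independent of any XML namespace on the real file.
    $nodes = $ExportLog.SelectNodes("//*[local-name()='delta'][@operation='add']")
    foreach ($n in $nodes) {
        $class = $n.SelectSingleNode("*[local-name()='primary-objectclass']")
        $dn = $n.GetAttribute('dn')
        # Only user objects inside the allowed OU are ever returned for a grant.
        $inScope = $dn.EndsWith(",$Scope", [StringComparison]::OrdinalIgnoreCase)
        if ($class -and $class.InnerText -eq 'user' -and $inScope) { $dn }
    }
}

foreach ($dn in Get-NewUserDn -ExportLog $log -Scope $AllowedOu) {
    # One audit line per grant, emitted before the change is attempted.
    "{0:o} grant FullAccess on '{1}' to '{2}' apply={3}" -f (Get-Date), $dn, $Trustee, [bool]$Apply
    if ($Apply) {
        Add-MailboxPermission -Identity $dn -User $Trustee -AccessRights FullAccess
    }
}
```

With the sample above only the Alice entry qualifies: the Bob entry is a modification rather than an add, and the Eve entry falls outside the allowed OU.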

This topic is archived. No further replies will be accepted.
