'Master account' for Exchange mailboxes
Hi

From what I understand, when creating a new mailbox in Exchange 2003/AD 2003, there must be an associated AD account with the mailbox. So let's say I create domain\user1 who has a mailbox on mailserver1/storage group1/store 1. Whenever I grant people access to this mailbox etc., I am actually setting the permissions on User1's AD account, correct? It's just the Exchange-related AD attributes I'm amending. But User1 may have access to several mailboxes, right? So where does it say that the one located on "mailserver1/storage group1/store 1" is the one that you change permissions on when amending User1's AD attributes? And what is the attribute actually called?
August 16th, 2010 12:36pm

Yes, an Exchange mailbox must have an AD account associated. You can give Send-As AD permission to grant people access to user1's mailbox; that's the user object's Access Control List (ACL), an AD property, or Full Mailbox Access in the mailbox access control list. Basically three AD attributes, homeMTA, homeMDB & msExchHomeServerName of an AD user account, are used to identify the location of the user's mailbox. So basically if you grant permission to user1 on any other mailbox in the environment, the information will be stored in the ACLs of that mailbox, and if you grant permission to someone else on user1's mailbox then it will be stored in the ACL of user1.

Amit Tank MVP: Exchange Server | MCTS: Microsoft Exchange Server 2010, Configuration | MCITP: EMA | MCSA: M Blog: http://ExchangeShare.WordPress.com | User Group: http://MUC-UG.org.in
August 16th, 2010 5:50pm

Hi Amit

> So basically if you grant permission to user1 on any other mailbox in environment, the information will be stored in ACLs of that mailbox and if you grant permission to someone else on user1's mailbox then it will be stored in ACL of user1.

Shouldn't that be:

So basically if you grant permission to user1 on any other mailbox in environment, the information will be stored in ACLs of that AD ACCOUNT and if you grant permission to someone else on user1's mailbox then it will be stored in ACL of user1.

i.e., if you grant permission to user1 on user2@domain.com mailbox, then the information will be stored in the ACLs of the user2 AD account (I presume there is an AD attribute that states who has Full Mailbox Access to the msExch mailbox)?
August 16th, 2010 5:57pm

On Mon, 16 Aug 2010 14:57:22 +0000, Neil4933 wrote:

>> So basically if you grant permission to user1 on any other mailbox in environment, the information will be stored in ACLs of that mailbox and if you grant permission to someone else on user1's mailbox then it will be stored in ACL of user1.
>
> Shouldn't that be:
>
> So basically if you grant permission to user1 on any other mailbox in environment, the information will be stored in ACLs of that AD ACCOUNT and if you grant permission to someone else on user1's mailbox then it will be stored in ACL of user1.

You both just said the same thing.

> i.e, if you grant permission to user1 on user2@domain.com mailbox, then the information will be stored in the ACL's of the user2 AD account (I presume there is an AD attribute that states who has Full Mailbox Access to the msExch mailbox)?

While the mailbox rights are kept in the AD, the real ACL is on the mailbox in the database managed by the Information Store on the Exchange server. You can blow away the information in the AD (if you don't use software that tries to keep the two sets of data in sync) and not affect the ACL on the mailbox. You wouldn't be happy with the result, but the two really are independent.

--- Rich Matheisen MCSE+I, Exchange MVP
August 17th, 2010 5:19am

There are two levels of permissions:

The AD account. It has an ACL (attribute MailboxRights) that contains permissions on what you can do on behalf of or impersonating the user holding the related mailbox, e.g. Send As.

The Mailbox. Permissions are granted on the mailbox (top of mailbox or information store) and on each subfolder. The permissions can be inspected or changed through the folder's ACL (aclobject). There are standard folders like Calendar and Inbox which are used as default folders when opening someone else's Calendar or Inbox, for example.

Note that only 1 mailbox can be associated with a user object (through HomeMDB etc.). If you want to open additional boxes, you need to explicitly add them to your (Outlook) profile. For that mailbox, what you can do with it is defined on the AD object associated with the mailbox (Send As, etc.). What permissions you have in the mailbox itself is defined on the mailbox in the store (top level, subfolders).

Michel de Rooij, MCITP Ent.Msg 2007+2010 | MCTS W2008, Ex2007+2010 Conf | MCSE+Msg2k3 | MCSE+Inet2k3 | Prince2 Fnd | ITIL I blog on http://eightwone.wordpress.com/ and tweet on http://twitter.com/mderooij
August 18th, 2010 3:52am
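An added read-only audit script (not posted by anyone in this thread) that shows the two layers the replies describe for one Exchange 2003 user: the three location attributes, the Send-As extended right in the user object's own DACL, and the AD-side copy of the mailbox rights. The user DN is a placeholder; the attribute name msExchMailboxSecurityDescriptor and the ADSI COM shape of its value are assumptions, and as Rich notes the store ACL, not this copy, is authoritative.

```powershell
# Added example: audit mailbox location, Send-As ACEs and cached mailbox rights
# for one Exchange 2003 user via ADSI. Placeholder DN; run on a domain-joined
# machine as an account allowed to read the object and its security descriptor.
$user = [ADSI]"LDAP://CN=User1,OU=Users,DC=example,DC=com"

# 1. Where is the mailbox? These three attributes tie the user object to exactly
#    one server / storage group / store, as stated in the thread.
foreach ($attr in 'homeMDB', 'homeMTA', 'msExchHomeServerName') {
    "{0,-22} {1}" -f $attr, $user.Properties[$attr].Value
}

# 2. AD-object layer: Send-As is a control access (extended) right in the DACL of
#    the user object itself. GUID of the Send-As control access right:
$sendAs   = [Guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'
$extended = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$rules = $user.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
"`nSend-As entries on the user object:"
foreach ($r in $rules) {
    # An ExtendedRight ACE with ObjectType Guid.Empty grants ALL extended rights,
    # so it must be reported too; inherited entries usually come from the OU or domain.
    $isExt = (([int]$r.ActiveDirectoryRights -band $extended) -ne 0)
    if ($isExt -and ($r.ObjectType -eq $sendAs -or $r.ObjectType -eq [Guid]::Empty)) {
        "{0,-6} {1,-35} inherited={2}" -f $r.AccessControlType, $r.IdentityReference, $r.IsInherited
    }
}

# 3. Mailbox layer: Full Mailbox Access lives on the mailbox in the store. AD keeps
#    a copy in msExchMailboxSecurityDescriptor (assumed name); treat it as a hint and
#    confirm against the store, since the two can drift apart.
$sd = $user.Properties['msExchMailboxSecurityDescriptor'].Value
"`nMailbox rights cached in AD (trustee / access mask):"
if ($sd -ne $null) {
    foreach ($ace in $sd.DiscretionaryAcl) {
        # IADsAccessControlEntry: AceType 0 = allow, 1 = deny; mask printed raw
        $kind = if ($ace.AceType -eq 1) { 'Deny' } else { 'Allow' }
        "{0,-5} {1,-35} 0x{2:X8}" -f $kind, $ace.Trustee, $ace.AccessMask
    }
}
```

Any principal listed under step 2 or 3 who is not the mailbox owner or an approved delegate is worth a ticket; re-run the script after changes to confirm the entry is gone from both layers.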

This topic is archived. No further replies will be accepted.