Delegate user rights to a mailbox and deny the ability to delete.
Help. I am struggling to allocate the delegated rights a customer requires on an Exchange 2007 server.

Basically we have set up a standard user mailbox that is required as a "resource mailbox" (not in the 2007 terminology) accessed by multiple users. These users do NOT have mailboxes and have no requirement for them. They only want 2 "admins" to have the right to delete emails. That is the easy bit (via the console or PowerShell) and works fine.

I cannot find a way of granting the other 6 access to the mailbox and denying them the ability to delete emails. Full Access grants them the delete right and I cannot find a way to stop them from being able to delete (having tested the various -AccessRights and trying to utilise the -Deny parameter switch).

So:
1 - Can you do this?
2 - If so, how?

Really appreciate some help as I have spent a while on this and I now have a PM on my back.

Cheers

(And please don't just point me to http://technet.microsoft.com/en-us/library/bb124097.aspx or http://technet.microsoft.com/en-us/library/bb124403.aspx. If they contain the answer, please help me find it there.)
April 3rd, 2009 4:35pm

Well, it is not possible with Add-MailboxPermission or with Add-ADPermission to deny delete permission, but the workaround is to give the necessary MAPI folder permissions (select None for "Delete items") inside the mailbox by opening it in Outlook, on the root of the mailbox and on all sub folders. However, you can give MAPI permissions only to mail-enabled or mailbox-enabled users which are listed in the GAL. Check the article below to understand it...

Minimum permissions necessary to access mailbox data
http://msexchangeteam.com/archive/2006/01/25/418099.aspx

Amit Tank | MVP - Exchange | MCITP:EMA MCSA:M | http://ExchangeShare.WordPress.com
April 3rd, 2009 6:50pm

Amit,

Thank you for your reply. It proves what I thought (hence my comment "These users do NOT have mailboxes and have no requirement for them").

Having spent hours in ADSIEDIT etc., I soon realised of course that all these permissions are against the AD objects. I guess what I would have to do is mail-enable all accounts and then delegate the rights through Outlook.

The other option I gave to the PM was journaling, and giving access to the journal to only the two "admin" accounts. (EDIT - Of course the journaling option would be after giving all six users full rights through the EMS.)

Thank you
April 3rd, 2009 7:43pm

So if I create a mail-enabled group and add non-mail-enabled users into it, I can assign MAPI permissions to the group.

I configure Outlook (2003 presented through Citrix) to point to the "shared" mailbox, however I then get presented with a credentials box (with Outlook half open behind). Now at this point I assume this is because the user account does not have permissions to the mailstore / Exchange Organisation.

Can I overcome this (without granting permissions to other mailboxes in the mailstore), or are we just looking at the fact that we are not using Exchange / Outlook in the way in which it was designed to be used?

I guess one option is to give all the users a single account and password for a mail-enabled account and have them cache the credentials (save password) and ensure their roaming profiles pick it up, but then any potential auditing etc. goes out of the window......
April 3rd, 2009 8:45pm

Hi,

I have tested in my lab; that could not be achieved.

To access the resource mailbox by using the accounts which are non-mail-enabled users, you should give the Full Access permission to the non-mail-enabled users, which lets the non-mail-enabled users use their own credentials to access the resource mailbox. However, to restrict the delete permission, we need to configure it on the MAPI level. That will cause the non-mail-enabled users to still have delete permission since it is already inherited from the Full Access permission.

Thanks
Allen
April 7th, 2009 12:47pm

Thanks for the testing Allen, I had a similar feeling but didn't have a lab nearby to produce a similar situation :)

Amit Tank | MVP - Exchange | MCITP:EMA MCSA:M | http://ExchangeShare.WordPress.com
April 7th, 2009 1:09pm

Thanks Allen.

Your testing confirms what everything was telling me originally but I didn't want to hear. Appreciate you taking some time to run through it and see if there were any "work arounds".

Regards
Alan
April 9th, 2009 5:52pm

Hi,

The workaround is to mail-enable the accounts for the non-mail-enabled users and configure the permission on the MAPI level of the resource mailbox directly, but with no need to give the Full Access permission, as Amit recommended. But that implies your deployment has no meaning.

Thanks
Allen
April 10th, 2009 5:55am
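The workaround Amit and Allen describe, assembled as an added example in Exchange 2007 Management Shell commands (this is not code from any poster in the thread). The mailbox, account and domain names are placeholders; the folder-level MAPI step still has to be done in Outlook, because Exchange 2007 has no cmdlet for mailbox folder permissions.

```powershell
# Added example, not from the thread. Placeholder names: shared mailbox "ResourceBox",
# two admins "admin1"/"admin2", six mailbox-less users "user1".."user6", domain contoso.example.
$Mailbox = "ResourceBox"
$Admins  = "admin1", "admin2"
$Users   = "user1", "user2", "user3", "user4", "user5", "user6"

# 1. Only the two admins get Full Access. Full Access implies the right to delete items,
#    and the -Deny switch cannot carve "delete" out of it, so nobody else gets this grant.
foreach ($a in $Admins) {
    Add-MailboxPermission -Identity $Mailbox -User $a -AccessRights FullAccess -InheritanceType All
}

# 2. The six remaining users need no mailbox, but they must be mail-enabled so they appear
#    in the GAL and can be selected in Outlook's folder permission dialog.
#    The external address is a placeholder.
foreach ($u in $Users) {
    Enable-MailUser -Identity $u -ExternalEmailAddress "$u@contoso.example"
}

# 3. Folder-level (MAPI) permissions for the six users are then set in Outlook on the
#    mailbox root and on every folder, with "Delete items" set to None. There is no
#    Exchange 2007 cmdlet for this step.

# 4. Audit check: every explicit FullAccess entry on the mailbox is an account that can
#    delete, so the output should list only the two admins plus the built-in SELF/system entries.
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { -not $_.IsInherited -and ($_.AccessRights -like "*FullAccess*") } |
    Select-Object User, AccessRights, Deny
```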
