Exchange 2010 SP1 Resource Delegate Permission Problem
I have several room mailboxes on an Exchange 2010 SP1 server. All are configured to have the resource booking attendant enabled. Some of them additionally allow out of policy requests. These have a delegate set. The delegate also receives the forwards of out of policy requests. However, it is not possible to approve them: Outlook 2010 says that it cannot open the "Calendar" folder of the room and OWA does not open the request at all, because the delegate user does not have the appropriate permissions. What is the proper way to configure a resource delegate? I thought it would suffice to add it in the "Specify delegates of this mailbox" list of EMC. What else do I have to configure in order to make it work?
May 5th, 2011 10:12pm

Hi, When the room mailbox specify a user, it can be opened by the user To check whether the user is in the resource delegate list: Get-CalendarProcessing -Identity room | fl If the user is not in the list, use cmdlet to add a user http://technet.microsoft.com/en-us/library/bb124973.aspx If it is still not working, try to grant a full access permission to the room to see if it is work or not.Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
May 9th, 2011 9:09am

Hi, When the room mailbox specify a user, it can be opened by the user To check whether the user is in the resource delegate list: Get-CalendarProcessing -Identity room | fl If the user is not in the list, use cmdlet to add a user http://technet.microsoft.com/en-us/library/bb124973.aspx If it is still not working, try to grant a full access permission to the room to see if it is work or not. The user is in the ResourceDelegates list in the output of Get-CalenderProcessing. I have also tried full access permissions, but without success. Regarding full access, I have two questions: 1. Should it not work if I set the resource delegate without full access permission? Setting permissions and delegates makes administration more complex and I do not see any advantage of having a resource delegate list which effectively does not work w/o full access. 2. Is granting full access permissions dependent on AD replication, i. e. could it take some time to become effective? Do I need to restart anything on the server or on the client?
May 9th, 2011 12:49pm

Hi, >1. Should it not work if I set the resource delegate without full access permission? It should work without full access permission. It is just for test. >2. Is granting full access permissions dependent on AD replication, Yes After you set the resource delegate, check if the user has permission on the calendar folder Get-MailboxFolderPermission -Identity "room:\calendar" if not, add it Add-MailboxFolderPermission -Identity "room:\calendar" -User delegateUser -AccessRights Editor Try on different resource and users to check if it is a common problemPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
May 10th, 2011 11:14am

After you set the resource delegate, check if the user has permission on the calendar folder Get-MailboxFolderPermission -Identity "room:\calendar" I cannot make the request for "room:\calendar", only for "room". It says The operation couldn't be performed because 'room:\calendar' couldn't be found. However, having full access permissions, I can see the calendar in Outlook now.
May 10th, 2011 6:42pm

I cannot make the request for "room:\calendar", only for "room". It says The operation couldn't be performed because 'room:\calendar' couldn't be found. However, having full access permissions, I can see the calendar in Outlook now. OK, that is because the mailbox is German. room:\Kalender works ... I gave myself permissions, but still cannot approve the forwarded request. Edit: Found out that I cannot approve my own request, so I created a separate account. Now, I can approve out of policy requests for the one room I have edited. However, the problem seems to be common - I cannot approve any request for other room which I have not edited in the way you described. I assume this should be possible, right? I. e. the permissions should be set if I add a resource delegate. W/o this permission entry, it seems that the delegate cannot work. Is there any workaround (besides writing a powershell script that fixes all resource mailboxes or - even worse - using full access permissions) or configuration that I have to change? It would be quite nasty if I had to set the permissions for all resources manually. Additionally, if I had to: would this work for Mail Universal Security Groups, too? That would avoid setting the permissions for a bunch of people in the office who are allowed to approve room requests.
Free Windows Admin Tool Kit Click here and download it now
May 10th, 2011 6:46pm

One other idea: Could the problem result from the fact that we have a German room mailbox on an English server system? I mean, if adding a delegate performs Add-MailboxFolderPermission -Identity "room:\calendar", this will not succeed.
May 11th, 2011 12:58pm

Hi, On my personal idea, it could be the cause of this issue if you use an German Exchange Server on English version system. I am sorry that it seems that you have requested support for a localized product. Since we do not familiar with this language, it is very difficult for us to perform further troubleshooting steps, such as capture the log file. These newsgroups are geared to answer on the English version of the product. For support for localized versions we request that use the support resources appropriate to that language. Please visit http://www.microsoft.com/partner and click on the Worldwide Sites link to find the appropriate resources for your language. If the issue is urgent to your business, it is recommended that you contact Microsoft Product Support Services via telephone so that a dedicated Support Professional can assist you recover the server in a more efficient manner. Please be advised that contacting phone support will be a charged call. To obtain the phone numbers for specific technology request please take a look at the web site listed below. http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS If you are outside the US please see http://support.microsoft.com for regional support phone numbers. Thank you for your understanding. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
May 13th, 2011 10:42am

Hi, On my personal idea, it could be the cause of this issue if you use an German Exchange Server on English version system. I do not have a German server. The W2K8 R2 Ent as well as the Exchange 2010 SP1 Std are both English. However, the mailbox language is German, because the Outlook client is too. What I am interested in is what the expected behaviour of adding a delegate is: should there be a separate permission for that delegate? If so, I could script that if nothing else helps. However I would like to avoid setting dozens of special mailbox permissions if this should work in a different way, because I consider it a potential security hole having such manually created "ACLs" everywhere.
May 13th, 2011 3:58pm

Hi, have you solved it ? I got a similiar issue, just created new rooms with powershell, and added room delegates to a mailenabled security group, and it doesn´t work to approve requests. Any tips? Thanks, Magnus Magnus
Free Windows Admin Tool Kit Click here and download it now
June 20th, 2011 2:39pm

Hi Magnus, You can't add security group in delegate list. you have to add each memeber to delegate access permission list independtly. Set-CalendarProcessing –Identity <Room Mailbox Name> –ResourceDelegates userID1,UserID2,... Delegates also need Editor access to the free/busy and calendar folder of the mailbox itself so that they can manage meeting requests. Grant the delegate Full Access Permissions to the Room Mailbox Add-MailboxPermission -Identity <Room Mailbox Name> -User userID1,UserID2,... -AccessRights FullAccess Thanks, Vidyanand
June 20th, 2011 5:00pm

Hi, have you solved it ? I got a similiar issue, just created new rooms with powershell, and added room delegates to a mailenabled security group, and it doesn´t work to approve requests. Any tips? Unfortunately not. It works by settings the Editor permission and for the Full Access permission, but I do not consider this a real solution, because it requires touching any resource manually. Also, granting full access seems a bit of overkill for me.
Free Windows Admin Tool Kit Click here and download it now
June 28th, 2011 11:59am

You can't add security group in delegate list. you have to add each memeber to delegate access permission list independtly. I have read that several times, but the interesting thing is: If I follow your instruction and grant full access, it also works for groups - actually, I tried any type of user/group/permission combination I could think of and all comes back to the mailbox permission. Therefore, I tend to consider this some kind of permission problem that we do not yet understand completely.
June 28th, 2011 12:02pm

I can confirm that groups (even distribution groups) do not work: the confirmation requests are sent, but Exchange does not honour mailbox permissions for groups. For fixing the permission problem, I use the following Powershell command: (Get-Mailbox -RecipientTypeDetails roommailbox,equipmentmailbox | Get-CalendarProcessing | ?{ $_.ResourceDelegates }) | %{ $m = $_.Identity; $_.ResourceDelegates | %{ $u = Get-Recipient -Identity $_; Add-MailboxFolderPermission -Identity $m -AccessRights Editor -User $u.Name -WhatIf } }
Free Windows Admin Tool Kit Click here and download it now
August 9th, 2011 5:48pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics