Exchange 2010 Unable to Assign Full Access Permissions using a Security Group
I've been running into this issue lately. I cannot seem to use groups to allow full access to mailboxes. When I add them from the EMC, it will show up when you go to "Manage Full Access Permission...". After waiting a day and even restarting the Information Store service, the permissions do not take effect. When I view the msExchDelegateListLink attribute of the mailbox account, the group is not listed. When I grant a user full permission, it works and updates the attribute. However, on occasion when I revoke the full access permission for a user it doesn't always remove that user from the msExchDelegateListLink attribute. So the mailbox will still appear in Outlook, but the user isn't able to see new emails. Any ideas on what may be going wrong?
Environment:
Exchange Server 2010 SP1 Standard
Windows Server 2008 R2 Standard
Outlook 2010 SP1 (tried without SP1 as well)
I was looking over Add-MailboxPermission on Technet (http://technet.microsoft.com/en-us/library/bb124097.aspx) and I noticed that it doesn't mention adding groups. Is this not possible?
July 6th, 2011 3:42pm

This is just a guess, try mail-enabling the security group.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
July 6th, 2011 6:49pm

Just tried that. I tried switching it to a universal group first which didn't work. This hasn't worked yet either. The group shows up when I run Get-MailboxPermission -identity "mailboxname" as it did before.
July 6th, 2011 10:32pm

That didn't appear to work even after a restart of the Information Store service. I even tried removing the group and adding it back. Still no luck. It does show up when running Get-MailboxPermission -identity "mailboxname". It just doesn't show up in Outlook. I've also tried deleting and recreating the Outlook profile. Any other ideas?
July 7th, 2011 2:29pm

Hi wchar_t, I test in my lab (Exchange 2010 SP1), get the same result as you. If you only want members (in this security group) to have full access permission on the mailbox, you can use this command to achieve the goal:
Get-DistributionGroupMember "Test Group" | ForEach-Object { Add-MailboxPermission "Usermailbox" -AccessRights FullAccess -User $_.Name }
Note: "Test Group" is a mail-enabled security group
Thanks, Evan Liu
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
July 7th, 2011 2:41pm
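
The one-liner in the reply above only ever adds per-user grants, so a user who later leaves the group keeps FullAccess on the mailbox. The following is an added example (not part of the thread and not Microsoft's code) that treats the group as authoritative and reconciles the explicit grants in both directions. The function name, its parameters and the `-Keep` list are hypothetical, and it assumes group members expose SamAccountName and DistinguishedName in the Exchange Management Shell.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# Sync-GroupFullAccess and its parameter names are hypothetical.
function Sync-GroupFullAccess {
    param(
        [Parameter(Mandatory=$true)][string]$Mailbox,
        [Parameter(Mandatory=$true)][string]$Group,
        [string[]]$Keep = @(),  # SamAccountNames whose grants are never removed
        [switch]$Apply          # without -Apply, only report the planned changes
    )
    # Direct user members of the group; nested groups are not expanded.
    $want = @{}
    Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited |
        Where-Object { $_.SamAccountName -and $_.RecipientType -notlike '*Group' } |
        ForEach-Object { $want[$_.SamAccountName] = $_.DistinguishedName }

    # Explicit (not inherited, not deny) FullAccess entries already on the mailbox.
    $have = @{}
    Get-MailboxPermission -Identity $Mailbox |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                       ($_.AccessRights -like '*FullAccess*') -and
                       "$($_.User)" -ne 'NT AUTHORITY\SELF' } |
        ForEach-Object { $have[("$($_.User)" -split '\\')[-1]] = "$($_.User)" }

    $plan = @()
    foreach ($sam in $want.Keys) {          # members still missing a grant
        if (-not $have.ContainsKey($sam)) {
            $plan += New-Object PSObject -Property @{ Action='Add'; User=$want[$sam] }
        }
    }
    foreach ($sam in $have.Keys) {          # grants left over from ex-members
        if (-not $want.ContainsKey($sam) -and $Keep -notcontains $sam) {
            $plan += New-Object PSObject -Property @{ Action='Remove'; User=$have[$sam] }
        }
    }
    if ($Apply) {
        foreach ($p in $plan) {
            if ($p.Action -eq 'Add') {
                Add-MailboxPermission -Identity $Mailbox -User $p.User -AccessRights FullAccess | Out-Null
            } else {
                Remove-MailboxPermission -Identity $Mailbox -User $p.User -AccessRights FullAccess -Confirm:$false
            }
        }
    }
    $plan   # one object per change: Action (Add/Remove) and User
}

# Report only, using the placeholder names from the reply above:
Sync-GroupFullAccess -Mailbox 'Usermailbox' -Group 'Test Group'
```

Review the report before re-running with `-Apply`; any account that should keep an explicit grant outside the group, including the group's own entry if it was added to the mailbox, belongs in `-Keep`.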

I appreciate the PS script to get this done. Is there any reason groups shouldn't work? I had this issue prior to SP1 as well. I just didn't have a strong need like I do now. I really don't want to assign permissions by user as that isn't best practice. Thanks.
July 7th, 2011 2:44pm

Since we have SA, I have opened a case with MS. But I'm still open to ideas from the forums. :)
July 7th, 2011 2:53pm

Hi, I have experienced exactly the same issue at a client place.
Exchange 2010 SP1 within a DAG
Windows Server 2008 R2 SP1
Outlook 2010
If I apply full access permission to a user, it works. If I apply full access permission to a security group, it never applies. Thanks to keep us updated about your case.
Samir
July 7th, 2011 5:57pm

I will definitely update this thread when I hear back from them. ~1 business day or so.
July 7th, 2011 5:59pm

Hope MS will give you an answer :) Thanks!
July 7th, 2011 6:19pm

Hi! Any update concerning the issue?
July 11th, 2011 1:12pm

Heard back from MS, but nothing new to report. Made them aware of this thread and what has been tried already. I'll post back when I hear something from them
July 11th, 2011 2:37pm

Any news?
July 14th, 2011 10:04am

Hi wchar_t, Do you get any information now? I got a same issue, I can apply full access permission to a user, but cannot to a security group. Could you share us your solution? Thanks, smart
July 18th, 2011 9:28pm

No news yet. The last suggestion was to add the mailbox to the "additional mailboxes" section in the mail profile. This failed as well with the error "Cannot expand the folder". Still waiting on a reply.
July 19th, 2011 9:03am

Add-ADPermission -Identity "User Mailbox login account Name" -User "Universal security group" -AccessRights ReadProperty, WriteProperty -Properties "Personal Information"
Get-Mailbox -Identity "User Mailbox Name" | Add-MailboxPermission -User "Universal security group" -AccessRights FullAccess
Can you try this?
July 19th, 2011 10:15am

This thread clearly points to a bug...
July 21st, 2011 7:58am

The MS rep I'm working with is finally able to reproduce the issue in his test environment. He has asked me to install Exchange 2010 RU4 for SP1. http://www.microsoft.com/download/en/details.aspx?id=26910 I haven't done this yet, so I'm not sure that it will fix anything. I didn't see this specific bug listed.
July 28th, 2011 7:24am

Hi, read this before you go for update SP1 RU4: http://blogs.technet.com/b/exchange/archive/2011/07/13/exchange-2010-sp1-ru4-removed-from-download-center.aspx
Don't do the available version now, update version will release by Aug and try to install that.
July 28th, 2011 7:37am

Per MS support: I would like to explain that Exchange 2010 SP1 RU4 was re-released on 7/27. This updated release of Exchange 2010 SP1 Rollup 4 can be downloaded safely.
July 29th, 2011 7:53am

Yes. New rerelease happened yesterday for RU4, I get the information today from my friend :) you can proceed as MS tech informed
July 29th, 2011 8:26am

Installed RU4 v2 without any issues. The problem still exists as I suspected it would. Little frustrating playing email tag with MSFT support.
August 5th, 2011 9:36am

Thanks for the updates wchar_t! I have been experiencing the same issue and it’s been driving me nuts. I’m surprised that there isn’t more of an uproar over this problem, unless it only happens in very specific EX2010 setups? Personally we migrated from Exchange 2003 to 2010 in this manner:
· All Servers are VMware ESX 3.5 Virtual Machines
· Upgraded all VMware ESX 3.5 hosts to VMware ESXi 4.1 update 1
· Created 2 new virtual W2K8R2 DC’s, decommissioned our 2 virtual W2K3 DC’s
· Created 1 new virtual EX2010 STD Server with CAS, HT, and MB roles.
· Migrated accounts from virtual EX2003 ENT to virtual EX2010 STD
· Virtual EX2003 is still running strictly for SMTP delivery as our developer updates his code for the new virtual EX2010 STD server
For anyone experiencing the problem are there any similarities in how you deployed EX2010?
August 12th, 2011 3:16pm

"Thanks for the updates wchar_t! I have been experiencing the same issue and it’s been driving me nuts. I’m surprised that there isn’t more of an uproar over this problem, unless it only happens in very specific EX2010 setups?"
Our site is a fresh install. No migration at all. VMware 4.0/4.1. Not sure why more people aren't complaining unless they are just dealing with it. Last communication from MS wanted me to try:
Add-ADPermission -Identity "Mailbox" -User "Security Group Name" -ExtendedRights Receive-As
I haven't done it yet.
August 12th, 2011 3:26pm

So I brought this issue up at my local Exchange Users group and no one else (out of 8 people) has the same problem, they also all run Exchange on a physical server. So I wonder if it's related to something as dumb as a virtual driver?
August 16th, 2011 8:01pm

I tried the last command MS sent me. It didn't work either. It also broke OWA for the test account I was using. Not really sure why it would matter (physical vs virtual). But who knows at this point. It's definitely annoying.
August 17th, 2011 8:34am

I've had this EXACT same issue since we migrated from Exchange 2003 to 2010. I can grant users full mailbox access to a mailbox but when I try to add a security group the member of the group is unable to open the mailbox as an additional mailbox in their Outlook profile. I did discover, that if I had a member of the security group create a new mail profile and connect to the vanity mailbox, they could open it. Out of curiosity I had the member go to their default Outlook profile and add the vanity mailbox as an additional mailbox, VOILA! they were able to open it. Not what I'd call a viable workaround, especially if you have a multitude of members in that security group. I'll be monitoring this board anxiously waiting for a solution.
August 25th, 2011 4:34pm

@Bugeater Fan, that actually worked for my account. Before I wiped my local Outlook profile I had this issue, after troubleshooting another issue and wiping/rebuilding my profile I can now access mailboxes that I couldn’t before via a security group.
A few things I noticed:
1. If I was already part of a security group that had access to an email box, that ability stayed after the upgrade to EX2010
2. If I created a new security group for a new mail box after our upgrade to EX2010 I had the issue.
I plan to test the following with a user still having the issue:
1. Before rebuilding outlook profile
a. Add this user to a security group that has access to a mail box where both were created BEFORE our EX2010 upgrade (created in EX200). Does this issue still occur?
b. Add this user to a security group that has access to a mail box where both were created AFTER our EX2010 upgrade (created in EX200). Does the issue still occur?
2. Wipe and rebuild local outlook profile and then test again.
I’m wondering if there is something in the local profile that is missing if it isn’t rebuilt after an EX2003 to EX2010 upgrade…
@wchar_t, any news on your end?
September 6th, 2011 2:44pm

"@wchar_t, any news on your end?"
Nothing on my end. Just sent off another email asking for a status update. I normally don't hear back until ~3am the next day. I'll let you know what I hear.
September 6th, 2011 2:47pm

wchar_t, Can you comment the case id you have open with Microsoft? As I am seeing the identical issue I'll see what leverage I can use to escalate the issue. Helps if I can give them the existing case id for them to review.
September 9th, 2011 2:28pm

It was implied that the issue may be with virtual servers. It is not.. Currently all of my exchange servers are physical. I'm also having an issue with giving groups full access permissions on mailboxes.
September 12th, 2011 12:35pm

As an update here is what is happening in my environment through testing:
If a new group is created in ECM (which makes Universal groups) and that group is used to give full access permissions to a mailbox (created pre or post upgrade) the users in the group will eventually get access to the mail box but it might take a few days (Created the group on Thursday and it didn’t work immediately or on Friday, when I tried on Monday it did work).
Mailboxes that worked before the upgrade from 2003 to 2010 still work with the original groups. These groups are Global and not Universal groups so they do not show up in the ECM under Recipient Configuration -> Distribution Group but do show up when you use the ECM to add full mailbox permissions. New members added to these groups do not have immediate access, but after 30 minutes they do.
So, I'm wondering if this is an issue with how universal groups are handled in EX2010? Maybe we all have a setting in our Global Catalog servers that only Exchange 2010 is sensitive to? I currently have a single domain with two DC's, they both are Global Catalog servers but one DC holds all of the FSMO roles. And when I run Get-ADServerSettings | FL I see that my EX2010 server is pointing to my secondary DC. I'm going to try changing that to my primary and see if that helps it process Universal group memberships quicker.
September 12th, 2011 1:34pm

I'm also quite interested in this. However, my situation would take it even a step further:
User is a member of a RoleGroup
RoleGroup is a member of MailboxPermissionGroup
The MailboxPermissionGroup is what I'd like to give:
-ExtendedRight 'Send-As','Receive-As'
-AccessRights FullAccess
...and also have the group given full access end up in the msExchDelegateListLink attribute of the mailbox... which should happen when given fullaccess. Nothing I do other than granting that permission to an account (not at all preferred) works.
Ian
September 24th, 2011 12:49pm

This may be a bug. Even with the latest rollup. Similar to, if you try to give the send-as permission to a DL via EMS on another Exch server than the one you created the DL on, it will fail, because the local exchange server is the owner and not the Exchange Servers groups. Similar if you create a DL in ADUC, it will fail because the domain admins are the owners and not the Exchange server groups. Workaround for these is to give the exch servers group modify permission. I will find out about this next week.
Sukh
September 24th, 2011 6:10pm

hello same issue here, migrating from ex2003, domain 2008, ex2010 sp1 giving a AD security group Full Access to a mailbox will not give user the access..
September 26th, 2011 3:40am

Just wanted to post a quick status update. I'm working with Exchange support (a different tier) now to find the cause of the issue. So far he hasn't been able to reproduce it. I just sent off more data to him last week. I should hear back fairly soon. I'll post back with what I find.
September 26th, 2011 8:21am

I am also having this problem; I'm using a Native 2008 R2 SP1 Domain, Exchange 2010 SP1 RU3, and Office 2010 (both SP1 and non SP). The domain originally had Exchange 2003, which was upgraded to Exchange 2007, and then Exchange 2010 8 months ago.
September 27th, 2011 7:04am

This topic is archived. No further replies will be accepted.
