Exchange 2010 Unable to Assign Full Access Permissions using a Security Group
I've been running into this issue lately. I cannot seem to use groups to allow full access to mailboxes. When I add them from the EMC, it will show up when you go to "Manage Full Access Permission...". After waiting a day and even restarting the Information Store service, the permissions do not take effect. When I view the msExchDelegateListLink attribute of the mailbox account, the group is not listed. When I grant a user full permission, it works and updates the attribute. However, on occasion when I revoke the full access permission for a user is doesn't always remove that user from the msExchDelegateListLink attribute. So the mailbox will still appear in Outlook, but the user isn't able to see new emails. Any ideas on what may be going wrong? Environment: Exchange Server 2010 SP1 Standard Windows Server 2008 R2 Standard Outlook 2010 SP1 (tried without SP1 as well) I was looking over Add-MailboxPermission on Technet (http://technet.microsoft.com/en-us/library/bb124097.aspx) and I noticed that it doesn't mention adding groups. Is this not possible?
July 6th, 2011 8:42am

This is just a guess, try mail-enabling the security group.Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
Free Windows Admin Tool Kit Click here and download it now
July 6th, 2011 11:49am

Just tried that. I tried switching it to a universal group first which didn't work. This hasn't worked yet either. The group shows up when I run Get-MailboxPermission -identity "mailboxname" as it did before.
July 6th, 2011 3:32pm

That didn't appear to work even after a restart of the Information Store service. I even tried removing the group and adding it back. Still no luck. It does show up when running Get-MailboxPermission -identity "mailboxname". It just doesn't show up in Outlook. I've also tred deleting and recreating the Outlook profile. Any other ideas?
Free Windows Admin Tool Kit Click here and download it now
July 7th, 2011 7:29am

Hi wchar_t, I test in my lab (Exchange 2010 SP1), get the same result as you. If you only want members (in this security group) to have full access permission on the mailbox, you can use this command to achieve the goal: Get-DistributionGroupMember “Test Group” | foreach-Object { Add-MailboxPermission “Usermailbox” –AccessRights FullAccess –user $_.Name} Note: “Test Group” is a mail-enabled security group Thanks, Evan Liu TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com
July 7th, 2011 7:41am

I appreciate the PS script to get this done. Is there any reaason groups shouldn't work? I had this issue prior to SP1 as well. I just didn't have a strong need like I do now. I really don't want to assign permissions by user as that isn't best practice. Thanks.
Free Windows Admin Tool Kit Click here and download it now
July 7th, 2011 7:44am

Since we have SA, I have opened a case with MS. But I'm still open to ideas from the forums. :)
July 7th, 2011 7:53am

Hi, I have experienced exactely same issue at a client place. Exchange 2010 SP1 within a DAG Windows Server 2008 R2 SP1 Outlook 2010 If i apply full access permission to an user, it works. If i apply full access permission to a security group, it never applies. Thanks to keep us updated about your case. Samir
Free Windows Admin Tool Kit Click here and download it now
July 7th, 2011 10:57am

I will definitely update this thread when I hear back from them. ~1 business day or so.
July 7th, 2011 10:59am

Hope MS will give you an answer :) Thanks!
Free Windows Admin Tool Kit Click here and download it now
July 7th, 2011 11:19am

Hi! Any update concerning the issue?
July 11th, 2011 6:12am

Heard back from MS, but nothing new to report. Made them aware of this thread and what has been tried already. I'll post back when I hear something from them
Free Windows Admin Tool Kit Click here and download it now
July 11th, 2011 7:37am

Any news?
July 14th, 2011 3:04am

Hi wchar_t, Do you get any information now? I got a same issue, I can apply full access permission to a user, but cannot to a security group. Could you share us your solution? Thanks, smart
Free Windows Admin Tool Kit Click here and download it now
July 18th, 2011 9:21pm

No news yet. The last suggestion was to add the mailbox to the "additional mailboxes" section in the mail profile. This failed as well with the error "Cannot expand the folder". Still waiting on a reply.
July 19th, 2011 8:56am

Add-AdPermission -Identity "User Mailbox login account Name" -User "Universal security group" -AccessRights readproperty, writeproperty _properties "Personal Information" Get-Mailbox -Identity "User Mailbox Name" | Add-MailboxPermission -User "Universal security group" -AccessRights fullaccess Can you try this
Free Windows Admin Tool Kit Click here and download it now
July 19th, 2011 10:08am

This thread points clearly a bug...
July 21st, 2011 7:51am

The MS rep I'm working with is finally able to reproduce the issue in his test environment. He has asked me to install Exchange 2010 RU4 for SP1. http://www.microsoft.com/download/en/details.aspx?id=26910 I haven't done this yet, so I'm not sure that it will fix anything. I didn't see this specific bug listed.
Free Windows Admin Tool Kit Click here and download it now
July 28th, 2011 7:17am

Hi Read this before you go for update SP1 RU4 http://blogs.technet.com/b/exchange/archive/2011/07/13/exchange-2010-sp1-ru4-removed-from-download-center.aspx Dont do the availble version now, update version will release by Aug and try to install that
July 28th, 2011 7:31am

Per MS support: I would like to explain that Exchange 2010 SP1 RU4 was re-released on 7/27. This updated release of Exchange 2010 SP1 Rollup 4 can be download safely.
Free Windows Admin Tool Kit Click here and download it now
July 29th, 2011 7:47am

Yes. New rerelease happened yesterday for RU4, I get the information today from my friend :) you can proceed as MS tech informed
July 29th, 2011 8:20am

Installed RU4 v2 without any issues. The problem still exists as I suspected it would. Little frustrating playing email tag with MSFT support.
Free Windows Admin Tool Kit Click here and download it now
August 5th, 2011 9:30am

Thanks for the updates wchar_t! I have been experiencing the same issue and it’s been driving me nuts. I’m surprised that there isn’t more of an uproar over this problem, unless it only happens in very specific EX2010 setups? Personally we migrated from Exchange 2003 to 2010 in this manner: · All Servers are VMware ESX 3.5 Virtual Machines · Upgraded all VMware ESX 3.5 hosts to VMware ESXi 4.1 update 1 · Created 2 new virtual W2K8R2 DC’s, decommissioned our 2 virtual W2K3 DC’s · Created 1 new virtual EX2010 STD Server with CAS, HT, and MB roles. · Migrated accounts from virtual EX2003 ENT to virtual EX2010 STD · Virtual EX2003 is still running strictly for SMTP delivery as our developer updates his code for the new virtual EX2010 STD server For anyone experiencing the problem are there any similarities in how you deployed EX2010?
August 12th, 2011 3:09pm

Thanks for the updates wchar_t! I have been experiencing the same issue and it’s been driving me nuts. I’m surprised that there isn’t more of an uproar over this problem, unless it only happens in very specific EX2010 setups? Our site is a fresh install. No migration at all. VMware 4.0/4.1. Not sure why more people aren't complaining unless they are just dealing with it. Last communication from MS wanted me to try: Add-ADPermission –Identity "Mailbox" -user "Security Group Name" –ExtendedRights Receive-As I haven't done it yet.
Free Windows Admin Tool Kit Click here and download it now
August 12th, 2011 3:19pm

So I brought this issue up at my local Exchange Users group and no one else (out of 8 people) has the same problem, they also all run Exchange on a physical server. So I wonder if it's related to a something as dumb as a virtual driver?
August 16th, 2011 7:55pm

I tried the last command MS sent me. It didn't work either. It also broke OWA for the test account I was using. Not really sure why it would matter (physical vs virtual). But who knows at this point. It's definitely annoying.
Free Windows Admin Tool Kit Click here and download it now
August 17th, 2011 8:27am

I've had this EXACT same issue since we migrated from Exchange 2003 to 2010. I can grant users full mailbox access to a mailbox but when I try to add a security group the member of the group is unable to open the mailbox as an additional mailbox in their Outlook profile. I did discover, that if I had a member of the security group create a new mail profile and connect to the vanity mailbox, they could open it. Out of curiosity I had the member go to their default Outlook profile and add the vanity mailbox as an additional mailbox, VOILA! they were able to open it. Not what I'd call a viable workaround, especially if you have a multitude of members in that security group. I'll be monitoring this board anxiously waiting for a solution.
August 25th, 2011 4:28pm

@Bugeater Fan, that actually worked for my account. Before I wiped my Local Outlook profile I had this issue, after troubleshooting a another issue and wiping/rebuilding my profile I can now use access mailboxes that I couldn’t before via a security group. A few things I noticed: 1. If I was already part of a security group that had access to an email box, that ability stayed after the upgrade to EX2010 2. If I created a new security group for a new mail box after our upgrade to EX2010 I had the issue. I plan to test the following with a user still having the issue 1. Before rebuilding outlook profile a. Add this user to a security group that has access to a mail box where both were created BEFORE our EX2010 upgrade (created in EX200). Does this issue still occur? b. Add this user to a security group that has access to a mail box where both were created AFTER our EX2010 upgrade (created in EX200). Does the issue still occur? 2. Wipe and rebuild local outlook profile and then test again. I’m wondering if there is something in the local profile that is missing if it isn’t rebuilt after an EX2003 to EX2010 upgrade… @wchar_t, any news on your end?
Free Windows Admin Tool Kit Click here and download it now
September 6th, 2011 2:37pm

@wchar_t, any news on your end? Nothing on my end. Just sent off another email asking for a status update. I normally don't hear back until ~3am the next day. I'll let you know what I hear.
September 6th, 2011 2:40pm

wchar_t, Can you comment the case id you have open with Microsoft? As I am seeing the identical issue I'll see what leverage I can use to escalate the issue. Helps if I can give them the existing case id for them to review.
Free Windows Admin Tool Kit Click here and download it now
September 9th, 2011 2:20pm

It was implied that the issue may be with virtual servers. It is not.. Currently all of my exchange servers are physical. I'm also having an issue with giving groups full access permissions on mailboxes.
September 12th, 2011 12:28pm

I'm also quite interested in this. However, my situation would take it even a step further: User is a member of a RoleGroup RoleGroup is a member of MailboxPermissionGroup The MailboxPermissionGroup is what I'd like to give: -ExtendedRight 'Send-As','Receive-As' -AccessRights FullAccess ...and also have the group given full access end up in the msExchDelegateListLink attribute of the mailbox... which should happen when given fullaccess. Nothing I do other than granting that permission to an account (not at all prefered) works. Ian
Free Windows Admin Tool Kit Click here and download it now
September 24th, 2011 12:41pm

hello same issue here, migrating from ex2003, domain 2008, ex2010 sp1 giving a AD security group Full Access to a mailbox will not give user the access..
September 26th, 2011 3:33am

Just wanted to post a quick status update. I'm working with Exchange support (a different tier) now to find the cause of the issue. So far he hasn't been able to reproduce it. I just sent off more data to him last week. I should hear back fairly soon. I'll post back with what I find.
Free Windows Admin Tool Kit Click here and download it now
September 26th, 2011 8:13am

Finally got around to testing some more on my end and here what I found · Granting full access permissions to universal groups (created through the EMC in 2010) on a mailbox works but only after 12- 24 hours · Even after a group has access any new members will need 12-24 hours to be recognized So I'm guessing that in my Active Directory that for some reason Universal Groups are painfully slow to update individual accounts as group members. Now I know Universal groups usually only replicate groups as members and not users, but since my AD is flat (1 one domain, 2 DC's) I’m not sure why I’m having such a hard time pulling user accounts as group members. I did try switching the domain controller my Exchange server pointed to but that didn’t help with the issue. Can anyone else confirm if the issue is due to slow Universal group replication in their environment?
October 5th, 2011 2:34pm

Vox Medica, You can expedite the process by restarting the Information Store service.
Free Windows Admin Tool Kit Click here and download it now
October 5th, 2011 2:48pm

Won't that disconnect everyone from their mailbox? We run in our Outlook clients in cached mode I assume our users would just see a message stating that connection to the mail server has been lost.
October 5th, 2011 3:01pm

Won't that disconnect everyone from their mailbox? We run in our Outlook clients in cached mode I assume our users would just see a message stating that connection to the mail server has been lost. Yes it will. So I'd advise not doing that during working hours. ;)
Free Windows Admin Tool Kit Click here and download it now
October 5th, 2011 3:10pm

Hi, I use security groups a lot when assigning permissions to Shared Mailboxes and I have never had any problemes with that. I must ask, After you added the users to the group, did they log off/on before they tried to add the Shared Mailbox as an additional one? (just restarting Outlook will not work) If not that would really explain why it takes time before the new permissions takes affect (TGT not updated = Ticket Granted Ticket).Martina Miskovic - http://www.nic2012.com/
October 5th, 2011 3:21pm

Hi, I use security groups a lot when assigning permissions to Shared Mailboxes and I have never had any problemes with that. I must ask, After you added the users to the group, did they log off/on before they tried to add the Shared Mailbox as an additional one? (just restarting Outlook will not work) If not that would really explain why it takes time before the new permissions takes affect (TGT not updated = Ticket Granted Ticket). Martina Miskovic - http://www.nic2012.com/ Yes I have. I've also tried accessing the other mailbox via OWA without any luck.
Free Windows Admin Tool Kit Click here and download it now
October 5th, 2011 3:23pm

Martina_Miskovic, to confirm with wchar_t, I’ve tried restarting Outlook, restarting the the PC, rebuilding the Outlook profile, and trying to access from Outlook 2011 (which uses EWS). All with no luck. In the meantime whenever the need arises I give the group and it's individual members full mailbox access and then remove the individual accounts 24 hours later. On a side note I always wondered why when the groups do finally kick in they never auto add the mailbox to the users Outlook file tree. I'll have to look into what imbruck2 posted if once this issues is resolved they still don’t auto add.
October 5th, 2011 3:34pm

Hi Vox Medica, Auto-Mapping only works when giving fullmailboxaccess to users and not when security groups is used, so that is expected.Martina Miskovic - http://www.nic2012.com/
Free Windows Admin Tool Kit Click here and download it now
October 5th, 2011 3:39pm

Hi Vox Medica, Auto-Mapping only works when giving fullmailboxaccess to users and not when security groups is used, so that is expected. Martina Miskovic - http://www.nic2012.com/ From what MS support has said so far, that's not correct. Autodiscovery should work when using groups as well.
October 5th, 2011 3:41pm

Did MS Support really say that Auto-Mapping would work when giving groups fullmailboxpermission? In my experience, that is not true.Martina Miskovic - http://www.nic2012.com/
Free Windows Admin Tool Kit Click here and download it now
October 5th, 2011 3:46pm

Hi Guys I'm also seeing the same problems. I created an Ad Security group called "test" and this is a security/Universal group. I added my normal user account to this grop I created a shared mailbox on my Exchange 2010 SP1 UR5 Org (all Exchange servers on 2010 SP1 UR5) using the New-Mailbox cmdlet with "-shared" and then gave the security group Full Access permission through the Exchange Console Gui (not via PS) 24 hours later, on a Windows 7 Enterprise x64 SP1 Machine with Office 2010 SP1 x86 installed, I'm not getting the additional mailbox self populating at all. the msExchDeletageList is also empty. If I add myself directly to a mailbox with Full Access Permissions, the mailbox suddenly appears in my outlook (no restart of outlook required) something not quite right with reading the groups. Maybe enable Universal caching on the GCs? Thanks Andy
October 6th, 2011 9:05am

Andy, thats what I was thinking of trying next even though that option is meant to address replication issues across slow links between Active Directory Sites. Which makes me belive there is either something odd flaw in how Universal Groups are handled in EX2010 or some misconfiguration issue with our all our Gobal Catalong servers.
Free Windows Admin Tool Kit Click here and download it now
October 6th, 2011 12:35pm

On Thu, 6 Oct 2011 16:35:03 +0000, Vox Medica wrote: >Andy, thats what I was thinking of trying next even though that option is meant to address replication issues across slow links between Active Directory Sites. Which makes me belive there is either something odd flaw in how Universal Groups are handled in EX2010 or some misconfiguration issue with our all our Gobal Catalong servers. Exchange (any release after 5.5) has nothing to do with groups other than to update properties. The AD is responsible for replication. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP
October 6th, 2011 5:50pm

Exchange (any release after 5.5) has nothing to do with groups other than to update properties. The AD is responsible for replication. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP The only reason I mention EX2010 is that previous versions of Exchange didnt require Universal groups and we didnt have the issue until we moved to from EX2003 to EX2010. Granted we moved our AD from 2003 to 2008 R2 first but we were still able to assign permissions to mailboxs via Global groups in EX2003 fairly quickly.
Free Windows Admin Tool Kit Click here and download it now
October 6th, 2011 5:58pm

On Thu, 6 Oct 2011 21:58:16 +0000, Vox Medica wrote: [ snip ] >The only reason I mention EX2010 is that previous versions of Exchange didnt require Universal groups and we didnt have the issue until we moved to from EX2003 to EX2010. Although it wasn't _required_ in releases earlier than 2007 (not 2010) the use of groups with global or local scopes casued problems. >Granted we moved our AD from 2003 to 2008 R2 first but we were still able to assign permissions to mailboxs via Global groups in EX2003 fairly quickly. For group membership to work as people expect, the membership of a group must appear in the GCs of all domains in the forest. The only group scope that works that way is "universal". Other scopes replicate the group membership only in the DCs in the same domain. That AD behavior results inconsistent behavior across domains. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP
October 6th, 2011 9:26pm

For group membership to work as people expect, the membership of a group must appear in the GCs of all domains in the forest. The only group scope that works that way is "universal". Other scopes replicate the group membership only in the DCs in the same domain. That AD behavior results inconsistent behavior across domains. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP Thats whats bugging me, I have one domain with 2 DC's. Shouldn't universal groups be replicated already, espcially when Exchange 2010 is ponting to the DC holding all my FSMO roles?
Free Windows Admin Tool Kit Click here and download it now
October 7th, 2011 7:38am

I'm still at 2003 native due to some internally developed software still using our Exchange 2003 server and one of our SQL 2000 servers. Once those applications are updated and working I plan to raise our AD to 2008 R2 native.
October 7th, 2011 1:04pm

I should have mentioned I'm on 2003 Native as well, planning on flipping the flags in 2-3 weeks to 2008R2 Native.
Free Windows Admin Tool Kit Click here and download it now
October 7th, 2011 1:06pm

On Fri, 7 Oct 2011 11:38:48 +0000, Vox Medica wrote: <>For group membership to work as people expect, the membership of a group must appear in the GCs of all domains in the forest. The only group scope that works that way is "universal". Other scopes replicate the group membership only in the DCs in the same domain. That AD behavior results inconsistent behavior across domains. --- Rich Matheisen MCSE+I, Exchange MVP >>--- Rich Matheisen MCSE+I, Exchange MVP >Thats whats bugging me, I have one domain with 2 DC's. And both of those DCs are in the same AD forest? >Shouldn't universal groups be replicated already, That's easy enough to verify. Use ADUC and onnect to each DC in turn. Do you see the same results when you look at the properties of the group? Next, use LDP.exe and connect to each of the GCs (port 3268). Do you see the same results? If you don't see the same thing in both DCs and GCs then you have a problem with AD replication, not with Exchange. >espcially when Exchange 2010 is ponting to the DC holding all my FSMO roles? FSMO roles mean nothing in this context. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP
October 7th, 2011 5:42pm

I am agree with you, previously I was able to assign a Security Group to have a full access to an exchange mailbox. It was before I was migrating all mailbox from SBS2008 (which is Exchange 2007) to Exchange 2010 SP1. Today I was creating similar proxy mailbox and want to assign a Security Group but it cannot be done through EMC.
Free Windows Admin Tool Kit Click here and download it now
October 13th, 2011 4:56am

@Rich Matheisen Universal Groups and group members show up on both DC’s immediately after creation, and both DC’s are in the same forest and domain. I tried using LDP but wasn’t sure what to look for but the initial query gave similar results when used against both DC’s @Everyone else To further isolate the issue to EX2010 I created 3 test groups: 01 – Universal group with my account as a member 02 – Global group with my account as a member 03 – Universal group containing a Global Group I belong to For all three groups I verified that they appeared on both of my DC’s after creation, I created group 01 on my first DC and the other two on my 2<sup>nd</sup> DC. All groups appeared instantaneously on both DC’s after creation. I then, one by one, assigned each group access permissions to a share on one of my file servers. Both Universal groups (01 and 03) required a log off/log on before I could access the share on the PC I tested on. Once they worked any other PC I was logged into still couldn’t access it unless I logged off. I read somewhere in my research that Universal groups membership is only once at login by the PC and this appears to be the case The Global group worked within a few minutes of being created I then tried assigning the two Universal groups full access to a mailbox I did not have prior access and then tried to open the mailbox through Outlook 2007. Each time I encountered the same error we have all been dealing with, just for kicks I gave each a 2<sup>nd</sup> try after logging in and out but the result was the same. So I think we can rule out issues with everyone’s Global catalog servers seeing that in my testing our file servers handled Universal group membership just fine. So I wonder if Exchange is exhibiting the same behavior as my desktops, that is not processing the group membership until a login event or 24 hours later. I’m going to keep my one PC logged in to see if the Universal group is recognized by it 12-24 hours later.
October 13th, 2011 4:56pm

same problem here. able to view the mailbox using the security group membership but not send-as we are on SP1 RU6. surely there is a solution to this by now
Free Windows Admin Tool Kit Click here and download it now
December 2nd, 2011 5:45am

Apparently RU5 was supposed to resolve this issue. This is a major booboo from Microsoft, and there is no mention of it in SP2 :(
December 2nd, 2011 6:55am

we have noticed that legacy permissions seem to work - mailboxes that had the permissions set before environment was upgraded from 2007 to 2010 are fully functional. new ones however only allow view, not send-as
Free Windows Admin Tool Kit Click here and download it now
December 2nd, 2011 9:37am

Hi all, and update in regards to our problems with nested groups. After applying RU6 on to all MB\CAS\Hub servers, our nested groups now seem to be working OK. We have done extensive testing over the last few days and all seems to be OK (Though still not removing the DelegateListLink ADSI Attribute!). Although the fix is not listed in the RU6 issues list, i suspect MS have sneaked it in as the RU5 update was supposed to fix this and never did! Hope this info helps you all out I have RU6 waiting to deploy. Hopefully it fixes it. From what the Exchange engineer I talked to said, they don't publish all fixes in RU or SP. So it could very well be in there and just not made public.
January 5th, 2012 8:32am

We recently applied EX2010 SP2 over the weekend and in our enviroment the issue still remains.
Free Windows Admin Tool Kit Click here and download it now
January 6th, 2012 2:35pm

I too continue to have this issue... has anyone heard anything further from MS? -DEMPC
January 30th, 2012 4:43pm

I have RU6 waiting to deploy. Hopefully it fixes it. From what the Exchange engineer I talked to said, they don't publish all fixes in RU or SP. So it could very well be in there and just not made public. Did this fix the issue for you in the end? We are having the same issue with nested groups and are currently on SP1. thanks
Free Windows Admin Tool Kit Click here and download it now
February 24th, 2012 11:39am

I have SP2 installed and it is still not working for me... FYI-DEMPC
February 24th, 2012 11:48am

Looking over the KB for SP2 RU1, it doesn't look like the issue was addressed http://support.microsoft.com/kb/2645995
Free Windows Admin Tool Kit Click here and download it now
February 24th, 2012 11:56am

I have RU6 waiting to deploy. Hopefully it fixes it. From what the Exchange engineer I talked to said, they don't publish all fixes in RU or SP. So it could very well be in there and just not made public. Did this fix the issue for you in the end? We are having the same issue with nested groups and are currently on SP1. thanks Actually, it has so far. I haven't had issues adding them to an Outlook profile or opening via OWA. I will say that permissions take a bit to take effect sometimes. Just a quick note. Outlook will not automatically add mailboxes unless you assign permissions with the user account. Outlook does not attempt to expand groups looking for users. That said, I wonder if nested groups are supported at all? I haven't tried them out yet.
February 24th, 2012 12:25pm

Just a quick note. Outlook will not automatically add mailboxes unless you assign permissions with the user account. Outlook does not attempt to expand groups looking for users. That said, I wonder if nested groups are supported at all? I haven't tried them out yet. That's precisely the functionality that i am looking for. I want to be able to grant a group full access permission the mailbox rather than assigning each user full access permissions-DEMPC
Free Windows Admin Tool Kit Click here and download it now
February 24th, 2012 12:40pm

@ DEMPC, you can pull that off with some powershell scripting. imbruck2 has posted a way to do so earlier in the thread, i tested it and it works as advertised but it is a little cumbersome to resort to such a method. @ wchat_t, so it is working for you? I still have to wait around 24 hours in my environment. Are you seeing a much quicker turn around time now?
February 24th, 2012 12:47pm

@ wchat_t, so it is working for you? I still have to wait around 24 hours in my environment. Are you seeing a much quicker turn around time now? Hate to say it, but it depends. Sometimes its quick. Other times I have to wait a day. Same with removing permissions. Not to muddy the waters any, but I found another bug. If you add a user and a group with full access to a mailbox and that use happens to be in the group as well, Outlook doesn't like it. It caused rule issues, "cannot expand folder" errors. Granted, it was my fault for having both there, but you'd think it wouldn't matter.
Free Windows Admin Tool Kit Click here and download it now
February 24th, 2012 12:55pm

@ DEMPC, you can pull that off with some powershell scripting. imbruck2 has posted a way to do so earlier in the thread, i tested it and it works as advertised but it is a little cumbersome to resort to such a method. @ wchat_t, so it is working for you? I still have to wait around 24 hours in my environment. Are you seeing a much quicker turn around time now? Agreed, cumbersome indeed. Do you think this functionality will ever exists in future updates? -DEMPC
February 29th, 2012 10:53am

Looking at the timing of the issue, perhaps it is related to OAB generation and updates on the Outlook client. Are the folks having the issue using Cached mode on Outlook, what happens if you disable cached mode?
Free Windows Admin Tool Kit Click here and download it now
March 22nd, 2012 8:30pm

We have noticed the issue with both cached and unchaced outlook 2007/2010 clients. I think the issue is due to the replication of universal groups memberships as opposed to Off line address book generations. Good thinking though!
March 23rd, 2012 1:13pm

I'm having the same issue, did you every get a resolution from Microsoft?george
Free Windows Admin Tool Kit Click here and download it now
April 27th, 2012 11:14am

this may be a bug. Even with the latetst rollup. Similar to, if you try to give the send-as permission to a DL via EMS on another Exch server than to the one you created to the DL on, it will fail, because the local exchange server in the owner and not the Exchnage Servers groups. Similar if you create a DL in ADUC, it will fail because the domain admins are the owners and not the Exchange server groups. Workaround for these is to give the exch servers group modify permission I will find out about this next week. Sukh This worked like a charm for me. Seems to be related to the security relationship between Exchange and the AD objects. To clarify: I was running in to this issue when trying to grant full access to resources via a security group.I access a/the resource in AD, brought up the security tab, granted Exchange Servers full control to the AD object.Viola! almost instantaneously members of the security group can now access those resources.
July 3rd, 2012 1:54pm

Please see Sukh282's post from Sept 24, 2011 10:02 pm. It worked for me, even though it's more of a workaround than a fix. Shame on you MS for yet another stupid bug that we have to figure out for you.
Free Windows Admin Tool Kit Click here and download it now
July 3rd, 2012 1:56pm

this may be a bug. Even with the latetst rollup. Similar to, if you try to give the send-as permission to a DL via EMS on another Exch server than to the one you created to the DL on, it will fail, because the local exchange server in the owner and not the Exchnage Servers groups. Similar if you create a DL in ADUC, it will fail because the domain admins are the owners and not the Exchange server groups. Workaround for these is to give the exch servers group modify permission I will find out about this next week. Sukh This worked like a charm for me. Seems to be related to the security relationship between Exchange and the AD objects. To clarify: I was running in to this issue when trying to grant full access to resources via a security group.I access a/the resource in AD, brought up the security tab, granted Exchange Servers full control to the AD object.Viola! almost instantaneously members of the security group can now access those resources. This worked wonderfully, Thank you!!!
July 5th, 2012 9:51am

Hi , With exchange servers do you mean the Exchange domain servers or the Exchange Enterprise servers ? Thank you all for this workaround..
Free Windows Admin Tool Kit Click here and download it now
July 10th, 2012 6:23am

Hi , With exchange servers do you mean the Exchange domain servers or the Exchange Enterprise servers ? Thank you all for this workaround.. Exchange servers will do.Sukh
July 10th, 2012 7:46am

Hi all, i still have the issue with granting access to a shared mailbox via a security group, the attribute msExchDelegateListLink of the Shared mailbox does not get filled so users who are member of that group still does not get the sharedmailbox automatically in their outlook 2010, but users are able to manually add the mailbox. offcourse adding the user separately will add the mailbox automatically but I wont believe Microsoft intended it to have it work this way. I have tried the sollution mention above with setting the permissions for the exchange group to the AD object, but that didn't do the trick for me. if there something i missed or someone has a workaround .. please let me know.. in advance thanks all for your help.
Free Windows Admin Tool Kit Click here and download it now
July 11th, 2012 5:23am

Hi, I can understand that you think it's an issue, but as I wrote earlier in this thread that is expected. Auto-Mapping will only work when given fullmailboxaccess to mailboxes and that is By Design (a linked attribute is used)Martina Miskovic
July 11th, 2012 5:29am

Hi martina, Thank you for your reply, it looks like i have to live with this.. Hope that this "Design" will be reviewed/changed with the next RU/Exchange version :).
Free Windows Admin Tool Kit Click here and download it now
July 11th, 2012 5:47am

Hi martina, Thank you for your reply, it looks like i have to live with this.. Hope that this "Design" will be reviewed/changed with the next RU/Exchange version :). Hi GreenGolfer, I hope so too, cause I really like Automapping.Martina Miskovic
July 11th, 2012 5:52am

We had exact same problem with groups not working with shared mailboxes. Sukh828's number 4 item resolved it, as with others. It's an issue with migrating from older Exchange where new permissions for Exchange Servers group are added into AD, but it may not get the right permissions it needs. If you give the group Full Control in AD, it can then read and set the group permissions. Can you explain this to me?? Sukh828's number 4 doesn't mean a lot to me.. I'm in the same situation. I have migrated from Exchange 2003 to Exchange 2010 and when I add Full Access to a Group, no access is granted. I'm having to grant Full Access to each user one by one and it's a major pain.
Free Windows Admin Tool Kit Click here and download it now
September 14th, 2012 1:18am

I have the same issue as described here too... what are the steps I need to do with Exchange Server group?DURP
September 18th, 2012 10:05am

I know this thread is a bit old but I really liked this solution and wanted to post a reply. I found I needed to tweak the Set-MailboxSharedAutoOpen function some since I'm not using the Quest commandlets. Here's what's working for me; function Set-SharedMailboxAutoOpen { $SharedMailboxes=Get-Mailbox -RecipientTypeDetails SharedMailbox foreach ($SharedMailbox in $SharedMailboxes) { $PermissionGroupMemberDNs=(Get-ADGroupMember -Identity $($SharedMailbox.CustomAttribute5) | %{$_.distinguishedname}) Set-ADObject $SharedMailbox.distinguishedname -Replace @{msExchDelegateListLink=$PermissionGroupMemberDNs} } } Set-SharedMailboxAutoOpen
Free Windows Admin Tool Kit Click here and download it now
September 21st, 2012 2:35pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics