Granular permission for shared mailbox (Network Steve Forum)

Granular permission for shared mailbox

Hi Lynn,

Thanks for your reply. AccessRights for Test user below:

PS C:\Users\Administrator> Get-MailboxPermission support@domain.com | fl TEST,AccessRights

AccessRights : {FullAccess, ReadPermission}
AccessRights : {FullAccess, ExternalAccount, ReadPermission}
AccessRights : {FullAccess}
AccessRights : {FullAccess}
AccessRights : {FullAccess}
AccessRights : {FullAccess}
AccessRights : {FullAccess}
AccessRights : {FullAccess}
AccessRights : {FullAccess}
AccessRights : {FullAccess}
AccessRights : {FullAccess}
AccessRights : {FullAccess}
AccessRights : {FullAccess}
AccessRights : {FullAccess}
AccessRights : {FullAccess}
AccessRights : {FullAccess}
AccessRights : {FullAccess}
AccessRights : {FullAccess}
AccessRights : {FullAccess}
AccessRights : {FullAccess}
AccessRights : {FullAccess}
AccessRights : {FullAccess}
AccessRights : {ReadPermission}
AccessRights : {ReadPermission}
AccessRights : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
AccessRights : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
AccessRights : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
AccessRights : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
AccessRights : {ReadPermission}
AccessRights : {FullAccess, ReadPermission}
AccessRights : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
AccessRights : {ReadPermission}

In the same time: PS C:\Users\Administrator> Get-MailboxFolderPermission -Identity "support@domain.com:\Unsorted recovered" -user TEST

FolderName           User                 AccessRights
----------           ----                 ------------
Unsorted recovered   TEST           {Reviewer}

What should I do to disable deletion?

Edited by IT Jericho Monday, June 15, 2015 9:43 PM

June 15th, 2015 9:31pm

Hi Lynn,

Thanks for your reply. AccessRights for Test user below:

What should I do to disable deletion?

Edited by IT Jericho Monday, June 15, 2015 9:43 PM

Free Windows Admin Tool Kit Click here and download it now

June 15th, 2015 9:31pm

Hi,

Please check the permission on this shared mailbox for the test user.

Get-MailboxPermission support@domain.com | fl User,AccessRights

Best Regards.

June 17th, 2015 4:09am

HI,

No need to replace the user parameter with TEST in my command. Anyway, try this command (Just copy and paste)

Get-MailboxPermission support@domain.com User TEST | FL User, AccessRights

The reason of running this command to check is if the TEST user has full access permission on the support mailbox, TEST user can do any actions on this shared mailbox even the TEST user has no needed permission under Get-MailboxFolderPermission cmdlet.

Best Regards.

Free Windows Admin Tool Kit Click here and download it now

June 17th, 2015 5:43am

Hi Lynn. Thanks for clarification. The result of command below:

>Get-MailboxPermission support@domain.com -User TEST | FL User, AccessRights

User : TEST@domain.com
AccessRights : {FullAccess}

Kind Regards,

Nick

June 17th, 2015 4:22pm

Hi Lynn,

Thanks for your reply. AccessRights for Test user below:

What should I do to disable deletion?

Edited by IT Jericho 9 hours 35 minutes ago

Free Windows Admin Tool Kit Click here and download it now

June 17th, 2015 5:49pm

Hi guys,

I'm trying to apply granular permissions to one of our shared mailbox, but my setup not working. The purpose is to disable email deletion for specific user, however TEST user still able to delete any email from shared mailbox (tested on OWA)

I've used that article: http://msftexchange.org/granular-outlook-permissions/

So, what has been done:

PS C:\Users\Administrator> Add-MailboxFolderPermission "support@domain.com:\" -User TEST -AccessRights FolderVisible

FolderName           User                 AccessRights
----------           ----                 ------------
Top of Informatio... TEST           {FolderVisible}

PS C:\Users\Administrator> Get-MailboxFolderPermission -Identity "support@domain.com:\Unsorted recovered"

FolderName           User                 AccessRights
----------           ----                 ------------
Unsorted recovered   Default              {Reviewer}
Unsorted recovered   Anonymous            {None}
Unsorted recovered   Me        {Owner}
Unsorted recovered   TEST           {Reviewer}

PS C:\Users\Administrator> Get-MailboxFolderPermission -Identity "support@domain.com:\"

FolderName           User                 AccessRights
----------           ----                 ------------
Top of Informatio... Default              {None}
Top of Informatio... Anonymous            {None}
Top of Informatio... TEST           {FolderVisible}

Hope you can advise me the solution.

June 17th, 2015 6:02pm

Hi,

According to the result, the TEST user has full access permission on the support mailbox.

Please use the following command to remove this permission then check if user 'TEST' can delete messages from shared mailbox.

Remove-MailboxPermission -Identity support@domain.com -User Test -AccessRights FullAccess -InheritanceType All

Best Regards.

Free Windows Admin Tool Kit Click here and download it now

June 17th, 2015 9:13pm

Hi,

After Remove-MailboxPermission command TEST user is unable to open shared mailbox - no permissions, Bad Request.

Regards,

June 18th, 2015 6:03pm

Hi,

After Remove-MailboxPermission command TEST user is unable to open shared mailbox - no permissions, Bad Request.

Regards,

You can't give an account full mailbox access, then granularly remove specific permissions.

Your only option is to give permissions such as reviewer to specific folders in that mailbox and have the delegate open those directly.

Free Windows Admin Tool Kit Click here and download it now

June 18th, 2015 7:58pm

Hi Andy,

Could you kindly advise how I can achieve it? I assume that to set Reviewer permission to specific folder I have to use:

>Add-MailboxFolderPermission -Identity support@domain.com:\Folder -user Test -AccessRights Reviewer

But how to delegate shared mailbox?

Kind Regards,

Nick

June 21st, 2015 9:15pm

Hi Andy,

Could you kindly advise how I can achieve it? I assume that to set Reviewer permission to specific folder I have to use:

>Add-MailboxFolderPermission -Identity support@domain.com:\Folder -user Test -AccessRights Reviewer

But how to delegate shared mailbox?

Kind Regards,

Nick

It won't be a shared mailbox if they only have access to one folder. In that case, they can open that specific folder in Outlook in the backstage area of Outlook and choose Open Another User's Folder...

Free Windows Admin Tool Kit Click here and download it now

June 22nd, 2015 7:52am

Hi IT Jericho,

Please remove the other mailbox mapping from the profile and add it back.(If its not automapped)

Permissions required is already set correctly as below.

TopLevel: FolderVisile

Below folder: Reviewer

Add Shared Mailbox

To add a shared mailbox in Outlook 2010, do the following:

Open Outlook 2010.
Click File.
Click Info on the left.
Click the Account Settings button and select Account Settings....
Select your Exchange account.
Click the Change button at the top of the window ....
Click More Settings....
Click the Advanced tab.
Click the Add button.
Enter the name of the shared mailbox and click OK.
Click Apply and then click OK.
Click Next.
Click Finish.
Click Close.
Click Mail on the left. The shared mailbox appears on the left side of the screen. Expand the mailbox to view its contents.

June 22nd, 2015 8:08am

This topic is archived. No further replies will be accepted.