Outlook Delegate permissions with Exchange 2010 RBAC.
Environment:
- Exchange 2010
- Windows 2008
- Outlook 2007 Service Pack 2

Issue: A mailbox-enabled user has the following permissions on a Room mailbox:
- Full Access Permission
- Send As Permission

When this user tries to give another user delegate permissions to the room mailbox, it fails with the below Outlook dialog box:

The Delegates settings were not saved correctly. Cannot activate send-on-behalf-of list. You do not have permission...

Fix as listed for Exchange 2010: http://blogs.msdn.com/b/pepeedu/archive/2010/02/04/outlook-delegate-with-exchange-2010-rbac-implementation.aspx

My issue is I don't want to allow system-wide send on behalf rights, or even per OU for generic mailboxes, but allow only one user send on behalf right to one mailbox... without creating a crazy amount of RBAC roles. Ideas??
January 9th, 2012 10:03pm

Those commands create one custom role, and then assign that role to a group. From there, you would need to put people in that group for them to receive those permissions. The group will be empty by default. So if you use that solution, just put the one person who needs those rights in the "Delegate GrantSendOnBehalf Mailboxes" group. If you don't want to create the group, you could just assign the role directly to one user. For example, skip the last command and replace with:

New-ManagementRoleAssignment -Role GrantSendOnBehalf -User nameofuser

Mike Pfeiffer | blog: mikepfeiffer.net | twitter: @mike_pfeiffer
January 9th, 2012 10:24pm

Thanks Mike, good blog BTW, I check it every couple of weeks. RBAC Triangle always does my head in... Can you limit permission/scope to the cmdlet for GrantSendOnBehalf to a single mailbox? Just from a security point of view, if we use the given example:

New Role Group
Write Scope: Default
Roles: Delegate GrantSendOnBehalf Mailboxes
Members: UserA

Will UserA have rights to GrantSendOnBehalf to all mailboxes in the Org?
January 10th, 2012 1:54am

Yeah, so you could get around that using a custom management scope. For example, instead of using the New-RoleGroup cmdlet at the end, you could do the following:

# Scope that matches only UserB's mailbox
New-ManagementScope -Name "GrantSendOnBehalfScope" -RecipientRestrictionFilter {DistinguishedName -eq "CN=UserB,CN=Users,DC=domain,DC=local"}
# Bind the scope to the assignment; without -CustomRecipientWriteScope the assignment uses the role's default write scope
New-ManagementRoleAssignment -Role GrantSendOnBehalf -User UserA -CustomRecipientWriteScope "GrantSendOnBehalfScope"

Then, UserA would only have those rights to UserB.

Mike Pfeiffer | blog: mikepfeiffer.net | twitter: @mike_pfeiffer
January 10th, 2012 9:40am
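
One way to check the scope question raised above once the assignment exists, as an added example that is not part of the original thread. UserA, UserB and GrantSendOnBehalfScope come from the thread; OtherRoom is a hypothetical second mailbox, and the match on EffectiveUserName assumes it equals the account's display name.

```powershell
# Added example: run in the Exchange Management Shell.
# Audits who holds the GrantSendOnBehalf role and which recipients they can write to.
$role    = 'GrantSendOnBehalf'
$scope   = 'GrantSendOnBehalfScope'
$admin   = 'UserA'       # assumption: EffectiveUserName shows this display name
$inside  = 'UserB'       # the one mailbox UserA should be able to change
$outside = 'OtherRoom'   # hypothetical mailbox that must stay out of reach

# 1. List every assignment of the role and flag any that is not bound
#    to a custom recipient scope (for example 'Organization').
$assignments = @(Get-ManagementRoleAssignment -Role $role)
$assignments |
    Format-Table Name, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

foreach ($a in $assignments) {
    if ("$($a.RecipientWriteScope)" -ne 'CustomRecipientScope') {
        Write-Warning "$($a.Name): write scope is $($a.RecipientWriteScope), not a custom scope"
    }
}

# 2. Show the filter the custom scope actually enforces.
Get-ManagementScope -Identity $scope | Format-List Name, RecipientFilter, RecipientRoot

# 3. Ask Exchange whether the role, as held by $admin, can write to a given recipient.
function Test-RoleReach {
    param([string]$Recipient)
    $hits = @(Get-ManagementRoleAssignment -Role $role -WritableRecipient $Recipient -GetEffectiveUsers |
        Where-Object { $_.EffectiveUserName -eq $admin })
    return ($hits.Count -gt 0)
}

$canReachInside  = Test-RoleReach -Recipient $inside
$canReachOutside = Test-RoleReach -Recipient $outside

"{0} can set GrantSendOnBehalfTo on {1}: {2}" -f $admin, $inside,  $canReachInside
"{0} can set GrantSendOnBehalfTo on {1}: {2}" -f $admin, $outside, $canReachOutside

if ($canReachOutside) {
    Write-Warning "$admin reaches $outside through $role; the assignment is broader than one mailbox"
}
```

A correctly scoped assignment reports True for UserB and False for the mailbox outside the scope.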

Adds a bit of extra work from our 2003 to 2010 migration but it is what it is.... Thanks Mike for the help
January 10th, 2012 6:57pm

Hi Mike, Not sure if you have seen this or not, but it appears that this was resolved in SP1 RU6 with the new role group MyMailboxDelegation: http://support.microsoft.com/kb/2559814

You register this new Role and give the users Full Mailbox Access plus Send As and Write Personal Information permissions; users are then able to set delegates onto mailboxes where they are supposed to have the Full Mailbox Permissions.

Thanks, Josh
February 12th, 2012 7:33pm


This topic is archived. No further replies will be accepted.
