Partial access to Exchange folders
Hi All,
I need some script which will create a local account with minimum rights and grant it access to use the Exchange calendar and task folders and deny access to the Inbox, Outbox and Sent folders. The idea behind this is a service which will work under this account and, on a timer event, enumerate all Exchange users and do some work in their calendar and task folders. But for security reasons the service should be unable to work with users' Inbox folders. How can I achieve this?
June 26th, 2009 3:25pm

It depends on your version of Exchange, but a simple way to start testing is this. In Outlook 2007 you can go to File, New, then choose User Folder or mailbox; I don't have access to Outlook right now and Entourage is different. Anyways, under there you can see you have the option to connect into someone's Inbox, Outbox, Drafts, and Calendar. As you can see, you can get very granular on the permission. Users have the ability to share out their own Calendars ONLY by giving permission, and you just find users in the GAL. Now since you didn't give too much detail, you might be able to start by testing out one or two calendars manually and giving permission to that service account. In Exchange 2003 it will be a lot of work; in Exchange 2007 I'm sure there is a cmdlet that would allow you to get that granular on permission, I'd have to look that up when I'm at work. If you can provide a bit more information about your network I might be able to come up with something that will help you out.
June 26th, 2009 11:26pm

Hi Danil,
Local user accounts on any computer other than the Exchange server won't be useful for this. Exchange and AD both need an AD account so that it can be granted access to the folders or mailboxes.
You can try doing this if you like: create a local user and add this user as a member of a security group in Active Directory, and then add that security group to the mailbox permissions. Now as far as permissions to the folders are concerned, I don't believe it's really that easy to grant them on so granular a level unless you mail-enable that security group and then allow access to each folder using Outlook. Try giving it a shot with PFDAVAdmin if that can help.
Step by step:
1. Create a local user account that you want.
2. Create a mail-enabled security group in AD.
3. Add the local user account as a member of the mail-enabled security group in AD.
4. Use Outlook or the PFDAVAdmin tool to add the mail-enabled security group on every folder with the desired permissions.
Milind Naphade | MCTS:M | http://www.msexchangegeek.com
June 26th, 2009 11:31pm
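
An added example, not part of the original thread or any poster's code: one way to script the per-folder grant from the steps above, assuming the Exchange Management Shell of Exchange 2010 or later (where `Add-MailboxFolderPermission` is available) and a hypothetical mail-enabled service account `EXAMPLE\svc-calendar`. It grants Editor on Calendar and Tasks only, then audits that the account has no entry on Inbox, Outbox or Sent Items and no mailbox-level FullAccess.

```powershell
# Added example. Assumes the Exchange Management Shell of Exchange 2010 or later.
# $ServiceAccount is a hypothetical name; it must resolve to a mailbox, mail user
# or mail-enabled security group for the folder-permission cmdlets to accept it.
$ServiceAccount = 'EXAMPLE\svc-calendar'
$AllowedScopes  = 'Calendar', 'Tasks'              # folders the service may work in
$DeniedScopes   = 'Inbox', 'Outbox', 'SentItems'   # folders that must stay closed

function Get-FolderIdentity {
    param($Mailbox, [string]$Scope)
    # Look up the folder's real name: default folders are localized per mailbox,
    # so a hard-coded "\Calendar" fails for non-English users.
    $stat = Get-MailboxFolderStatistics -Identity $Mailbox.Identity -FolderScope $Scope |
        Where-Object { $_.FolderType -eq $Scope } | Select-Object -First 1
    if ($stat) {
        '{0}:{1}' -f $Mailbox.PrimarySmtpAddress, $stat.FolderPath.Replace('/', '\')
    }
}

function Get-ServiceAce {
    param([string]$FolderId)
    # Returns the account's entry on the folder, or nothing if it has none.
    Get-MailboxFolderPermission -Identity $FolderId -User $ServiceAccount -ErrorAction SilentlyContinue
}

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
foreach ($mbx in $mailboxes) {
    foreach ($scope in $AllowedScopes) {
        $id = Get-FolderIdentity $mbx $scope
        if ($id -and -not (Get-ServiceAce $id)) {
            Add-MailboxFolderPermission -Identity $id -User $ServiceAccount -AccessRights Editor | Out-Null
        }
    }
    # Audit: the account must hold no entry on the mail folders ...
    foreach ($scope in $DeniedScopes) {
        $id = Get-FolderIdentity $mbx $scope
        if ($id) {
            $ace = Get-ServiceAce $id
            if ($ace) { Write-Warning "$ServiceAccount has $($ace.AccessRights) on $id" }
        }
    }
    # ... and no mailbox-level FullAccess, which would make the folder ACLs irrelevant.
    $full = Get-MailboxPermission -Identity $mbx.Identity -User $ServiceAccount |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.Deny }
    if ($full) { Write-Warning "$ServiceAccount has FullAccess on $($mbx.PrimarySmtpAddress)" }
}
```

The loop is safe to re-run: existing entries are skipped, and any warning it prints marks a mailbox where the account can reach more than Calendar and Tasks.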

Hi Milind,
I created a local user account, created a mail-enabled security group in AD, and added the local user account as a member of this group. But troubles started when I was working with the PFDAVAdmin tool. When I open the PFDAVAdmin tool, I connect to my Exchange Server 2007 successfully. On the left side I see a tree with all mailboxes. But when I'm trying to expand any of the mailboxes I get an error:
"Could not expand https://WIN-BEWVA9LAN22/exadmin/admin/EXCHANGE.INTERNAL/mbx/test@exchange.internal/non_ipm_subtree/: Name cannot begin with the '0' character, hexadecimal value 0x30. Line 1, position 428."
All I need is the right for this account to have full access on the calendar folder on all user mailboxes and to deny any other rights.
July 1st, 2009 1:09pm

Hi Danil,
Do you have full mailbox permissions on all those mailboxes to add extended permissions on folders? I meant you must have full mailbox access permissions on mailboxes to use PFDAVAdmin.
Milind Naphade | MCTS:M | http://www.msexchangegeek.com
July 1st, 2009 10:05pm

Hi Milind,
Yes, I'm running from the Administrator account. At least I should have access to my own Administrator mailbox.
July 2nd, 2009 10:37am

Hello Danil,
Could you check both the articles http://www.msexchange.org/articles/PFDavAdmin-tool-Part1.html and http://www.msexchange.org/articles/PFDavAdmin-tool-Part2.html? You will find most of the common steps to work with PFDAVAdmin there. Let us know if this still does not help.
Milind Naphade | MCTS:M | http://www.msexchangegeek.com
July 3rd, 2009 2:20am

Did it work for you further?
Milind Naphade | MCTS:M | http://www.msexchangegeek.com
July 4th, 2009 2:55am

Hello Milind,
I fixed the trouble with 'Name cannot begin with the '0' character, hexadecimal value 0x30. Line 1, position 428'. But another trouble has arisen with PFDAVAdmin. When I connect to the Exchange server from PFDAVAdmin under the administrator account (which is a member of the Exchange Organization Administrators group) and choose all mailboxes, I get a list of all mailboxes on the server. But when I try to expand any of them I get the following error:
"Could not expand https://WIN-BEWVA9LAN22/exadmin/admin/EXCHANGE.INTERNAL/mbx/test@exchange.internal/non_ipm_subtree/: The remote server returned an error: (403) Forbidden."
So even if I disable SSL on the Exadmin virtual directory of IIS, I get the following error:
"Could not expand https://WIN-BEWVA9LAN22/exadmin/admin/EXCHANGE.INTERNAL/mbx/test@exchange.internal/non_ipm_subtree/: The remote server returned an error: (401) Unauthorized."
Any ideas?
July 21st, 2009 12:49pm

Hi Danil,
Try running PFDAVAdmin on the Exchange server itself. Also, make sure that you are a member of the local administrator group on the server. Use the FQDN of the server if it's failing on the NETBIOS name.
Milind Naphade | MCTS:M | http://www.msexchangegeek.com
July 21st, 2009 8:21pm

Hi Milind,
I can't run PFDAVAdmin on the Exchange server; there is another issue with this. PFDAVAdmin requires the .NET 1.1 Framework to be installed, but if I do this on the Exchange Server there is a big probability that I will break the working environment.
July 23rd, 2009 10:37am

This topic is archived. No further replies will be accepted.
