Permissions not working

I am having issues when adding mailbox delegation permissions.

I know before CU7 there was an issue which meant using ECP did not always work so using the command shell was required. Since we installed CU7 neither ECP nor the shell seems to do anything.

This morning I have added myself as a delegate to a mailbox using ECP, when I tried to open it via OWA it told me I did not have permission. I left it a few minutes then tried again, same issue. Using Outlook and adding the mailbox through account settings > account settings etc. I get Cannot expand the folder when I try to access it.

I then used "Add-MailboxPermission -Identity JDoe -User 'testuser22' -AccessRights FullAccess -InheritanceType All -AutoMapping $false"

and got an error telling me no changes were made, tried to open the mailbox again, same result.

I then used "Remove-MailboxPermission -Identity JDoe -User 'testuser22' -AccessRights FullAccess -InheritanceType All" which gave no error, checking ECP I saw I was no longer a delegate.

I ran the Add-mailboxPermissions script again, it ran and gave me the correct result, but I still get the same error when trying to open the mailbox.

What could cause this?





March 16th, 2015 11:22am

Maybe you're getting a Deny from someplace. Try running this:

Get-MailboxPermission -Identity <Mailbox You list permissions for> -User <User who should've been granted permission>

If you see your account or a group your account is a member of with the Deny permission, that's going to be your issue.  Try removing that and then readding permission for your account.

March 16th, 2015 11:56am

I tested by setting up a test account and giving that access, it worked, I then added it to the same groups I am in, one by one. It still works even when the test account mirrors mine but I still get the same error so it is not group membership causing the issue.
March 16th, 2015 5:02pm

Did you run the Get-MailboxPermission command to see if you have any denies?
March 16th, 2015 5:06pm

I just did, and I am listed with deny full access, allow full access and allow send as etc.

I know this means I will be denied access, but if using the script to allow does not remove this how do I remove the deny?

March 16th, 2015 5:34pm

You will need to remove the deny permission.  When you add the full access, it does not override a deny.
March 17th, 2015 9:58am

Looking in AD, there is nothing indicating there is a deny permission for anybody on this account, same in Exchange so I don't see why this is listed, or how to remove it
March 17th, 2015 12:57pm

Try:

Remove-MailboxPermission -Identity Test1 -User Test2 -AccessRights FullAccess -Deny

March 17th, 2015 1:29pm

This gets stranger, I run the above and get this

WARNING: An inherited access control entry has been specified: [Rights: CreateChild, ControlType: Deny]  and was
ignored on object

I checked the permissions again, and I see domain admins and enterprise admins are also denied access, run the command to remove this and I get the same error about inherited permissions.

March 17th, 2015 5:25pm

Hi,

From your description, you can use ADUC to remove the "Deny" permission and check the result.

ADUC -> Users -> double click Domain Admins -> Security -> uncheck the Deny permission

Hope this can be helpful to you.

Best regards,

March 17th, 2015 9:59pm

That is a bit of a risky thing to do, before I looked at doing it I decided to look at the permissions on this mailbox for Enterprise admins, this was the result

Identity | User | AccessRights | IsInherited | Deny
domain.com/Employees/User | DOMAIN\Enterprise Admins | {FullAccess} | TRUE | TRUE
domain.com/Employees/User | DOMAIN\Enterprise Admins | {FullAccess, DeleteItem, ReadPermission, ChangePermission} | TRUE | FALSE

How can Enterprise admins be inheriting this? I checked its group membership and no groups it is in have any permissions set for this mailbox.

I checked Domain admins again, same thing, it is inheriting a deny access from somewhere but no groups that it is in have any deny permissions set

March 20th, 2015 4:14pm
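
An added example, not posted by anyone in this thread: one way to list every Deny entry on a mailbox and separate the explicit ones (removable on the mailbox) from the inherited ones (which Remove-MailboxPermission ignores, as the warning quoted earlier shows). It assumes the Exchange Management Shell and reuses the thread's sample names JDoe and testuser22.

```powershell
# Added example. Assumes the Exchange Management Shell.
# 'JDoe' and 'testuser22' are the sample names used earlier in the thread.
$mailbox = 'JDoe'
$user    = 'testuser22'

# List every Deny entry on the mailbox, not only those naming $user, so that
# denies applied to groups (e.g. Domain Admins, Enterprise Admins) show up too.
$denies = @(Get-MailboxPermission -Identity $mailbox |
    Where-Object { $_.Deny -eq $true })

$denies | Sort-Object IsInherited |
    Format-Table User, AccessRights, IsInherited, Deny -AutoSize

# Explicit denies are set on the mailbox itself and can be removed there.
$explicit = @($denies | Where-Object { $_.IsInherited -eq $false })

# Inherited denies come from a parent object; running Remove-MailboxPermission
# against the mailbox only produces the "inherited access control entry ...
# was ignored" warning for these.
$inherited = @($denies | Where-Object { $_.IsInherited -eq $true })

foreach ($ace in $explicit) {
    # -WhatIf previews the removal without changing anything; drop it to apply.
    Remove-MailboxPermission -Identity $mailbox -User $ace.User `
        -AccessRights $ace.AccessRights -Deny -WhatIf
}

foreach ($ace in $inherited) {
    Write-Warning ("Inherited deny for {0} ({1}): cannot be removed on mailbox {2}" -f
        $ace.User, ($ace.AccessRights -join ', '), $mailbox)
}

# Finally, show what the delegate itself ends up with on this mailbox.
Get-MailboxPermission -Identity $mailbox -User $user |
    Format-Table User, AccessRights, IsInherited, Deny -AutoSize
```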

I believe that is default behavior.  I don't know why that's the default behavior, but it probably has to do with legal/administrative ramifications of all administrative accounts having full access to mailboxes by default.  Also, Microsoft highly recommends giving each user who needs administrative access a regular user account for normal functions (stuff like workstation and email access) and a separate administrator account. This is probably one of their little ways of forcing you to follow that recommendation.
March 20th, 2015 4:25pm

A little old, but backs up what I was saying about the deny permissions...

https://support.microsoft.com/en-us/kb/821897

March 20th, 2015 5:05pm

That makes sense, in theory, but the issue here is with just 1 mailbox. If I give myself full access to any other (or at least any I have tested) I am able to access it. This one mailbox denies me access.

I am trying to get the management to go down the 2 account path for admins, but they are not buying into it despite it being best practice and a way to prevent accidental issues. I'll keep trying for that, but in the meantime I am still confused by this permissions issue.

March 20th, 2015 5:42pm

Hi,

In your case, the issue only occurs to one mailbox. I recommend you move this problematic mailbox to another mailbox database and check the result.

Hope this can be helpful to you.

Best regards,

March 23rd, 2015 2:53am

Hi,

Any update?

Best regards,

March 29th, 2015 9:58pm

This topic is archived. No further replies will be accepted.
