Shared Mailbox Permissions - Can't Give FullAccess to a Group
I have an Exchange 2007 SP1 Enterprise Edition server running on Windows 2003 Enterprise x64. The server is running the following roles: hub transport, client access, and mailbox. I've created a shared mailbox and now I'm trying to assign permissions on that box so various users can have full access to the box. I'm not concerned with 'send-as' permissions right now, I just need users to be able to pull this mailbox up and read the contents.

The name of my shared mailbox is 'testuser3'. I'm trying to give access to testuser4, testuser5, and testuser6. Using either cmdlets from PowerShell, or the GUI (since it's now an available feature in SP1), I can assign FullAccess permission to the shared mailbox (testuser3) for any of those other individual users (testuser4-6). This works just fine.

To simplify matters (and because in the future I'm planning on giving 20-50 users access to a shared mailbox) I have created a group in Active Directory called 'Testuser3-MBX-Permission'; I added testuser4-6 as members of this new group. The group is a domain-local security group. Then, using both the Add-MailboxPermission cmdlet and the GUI, I give 'FullAccess' permission to my new group, 'Testuser3-MBX-Permission'. If I then remove the individual user accounts from the FullAccess control list and attempt to access the Testuser3 mailbox, it doesn't work. If I re-add the user accounts (individually, that is) then it works again.

Basically, what I'm seeing is that you cannot grant permissions to groups, only users. The documentation is clear that you should be able to grant permissions to groups... so I'm lost. I've tried using domain-global security groups, universal security groups, and mail-enabled universal security groups... all ended without success. I've also tried to supplement the FullAccess mailbox permission with the send-as AD permission and 'Personal Information' permissions. This also didn't solve the problem. Any ideas? I appreciate any ideas anyone can offer.
June 11th, 2008 12:15am

Hi, I suggest we remove all the users' permissions to the shared mailbox (testuser3). After that, please recreate the new Universal Security Group, then add the users to this group. Then right-click the shared mailbox in EMC and grant the permission again. You can also run the command in EMS:

Add-MailboxPermission -Identity "shared box" -User "universal security group" -AccessRights FullAccess

Now check this issue again. Please note: Outlook needs to be reopened so that the relevant configuration can take effect. Thanks, Allen
June 12th, 2008 9:09am

Allen, thanks for your advice, but it didn't solve the problem. I have found the cause of the problem, and I think some people will be interested to know the answer (especially those folks on the MS-Exchange development team).

I went ahead and recreated my universal security group, per your recommendation, and then added the users I wanted to have FullAccess to the testuser3 shared mailbox. I cleared out the ACL on the shared box and then added the 'testuser3-mbx-permissions' universal security group.

Now this is where it gets interesting... If I log into Windows as testuser5 and then open up Outlook, go through my config, yada yada.. I have Outlook set up for that single user. I then add an additional mailbox to the Outlook config (adding testuser3 as the additional mailbox). I hit ok ok ok and then bada bing I have access to both mailboxes. Worked perfect!

Then, just because I know the majority of my users like to use OWA, I went ahead and tested all of this using the browser. I open OWA, log in as testuser5 and then in the top right I use the "Open Other Mailbox" feature (by clicking on my own username; isn't that kind of non-intuitive? Anyways..) I type in testuser3 and hit ok and it pops up a new IE window saying, "You do not have permission to open this mailbox". So now wait.. didn't I just have access in Outlook? Well yes, I do.. isn't that odd?

Now, in troubleshooting I went ahead and added testuser5 to the FullAccess ACL for the shared mailbox, testuser3, using the EMC. After I do that, I can access the other mailbox using OWA.

So, long story short is that granting permissions to groups on shared mailboxes only works if the user(s) nested in that group attempt to access the mailbox with Outlook, not OWA. If you want to access shared mailboxes using OWA you need to have the users explicitly defined in the ACL for the shared mailbox.
If anyone wants screenshots of this or would like to talk about it more you can email me at andrew.r.johnson@comcast.net Andrew
June 12th, 2008 6:08pm
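
Editor's added example, not part of any poster's reply: an Exchange Management Shell sketch that compares the group's direct members with the explicit FullAccess entries on the shared mailbox, so that the per-user entries OWA needs (per the post above) stay tied to group membership. The mailbox and group names are the ones used in the thread; nested groups are not expanded, and `-WhatIf` keeps the grant a dry run until it is removed.

```powershell
# Added example. Run in the Exchange Management Shell.
# Names below come from the thread; change them for your environment.
$Mailbox = 'testuser3'
$Group   = 'Testuser3-MBX-Permission'

$g = Get-Group -Identity $Group

# Direct members of the group, keyed by lower-cased sAMAccountName.
# Nested groups and non-user members are skipped (Get-User finds nothing for them).
$wanted = @{}
$g.Members | ForEach-Object {
    $u = Get-User -Identity $_.DistinguishedName -ErrorAction SilentlyContinue
    if ($u) { $wanted[$u.SamAccountName.ToLower()] = $u }
}

# Explicit (non-inherited) FullAccess allow entries currently on the mailbox.
# The User column is DOMAIN\account, so keep only the account part as the key.
$have = @{}
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { -not $_.IsInherited -and -not $_.Deny } |
    Where-Object { $_.AccessRights -match 'FullAccess' } |
    Where-Object { $_.User -notlike 'NT AUTHORITY\*' } |
    ForEach-Object {
        $name = $_.User.ToString().Split('\')[-1].ToLower()
        # The group's own entry is expected; only per-user entries are tracked.
        if ($name -ne $g.SamAccountName.ToLower()) { $have[$name] = $_.User.ToString() }
    }

# Group members with no explicit entry: the accounts that, per the thread,
# can open the mailbox in Outlook but are refused in OWA.
$wanted.Keys | Where-Object { -not $have.ContainsKey($_) } | ForEach-Object {
    Add-MailboxPermission -Identity $Mailbox -User $wanted[$_].SamAccountName `
        -AccessRights FullAccess -WhatIf
}

# Explicit entries for accounts that are not (or no longer) in the group:
# access that would otherwise outlive group membership. Report for review.
$have.Keys | Where-Object { -not $wanted.ContainsKey($_) } | ForEach-Object {
    Write-Output "Review: $($have[$_]) has explicit FullAccess on $Mailbox but is not in $Group"
}
```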

Old post but relevant. We ran into the same issue 100%. Security group works fine in Outlook when given FullAccess to the security group. It doesn't work in OWA. We need to give an AD account explicit permissions for it to work in OWA.
April 1st, 2009 9:09pm

Still the same behaviour; we have installed all service packs and RUs. So waiting for Ex2010....
September 10th, 2009 4:11pm

This topic is archived. No further replies will be accepted.
