Exchange 2003 – Assigning permissions to additional mailboxes…

by Andy Grogan on December 3, 2008 · 2 comments


I have seen this floating around forums for ages, essentially the question is “how can I create a mailbox in Exchange that either a single user or multiple users can access at the same time and send e-mail from?”

Well, there are a number of schools of thought on this (mainly because each organisation has its own set of rules and methods of accomplishing such tasks) – the following article is based on how I prefer to do it within my own company and a couple of the support issues that I come across.

The following are the typical sets of circumstances that crop up where I work in regard to multi-user mailboxes:

  • Director's PA requires access to the Director's mailbox
    • Here I would normally suggest that the PA goes to the Director and asks the Director to assign rights to his/her mailbox via the delegation wizard in Outlook
  • A Departmental Section requires a functional mailbox (for example, as I work in Government, a mailbox such as “elections@myplace.com” is not uncommon) where all users of the mailbox need to be able to see the mailbox from within Outlook, but Send From

Delegation – Director's PA requires access to the Director's Mailbox:

The following is a very quick guide to how you can configure Delegate Access to a user's mailbox via the Outlook client.

Open Outlook and log into the mailbox that you wish to configure Delegate access from, then from the “Tools” menu choose “Options” – see below

When you have selected the options menu the following dialog box will appear:

From here click on the “Delegates” tab which will change the view to look like the following:

On the delegates tab click on the “Add” button, which will open a dialog box which looks like the standard Global Address List – see below:

From here you can choose the [PA] and (or) others whom you wish to assign various rights to your (or) [Directors] mailbox – see below:

The following gives you an example of where the Director has given the PA full rights on the Calendar and Inbox (note that using such settings will mean that items such as meeting requests will be sent to the PA’s mailbox as well as the Director’s):

When happy with the settings that have been configured above click “OK” and you will then be returned to the “Delegates” tab, which will now look like the following:

Down the bottom of the above tab you will see the following section:

Deliver meeting requests addressed to me and responses to meeting where I am the organiser to:

Which has the following three options:

  • My Delegates only, but send a copy of meeting requests and responses to me
  • My Delegates only
  • My Delegates and me

 

The reason why I raise this is because I have had a number of Helpdesk calls over the years where users forget about these settings – which results in calls such as:

My MD was invited to a meeting and three of us received the request but we were not invited plus I do not work for him any longer

Additionally in the case of Directors it is not uncommon for them to have management teams which via the delegation wizard are provided with access to the Director’s Calendar but then cannot understand why they start receiving meeting requests.

In such cases it is almost always down to the way in which the settings listed above have been configured – so if you have someone who is getting meeting requests for someone else – it is normally the Delegation settings on the source mailbox.

Functional Mailboxes:

In this section I would like to go through my idea of a functional (or shared) mailbox and the permissions required to configure them – I will also explain how you can then add them into Outlook Profiles where people can “Send As” the account.

My definition of a functional mailbox is thus:

  • Is a separate mailbox on your Exchange Server with a specific “Theme” primary SMTP address (for example feedback@mydomain.com)
  • Greater than two users require access
  • Users need it to appear in their own Outlook folder list
  • Users need to be able to “Send From” the mailbox

How I create Functional Mailboxes:

On one of the Exchange Servers in your environment navigate to [ Start -> Programs -> Microsoft Exchange -> Active Directory Users and Computers ]

From within ADUC choose the container or the OU where you would like to create the functional mailbox – then right click and from the context menu that appears choose [ New –> User ] – see below:


From the New User wizard populate the fields with the values that match the purpose of the mailbox that you wish to create (remember that the samAccountName (or user logon name) will be the primary part of both the alias and the primary SMTP address) – below is an example:


Many people have domains where (quite rightly) password complexity, minimum character length and periodic rules are set.

What I typically do is set a password for the Functional mailbox which remains unknown to the users (they do not need to know it as they will have rights on the mailbox in any case), then configure the account so that the password cannot be changed and does not expire – this prevents the account from becoming deactivated when the domain rules apply. This reduces calls to your Helpdesk but does present a slight security risk – ultimately this will be down to you – however the following is an example of the account password screen as I would configure it:


After the password configuration options we are presented with the mailbox configuration – essentially here you should place the mailbox in the most appropriate database – see below:


The final step of the account wizard is the summary page (see below) when you are happy click on the “Finish” button.


What I recommend is to check the SMTP address that has been assigned to your Functional account to ensure that it matches what you expect – see below:


We now have created an account in Active Directory and indeed what will become the mailbox in Exchange, what we now need to do is assign some permissions so that others in Active Directory can access this new mailbox as well as their own.

What I like to do is create a security group (even if the Functional Mailbox only has one user) – for the following reasons

  • If the single person leaves – or indeed you need a number of people to access the mailbox all you need to do is add or remove from the group

 

This eliminates the problem of having to repeat the configuration of permissions on the Functional Account in AD over and over again.

The following is the group creation procedure that I use (generally creating a group is just that – However I have included the process here for completeness).

From Active Directory Users and Computers navigate to the OU or Container where you would like your security group to be placed and then Right Click on it.

From the context menu that appears choose [ New -> Group ] – see below:


Follow through the create group Wizard completing the details of your group like so:


When asked about creating an Exchange e-mail alias ensure that the check box is NOT checked – see below:


When happy with the configuration of the security group – click on the “Finish” button – see below.


Now that both the mailbox and security group have been created we are now ready to apply the security group to the mailbox so that members of the group can have access.

Firstly in Active Directory Users and Computers go to [ View -> Advanced Features ] – see below:


Then navigate to the location of the functional mailbox that has been created and bring up its properties – from the list of tabs that are available choose the “Exchange Advanced” tab:


Click on the “Mailbox Rights” button which will open the following dialog box:


Add in the Security Group that you have created and assign it the following permissions:

  • Delete Mailbox Storage
  • Full Mailbox Access

When happy with the configuration click on “Apply” and then “OK” – this will then return you to the Properties of the Functional Mailbox – from here choose the “Security” Tab – see below:


Again here add in the security group and then assign it the following permissions on the mailbox:

  • Full Control – not set
  • Read – allow
  • Write – not set
  • Create all child objects – not set
  • Delete all child objects – not set
  • Allowed to authenticate – not set
  • Change Password – deny
  • Receive As – allow
  • Reset password – not set
  • Send as – allow
  • Read account restrictions – allow
  • Write account restrictions – not set
  • Read General information – allow
  • Write General information – not set
  • Read Group Membership – allow
  • Write Group Membership – not set
  • Read Logon Information – allow
  • Write Logon Information – not set
  • Read Personal Information – allow
  • Write Personal Information – allow
  • Read Phone and Mail Options – allow
  • Write Phone and Mail Options – allow
  • Read Public Information – allow
  • Write Public Information – not set
  • Read Remote Access Information – allow
  • Write Remote Access Information – not set
  • Read Web Information – allow
  • Write Web Information – allow

 

I have placed a down-loadable copy of the above permissions in PDF format below for future reference:

adobeGroupPermissions [52.4KB]

When the permissions have been applied as per above – click on the “OK” button.
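
One way to review what the “Security” tab settings above actually left on the account, as an added example that is not part of the original article: PowerShell 2.0 or later reading the account's Active Directory ACL through ADSI and listing every trustee that holds Send As, Receive As or Change Password. The distinguished name is a constructed placeholder; Full Mailbox Access from the “Mailbox Rights” dialog is stored separately and is not covered here.

```powershell
# Added example. $MailboxDn is a constructed placeholder; replace it with the
# distinguished name of your own functional mailbox account.
$MailboxDn = 'CN=Feedback,OU=Functional Mailboxes,DC=mydomain,DC=com'

# Well-known Active Directory control access right GUIDs.
# An empty GUID on an ExtendedRight ACE means "every extended right",
# which is how Full Control ends up implying Send As.
$RightNames = @{
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password'
    'ab721a54-1e2f-11d0-9819-00aa0040529b' = 'Send As'
    'ab721a56-1e2f-11d0-9819-00aa0040529b' = 'Receive As'
    '00000000-0000-0000-0000-000000000000' = 'ALL extended rights'
}
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$SidType       = [System.Security.Principal.SecurityIdentifier]
$NameType      = [System.Security.Principal.NTAccount]

$account = [ADSI]"LDAP://$MailboxDn"

# Explicit and inherited ACEs, with trustees returned as SIDs so that
# unresolvable (deleted) accounts do not abort the listing.
$rules = $account.psbase.ObjectSecurity.GetAccessRules($true, $true, $SidType)

$report = foreach ($rule in $rules) {
    # Keep only ACEs that carry an extended (control access) right.
    if (-not ($rule.ActiveDirectoryRights -band $ExtendedRight)) { continue }
    $guid = $rule.ObjectType.ToString()
    if (-not $RightNames.ContainsKey($guid)) { continue }

    # Resolve the SID to DOMAIN\name where possible; keep the raw SID otherwise.
    $trustee = $rule.IdentityReference.Value
    try { $trustee = $rule.IdentityReference.Translate($NameType).Value } catch { }

    New-Object PSObject -Property @{
        Trustee   = $trustee
        Right     = $RightNames[$guid]
        Access    = $rule.AccessControlType   # Allow or Deny
        Inherited = $rule.IsInherited
    }
}

$report | Sort-Object Right, Trustee |
    Format-Table Trustee, Right, Access, Inherited -AutoSize
```

With the settings listed above, the security group should appear with Allow on Send As and Receive As and Deny on Change Password; any other non-inherited trustee holding Send As is worth questioning.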

You should now add the people whom you wish to access the mailbox to the security group – see below:


When you have finished adding users to the security group I advise that you allow about 15 minutes for Exchange to get its “act together” and then, when the 15 minutes has passed, ask each user to log out of Outlook and then go back in.

We should now be in a position to add the new mailbox to each users profile in Outlook which is accomplished like so (again most of you will know this, but I have included it for completeness):

The steps represented in this next section are based around Outlook 2007 – however, they are generally the same for Outlook 2003:

From the Tools Menu in Outlook select “Account Settings” – see below:

Which will open up the following dialog box – see below:

From the List on the “Email” tab choose the entry entitled “Microsoft Exchange” and then click on the “Change” button which will open the following dialog box:

Click on the “More Settings” button which will open the following dialog box:

Click on the “Advanced” tab then click on the “Add” button which is located in the “Mailboxes” section in the top quadrant which will open up the following dialog box:

Here type in the name of the functional mailbox that has been created and then click on the “OK” button – your screen should then change to look like the following:

Click “OK” then “Next” then “Finish” then “Close” – this should return you to Outlook.

What you should notice now is that the Functional Mailbox is visible in the Folders list of Outlook – see below:

Users who have been placed in the security group should now have full access to the mailbox – if they wish to send a mail as the functional account all they need to do is open a new mail message (based on Outlook 2007 – in previous versions of Outlook the “View From” option is available in the “View” menu) then choose the “Options” tab from the “Ribbon” – see below:

Then choose the “Show From” button – this will give them an additional addressing field where the name of the functional mailbox can either be selected from the Global Address List or typed in – see below:

The above concludes my overview of sharing mailbox resources in Exchange 2003 – I hope that you find it useful.


aa December 22, 2011 at 2:52 am

This is a great article, saved my ass several times! Thank you ..


F L February 22, 2013 at 7:35 pm

Very thorough.
