Hidden Microsoft

Tyson Kopczynski

Previous Article Next Article

Granting Access to a Shared Mailbox in Exchange 2007

By tyson.kopczynski on Sun, 06/24/07 - 6:56pm.

As promised in my last post, I’m going to continue my ramblings about interesting Exchange 2007 topics. At this point, we have successfully created a shared mailbox and it now shows up in the Exchange Management Console (EMC). However, you may now be at a loss as to how access can be granted to your newly created masterpiece (shared mailbox). Well, as you may have guessed, managing permissions in Exchange 2007 is all done through the Exchange Management Shell (EMS). In fact, all management tasks can be done in the EMS. But, this is yet one more example of something that is in the EMS and not in the EMC.

There are several cmdlets in Exchange 2007 that are used to manage and review permissions. For the purposes of granting access to the shared mailbox the cmdlets we are interested in are as follows:

Add-MailboxPermission

Add-ADPermission

As their names might suggest, the Add-MailboxPermission cmdlet is used to add permissions to a mailbox. While the Add-ADPermission cmdlet is used to add permissions to an Active Directory object.

***Words of Praise***
I would just like to say a couple words of praise for the Exchange team. All of the permission management cmdlets in Exchange 2007 are actually really cool because you never need to deal with the finer details (nightmare, yes it’s a nightmare for IT Pros) of AccessControl management via the .NET Framework.
*******************

To utilize these cmdlets to delegate access to our shared mailbox we would use the following steps:

Create a Domain Local Group named MBX- Ye_Marketing_Mailbox-Full. (Domain local is a preference of mine for representing access groups in Active Directory. Please follow your own standards.)
Next, run the following command to grant MBX- Ye_Marketing_Mailbox-Full full access to the shared mailbox: get-mailbox -identity "Ye Marketing Mailbox" | add-mailboxpermission -user "MBX-Ye_Marketing_Mailbox-Full" -accessrights 'FullAccess'
Finally, run the following command to grant MBX- Ye_Marketing_Mailbox-Full modify access to the mailbox’s “Personal Information” attributes: get-mailbox -identity "Ye Marketing Mailbox" | add-adpermission -user "MBX-Ye_Marketing_Mailbox-Full" -accessrights:ReadProperty, WriteProperty -properties 'Personal Information' -extendedrights 'Send-As'

After running the above commands, members of the MBX-Ye_Marketing_Mailbox-Full group will be able to access and manage the Ye Marketing Mailbox. Mission Accomplished!

For all of today's Microsoft news, visit Microsoft Subnet

Tags

Microsoft

About Hidden Microsoft

With more than ten years of experience in IT, Tyson Kopczynski has become a specialist in Active Directory, Information Assurance, Windows automation, PKI, and IT security practices. Tyson is also the founding author of the Windows PowerShell Unleashed series and has been a contributing author for such books as Microsoft Internet Security and Acceleration (ISA) Server 2006 Unleashed and Microsoft Windows Server 2008 R2 Unleashed. He has also written many detailed technical papers and guides covering various technologies. As a consultant at Convergent Computing, Tyson works with and provides feedback for next generation Microsoft technologies since their inception and has also played a key role in expanding the automation and security practices at CCO. Tyson also holds such certifications as the Certified Information Systems Security Professional (CISSP), the SANS Security Essentials Certification (GSEC) and SANS Certified Incident Handler (GCIH), and the MCTS (Application Platform, Active Directory, and Network Infrastructure).

Certifications: