Granting Access to a Shared Mailbox in Exchange 2007

As promised in my last post, I’m going to continue my ramblings about interesting Exchange 2007 topics. At this point, we have successfully created a shared mailbox and it now shows up in the Exchange Management Console (EMC). However, you may now be at a loss as to how access can be granted to your newly created masterpiece (shared mailbox). Well, as you may have guessed, managing permissions in Exchange 2007 is all done through the Exchange Management Shell (EMS). In fact, all management tasks can be done in the EMS. But, this is yet one more example of something that is in the EMS and not in the EMC. There are several cmdlets in Exchange 2007 that are used to manage and review permissions. For the purposes of granting access to the shared mailbox the cmdlets we are interested in are as follows:

  • Add-MailboxPermission
  • Add-ADPermission
  • As their names might suggest, the Add-MailboxPermission cmdlet is used to add permissions to a mailbox. While the Add-ADPermission cmdlet is used to add permissions to an Active Directory object. ***Words of Praise*** I would just like to say a couple words of praise for the Exchange team. All of the permission management cmdlets in Exchange 2007 are actually really cool because you never need to deal with the finer details (nightmare, yes it’s a nightmare for IT Pros) of AccessControl management via the .NET Framework. ******************* To utilize these cmdlets to delegate access to our shared mailbox we would use the following steps:

    1. Create a Domain Local Group named MBX- Ye_Marketing_Mailbox-Full. (Domain local is a preference of mine for representing access groups in Active Directory. Please follow your own standards.)
    2. Next, run the following command to grant MBX- Ye_Marketing_Mailbox-Full full access to the shared mailbox: get-mailbox -identity "Ye Marketing Mailbox" | add-mailboxpermission -user "MBX-Ye_Marketing_Mailbox-Full" -accessrights 'FullAccess'
    3. Finally, run the following command to grant MBX- Ye_Marketing_Mailbox-Full modify access to the mailbox’s “Personal Information” attributes: get-mailbox -identity "Ye Marketing Mailbox" | add-adpermission -user "MBX-Ye_Marketing_Mailbox-Full" -accessrights:ReadProperty, WriteProperty -properties 'Personal Information' -extendedrights 'Send-As'

    After running the above commands, members of the MBX-Ye_Marketing_Mailbox-Full group will be able to access and manage the Ye Marketing Mailbox. Mission Accomplished! For all of today's Microsoft news, visit Microsoft Subnet

    Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

    Copyright © 2007 IDG Communications, Inc.

    IT Salary Survey: The results are in