Situations arise when a user -- maybe you -- needs to access another user's mailbox. You can accomplish this in a variety of ways: The user can delegate access to you or another user, you can give access to yourself, or you can grant access to another user.
Delegating mailbox access
You are reading tip #12 from "15 tips in 15 minutes: Managing recipients and distribution lists," excerpted from Chapter 5 of the book Learning Exchange Server 2003, published by Addison-Wesley Professional.
When an executive or senior manager wants her administrative assistant to screen her email and handle routine items, she can use Outlook to delegate access to her inbox and calendar. Or a user might go on vacation and want some other user to monitor his messages.
An Outlook user can delegate access permissions to another user. The Outlook Options window (Tools -> Options in the Outlook menu) has a Delegates tab for this purpose. Figure 5.56 shows an example.
Click Add to add a delegate. Once you select a delegate from the Global Address List, the Delegate Permissions window opens, as shown in Figure 5.57.
By default, a delegate gets Editor (read, create, modify) rights only to the Calendar and Tasks folders. The user can include other folders or change the level of access using the dropdown box next to the folder.
Accessing a delegated mailbox
Once a user has been delegated access to another user's mailbox folders, the delegate can access the folders by selecting the File -> Open -> Other User's Folder option from the main menu, as shown in Figure 5.58.
If the mailbox owner delegates Editor rights for the Inbox, the delegate can use the From field in Outlook (shown in Figure 5.59) to send mail on behalf of the primary mailbox owner. This highly privileged operation should not be delegated without some thought as to the suitability (trustworthiness, maturity, and so forth) of the delegate.
Granting access to another user
Sometimes you don't have the opportunity to ask a user to delegate mailbox access to you or someone else. The user might have been fired, or the security team might have the user under investigation. Also, human nature being what it is, sometimes you'll encounter situations where a manager wants to see a subordinate's mailbox without the subordinate being aware of this access. (Don't do this in production until you have a chat with someone in your legal department. You don't want to inadvertently violate a privacy law.)
Grant a user access to another user's mailbox via Active Directory Users and Computers as follows:
- Open the Properties window for the user's mailbox to which you want to grant access.
- Select the Exchange Advanced tab, as shown in Figure 5.60.
- Click the Mailbox Rights button. This opens the Permissions window for the user's mailbox. If the permission list has only SELF, as shown in Figure 5.61, then the user has not yet received any messages and therefore does not have a mailbox. Send the user an email and then the security list will include all the inherited permissions from the mailbox store.
- Click Add and select the name of the user you want to have access to the mailbox. Give this user Read permission if they just want to look at the messages and Full Mailbox Access if they need to send messages on behalf of the user.
Once you have assigned access to another user, the user can open the mailbox in Outlook using the procedure shown in the "Accessing a Delegated Mailbox" section of this chapter.
Granting yourself access to a user's mailbox
By default, Exchange denies mailbox access to any Domain Admin, Enterprise Admin, the Administrator account, and any account that has been delegated the Exchange Administrator or Exchange Full Administrator role. Figure 5.62 shows the Security tab of the Organization object in Active Directory where the Deny settings reside. If you delegate the Exchange Full Administrator or Exchange Administrator role on an Administrative Group, then Exchange places the Deny entries on the Administrative Group object.
You can override a Deny inherited from the organization or an Administrative Group by placing an Allow permission on the mailbox itself in Active Directory Users and Computers. Because of the inheritance rules in Active Directory, an Allow applied directly to an object takes precedence over an inherited Deny. You can grant full access to mailboxes on a per-store or per-server basis as well. See Microsoft Knowledge Base article 262054 for details.
Figure 5.62 Exchange organization object showing how to override default Deny for administrators by applying an Allow for Receive As and Send As permission on mailboxes.
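The precedence rule described above, shown as an added example that is not code from the book or from Exchange: a simplified Python model of access-control-list evaluation, plus an audit helper that lists explicit Allow entries sidestepping an inherited Deny. The flag values, the account name `admin1` and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed bit flags for this model, not the real Windows access-mask values.
RECEIVE_AS, SEND_AS = 0x1, 0x2

@dataclass(frozen=True)
class Ace:
    trustee: str     # user or group the entry applies to
    allow: bool      # True = Allow entry, False = Deny entry
    mask: int        # rights the entry covers
    inherited: bool  # True if it flowed down from a parent container

def canonical_order(aces):
    """Explicit Deny, explicit Allow, inherited Deny, inherited Allow."""
    return sorted(aces, key=lambda a: (a.inherited, a.allow))

def access_check(aces, token, wanted):
    """Walk the entries in order; the first one that decides a right wins."""
    remaining = wanted
    for ace in canonical_order(aces):
        if ace.trustee not in token:
            continue
        if not ace.allow and ace.mask & remaining:
            return False              # Deny reached before the right was granted
        if ace.allow:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return False                      # nothing granted it: implicit deny

def explicit_overrides(aces, tokens):
    """Audit: explicit Allows that sidestep an inherited Deny on the same rights."""
    denies = [a for a in aces if a.inherited and not a.allow]
    return [a for a in aces if not a.inherited and a.allow and any(
        d.trustee in tokens.get(a.trustee, {a.trustee}) and d.mask & a.mask
        for d in denies)]

# Constructed sample: hypothetical account "admin1" is a member of Domain Admins.
TOKENS = {"admin1": {"admin1", "Domain Admins"}}
INHERITED = [
    Ace("Domain Admins", True, RECEIVE_AS | SEND_AS, inherited=True),
    Ace("Domain Admins", False, RECEIVE_AS | SEND_AS, inherited=True),
]
OVERRIDE = Ace("admin1", True, RECEIVE_AS, inherited=False)
MAILBOX_ACL = INHERITED + [OVERRIDE]

if __name__ == "__main__":
    for name, acl in (("inherited only", INHERITED), ("with explicit Allow", MAILBOX_ACL)):
        print(name, access_check(acl, TOKENS["admin1"], RECEIVE_AS))
    print("overrides:", explicit_overrides(MAILBOX_ACL, TOKENS))
```

In this model the explicit Allow covers only Receive As, so a Send As request from the same account still reaches the inherited Deny and is refused.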
This chapter excerpt from Learning Exchange Server 2003 by William Boswell is printed with permission from Addison-Wesley Professional, Copyright 2004.