Grant or deny permissions to access a user's Exchange 2007 mailbox

The easiest way to allow a user access to another user's mailbox would be to share the user's password login credentials. However, because a user's password is associated with an account that allows access to more than just the user's Exchange Server mailbox, this poses an unnecessary security risk. Fortunately, it is fairly easy to configure Exchange Server 2007 to allow a user to open another user's mailbox without having to log in as that user.

To do this, you must first grant the necessary Exchange permissions by issuing a single command through the Exchange Management Shell. For example, if you want to grant User1 access to User2's mailbox, then open the Exchange Management Shell and enter the following command:

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Microsoft Exchange Server Permissions Exchange users receiving email addressed to legacy users Restrict access to Outlook Web Access via Exchange System Manager Why you should secure Exchange 2007 using administrative policies Editing Exchange Server public folder permissions Can't delete old Microsoft Outlook public folders Why can't I grant users permissions to an Exchange public folder? Exchange public folder calendar can't be opened in Microsoft Outlook Set Outlook calendar permissions for group to view private meetings Exchange Admin 101: Exchange 2003 and Exchange 2007 admin privileges Selectively set email permissions for Exchange groups Microsoft Exchange Server Scripts and Programming Removing old disclaimers from Exchange Server 2003 How to run Exchange Management Shell cmdlets in Exchange Server 2007 Automate complex Exchange 2007 Management Shell tasks via scripting Exchange event sink scripting error when configuring email disclaimer EMS add-on tool generates graphical Exchange Server 2007 reports A primer on the Exchange Server 2007 Exchange Management Shell How to generate HTML reports with the Exchange Management Shell (EMS) Use the Exchange Management Shell Set command to block senders How to test Exchange Management Shell commands Control query results with Exchange Management Shell's Format command Microsoft Exchange Server 2007 How to install Forefront Security for Exchange Server Displaying Exchange 2007 public folders in SharePoint Don'ts for optimal Exchange 2007 mailbox server efficiency Is your Exchange 2007 hub transport server healthy? Top 5 Exchange ActiveSync tips Two useful tools for documenting an Exchange Server installation Controlling spam in Exchange 2007 at the edge transport server level Restore Exchange storage groups with DPM 2007 How a hosted Exchange service can help you Email issues after configuring hosted Exchange server on laptop Microsoft Exchange Server 2007 Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary privilege  (SearchExchange.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

Add-MailboxPermission –ID User2 –AccessRights FullAccess –User User1

This command is fairly simple. Enter the Add-MailboxPermission command, followed by the mailbox name (User2). Then direct Exchange Server to assign full mailbox access rights to the designated user (User1).

It is important to note that the delegate user will not be able to simply open Microsoft Outlook to access the other user's mailbox. The delegate user must first create an Outlook profile associated with that mailbox. Another option is to open the alternate mailbox using Outlook Web Access (OWA).

This EMS command grants the delegate user full access rights to the mailbox. Any time that you grant a user full access rights to an Exchange Server mailbox, you give them permission to access any folder in the mailbox as well. The delegate user can open any item found in any of the folders. Likewise, they also can move or delete messages from mailbox folders.

Assigning a delegate full access to a mailbox does not grant the delegate the rights to send mail from the other user's mailbox however. If a delegate needs to send mail from another user's mailbox, then you must assign the user Send on Behalf of permissions.

This can be accomplished through a simple Exchange Management Shell command. Once you have granted User1 access to open User2's mailbox, you then need to grant Send on Behalf of permissions to User1. To do so, enter the following command:

Set-Mailbox –ID User2 –GrantSendOnBehalfTo User1

Granting a user delegate rights is simple, but it's also easy to lose track of who has rights to whose mailbox. If this happens, there is a way to check Exchange 2007 mailbox permissions.

To find out who has access to User2's mailbox, enter the following command:

Get-MailboxPermission –ID User2

This provides a list of users that have access to User2's mailbox, but does not provide a list of the permissions that were granted. To discover and display which permissions are specific to User1 for User2's mailbox, for example, enter the command:

Get-MailboxPermission –ID User2 –User User1 | Format-List

Now let's suppose that User1 has full access rights to User2's mailbox, but User1 should not have permissions to the mailbox. You can use the Remove-MailboxPermission command to deny access to a mailbox as shown below.

Remove-MailboxPermission –ID User2 –User User1 –AccessRights Full Access

This command is almost identical to the Set-MailboxPermission command, except the Remove verb is used in place of the Set verb.

About the author: Brien M. Posey, MCSE, has previously received Microsoft's MVP award for Exchange Server, Windows Server and Internet Information Server (IIS). He has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at www.brienposey.com.

Do you have comments on this tip? Let us know.

Please let others know how useful this tip was via the rating scale below. Do you know a helpful Exchange Server, Microsoft Outlook or SharePoint tip, timesaver or workaround? Email the editors to talk about writing for SearchExchange.com.

Rate this Tip To rate tips, you must be a member of SearchExchange.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.