Exchange Server mailboxes are often thought of as something personal that belongs to one specific user. At times, however, you may need to give one user access to another user's mailbox or you may need to monitor a mailbox yourself. This tip explains the processes for both.
Delegating mailbox access in Outlook 2007
It's common for higher-ranking employees in an organization to have an assistant who may need to screen messages or send messages on behalf of the manager. In another instance, one user may be out of the office for an extended period and another user may need to check that person's email. In either case, an Outlook user can delegate access to his or her mailbox to another user.
The delegation process is fairly simple. In Microsoft Outlook 2007, select Tools -> Options. When the Options properties sheet appears, select the Delegates tab. Click Add and select the user you want to give access to your mailbox. Once you've specified the delegate for your mailbox, you'll be taken to the Delegate Permissions dialog box (Figure 1).
Figure 1. You can set the level of permissions that delegates have over your mailbox.
As you can see, the delegate is given the ability to read, modify and create calendar and task list items by default. However, they are not allowed to access the Inbox, Contacts, Notes or Journal. Additionally, although the delegate has full access to the user's calendar, he cannot read private calendar items unless you select the Delegate Can See My Private Items check box.
You can set one of four different permission levels on mailbox objects (Calendar, Inbox, etc.).
- None: The delegate has no access to mailbox objects.
- Reviewer: The delegate has read-only access to mailbox objects.
- Author: The delegate has full read and write access to mailbox objects.
- Editor: The delegate has full read and write access to mailbox objects, as well as the ability to modify existing items.
After clicking OK, you're returned to the Options properties sheet. If you look at Figure 2, you'll notice that, by default, meeting requests and responses are sent to delegates and a copy is sent to the mailbox owner. There are also options to send these requests and responses only to the mailbox owner or only to the delegates.
Opening a delegated mailbox in Outlook 2007
Once a user has delegated mailbox access to another user, the delegate can open the other user's mailbox by selecting the Open -> Other User's Folder command. Outlook 2007 will display a dialog box similar to the one shown in Figure 3, which prompts a user to enter the name of the user whose mailbox they'd like to open and the individual folder within the mailbox to open.
Monitoring a user's Outlook mailbox
In some cases, you may need to access a mailbox without the employee knowing that you're doing so. But before I begin, it's important to know that in most organizations it's illegal to monitor an employee's email without his or her knowledge or consent. Therefore, be sure to check with your company's legal department before using this technique.
The method used to monitor a mailbox isn't that different from delegating mailbox access. When a user delegates access to his mailbox, he's granting mailbox permissions to another user. When you want to monitor a mailbox, you still have to grant permission to the mailbox. The difference between the two is that, as the Exchange administrator, you grant permissions, not the owner of the Outlook mailbox.
Another difference is that while normal mailbox delegation is performed through Outlook, this procedure uses the Exchange Management Shell. The person granting the permissions must be either the Exchange Server administrator or an Exchange Organization administrator.
The command used to grant mailbox permissions is Add-MailboxPermission.
To give you an idea of how this command works, imagine that you wanted to grant User1 full access to User2's mailbox. To do so, enter the following command:
Add-MailboxPermission -Identity "User2" -User User1 -AccessRight FullAccess -InheritanceType all
This command requires the use of several command line switches. Here is a breakdown of the switches and their functions:
- -Identity: The Identity switch tells Exchange Server to which mailbox the new permissions will apply. The Identity must be the user's full name and must be enclosed in quotation marks.
- -User: The User switch tells Exchange Server which user is being granted permission to access the mailbox.
- -AccessRight: The AccessRight switch indicates what level of mailbox access the specified user will be granted. The command above uses FullAccess, but there are other access rights that you can set including SendAs, ExternalAccount, DeleteItem, ReadPermission, ChangePermission and ChangeOwner.
- -InheritanceType: The InheritanceType switch tells Exchange Server how far down the Active Directory object structure the permission should propagate. This value is normally set to All.
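Because these grants are made by an administrator rather than by the mailbox owner, it is worth being able to see and undo them. The following is an added example, not part of the original tip: it goes beyond the single grant above to verify it, list every explicit FullAccess grant in the organization, and revoke the one from the article. It assumes the Exchange Management Shell; User1 and User2 are the article's placeholder names, and the CSV file name is an arbitrary choice.

```powershell
# Added example (not from the original tip). Run in the Exchange Management Shell.
# -AccessRights is the documented parameter name; the tip's -AccessRight works
# because PowerShell accepts an unambiguous prefix of a parameter name.

# 1. Verify the grant from the tip: what can User1 do in User2's mailbox?
Get-MailboxPermission -Identity "User2" -User "User1" |
    Format-List Identity, User, AccessRights, IsInherited, Deny

# 2. Audit: every explicit FullAccess grant on every mailbox.
#    Inherited entries, Deny entries and the owner's own SELF entry are
#    skipped so that only deliberate per-mailbox grants remain.
$grants = Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object {
        ([string]$_.AccessRights -like '*FullAccess*') -and
        (-not $_.IsInherited) -and
        (-not $_.Deny) -and
        ($_.User.ToString() -ne 'NT AUTHORITY\SELF')
    } |
    Select-Object Identity, User, AccessRights

# Show the result and keep a dated copy to compare against the next review.
$grants | Sort-Object Identity | Format-Table -AutoSize
$reportPath = ".\FullAccessGrants-{0:yyyyMMdd}.csv" -f (Get-Date)   # assumed file name
$grants | Export-Csv -Path $reportPath -NoTypeInformation

# 3. Revoke the access once it is no longer needed.
#    The cmdlet prompts for confirmation before removing the permission.
Remove-MailboxPermission -Identity "User2" -User "User1" `
    -AccessRights FullAccess -InheritanceType All
```

Comparing successive CSV reports shows which FullAccess grants were added or removed between reviews.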
About the author: Brien M. Posey, MCSE, is a five-time recipient of Microsoft's Most Valuable Professional (MVP) award for his work with Exchange Server, Windows Server, Internet Information Services (IIS), and File Systems and Storage. Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at www.brienposey.com.
This was first published in February 2010