Archive

Posts Tagged ‘permissions’

Exchange read-only mailbox rights

April 11th, 2013 1 comment

Couple of days I’ve got question from my friend if there is way to setup Exchange mailbox to be Read-only for other users in company. I never needed it, because when someone else needed to access other’s mailbox, I just set FullAccess rights on mailbox and everythin worked fine.

Testing scenario

Exchange 2010

Tester user called Tester with following content of mailbox:

Tester mailbox

Tester user called Tester02 wich wants to access whole mailbox of user Tester, but Read-only.

When I set Reviewer for user Tester02 on mailbox Tester under Outlook:

Reviewer permissions

Problem

When I connect Tester’s mailbox into Tester02’s Outlook profile I can see following:

Inbox view

So I can see only Inbox. I don’t see any folder underneath it. We can check this permissions also using Powershell:

Get-MailboxFolderPermission

When we look on mailbox folder permissions underneath Inbox, for example “Inbox\My friends” folder, we can see following:

Permission on subfolder

This means that mailbox folder permissions are not inherited. So we can set permission per folder. So let’s test to add permission to folder Inbox and subfolder “My friends”:

Set-Folder Permissions

and now we can see also subfolders under account Tester02:

Accessible subfolders

This means that using Outlook or powershell commandlet Add-MailboxFolderPermission can set permissions only on one folder and these settings are not inherited! This is really weird. I couldn’t find any setting to allow inheritance.

Another way to set permissions of mailbox folders is set permissions on whole mailbox. This can be set by users which have rights to manage exchange mailboxes. Let’s look on powershell cmd-let Add-MailboxPermission. This cmdlet allows you to set just following access rights: FullAccess, SendAs, ExternalAccount, DeleteItem, ReadPermision, ChangePermision and ChangeOwner. Neither one of these rights define Read-only access to mailbox.

Solution

So there is no easy way to share whole mailbox between users in read-only manner. Only way I can think of is to run some powershell script. For example:

Add-MailboxFolderPermission tester -User tester02 -AccessRights Reviewer

 

ForEach($folder in (Get-MailboxFolderStatistics -Identity tester) )

{

$fname = “tester:” + $folder.FolderPath.Replace(“/”,”\”);

Add-MailboxFolderPermission $fname -User tester02 -AccessRights Reviewer

}

where “tester” is account with shared mailbox and “tester02” is account which want to access shared mailbox.

After this powershell commands are done, Tester02 can see Tester’s mailbox:

 

Shared mailbox accessible

 

But when user Tester creates new folder in his mailbox, user Tester02 will not see it unless user Tester sets permissions on new mailbox folder.

I hope guys from Microsoft will solve this issue in next release of Exchange. 🙂

 

Exchange ActiveSync insufficient permissions

February 19th, 2012 No comments

I couldn’t connect via ActiveSync on my account. I’ve checked events on CAS server and I found:

 

Exchange ActiveSync doesn’t have sufficient permissions to create the “CN=Zilinec Ondrej – testovaci TS uzivatel,OU=TESTUSERS,OU=UZIVATELIA,OU=XXX,DC=XXX,DC=in,DC=XXX,DC=XX” container under Active Directory user “Active Directory operation failed on DCB1.XXX. This error is not retriable. Additional information: Access is denied.

Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

“.

Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type “msExchActiveSyncDevices” and doesn’t have any deny permissions that block such operations.

Details:%3

 

Read more…