I was asked the following question recently:  What are the minimum permissions necessary I need to grant a user in order for that user to be able to access the data in another user’s mailbox?

 

Automatically I referenced following article 821897 that states Send As and Receive As permissions are necessary.  What we came to find out was that the Receive As permission was the only permission necessary to access information in the mailbox.

 

After some research I have the answer to the question:

 

There are two methods to grant permission for a user to access another user’s mailbox through Outlook by selecting File -> Open -> Other User’s Folder.  If it is a custom application that is accessing the mailbox using WebDav or CDO code yet another set of permissions are needed.  

 

MAPI permissions

 

To begin we can use MAPI permissions assigned at the top level mailbox object.

 

The “reviewer” role gives the user the ability to read items and files only.  In order for all folders to be viewed the Folder Visible permission must be present on the top level.  Here are the steps:

 

Here’s what I would suggest:

1. Open the target mailbox

2. Right click on the particular folder you want to grant the access to and choose Properties

a.    Choose the Permissions tab

b.    Click Add and from the address list choose the user to grant access to and then click okay

c.    Choose the reviewer right and then click okay

3. Right-click on the Mailbox – <Target Mailbox Display Name> folder and choose Properties.

a.    Choose the Permissions tab

b.    Click Add and from the address list choose the user to grant access to and then click okay

c.    Leave the role as None and select the “Folder Visible” permission and then click okay

 

Outlook folder permissions

http://office.microsoft.com/en-us/assistance/HP052422871033.aspx

 

Full Mailbox Access at the Active Directory Level

 

The second way to grant access to access the items in the mailbox through Outlook is to assign the full mailbox permissions to the mailbox in the Active Directory. 

 

There are a couple of scenarios that could occur depending on which version of store is installed on the Exchange server.  If no hotfixes have been applied then the user will be able to delete messages, create messages, read items and files.  The user will also be able to send email from that mailbox.  If the server is at store.exe hotfix builds 7233.51 and higher for Exchange Server 2003 Service Pack 1 (SP1) or Store.exe hotfix builds 7650.23 and higher for Exchange Server 2003 Service Pack 2 (SP2) then the user will have the all the same permissions to delete messages, create messages, read items and files, but will no longer be able to send messages from the mailbox. 

 

The following article has more information:

 

A delegate user who has "Full mailbox access" permissions for another user's mailbox can send e-mail messages as the mailbox owner in Exchange Server 2003
http://support.microsoft.com/kb/895949/

 

This change was also discussed in this blog post.

 

When using a custom application

 

When a custom application is accessing the mailbox the Receive As permission is necessary.  The Receive As permission on the mailbox gives the user access to the same tasks as when granting Full Mailbox Access: delete messages, create messages and send email (as the user who is accessing/logged into the mailbox), read items and files, but also gives the user the permission to copy data out of the mailbox.

 

1.  Open the Exchange System Manager

2.  Expand the Organization

3.  Right click and choose the Delegate control…

a.    Click next and then Add and browse.  From the object picker choose the user or group you want to grant access and click okay

b.    Make sure the Exchange View Only Administrator is chosen and click okay

c.    Click next and finish

Note:  The Exchange View Only Administrator can also be set on the administrative group level using step 3

 

264733 How to enable the Security tab for the organization object in Exchange 2000 and in Exchange 2003

http://support.microsoft.com/default.aspx?scid=kb;EN-US;264733

 

4.  Next expand the Administrative Groups container

5.  Expand <administrative group name>, Servers container, <server name>, the Storage Group and <storage group name>

a.    Right click on the store containing the mailboxes you want to grant access to and choose properties

b.    Click on the security tab and choose the user from the list.  If the user was added as part of a group at the View Only Administrator level then that individual user will need to be added at this time if the entire group is not going to be granted Receive As permissions here.

c.    Scroll down the list of permissions and check allow for the Receive As permission and then click okay

Note:  The Receive As permission can be set at any level under the Organization

 

6.  The Information store may cache this data and it can take up to 2 hours for this cache to be flushed.  Dismount and remount the store to flush this cache immediately

 

If the user is already an Exchange Full Administrator you will need to follow the steps in either of the following two articles (depending on the version of Exchange you are using) as the Receive As permission will be inherited as a deny:

 

821897 How to assign service account access to all mailboxes in Exchange Server 2003

http://support.microsoft.com/default.aspx?scid=kb;EN-US;821897

 

262054 XADM: How to Get Service Account Access to All Mailboxes in Exchange 2000

http://support.microsoft.com/default.aspx?scid=kb;EN-US;262054

 

Working with Store Permissions in Microsoft Exchange 2000 and 2003

http://www.microsoft.com/downloads/details.aspx?familyid=2ae266f0-16b7-40d7-94d9-c8be0e968a57&displaylang=en

 

- Charlotte Raymundo