Minimum permissions necessary to access mailbox data

calendar permission

zhai — Thu, 26 Jan 2006 09:54:53 GMT

Hi Charlotte
Really enjoyed your post , I am encountering some difficulties with Exchange permission in my company and wondered if you could give me some advise .
We are a big Telco company located in the middle east .
Currently we are giving our telemarketing guys access to our door to door sales person's outlooks so they can look at there calendar and set up appointment for them.

The system guys are giving the telemarketing permission thought the sales person AD user witch mean the telemarketing are getting Full mailbox access.
We had complaints from the sales about telemarketing viewing their mail .
So we want to give the telemarketing access only to their calendar ( as it should be) is there a way to do that centrally from the AD ?
( I know I can do it from every sales person outlook but I prefer to do from a central location ) .

Thanks in advance

zhai

re: Minimum permissions necessary to access mailbox data

Charlotte Raymundo — Thu, 26 Jan 2006 20:48:56 GMT

Zhai,

Unfortunately granting permissions on specific Outlook folders can not be set in AD. That said, here is a post that will help you to set this using CDO code:

http://gsexdev.blogspot.com/2005/05/changing-default-permissions-on.html

Hope this helps!

dscflush

Luke Notley — Fri, 27 Jan 2006 06:28:38 GMT

What ever happened to that great utility dscflush for Exchange 2003? doesn't seem to work on Exchange 2003 servers I've tried it on.

Luke

re: Minimum permissions necessary to access mailbox data

Robert Hupf — Wed, 01 Feb 2006 03:54:02 GMT

We are having a problem where we are granting a user in one domain Send As rights to a mailbox in another domain (same forest) and the permission keeps "disappearing". I have tried it with different users and the same thing happens. We are on Exchange 2003 SP1.

re: Minimum permissions necessary to access mailbox data

Exchange — Wed, 01 Feb 2006 05:06:18 GMT

Robert,

Check this article - we see this relatively often in PSS:

Delegated permissions are not available and inheritance is automatically disabled
http://support.microsoft.com/?id=817433

re: Minimum permissions necessary to access calandar information

Manju — Tue, 07 Feb 2006 19:39:34 GMT

Hi,
I'm Manju. I have a Question on the same.

If any user wants to access calendar information of other users, what is the normal procedure?

Do we need to grant full mailbox permissions at mailbox level and any role required at client.

re: Minimum permissions necessary to access mailbox data

Charlotte Raymundo — Tue, 07 Feb 2006 21:47:49 GMT

Manju,

To grant another user access to a second user's calendar you can either grant MAPI permissions on the second user's calendar or grant permissions on that user object in the Active Directory.

If you want to just share the calendar you will grant access from Outlook client. Here is the article with the steps:

290824 How to open another user's calendar or another folder in Outlook 2002
http://support.microsoft.com/default.aspx?scid=kb;EN-US;290824

If you want to grant permissions to access the calendar from the Active Directory side you will grant permissions on the second user's user object under "mailbox rights" (steps listed above).

The user being granted the permissions at the Active Directory level will need the full mailbox access and with that right the user will be able to access all folders in the second user's mailbox, not just the calendar. There is no way to specify the specific mailbox items the permissions are applied to at this level.

Hope this answers your question!

re: Minimum permissions necessary to access mailbox data

Igor — Thu, 16 Feb 2006 10:22:52 GMT

Hi Charlotte,
great article.
I have one question:
often we want give to user read permissions for another user mailbox (not only for specific folders, but for whole mailbox).
When we define "Read permissions" in Exchange advanced->Mailbox rights properties of the user it's doesn't work - user cannot open another user mailbox. However it is work if we give to user full mailbox access.
But we want to give only read access...
Any suggestions?
Currently we use PFDAVAdmin tool for give read permissions for whole mailbox, but we really want to do it with ActiveDirectory.
P.S. we use Exchange 2003 sp1 servers on windows 2003.

re: Minimum permissions necessary to access mailbox data

Charlotte Raymundo — Fri, 17 Feb 2006 21:11:38 GMT

Igor,

Granting permissions to allow users just the read permissions (even on the entire mailbox) has to be done at the MAPI level in Outlook.

The Full Mailbox Access right is the only one availble in the Active Directory. As you mentioned this gives the user more rights then just the read access. Unfortunately there is no way to break this down into specific permissions (read, write ...) in the Active directory.

With that said, you could grant these MAPI level permissions using CDO referenced in this blog:
http://gsexdev.blogspot.com/2005/05/changing-default-permissions-on.html

Hope that helps!

re: Minimum permissions necessary to access mailbox data

Igor — Sun, 19 Feb 2006 11:14:40 GMT

Hi Charlotte,
thanks for the answer.
Will be nice if Microsoft will remove "Read permissions" string in Exchange advanced->Mailbox rights properties or at least need to describe this behaviour in help/KB article.
Thanks, Igor

re: Minimum permissions necessary to access mailbox data

Charlotte Raymundo — Tue, 21 Feb 2006 18:36:03 GMT

Igor,

I can certainly understand the confusion as it is not well documented. The permissions in the mailbox rights section falls under more administrator type roles. The read permissions right is just that; this permission provides the ability for the user to read the permissions of the mailbox.

Regards,
Charlotte

re: Minimum permissions necessary to access mailbox data

PermanentMarker — Wed, 22 Feb 2006 13:45:17 GMT

why not make it a MMC exchange task
- share this mailbox, with user(s)
- share a folder of this mailbox

then have next steps like
readonly access
read and delete access
create /delete own items xx
full mailbox access xx

and in a xx > next step
send as

perhaps more easy to some users, ehmm exchange admins

Altough i think that users should share their mailboxes themself, from a legal standpoint.

HOWTO: Configure Exchange Event Service on Exchange 2003 with minimum permissions

The CDOs and CDONTS of Messaging Development — Wed, 08 Mar 2006 07:43:09 GMT

We have received several support calls in the past months relating to migrating Exchange Event Service Scripts from Exchange 5.5 to Exchange 2003. Because it isn’t straightforward or documented (to my knowledge), I came up with this information to help

re: Minimum permissions necessary to access mailbox data

Diego — Tue, 25 Apr 2006 18:02:16 GMT

Let's suppose the access was already given. If you give access to a group and somebody sends an e-mail to our Global List criticizing the company. How to know who send the e-mail?

HOWTO: Configure Exchange Event Service on Exchange 2003 with minimum permissions

mstehle: The CDOs and CDONTS of Messaging Development — Fri, 23 Jan 2009 07:26:48 GMT