Automapping of Mailbox in Outlook does not work if Full Access Permission assigned to a Group

INFORMATION

Many companies may have a number of shared mailboxes that their users or certain departments may require access to. Generally the easiest way to get this done based on Microsoft methodology is to add the individual users to a group and give the group permission to the resource – all nice so far!

One of the new improvements of Exchange 2010 SP1 was the possibility of an Outlook client to automatically map to its profile any mailbox that the logged on user has full access to!

SO HOW DOES IT WORK??

When you assign a user full access permission in Exchange 2010 SP1 to a shared mailbox, Exchange will modify the multi-valued MsExchDelegateListLink attribute on the shared mailbox to include the distinguished name (DN) of the users who have been assigned the access permission.

At the same time, Exchange will also update the MsExchDelegateListBL attribute on each of the users who have been given the permission to include the DN of the shared mailbox. Next time the user opens Outlook, it will use AutoDiscover to locate the values of the MsExchDelegateListBL for the user and use it to automatically map the shared mailbox to the user’s Outlook profile.

This works perfectly if you are assigning individual users the permission, but many organizations use groups to assign such permissions. When a group is assigned this permission, all the members of the group will inherit the rights assigned HOWEVER Automapping will NOT work! This is because the group’s MsExchDelegateListLink attribute is modified and not that of the individual users within the group.

WORKAROUNDS

  1. Users will be able to add the shared mailbox manually by adding it to their Outlook profile.
  2. Use the following Exchange PowerShell script, which reads the membership of the distribution group and gives each individual member full access permission to the shared mailbox (copy the code below and paste it into a Notepad file. Save the file with a NAME.PS1 extension):

# Read the members of the distribution group
$DL = Get-DistributionGroupMember GROUPNAME | Select-Object -ExpandProperty Name

# Grant each member explicit full access permission to the shared mailbox
foreach ($D in $DL) {
    Add-MailboxPermission -Identity SHARED_MAILBOX_NAME -User $D -AccessRights 'FullAccess'
    Write-Host -ForegroundColor Yellow "$D is a member of the distribution group GROUPNAME and has been given full access permission to the SHARED_MAILBOX_NAME mailbox"
}

Please make sure to replace GROUPNAME with the name of the distribution group and SHARED_MAILBOX_NAME with the name of the shared mailbox.
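
Permissions granted per user by the script above stay on the mailbox when a user later leaves the group. The following is an added example, not part of the original post, that reconciles the explicit full access entries with the current group membership in both directions. The function name and its parameters are hypothetical, and it assumes the group is the only intended source of explicit full access on the mailbox.

```powershell
# Added example (hypothetical function name). Run from the Exchange Management Shell.
# Assumption: every explicit FullAccess entry on the mailbox should come from the group,
# so any user holding it who is not a current member is revoked.
function Sync-SharedMailboxFullAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Group,
        [Parameter(Mandatory = $true)][string]$Mailbox
    )

    # Desired state: direct mailbox-enabled members of the group, keyed by DN.
    # Nested groups are not expanded.
    $desired = @{}
    Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited |
        Where-Object { $_.RecipientType -eq 'UserMailbox' } |
        ForEach-Object { $desired[$_.DistinguishedName.ToString()] = $_ }

    # Current state: explicit (non-inherited) Allow entries that grant FullAccess.
    $current = @{}
    Get-MailboxPermission -Identity $Mailbox |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and $_.AccessRights -like '*FullAccess*' } |
        ForEach-Object {
            # Entries that are not users (NT AUTHORITY\SELF, the group itself) are skipped.
            $u = Get-User -Identity $_.User.ToString() -ErrorAction SilentlyContinue
            if ($u) { $current[$u.DistinguishedName.ToString()] = $u }
        }

    # Grant to members who do not yet hold the permission.
    foreach ($dn in $desired.Keys) {
        if (-not $current.ContainsKey($dn) -and $PSCmdlet.ShouldProcess($dn, "Grant FullAccess on $Mailbox")) {
            Add-MailboxPermission -Identity $Mailbox -User $dn -AccessRights FullAccess | Out-Null
        }
    }

    # Revoke from users who are no longer members, so access ends with membership.
    foreach ($dn in $current.Keys) {
        if (-not $desired.ContainsKey($dn) -and $PSCmdlet.ShouldProcess($dn, "Revoke FullAccess on $Mailbox")) {
            Remove-MailboxPermission -Identity $Mailbox -User $dn -AccessRights FullAccess -Confirm:$false
        }
    }
}

# Preview the changes first, then run again without -WhatIf to apply them.
Sync-SharedMailboxFullAccess -Group 'GROUPNAME' -Mailbox 'SHARED_MAILBOX_NAME' -WhatIf
```

Run on a schedule, this keeps the per-user grants aligned with the group; review the -WhatIf output before the first real run, since users who were deliberately given direct full access outside the group would be listed for revocation.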


9 thoughts on “Automapping of Mailbox in Outlook does not work if Full Access Permission assigned to a Group”

    • From what I’ve experienced in SP2, the behaviour is still the same! I do not think it will be “fixed” because it is working the way it is supposed to. Try the script I have as a workaround and see if that works for you.

  1. Using your method, if someone is removed from the distribution group will their mapping to that shared mailbox automatically disappear? Thanks!

    • Unfortunately this script will only assign permissions to the users who are members of the group. Removing the user from the group does NOT remove this permission from the user.

  2. If you remove someone from the security group and re-run the script, will it un-map it then?
    Would there be a way to write a “Refresh Script” which makes the mappings match the current state of the group each time you run it?

    • Chris,

      Unfortunately removing the user from the group and re-running the script will not remove the association between the user and the shared mailbox. In order to do that, you must manually remove full access permission from the user.

      Writing a script definitely may help if you need to do this for multiple users on the same shared mailbox at the same time.
