Sharing Non-Default Outlook Folders in Exchange (Online and On-Premise)

A client came to me one day and asked how he could share an Outlook folder with his executive assistant so that the assistant would have read-only access to that one folder and its subfolders. I didn’t think it was really that difficult of a task until he showed me his Outlook folder structure. This user literally had over 1,500 folders in Outlook and the hierarchy was intense!


The user did not want to share the full mailbox so assigning full mailbox access was out of the question. He only wanted to share the “2011-2015” folder and all the subfolders under it, which itself was a series of at least 50 folders.

One way to do this is to go to each folder, right click and open properties. On the permissions tab, assign the executive assistant Reviewer rights – NOT GOING TO HAPPEN! Too many chances of error and takes too long.

Assigning Permissions to Outlook Folders

After researching online, I came across a blog (https://blogs.technet.microsoft.com/tips_from_the_inside/2011/11/03/set-outlook-folder-permissions-using-powershell/) that had a script doing this same thing. I have attached a copy of this and customized it for this example.

  • The user who wants to share the folder is called BWayne@thebatcave.com
  • His executive assistant is called Alfred@thebatcave.com
  • The folder we want to share is only the 2011-2015 with its subfolders


ForEach ($f in (Get-MailboxFolderStatistics BWayne@thebatcave.com | Where-Object { $_.FolderPath.Contains("/Investments/2011-2015") -eq $true }))
{
    # Get-MailboxFolderStatistics reports paths with "/" separators, but the folder
    # identity that Add-MailboxFolderPermission expects is "mailbox:\folder\subfolder"
    $fname = "BWayne@thebatcave.com:" + $f.FolderPath.Replace("/", "\")
    Add-MailboxFolderPermission $fname -User Alfred@thebatcave.com -AccessRights Reviewer
    Write-Host $fname
    Start-Sleep -Milliseconds 1000   # short pause between calls to avoid throttling
}

Accessing Non-Default Outlook Shared Folders

Now that the permissions have been assigned, how can Alfred access these shared folders? In order to do this, Alfred needs to be able to see the folder structure. These next steps must be performed from Outlook – you can either use Bruce Wayne’s machine or, as the administrator, give yourself full access to his mailbox and open it in your own Outlook.

  1. In Outlook, right click the mailbox name and select Data File Properties.
  2. Click the Permissions tab.
  3. Click the Add button to select Alfred from the address list.
  4. Select Folder Visible and click OK. Note: the permission level for Alfred stays set to “None”.
  5. Go down to the next folder in the hierarchy and open its Properties.
  6. Repeat steps 2 to 4. This needs to be done for every folder Alfred has to traverse to reach the shared folder. In this example that is:
    • the BWayne@thebatcave.com mailbox itself (step 1)
    • \Real Estate
    • \Real Estate\Investments

Note that the Folder Visible permission only allows Alfred to see the folder, not its content.
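The following script is an added example, not the post’s own script: it grants Alfred Reviewer on the whole “2011-2015” subtree (the loop above) and FolderVisible on every folder above it, which replaces the per-folder Outlook “Folder Visible” clicks, then lists what Alfred ended up with. It assumes an Exchange Management Shell or Exchange Online remote session in which Get-MailboxFolderPermission accepts the -User parameter; the mailbox, delegate and folder names are the post’s sample values, and the helper function names are mine.

```powershell
# Added example (not from the original post). Grants a delegate read-only access to one
# folder subtree plus navigation-only (FolderVisible) rights on its ancestors, then verifies.
$Owner    = 'BWayne@thebatcave.com'
$Delegate = 'Alfred@thebatcave.com'
$Subtree  = '/Real Estate/Investments/2011-2015'   # FolderPath form reported by Get-MailboxFolderStatistics

# Turn a FolderPath ("/A/B") into the identity the *-MailboxFolderPermission cmdlets expect ("user:\A\B").
function ConvertTo-FolderIdentity {
    param([string]$Owner, [string]$FolderPath)
    return $Owner + ':' + $FolderPath.Replace('/', '\')
}

# Grant one right on one folder. Re-runnable: a folder where the delegate already has
# an entry is skipped, because Add-MailboxFolderPermission fails on a duplicate entry.
function Grant-FolderRight {
    param([string]$Identity, [string]$User, [string]$Right, [switch]$WhatIf)
    $existing = Get-MailboxFolderPermission -Identity $Identity -User $User -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host ('SKIP  {0} ({1} already has {2})' -f $Identity, $User, ($existing.AccessRights -join ','))
        return
    }
    if ($WhatIf) { Write-Host ('WOULD grant {0} on {1}' -f $Right, $Identity); return }
    Add-MailboxFolderPermission -Identity $Identity -User $User -AccessRights $Right | Out-Null
    Write-Host ('GRANT {0} on {1}' -f $Right, $Identity)
    Start-Sleep -Milliseconds 500   # light throttle, same idea as the post's loop
}

# 1. Reviewer on the subtree. Matching with -eq / -like "$Subtree/*" instead of .Contains()
#    keeps a sibling such as "2011-2015 old", or a same-named folder elsewhere, from matching.
$subtreeFolders = Get-MailboxFolderStatistics -Identity $Owner |
    Where-Object { $_.FolderPath -eq $Subtree -or $_.FolderPath -like "$Subtree/*" }
foreach ($f in $subtreeFolders) {
    Grant-FolderRight -Identity (ConvertTo-FolderIdentity $Owner $f.FolderPath) -User $Delegate -Right 'Reviewer'
}

# 2. FolderVisible on each ancestor and on the mailbox root (identity "user:\"), so the
#    delegate can navigate down to the shared folder without reading anything on the way.
$parts = $Subtree.Trim('/').Split('/')
for ($i = 0; $i -lt $parts.Count - 1; $i++) {
    $ancestor = '/' + ($parts[0..$i] -join '/')
    Grant-FolderRight -Identity (ConvertTo-FolderIdentity $Owner $ancestor) -User $Delegate -Right 'FolderVisible'
}
Grant-FolderRight -Identity "${Owner}:\" -User $Delegate -Right 'FolderVisible'

# 3. Report every folder where the delegate now has an entry. The root is skipped because
#    its FolderPath ("/Top of Information Store") is not a usable folder identity.
function Get-DelegateFolderRights {
    param([string]$Owner, [string]$Delegate)
    Get-MailboxFolderStatistics -Identity $Owner | Where-Object { $_.FolderType -ne 'Root' } | ForEach-Object {
        $perm = Get-MailboxFolderPermission -Identity (ConvertTo-FolderIdentity $Owner $_.FolderPath) `
                    -User $Delegate -ErrorAction SilentlyContinue
        if ($perm) { New-Object PSObject -Property @{ Folder = $_.FolderPath; Rights = ($perm.AccessRights -join ',') } }
    }
}
Get-DelegateFolderRights -Owner $Owner -Delegate $Delegate | Format-Table Folder, Rights -AutoSize
```

Run it once with -WhatIf added to the Grant-FolderRight calls to see the list of folders it would touch; the final report is also the quickest way to confirm later that nothing outside the intended subtree carries Reviewer, since every folder above it should show only FolderVisible.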

Now that Alfred has been given permission to see the folders on the way (but not their content) and to read the shared folder itself, he can open them from his own Outlook.

  1. In Alfred’s Outlook, open his account settings: click the File menu (in Outlook 2013 and 2016), then Account Settings\Account Settings.
  2. On the Account Settings window, click Change.
  3. On the Server Settings page, click More Settings.
  4. Go to the Advanced tab and click the Add button to add BWayne’s mailbox to Alfred’s Outlook. Note that Alfred will not be able to see the entire mailbox – only the folders that have been set to Folder Visible and the ones he has Reviewer permission on.
  5. After adding the mailbox as an additional mailbox, make sure to uncheck the Download Shared Folders checkbox.
  6. Click OK and Next to close the windows.


Exchange 2010 Retention Policy to Clear Deleted Items

Creating Exchange 2010 Retention Policy Tags and Retention Policies

Retention policies can be used by organizations to limit the amount of data stored in their mailboxes and at the same time keep the amount of unnecessary mail items to a minimum.

Scenario – An organization would like to implement a policy that performs the following:

  1. Clear the Deleted Items folder of items that have passed their retention deadline of 30 days
  2. Only the last 365 days’ worth of mail items should be in the mailbox
  3. These policies should not apply to default folders such as Notes and Contacts

Depending on how they’re applied to mailbox items, retention tags are categorized as the following three types.

  • Default Policy Tags (DPTs), which apply to untagged items in the mailbox – untagged items being items that don’t have a retention tag applied directly or by inheritance from parent folder. You can create three types of DPTs: an archive DPT, a delete DPT and a DPT for voicemail messages
  • Retention Policy Tags (RPTs), which are retention tags with a delete action, created for default folders such as Inbox and Deleted Items. Not all default folders are supported. Notably, Calendar, Tasks and Contacts folders aren’t supported
  • Personal Tags, which are retention tags that users can apply to items and folders in Outlook 2010 and Outlook Web App. Personal tags can either be delete tags or archive tags. They’re surfaced in Outlook 2010 and OWA as Retention policies and Archive policies

Create Retention Policy Tags

The first step is to create the various tags, one for each of the tasks that need to be done. The first tag we are creating is for the Deleted Items folder.

“Clear Deleted Items” Policy Tag

  1. In the console tree, expand the forest you want, and then navigate to Organization Configuration > Mailbox
  2. In the action pane, click New Retention Policy Tag
  3. On the New Retention Policy Tag page, complete the following fields:
    1. Tag Name: Use this box to type a name for the retention tag. This is the name of the retention tag object in Active Directory. This name can contain up to 64 characters.
    2. Tag Type: Use this list to select the type of retention tag that you want to create. To create an RPT for a default folder (for example, Inbox), select the default folder name. To create a DPT, select All other folders in the mailbox. To create a personal tag, select Personal Folder.
    3. Age limit for retention (days): Click this button to specify that items have a retention period. In the corresponding text box, type the number of days in the retention period. (The range of values is from 1 through 24,855 days.)
    4. Action to take when the age limit is reached: After clicking Age limit for retention (days), you can use this list to specify what should happen to an item when it’s past the age limit for retention. The choices are:
      • Delete and Allow Recovery: If you select this option, messages are deleted but can be recovered by using the Recover Deleted Items feature in Outlook or Outlook Web App
      • Permanently Delete: If you select this option, messages are permanently deleted and aren’t recoverable by the user
      • Move to Archive: If you select this option, messages are automatically moved to the user’s archive mailbox. If you haven’t created an archive mailbox for the user, no action is taken.
    5. Disable this tag: Click this button to disable the processing of this tag. The Managed Folder Assistant won’t process messages that have a disabled tag applied.
    6. Comments: Use this box to type a comment that will be displayed to the user in Outlook. For example, to alert users that MRM is enabled on the folder, you could type the following message: “Messages are removed from this folder after 120 days.” The maximum length of this comment is 255 characters.
  4. On the Completion page, click Finish to close the wizard


“Retain 365 Days’ Worth of Mail Data” Policy Tag

This policy tag will be configured to remove any mail item in the mailbox that is over a year old – the mailbox would then only contain items that are at most 365 days in age.

Follow the same steps identified in the previous section to create a new retention policy tag with the following changes:

  • In the Tag Type option, select All other folders in the mailbox
  • In the Age Limit for Retention option, enter 365 days
  • In the Action to take when the age limit is reached select the desired action


Default Folder Tags

To prevent the DPT from being applied to a default folder, you can create a disabled RPT for that folder (or disable any existing RPT for that folder). The Managed Folder Assistant, a mailbox assistant that processes mailbox items and applies retention policies, does not apply the retention action of a disabled tag. Since the item/folder still has a tag, it is not considered untagged and the DPT isn’t applied to it.

Create a disabled retention policy tag for each of the default folders (Contacts, Notes, Tasks and so on) that you do not want the policy to apply to, as shown in the image below.

Create a Retention Policy to be associated with Retention Policy Tag

Using retention policies, you can group one or more retention tags and apply them to mailboxes. A mailbox can’t have more than one retention policy. Retention tags can be linked to or removed from a retention policy at any time. Before you start, make sure that a retention policy with the same name as the one you are creating doesn’t already exist in your Exchange organization, and that one or more retention tags exist so you can associate them with the new retention policy.

You can create a retention policy without linking any retention tags to it. Retention tags can be added or removed from a retention policy at any time. However, tags aren’t applied to a mailbox until they’re linked to a retention policy and the Managed Folder Assistant processes the mailbox.

  1. In the console tree, expand the forest you want, and then navigate to Organization Configuration > Mailbox
  2. In the action pane, click New Retention Policy
  3. On the Introduction page, complete the following fields:
    1. Name: Use this box to type a name for the retention policy
    2. Add: Click this button to add retention tags to the policy
  4. On the Select Mailboxes page, click Add to select the mailboxes to which you want to apply the retention policy
  5. On the New Retention Policy page, review your configuration settings. To create the retention policy, click New, then click Finish to close the wizard


Apply the policy to a mailbox

You can use retention policies to group one or more retention tags and apply them to mailboxes to enforce message retention settings. A mailbox can’t have more than one retention policy.

Messages are expired based on the settings defined in the retention tags linked to the policy. These settings include actions such as moving messages to the personal archive or permanently deleting them. Before applying a retention policy to one or more mailboxes, it is recommended that you test the policy and inspect each retention tag associated with it.

  1. In the console tree, expand the forest you want, and then navigate to Recipient Configuration > Mailbox
  2. In the result pane, select the mailbox to which you want to apply the retention policy. You can select multiple mailboxes by using the Shift or Ctrl keys
  3. In the action pane, click Properties
  4. In <Mailbox User> Properties, on the Mailbox Settings tab, select Messaging Records Management, and then click Properties
  5. In Messaging Records Management, select the Apply Retention Policy check box, and then click Browse to select the retention policy you want to apply to the mailbox.
  6. Click OK, and then in <Mailbox User> Properties, click Apply
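The post builds everything through the Exchange Management Console. As an added example (not the post’s own steps), the same scenario in the Exchange 2010 Management Shell, from the three tag types through linking them into one policy and testing it on a single mailbox before rolling it out. The tag names, the policy name, the choice of Delete and Allow Recovery for both delete tags, the sample mailbox and the OU path are my assumptions; the 30 and 365 day limits and the protected folders (Notes, Contacts, Tasks) come from the scenario above.

```powershell
# Added example (not from the original post): retention tags, policy and assignment
# built with the Exchange 2010 Management Shell cmdlets instead of the console.
$PolicyName  = 'Corporate MRM Policy'       # assumed name
$TestMailbox = 'BWayne@thebatcave.com'      # post's sample mailbox; use a test user first

# 1. RPT for Deleted Items: 30 days, then delete but leave the item recoverable by the user.
New-RetentionPolicyTag -Name 'Clear Deleted Items' -Type DeletedItems `
    -AgeLimitForRetention 30 -RetentionAction DeleteAndAllowRecovery `
    -Comment 'Items in Deleted Items are removed after 30 days.'

# 2. DPT ("All other folders in the mailbox" in the console): untagged items expire at 365 days.
New-RetentionPolicyTag -Name 'Retain 365 Days' -Type All `
    -AgeLimitForRetention 365 -RetentionAction DeleteAndAllowRecovery `
    -Comment 'Mail older than 365 days is removed from this mailbox.'

# 3. Disabled RPTs for the default folders that must never expire. A disabled tag still
#    counts as a tag, so the DPT is not applied to those folders. Which default-folder
#    types are accepted depends on the installed service pack; an unsupported type is
#    rejected by the cmdlet rather than silently ignored.
$protectedFolders = 'Notes', 'Contacts', 'Tasks'
$protectedTags = @()
foreach ($folderType in $protectedFolders) {
    $tagName = "Never Expire $folderType"
    New-RetentionPolicyTag -Name $tagName -Type $folderType -RetentionEnabled $false | Out-Null
    $protectedTags += $tagName
}

# 4. Group the tags into one policy, then review exactly what each linked tag does.
New-RetentionPolicy -Name $PolicyName `
    -RetentionPolicyTagLinks (@('Clear Deleted Items', 'Retain 365 Days') + $protectedTags)
(Get-RetentionPolicy -Identity $PolicyName).RetentionPolicyTagLinks |
    ForEach-Object { Get-RetentionPolicyTag -Identity $_.Name } |
    Select-Object Name, Type, AgeLimitForRetention, RetentionAction, RetentionEnabled |
    Format-Table -AutoSize

# 5. Apply to one test mailbox, run the Managed Folder Assistant on demand instead of
#    waiting for its schedule, and confirm the assignment before touching anyone else.
Set-Mailbox -Identity $TestMailbox -RetentionPolicy $PolicyName
Start-ManagedFolderAssistant -Identity $TestMailbox
Get-Mailbox -Identity $TestMailbox | Select-Object Name, RetentionPolicy

# 6. Rollout to an OU (assumed path) once the test mailbox looks right. -WhatIf only
#    lists the mailboxes that would change; remove it to apply.
Get-Mailbox -ResultSize Unlimited -OrganizationalUnit 'thebatcave.com/Users' |
    Set-Mailbox -RetentionPolicy $PolicyName -WhatIf
```

The review in step 4 is the shell form of the post’s advice to inspect each tag before applying the policy: a DPT with a delete action and a short age limit is the single most destructive setting on this page, so check the Type and AgeLimitForRetention columns against the scenario before step 5.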


Automapping of Mailbox in Outlook does not work if Full Access Permission assigned to a Group

INFORMATION

Many companies may have a number of shared mailboxes that their users or certain departments may require access to. Generally the easiest way to get this done based on Microsoft methodology is to add the individual users to a group and give the group permission to the resource – all nice so far!

One of the new improvements of Exchange 2010 SP1 was the possibility of an Outlook client to automatically map to its profile any mailbox that the logged on user has full access to!

SO HOW DOES IT WORK??

When you assign a user Full Access permission to a shared mailbox in Exchange 2010 SP1, Exchange modifies the multi-valued MsExchDelegateListLink attribute on the shared mailbox to include the distinguished name (DN) of each user who has been assigned the permission.

At the same time, the MsExchDelegateListBL back-link attribute on each of the users who have been given the permission is updated to include the DN of the shared mailbox. The next time the user opens Outlook, it uses AutoDiscover to read the values of MsExchDelegateListBL for the user and automatically maps each listed shared mailbox into the user’s Outlook profile.

This works perfectly if you are assigning individual users the permission, but many organizations use groups to assign such permissions. When a group is assigned this permission, all the members of the group inherit the rights assigned, HOWEVER Automapping will NOT work! This is because it is the group’s DN that is written to MsExchDelegateListLink, not the DNs of the individual users within the group.

WORKAROUNDS

  1. Users will be able to add the shared mailbox manually by adding it to their Outlook profile.
  2. Use the following Exchange PowerShell script, which reads the membership of the distribution group and grants each individual member Full Access permission to the shared mailbox (copy the code below and paste it into a Notepad file; save the file with a NAME.PS1 extension):

$DL = Get-DistributionGroupMember GROUPNAME | Select-Object -ExpandProperty Name

foreach ($D in $DL) {
    Add-MailboxPermission -Identity SHARED_MAILBOX_NAME -User $D -AccessRights 'FullAccess'
    Write-Host -ForegroundColor Yellow "$D is a member of the distribution group GROUPNAME and has been given full access permission to the SHARED_MAILBOX_NAME mailbox"
}

Please make sure to replace GROUPNAME with the name of the distribution group and SHARED_MAILBOX_NAME with the name of the shared mailbox.
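The script above stops at direct members and re-grants on every run. As an added example, not the post’s script, the version below follows nested mail-enabled groups, addresses each member by primary SMTP address rather than display name (Name is not guaranteed unique), skips users who already hold Full Access, and finishes by showing the explicit Full Access entries and the MsExchDelegateListLink values that automapping reads. It keeps the post’s GROUPNAME and SHARED_MAILBOX_NAME placeholders; the function names are mine, and the last step assumes the ActiveDirectory module is available.

```powershell
# Added example (not from the original post): per-user Full Access grants from a
# (possibly nested) group, idempotent, with a verification step at the end.
$GroupName     = 'GROUPNAME'             # replace, as in the post
$SharedMailbox = 'SHARED_MAILBOX_NAME'   # replace, as in the post

# Expand a group to its mailbox users, following nested mail-enabled groups and
# remembering which groups were already visited so a loop in the nesting cannot recurse forever.
function Get-GroupMailboxUsers {
    param([string]$Group, [hashtable]$Seen = @{})
    foreach ($m in (Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited)) {
        if ($m.RecipientTypeDetails -like '*Group') {
            if (-not $Seen.ContainsKey($m.DistinguishedName)) {
                $Seen[$m.DistinguishedName] = $true
                Get-GroupMailboxUsers -Group $m.DistinguishedName -Seen $Seen
            }
        } elseif ($m.RecipientTypeDetails -eq 'UserMailbox') {
            $m
        }
    }
}

# Grant Full Access to each user individually. It is this per-user grant that writes the
# user's DN into the shared mailbox's MsExchDelegateListLink, which is what AutoDiscover
# uses to automap (-AutoMapping $true is the default; stated here for clarity).
function Grant-SharedMailboxAccess {
    param([string]$Mailbox, [string]$Group, [switch]$WhatIf)
    foreach ($u in (Get-GroupMailboxUsers -Group $Group)) {
        $account = $u.PrimarySmtpAddress.ToString()
        $have = Get-MailboxPermission -Identity $Mailbox -User $account -ErrorAction SilentlyContinue |
            Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.Deny }
        if ($have) {
            Write-Host -ForegroundColor Gray "$account already has Full Access on $Mailbox, skipping"
            continue
        }
        if ($WhatIf) {
            Write-Host -ForegroundColor Cyan "Would grant Full Access on $Mailbox to $account"
            continue
        }
        Add-MailboxPermission -Identity $Mailbox -User $account -AccessRights FullAccess `
            -InheritanceType All -AutoMapping $true | Out-Null
        Write-Host -ForegroundColor Yellow "$account (member of $Group) has been given Full Access to $Mailbox"
    }
}

# Show who ends up with explicit Full Access (system accounts filtered out).
function Get-SharedMailboxFullAccess {
    param([string]$Mailbox)
    Get-MailboxPermission -Identity $Mailbox |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and
                       -not $_.Deny -and $_.User.ToString() -notlike 'NT AUTHORITY\*' } |
        Select-Object User, AccessRights
}

Grant-SharedMailboxAccess -Mailbox $SharedMailbox -Group $GroupName -WhatIf   # dry run first
Grant-SharedMailboxAccess -Mailbox $SharedMailbox -Group $GroupName
Get-SharedMailboxFullAccess -Mailbox $SharedMailbox | Format-Table -AutoSize

# The attribute automapping actually depends on (requires the ActiveDirectory module):
$sharedDn = (Get-Mailbox -Identity $SharedMailbox).DistinguishedName
(Get-ADUser -Identity $sharedDn -Properties msExchDelegateListLink).msExchDelegateListLink
```

Because the grants are now per user, anyone later removed from the group keeps Full Access until the permission is removed with Remove-MailboxPermission; a scheduled run of the same script with a comparison against the current group membership is the usual way to keep the two in step.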