Automapping of Mailbox in Outlook does not work if Full Access Permission assigned to a Group

INFORMATION

Many companies may have a number of shared mailboxes that their users or certain departments may require access to. Generally the easiest way to get this done based on Microsoft methodology is to add the individual users to a group and give the group permission to the resource – all nice so far!

One of the new improvements of Exchange 2010 SP1 was the possibility of an Outlook client to automatically map to its profile any mailbox that the logged on user has full access to!

SO HOW DOES IT WORK??

When you assign a user full access permission permissions in Exchange 2010 SP1 to a shared mailbox, Exchange will modify the multi-valued MsExchDelegateListLink attribute on the shared mailbox to include the distinguished name (DN) of the users who have been assigned the access permission.

At the same time, Exchange will not update the MsExchDelegateListBL attribute on each of the users who have been given the permission to include the DN of the shared mailbox. Next time the user opens Outlook, it will use AutoDiscover to locate the values of the MsExchDelegateListBL for the user and use it to automatically map the shared mailbox to the user’s Outlook profile.

This works perfect if you are assigning individual users the permission but many organizations use groups to assign such permissions. When a group is assigned this permission, all the members of the group will inherit the rights assigned HOWEVER Automapping will NOT work! This is because the group’s MsExchDelegateListLink attribute is modified and not the individual users within the group.

WORKAROUNDS

  1. Users will be able to add the shared mailbox manually by adding it to their Outlook profile.
  2. Use the following Exchange Powershell script that will read the membership of the distribution group and add each individual member to have full access permission to the shared mailbox (copy the code below and paste to a notepad file. Save the file with a NAME.PS1 extension):

$DL = Get-distributiongroupmember GROUPNAME | Select-Object -ExpandProperty Name

foreach ($D in $DL ) {

Add-MailboxPermission -Identity SHARED_MAILBOX_NAME -User $D -AccessRights ‘FullAccess’

write-host -FORE yellow “$D is a member of the distribution group GROUPNAME has been given full access permission to SHARED_MAILBOX_NAME mailbox” }

Please name sure to replace GROUPNAME with the name of the distribution group and SHARED_MAILBOX_NAME with the name of the shared mailbox

Advertisements