Mailbox Folder Permissions
A common request is for all staff to have access to a particular folder on every account, often the calendar. This means that everyone can see what everyone else is up to.
Note: Before deploying this sort of change, make sure that everyone is aware of the location of the "Private" button. This restricts who can see the content of certain entries.
There are a number of ways of deploying this strategy, but there is no "magic button" on the server that sets these permissions.
- Get the user's to set the permissions themselves.
It is probably a good idea to show the users how to do this, even if they the initially permissions are set using one of the other methods. This will allow users to set their own permissions - perhaps to allow individual users to have a higher permission than everyone else (the classic Manager/Assistant scenario). More Information.
- Grant yourself Full Mailbox permissions, login to the mailbox and adjust the permissions yourself.
Good for doing one or two mailboxes, but company wide changes are not really practical.
- Use tools to make the changes in bulk for you.
By using a combination of tools available on the Internet, you can make the changes with very little interaction from the administrator.
Using Tools to Make the Permission Changes
If you need to make the permission change across the entire company or a large group, then use tools to make the changes. The same procedure will work for other folders - not just Calendar.
To use this method, you will need the following:
- An account to use for setting the permissions (but not THE administrator account)
- ADModify (http://www.codeplex.com/admodify )
- Setperm (get here)
Do not use the administrator account for this task as that account is denied access by default in Exchange.
When setting the permissions on the mailbox, use your explicit account, not a group - particularly not the "Domain Admins" group. Better still - create an account for this purpose then dispose of it afterwards. The account needs to be mail enabled so that you can use Outlook.
You should probably test this procedure with one or two accounts before making the change to the entire domain.
Grant Mailbox Rights
- Login to a machine with the account that you want to use to make the setting changes. This machine needs to have Outlook installed, and preferably the Exchange System Manager tools.
- Start ADMODIFY and select the users that you want to change.
- Click Next and choose the tab "Mailbox Rights".
- The setting you want to change is "Add User to Mailbox Rights", enter the username of the account you are using in the format domain\username and select the option "Full Mailbox Rights".
- Download setperm from here.
- Extract the file in to its own folder.
- Copy the file acl.dll in to c:\ windows \ system32
- Run the following command: "regsvr32.exe acl.dll"
- Setperm needs to be run from a command line, initially connecting to a specific mailbox.
Open a command prompt in the folder where you have extracted the setperm.exe utility.
- Start the application using the following command:
For example, if your mailbox is jsmith and the server is mail1 then you would enter:
- If you get an ActiveX error such as
"Run-time error '429':
ActiveX component can't create object "
Then you haven't registered the dll file correctly - repeat and try again.
- Once you have brought up the box, adjust the permissions as required.
Setting the permissions: Your best option is to set the "Reviewer" permission to your equivalent to "All Staff". Then set higher permissions on an individual or group basis. Don't use the default setting - choose "Custom" and then select the group.
- Select the mailboxes that you want to set these permissions on - you cannot use a group - but you can select all the mailboxes using the standard methods.
- Once satisfied, click "Set Permissions".
The tool will now connect to each mailbox and set the permissions as required. Note that you can only do one set of permissions at a time - so if you want some users to have "Reviewer" and others to have higher permissions, you will need to run the tool again to set the alternative permissions.
Once the tool has finished, check the permissions are correct. You should then remove the rights to the mailbox that you granted to yourself.
Remove Mailbox Rights
You should remove the mailbox rights so that they are set as before. This is not only good practise from a security point of view, it also ensures that you do not come under suspicion of illicit mailbox access.
Repeat the process that you used to grant the mailbox rights. EXCEPT:
- Do not select the account you are using - otherwise you will lock yourself out of the mailbox.
- Select the option to remove the full mailbox rights.
Don't forget that the permission changes need to be made on all new user accounts added after the bulk phase. It will be quicker to use one of the methods where it is done through Outlook for that - more info.
- Granting Permissions to View Outlook Data and Accessing Shared Folders
There are various ways of accessing the data once you have shared it out.
- Mailbox Access Account (Exchange 2003 - Exchange 2007)
A special account for access to the mailboxes