Disabled accounts act as a security measure. You will no longer be required to have extra username/password combinations for accessing your network. Using the method described below you can easily assign permissions specifically to those users requiring access. Because users will use their own domain credentials to access the shared mailbox you will be able to easily grant and revoke access without circulating new passwords.
Creating Shared Mailboxes
The Exchange Management Console does not give the option for creating a shared mailbox in the new mailbox wizard. To create shared mailboxes you must use PowerShell.
To create a shared mailbox you simply add the "-Shared" option while creating the mailbox using the New-Mailbox cmdlet.
[PS] C:\>New-Mailbox -Name:'Help Desk' -OrganizationalUnit:'Domain.com/Exchange Resources' -Database:'Mailbox Database' -UserPrincipalName:'firstname.lastname@example.org' -Shared
In this sample, a disabled user account is created in the 'Exchange Resources' organizational unit with an attached mailbox. Since the user account is disabled by default, no initial password is required.
If desired, existing mailboxes can be converted to shared mailboxes using the Set-Mailbox cmdlet by using the -Type parameter.
[PS] C:\>Set-Mailbox helpdesk -Type:Shared
To convert a shared mailbox to a regular user mailbox use the -Type:Regular option.
Shared mailboxes do not have an associated password so you must grant mailbox permissions for the users requiring access to the mailbox. Since, by definition, shared mailboxes will be accessed by multiple users, I suggest assigning permissions using security groups. The first step is to create a security group in your domain containing the users you want to access the shared mailbox. For this example I will name the group "Help Desk Permissions Group". Grant full mailbox permissions for the group you just created.
[PS] C:\>Add-MailboxPermission helpdesk -User:'Help Desk Permissions Group' -AccessRights:FullAccess
Users in the "Help Desk Permissions Group" will now have full access to the mailbox. But you are not done yet: you MUST also add the Active Directory 'Send-As' permission so that members of the group can send mail with the shared mailbox's email address. Additionally, you may want to add permissions to read/write personal information so that users can set up delegates if needed.
[PS] C:\>Add-ADPermission helpdesk -User:'Help Desk Permissions Group' -ExtendedRights:Send-As -AccessRights:ReadProperty, WriteProperty -Properties:'Personal Information'
Now your users will have complete access to the shared mailbox.
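To confirm the result of the steps above, the following audit is an added example, not part of the original post. It is meant for the Exchange Management Shell and checks that the account behind the mailbox is disabled and that the only explicit FullAccess and Send-As grants belong to the security group. The `DOMAIN` prefix is a placeholder, and the script assumes the group's pre-Windows 2000 name matches its display name.

```powershell
# Added example: run in the Exchange Management Shell.
# 'helpdesk' and the group name are the sample values used in this post;
# 'DOMAIN' is a placeholder for your own NetBIOS domain name.
$Mailbox      = 'helpdesk'
$AllowedGroup = 'DOMAIN\Help Desk Permissions Group'

$mbx  = Get-Mailbox -Identity $Mailbox
$user = Get-User    -Identity $Mailbox

# 1. The mailbox should be of type Shared and its logon account disabled.
$disabled = [string]$user.UserAccountControl -match 'AccountDisabled'
"Mailbox type     : $($mbx.RecipientTypeDetails)"
"Account disabled : $disabled"
if (-not $disabled) {
    Write-Warning "The account for '$Mailbox' is enabled and can be used to log on."
}

# Keep only explicit allow entries; inherited entries come from the
# organization, and SELF is the mailbox's own account.
$explicit = {
    -not $_.IsInherited -and -not $_.Deny -and
    $_.User.ToString() -ne 'NT AUTHORITY\SELF'
}

# Print one line per grant and flag every trustee other than the group.
filter Show-Grant($Right) {
    $who  = $_.User.ToString()
    $flag = 'REVIEW'
    if ($who -eq $AllowedGroup) { $flag = 'expected' }
    '{0,-11}{1,-10}{2}' -f $Right, $flag, $who
}

# 2. Who can open the mailbox (granted with Add-MailboxPermission).
Get-MailboxPermission -Identity $Mailbox |
    Where-Object $explicit |
    Where-Object { $_.AccessRights -like '*FullAccess*' } |
    Show-Grant 'FullAccess'

# 3. Who can send as the mailbox (granted with Add-ADPermission).
Get-ADPermission -Identity $mbx.DistinguishedName |
    Where-Object $explicit |
    Where-Object { $_.ExtendedRights -like '*Send-As*' } |
    Show-Grant 'Send-As'
```

Any line marked REVIEW is a grant made directly to a user or to another group, which bypasses the group-based revocation this method relies on.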
Accessing Shared Mailboxes
One method for accessing the shared mailbox is to add it as an additional mailbox within Outlook. The mailbox can be added on the advanced tab of your Exchange mailbox account settings.
This method is great for reading email from the shared mailbox and sending as that email address when desired. Unfortunately, this method will not save items sent as that mailbox to its 'Sent Items' folder. All items sent within Outlook will be stored in the primary mailbox's 'Sent Items' folder.
Another option is to configure a separate Outlook profile for opening the shared mailbox. Use the mail icon within the control panel to add an additional Outlook profile. Configure the account normally, entering the shared mailbox display name or Exchange alias as the user name. This method will allow you to use the shared mailbox the same as a normal user mailbox. All items will be sent as the shared mailbox and saved to the 'Sent Items' folder.
Finally, shared mailboxes can be accessed via OWA. To open the shared mailbox simply add the mailbox email address to the end of your normal OWA URL. Authenticate using your normal domain credentials.
Hopefully this has been helpful for understanding shared mailboxes and the permissions needed. Granting mailbox permissions via this method can also be accomplished in Exchange 2003. However, granting Active Directory 'Send-As' permissions on the user account and Exchange full mailbox access will have to be done manually using the Active Directory Users and Computers MMC.
In an upcoming post I will detail how this method can be integrated into an Exchange self-service request and provisioning process.