Monday, March 5, 2007

Exchange 2007 and Shared Mailboxes

Exchange 2007 introduces many new recipient types, one of which is the 'shared mailbox'. Defining a mailbox as 'shared' creates a disabled Active Directory account to which the mailbox is connected. In the past, to create a shared mailbox you would create an enabled domain account and attach a mailbox. Chances are you would assign a password and give it to one or more users so that they could access the mailbox. In many instances this username and password combination was also used to authenticate onto a domain computer (e.g. receptionists, help desk students). How many people know the username/password combination for that account? Is this password changed when users leave the organization?

Disabled accounts act as a security measure: you will no longer be required to maintain extra username/password combinations for accessing your network. Using the method described below you can easily assign permissions specifically to those users requiring access. Because users will use their own domain credentials to access the shared mailbox, you will be able to grant and revoke access without circulating new passwords.

Creating Shared Mailboxes

The Exchange Management Console does not offer a shared mailbox in the new mailbox wizard. To create shared mailboxes you must use the Exchange Management Shell (PowerShell).

To create a shared mailbox you simply add the "-Shared" option while creating the mailbox using the New-Mailbox cmdlet.

[PS] C:\>New-Mailbox -Name:'Help Desk' -OrganizationalUnit:'Domain.com/Exchange Resources' -Database:'Mailbox Database' -UserPrincipalName:'helpdesk@domain.com' -Shared

In this sample, a disabled user account will be created in the 'Exchange Resources' organizational unit with an attached mailbox. Since the user account is disabled by default, no initial password was required.

If desired, existing mailboxes can be converted to shared mailboxes with the -Type parameter of the Set-Mailbox cmdlet.

[PS] C:\>Set-Mailbox helpdesk -Type:Shared

To convert a shared mailbox to a regular user mailbox use the -Type:Regular option.

Assigning Permissions

Shared mailboxes do not have an associated password, so you must grant mailbox permissions to the users requiring access to the mailbox. Since, by definition, shared mailboxes will be accessed by multiple users, I suggest assigning permissions using security groups. The first step is to create a security group in your domain containing the users you want to access the shared mailbox. For this example I will name the group "Help Desk Permissions Group". Grant full mailbox permissions to the group you just created.

[PS] C:\>Add-MailboxPermission helpdesk -User:'Help Desk Permissions Group' -AccessRights:FullAccess

Users in the "Help Desk Permissions Group" will now have full access to the mailbox. But you are not done yet... you MUST also add the Active Directory 'Send-As' permission so that members of the group can send mail with the shared mailbox's email address. Additionally, you may want to add permissions to read/write personal information so that users can set up delegates if needed.

[PS] C:\>Add-ADPermission helpdesk -User:'Help Desk Permissions Group' -ExtendedRights:Send-As -AccessRights:ReadProperty, WriteProperty -Properties:'Personal Information'

Now your users will have complete access to the shared mailbox.
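The steps above, collected into one script as an added example (this is not the blog post's own script). It assumes it runs in the Exchange Management Shell, that the security group already exists in Active Directory, and uses the post's placeholder OU, database and domain names; the verification commands at the end are the check I would run before telling a group they have access, and again when reviewing who still has it.

```powershell
# Added example, not code from the original post. Assumed placeholder values:
$mailboxName = 'Help Desk'
$alias       = 'helpdesk'
$upn         = 'helpdesk@domain.com'               # placeholder UPN/domain
$ou          = 'Domain.com/Exchange Resources'     # placeholder OU
$database    = 'Mailbox Database'                  # placeholder database name
$groupName   = 'Help Desk Permissions Group'       # security group assumed to exist

# 1. Create the shared mailbox. The linked AD account is created disabled,
#    so there is no password to hand out or to rotate when people leave.
New-Mailbox -Name $mailboxName -Alias $alias -UserPrincipalName $upn `
    -OrganizationalUnit $ou -Database $database -Shared

# 2. Grant FullAccess to the group, not to individual users. Membership of the
#    group becomes the single place where access is granted and revoked.
Add-MailboxPermission -Identity $alias -User $groupName -AccessRights FullAccess

# 3. Send-As is an Active Directory right on the user object, so it is granted
#    with Add-ADPermission rather than Add-MailboxPermission. The optional
#    ReadProperty/WriteProperty on 'Personal Information' lets members manage delegates.
Add-ADPermission -Identity $alias -User $groupName -ExtendedRights Send-As `
    -AccessRights ReadProperty, WriteProperty -Properties 'Personal Information'

# 4. Verify the result. The account should report AccountDisabled and the
#    recipient type should be SharedMailbox.
Get-User -Identity $alias | Select-Object Name, UserAccountControl
Get-Mailbox -Identity $alias | Select-Object Name, RecipientTypeDetails

# Who holds FullAccess on the mailbox (explicit grants only)?
Get-MailboxPermission -Identity $alias |
    Where-Object { -not $_.IsInherited -and $_.AccessRights -like '*FullAccess*' } |
    Select-Object User, AccessRights, Deny

# Who holds Send-As on the mailbox (explicit grants only)?
Get-ADPermission -Identity $alias |
    Where-Object { -not $_.IsInherited -and $_.ExtendedRights -like 'Send-As' } |
    Select-Object User, ExtendedRights, Deny
```

Granting everything through the group means that revoking a user's access is a group membership change in Active Directory Users and Computers; the two listing commands at the end should then show only the group (plus the inherited system entries that are filtered out here), which is what you want to see when you audit a shared mailbox.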

Accessing Shared Mailboxes

One method for accessing the shared mailbox is to add it as an additional mailbox within Outlook. The mailbox can be added on the advanced tab of your Exchange mailbox account settings.


This method is great for reading email from the shared mailbox and sending as that email address when desired. Unfortunately, this method will not save items sent as that mailbox to its 'Sent Items' folder; all items sent within Outlook will be stored in the primary mailbox's 'Sent Items' folder.

Another option is to configure a separate Outlook profile for opening the shared mailbox. Use the Mail icon in the Control Panel to add an additional Outlook profile. Configure the account normally, entering the shared mailbox display name or Exchange alias as the user name. This method will allow you to use the shared mailbox the same as a normal user mailbox. All items will be sent as the shared mailbox and saved to its 'Sent Items' folder.

Finally, shared mailboxes can be accessed via OWA. To open the shared mailbox, simply add the mailbox's email address to the end of your normal OWA URL and authenticate using your normal domain credentials.

Hopefully this has been helpful for understanding shared mailboxes and the permissions needed. Granting mailbox permissions via this method can also be accomplished in Exchange 2003. However, granting the Active Directory 'Send-As' permission on the user account and Exchange full mailbox access will have to be done manually using the Active Directory Users and Computers MMC.

In an upcoming post I will detail how this method can be integrated into an Exchange self-service request and provisioning process.

--Nick

53 comments:

Chad Markley said...

Nick, this is brilliant! This is exactly what I was looking for. Thank you so much!!!

Anonymous said...

How do you assign read-only permission? Full access to another mailbox is not always desired.

Garry Sollis said...

Nick

Great post. I have a short question about using the FullAccess permission. Does it filter out items marked as "Private" as you can do by setting Delegates on a mailbox?

you can email me at garry.sollis AT imtech.nl if you like.

Thanks!
Garry

Anonymous said...

To force sent items to be stored in the shared mailbox's 'Sent Items' folder you can use this third-party utility for Outlook 2003/2007:
http://www.ivasoft.com/unisent.shtml

Nick Smith said...

Gary,

If you grant a user full access permissions, they will be able to see the content of private meetings.

--Nick

Anonymous said...

I created the shared mailbox, created a group that will have permissions. Added the Full Access Exch perms, added the AD perms.

However when I try to open the shared mailbox in Outlook, I get "the set of folders cannot be opened. You do not have permission to log on."

I've closed outlook, checked perms with get-mailboxpermission and get-adpermission. Am I missing a step?

Angie said...

Solved my own issue - I must not have waited long enough. It worked as expected this morning.
Thanks for the great article.

Anonymous said...

Great article, thank you.

I have followed your example for the sake of trial, but the last command brings up an error:

Add-ADPermission : helpdesk was not found. Please make sure you have typed it correctly.

All previous commands went through exactly as you described.

Can you shed any light on this?

Thank you.

Anonymous said...

Anon,

You need to have a Helpdesk mailbox created before hand in order to add permissions to the object

Anonymous said...

How do I restrict access? For example, I want to give only read-only access so that some users may only read and may not be able to delete any contents.

HiLL said...

Hi,
Thank you for the nice post, but... the last line will not work as you described.
You have to run this command:
[PS] C:\>Set-Mailbox -Identity helpdesk -GrantSendOnBehalfTo:'Help Desk Permissions Group'

Now the group will get real permission to send on behalf of the shared mailbox. If the Help Desk Permissions Group is a mail-enabled group, of course.

Vijey said...

Nick, thanks for your wonderful article. We have configured the shared mailbox. How do I configure the shared mailbox so that items stay unread in my Outlook even though others have read them?

Anonymous said...

Nick, great article and many thanks so far. I am desperately trying to move away from Public folders; the reason we use them is that they keep read/unread item info per user, whereas a shared mailbox usually shows an item as read to all once one person has read it. Any way of getting round this? Many thanks again, Richard

Anonymous said...

You can also access the other mailbox by clicking on your name in the top right hand corner

Anonymous said...

Sorry, OK for the shared mailbox, but Microsoft forgot how to show the contacts folder in the shared mailbox in the address book; for example, I want to use it for my business contacts. I tried and I CAN'T, in the properties, show a contacts folder other than personal or public.
This is a very old problem, and also in 2007 an Exchange administrator can't set up a shared contacts folder easily. OK, I can use a public folder, but that folder has many problems: Windows Mobile sync, Windows Search 4 limits in non-cached mode, and more. A shared mailbox is the future, but users need to see all contacts in their address book.
Please mail me if there is a solution to see a shared mailbox contacts folder in the address book.
l.anselmo@sclock.com

Anonymous said...

How do I set up the shared mailbox in Outlook 2007?

Paul Wildgen said...

I like the idea of a Shared Mailbox for special occasions only. Thanks for the explanation Nick. I did have a funny thing happen though. I am in transition from e2k3 to e2k7 and moving the Legacy mailboxes to E2k7. On one occasion after the move it shows up as a Shared Mailbox not a user mailbox. The account is not disabled and looks like a normal user mailbox. Is there a way to fix this? Thanks p

Sahus_Pilwal said...

Would be good if you could add the shared mailbox from the add new mailbox wizard. On another note does anyone know if assigning these permissions requires some time to reflect on the client machines. I've made all the changes as stated above but after adding the mailbox and trying to open the new mailbox folder in my folders pane (Outlook 2007) it displays "the set of folders cannot be opened. You do not have permissions to log on."

Anonymous said...

Thanks, really great post...

Alex said...

At work with outlook usually I use easy passwords,but once I used difficult and forget it.In this situation for myself helped next tool-outlook 2000 pst recover password.It myself advised familiar.As he said it is free and can also recover forgotten or lost passwords for email accounts as well as for files with *.pst extension.

chad said...

Nick- Great article.
I have created a shared in box for 2 users.
I am curious if you know if it is possible to allow both users to receive access to this shared inbox via BES server? Active Sync is no longer an option. Any assistance is appreciated.

Anonymous said...

Maybe a stupid question.... but just to be sure ....

Will this cost me an extra CAL or is this the same as an mail-enabled public folder?

TIA,
Ivan

Anonymous said...

One cool thing to note is users can access the mailbox by hitting it directly in OWA.. https://owa1.XXX.com/owa/Shared.Mailbox@microsoft.com.. This was useful for me since some users did not have exchange mailboxes and still needed access..

David

Ivan said...

Anyone ?????

Maybe a stupid question.... but just to be sure ....

Will this cost me an extra CAL or is this the same as an mail-enabled public folder?

TIA,
Ivan

Ivan said...

Hi there,

I called Microsoft and asked the question.

Answer: If a user login (login also means, read mail from it) to a mailbox then an extra CAL is needed!

So Yes a shared mailbox needs an extra CAL.
Going for public folders, because then an extra CAL isn't needed.

Tnx.

Gr.
Ivan

Anonymous said...

Simply superb!!!!!
G

Ivan said...

!!! UPDATE !!!

Shared mailboxes will NOT cost an extra license.

I contacted Microsoft again and the information they gave me was wrong!

You only need CALs for the users in Active Directory that use a mailbox.

When creating Disabled users (shared mailboxes) it will not count as an extra user.

Also it does not matter how many times you link a mailbox to another mailbox.

Sorry for the will's/willnot's but I am glad that I called them again and got it clear now.

Gr.
Ivan

123 123 said...

Cool blog you got here. It would be great to read a bit more concerning that theme.
BTW check the design I've made myself A level escort

Anonymous said...

To Hill:

'send as' obviously is NOT the same as 'send on behalf'...

Anonymous said...

To Angie (03/08), or anyone who had the same problem, you most likely needed to log out and back in for the security permissions to apply for the group you just created and added yourself to. That's why it worked the following morning, I expect.

Great article. Just what I needed.

Anonymous said...

Great article indeed! Thank you. Is there any way to give shared mailboxes a display name other than an alias? For some reason, when I created a shared mailbox called AC-Jobs, I can't give it the "From:" display name: "Jobs Admin". Outside users only see "AC-Jobs", but I'd like them to see the actual name, such as with regular users. Any ideas?

Alexis said...

I usually use a lot of emails,but yesterday something happened and my emails were lost. I didn't know what to do next,but luckily I entered the Internet and perceived a new tool - how to convert from ost to pst. I was surprised,reason of it resolved my trouble for 30 seconds and gratis as far as I remembered.

Anonymous said...

This is a great article indeed, however, I'm having problems finding the proper database.

I used the following command to look up the database name of an existing shared mailbox:

get-mailbox -id |fl

I found the "database" name for the new shared mailbox, but I get the following error:

"Database "SERVER2009\Third Storage Group\Shared Mailboxes" was not found."

Any ideas?

There are no typos or anything like that.

Any help would be appreciated! Thanks!

dblanch said...

In Exchange Management Console,you can still use the "Manage Send As Permission..." and "Manage Full Access Permission..." links from the Action pane or menu, even if the mailbox type is Shared.

And "Send on Behalf" via Properties - Mail Flow settings - Delivery Options works also.

So the GUI is still useful apart from creating/converting the mailbox to Shared.

Other permissions would have to be done via PowerShell or Outlook.

Alex said...

Yesterday evening I opened my MS Outlook and saw an error. I couldn't send, receive and other things with emails. I was thinking about a determination of the problem. And I thought - ost convert pst. This software was founded on a soft blog and was effective in this situation.

Patrick M said...

Heres a tough one (maybe).

Exchange 2003-You have a shared mailbox with multiple subfolders that each have their own smtp address.

You want to have auto response to these folders come from the sub-folders smtp address not from the primary smtp of the shared mailbox... how can this be done?

Also is there an "easy" way to give send as rights to every smtp address assigned to the shared mailbox?

I noticed that at a minimum you have to create a contact for each smtp address in the folder otherwise when the user types the address in the "From" field in Outlook it resolves to the primary smtp....

lala said...

Thanks for your post and welcome to check: here
.

Anonymous said...

I have followed the instructions but I still get the message "you do not have the permission to send the message on behalf of the specified user". Do the users have to be mail users in their own right, or can I add non-mail users to the shared mailbox?

glob said...

So how do you get this sort of mailbox so sync via ActiveSync to a mobile device?

I guess this is not possible...

Paul W. Davis said...

Sort of helpful.

The "advanced" tab does not exist in Outlook 2007 Client. Adding a mailbox to open in this way is impossible.

A more exact description (version of outlook, etc.) would be helpful.

Marcus said...

I am trying to create the shared mailbox but I am getting an error.
Organizational unit "hbglus.com/Exchange Resources" was not found. Please make
sure you have typed it correctly.
At line:1 char:1
I don't know what to put for the organizational unit. It should be the default.
Thanks

Anonymous said...

Nick,
I created a shared mailbox named archive. I also created a user group named SG_archive. This group has FullAccess on the archive mailbox. I created a folder inside the Inbox folder for each member of the group SG_archive. I want each user to have access only to his folder. So I changed the security settings under the Permissions tab of each folder to set Anonymous and Default to None and give Owner to the right person. It works well for users who have Outlook 2007, but users who have Outlook 2003 can access all folders.

You have any idea?
Thanks!
Alex
alabelle "@T" bellex.com

Ed said...

Thanks Nick for this info. It was quite easy. Have one issue, not sure if I missed a step, or what:

Outlook Web Access could not connect to Microsoft Exchange.
Exception
Exception type: Microsoft.Exchange.Data.Storage.ConnectionFailedTransientException
Exception message: Cannot open mailbox /o=%% Exchange/ou=Exchange Administrative Group (xxxFxYxDxIBxxxx)/cn=Recipients/cn=xxxxxxxxx.

Call Stack (omitted)

Inner Exception
Exception type: Microsoft.Mapi.MapiExceptionLogonFailed
Exception message: MapiExceptionLogonFailed: Unable to open message store. (omitted rest of message)

I followed exactly the steps for the Security Group and I am in that group.

On the OWA you stated to add the mailbox address, such as: https://mail....org/owa/"recipient"@.../ and to login "using your own login credentials"

What could I be missing?

Ed Resleff
ed.resleff "@t" rescue-mission dot org

Anonymous said...

Had to stop and restart the Exchange Information Store service to propagate the changes in order for Send As to work from OWA. Waiting a few hours would have accomplished the same thing.

Ross said...

I was wondering if it was possible to use the 'Alias' in the link instead of the full email address.

So instead of https://owa.domain.com/owa/helpdesk@domain.com

Can you use https://owa.domain.com/owa/helpdesk
When I try this I get a 404 file or directory not found error.

I have it setup working like this, for some accounts that were migrated from exchange 2003, but no new accounts seem to work this way!!
Is this at all possible?

Thanks!

Anonymous said...

Shared mailboxes are great, but do you have a script that will create a list of shared mailboxes on an Exchange server?
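An added example for the question above; this is not the post author's or the commenter's script. It lists every shared mailbox and, for each, the explicit FullAccess and Send-As grants, which is the listing you need when reviewing who can still read from or send as those mailboxes. It assumes the Exchange Management Shell, that the mailbox objects expose the RecipientTypeDetails property the post's recipient types are based on, and the CSV path at the end is a placeholder.

```powershell
# Added example, not code from the original post. Runs in the Exchange Management Shell.
# Enumerate shared mailboxes by recipient type (filtered client-side to stay portable).
$sharedMailboxes = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.RecipientTypeDetails -eq 'SharedMailbox' }

$report = @()
foreach ($mbx in $sharedMailboxes) {
    # Explicit FullAccess grants only: skip inherited entries and the mailbox's own SELF entry.
    $fullAccess = Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { -not $_.IsInherited -and
                       -not $_.Deny -and
                       $_.User -notlike 'NT AUTHORITY\SELF' -and
                       $_.AccessRights -like '*FullAccess*' }

    foreach ($entry in $fullAccess) {
        $report += $entry | Select-Object @{n='Mailbox'; e={ $mbx.Alias }},
                                          @{n='Right';   e={ 'FullAccess' }},
                                          @{n='User';    e={ $_.User.ToString() }}
    }

    # Explicit Send-As grants: an Active Directory right, so read it with Get-ADPermission.
    $sendAs = Get-ADPermission -Identity $mbx.Identity |
        Where-Object { -not $_.IsInherited -and
                       -not $_.Deny -and
                       $_.User -notlike 'NT AUTHORITY\SELF' -and
                       $_.ExtendedRights -like 'Send-As' }

    foreach ($entry in $sendAs) {
        $report += $entry | Select-Object @{n='Mailbox'; e={ $mbx.Alias }},
                                          @{n='Right';   e={ 'Send-As' }},
                                          @{n='User';    e={ $_.User.ToString() }}
    }
}

# Shared mailboxes with no explicit grants at all are worth a look too:
# nobody can use them, or access is reaching them through an inherited entry.
$withGrants = $report | ForEach-Object { $_.Mailbox } | Sort-Object -Unique
$sharedMailboxes | Where-Object { $withGrants -notcontains $_.Alias } |
    ForEach-Object { "No explicit FullAccess or Send-As grants on shared mailbox: $($_.Alias)" }

$report | Sort-Object Mailbox, Right, User | Format-Table Mailbox, Right, User -AutoSize
$report | Export-Csv -Path 'C:\Reports\SharedMailboxAccess.csv' -NoTypeInformation   # placeholder path
```

When the post's group-based approach has been followed consistently, the User column should contain only security groups; an individual account showing up here is the kind of one-off grant that tends to outlive the person it was made for, and the CSV makes that easy to spot from one review to the next.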

Fredrik said...

Regarding the issue with "sent items" in Outlook 2003/2007 Microsoft has released an Outlook hotfix package.

Outlook 2007 -> http://support.microsoft.com/kb/970944/ (KB972148)

Outlook 2003 -> http://support.microsoft.com/kb/953803/ (KB953803)

In Outlook 2010 this isn't an issue anymore.

Thanks for a great article Nick!

Ankit said...

Hello All,

Have a question and requesting a response.

We are accessing a shared mailbox with over 10 users working on it. Each one has a folder under it, and it is like picking emails from the Inbox and then moving them to his folder (which is under the shared mailbox only).

Question is: can we track it? If I have an email, is there a way to see who moved it or where it was moved (any audit trail)?

Requesting a solution, please help.

Anonymous said...

Excellent write up. The accessing of the shared mailbox by adding the address to the end of the OWA was such a simple solution to what I was looking for. Thanks!

sabu said...

@Ankit
I have the same query as yours did you find an answer?

Rubber Soul said...

I am a novice. I have created a mailbox and I need to add 50 users to Send As and full mailbox access.
I cannot use the Console as I can only add 1 user at a time. It'll take forever. Is there a script that lets me add all the 50 users to Send As and full mailbox access using either the logon name or display name?


Rubber Soul said...

Can anyone please assist?

Gabriel Smith said...
This comment has been removed by the author.