Minimum permissions necessary to access mailbox data


I was asked the following question recently: What are the minimum permissions I need to grant a user so that the user can access the data in another user’s mailbox?

My first reaction was to point to article 821897, which states that Send As and Receive As permissions are necessary. What we came to find out was that the Receive As permission is the only permission necessary to access information in the mailbox.

After some research I have the answer to the question:

There are two methods to grant a user permission to open another user’s mailbox in Outlook (File -> Open -> Other User’s Folder). If a custom application accesses the mailbox using WebDAV or CDO code, yet another set of permissions is needed.

MAPI permissions

To begin, we can use MAPI permissions assigned at the top-level mailbox object.

The “reviewer” role gives the user the ability to read items and files only. For all folders to be viewable, the Folder Visible permission must also be present on the top level. Here are the steps I would suggest:

1. Open the target mailbox.
2. Right-click the folder you want to grant access to and choose Properties.
   a. Choose the Permissions tab.
   b. Click Add, choose the user to grant access to from the address list, and click OK.
   c. Choose the Reviewer role and click OK.
3. Right-click the Mailbox – <Target Mailbox Display Name> folder and choose Properties.
   a. Choose the Permissions tab.
   b. Click Add, choose the user to grant access to from the address list, and click OK.
   c. Leave the role as None, select the “Folder Visible” permission, and click OK.

Outlook folder permissions
http://office.microsoft.com/en-us/assistance/HP052422871033.aspx

Full Mailbox Access at the Active Directory Level

The second way to grant access to the items in a mailbox through Outlook is to assign Full Mailbox Access on the mailbox in Active Directory.

Which of two scenarios occurs depends on the build of the store installed on the Exchange server. If no hotfixes have been applied, the user will be able to delete messages, create messages, and read items and files, and will also be able to send e-mail from that mailbox. If the server is running store.exe hotfix build 7233.51 or higher for Exchange Server 2003 Service Pack 1 (SP1), or store.exe hotfix build 7650.23 or higher for Exchange Server 2003 Service Pack 2 (SP2), the user will still have the same permissions to delete messages, create messages, and read items and files, but will no longer be able to send messages from the mailbox.

The following article has more information:

A delegate user who has "Full mailbox access" permissions for another user's mailbox can send e-mail messages as the mailbox owner in Exchange Server 2003
http://support.microsoft.com/kb/895949/

This change was also discussed in this blog post.

When using a custom application

When a custom application accesses the mailbox, the Receive As permission is necessary. The Receive As permission on the mailbox gives the user the same abilities as Full Mailbox Access: delete messages, create messages, send e-mail (as the user who is accessing/logged into the mailbox), and read items and files, and additionally the permission to copy data out of the mailbox.

1. Open the Exchange System Manager.
2. Expand the Organization.
3. Right-click the Organization and choose Delegate control…
   a. Click Next, then Add, then Browse. From the object picker choose the user or group you want to grant access and click OK.
   b. Make sure the Exchange View Only Administrator role is chosen and click OK.
   c. Click Next and then Finish.

Note: The Exchange View Only Administrator role can also be delegated at the administrative group level using step 3.

264733 How to enable the Security tab for the organization object in Exchange 2000 and in Exchange 2003
http://support.microsoft.com/default.aspx?scid=kb;EN-US;264733

4. Next, expand the Administrative Groups container.
5. Expand <administrative group name>, the Servers container, <server name>, and the storage group <storage group name>.
   a. Right-click the store containing the mailboxes you want to grant access to and choose Properties.
   b. Click the Security tab and choose the user from the list. If the user was delegated View Only Administrator as a member of a group, and you do not want the entire group granted Receive As here, add the individual user at this point.
   c. Scroll down the list of permissions, check Allow for the Receive As permission, and click OK.

Note: The Receive As permission can be set at any level under the Organization.

6. The Information Store may cache this data, and it can take up to 2 hours for the cache to be flushed. Dismount and remount the store to flush the cache immediately.

If the user is already an Exchange Full Administrator, you will need to follow the steps in one of the following two articles (depending on the version of Exchange you are using), because the Receive As permission will be inherited as a deny:
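To verify the outcome of steps 4 to 6 and to spot the inherited deny that an Exchange Full Administrator carries, here is an added PowerShell example (not code from the original post) that reads the mailbox store’s security descriptor through ADSI and lists every Receive As and Send As entry with its Allow/Deny type and whether it was inherited. The store LDAP path is a placeholder you must replace; the two GUIDs are the schema’s rightsGuid values for the Receive-As and Send-As extended rights; it runs from any domain-joined machine with PowerShell 2.0 or later.

```powershell
# Added example (not from the original post): list who holds the Receive As and
# Send As extended rights on an Exchange 2003 mailbox store by reading the store
# object's security descriptor from Active Directory. Read-only; nothing is changed.

# PLACEHOLDER: replace with the LDAP path of your mailbox store in the configuration
# partition (the same object whose Security tab is used in step 5 above).
$storePath = 'LDAP://CN=Mailbox Store (SERVER),CN=First Storage Group,CN=InformationStore,' +
             'CN=SERVER,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,' +
             'CN=ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=com'

# rightsGuid values of the Receive-As and Send-As controlAccessRight objects in the AD schema.
$extendedRights = @{
    'ab721a56-1e2f-11d0-9819-00aa0040529b' = 'Receive As'
    'ab721a54-1e2f-11d0-9819-00aa0040529b' = 'Send As'
}

function Get-StoreExtendedRights {
    param([string]$Path)
    $store = [ADSI]$Path
    # ObjectSecurity exposes nTSecurityDescriptor as ActiveDirectorySecurity. Ask for
    # raw SIDs so that one orphaned SID cannot abort the whole listing.
    $rules = $store.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $guid = $rule.ObjectType.ToString()
        $extended = ($rule.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        # Keep only ACEs that name one of the two extended rights we care about.
        if (-not $extended -or -not $extendedRights.ContainsKey($guid)) { continue }
        try   { $who = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $rule.IdentityReference.Value }   # unresolvable SID: keep the S-1-5-... form
        New-Object PSObject -Property @{
            Principal = $who
            Right     = $extendedRights[$guid]
            Type      = $rule.AccessControlType.ToString()   # Allow or Deny
            Inherited = $rule.IsInherited                    # $true = came from a parent such as the Organization
        }
    }
}

$entries = @(Get-StoreExtendedRights -Path $storePath)
$entries | Sort-Object Principal, Right | Format-Table Principal, Right, Type, Inherited -AutoSize

# An Exchange Full Administrator carries an inherited Deny that sits next to any Allow
# granted on the store; report those principals so the articles below can be applied.
foreach ($group in ($entries | Group-Object Principal, Right)) {
    $types = @($group.Group | ForEach-Object { $_.Type })
    if (($types -contains 'Allow') -and ($types -contains 'Deny')) {
        "Allow and Deny both present for $($group.Name)"
    }
}
```

Run it once before and once after step 6 to confirm the explicit Allow appeared on the store and to see whether a Deny is also present for the same account.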

821897 How to assign service account access to all mailboxes in Exchange Server 2003
http://support.microsoft.com/default.aspx?scid=kb;EN-US;821897

262054 XADM: How to Get Service Account Access to All Mailboxes in Exchange 2000
http://support.microsoft.com/default.aspx?scid=kb;EN-US;262054

Working with Store Permissions in Microsoft Exchange 2000 and 2003
http://www.microsoft.com/downloads/details.aspx?familyid=2ae266f0-16b7-40d7-94d9-c8be0e968a57&displaylang=en

- Charlotte Raymundo

Comments (15)
  1. zhai says:

    Hi Charlotte

    Really enjoyed your post. I am encountering some difficulties with Exchange permissions in my company and wondered if you could give me some advice.

    We are a big Telco company located in the Middle East.

    Currently we are giving our telemarketing guys access to our door-to-door salespersons’ Outlook so they can look at their calendar and set up appointments for them.

    The system guys are giving the telemarketing permission through the salesperson’s AD user, which means the telemarketing are getting Full mailbox access.

    We had complaints from the sales about telemarketing viewing their mail.

    So we want to give the telemarketing access only to their calendar (as it should be). Is there a way to do that centrally from the AD?

    (I know I can do it from every salesperson’s Outlook but I prefer to do it from a central location.)

    Thanks in advance

    zhai

  2. Zhai,

    Unfortunately granting permissions on specific Outlook folders cannot be set in AD. That said, here is a post that will help you to set this using CDO code:

    http://gsexdev.blogspot.com/2005/05/changing-default-permissions-on.html

    Hope this helps!

  3. Luke Notley says:

    Whatever happened to that great utility dscflush for Exchange 2003? It doesn’t seem to work on Exchange 2003 servers I’ve tried it on.

    Luke

  4. Robert Hupf says:

    We are having a problem where we are granting a user in one domain Send As rights to a mailbox in another domain (same forest) and the permission keeps "disappearing". I have tried it with different users and the same thing happens. We are on Exchange 2003 SP1.

  5. Exchange says:

    Robert,

    Check this article – we see this relatively often in PSS:

    Delegated permissions are not available and inheritance is automatically disabled

    http://support.microsoft.com/?id=817433

  6. Manju says:

    Hi,

    I’m Manju. I have a question on the same.

    If any user wants to access calendar information of other users, what is the normal procedure?

    Do we need to grant full mailbox permissions at the mailbox level, and is any role required at the client?

  7. Manju,

    To grant another user access to a second user’s calendar you can either grant MAPI permissions on the second user’s calendar or grant permissions on that user object in the Active Directory.

    If you want to just share the calendar you will grant access from the Outlook client. Here is the article with the steps:

    290824 How to open another user’s calendar or another folder in Outlook 2002
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;290824

    If you want to grant permissions to access the calendar from the Active Directory side you will grant permissions on the second user’s user object under "mailbox rights" (steps listed above).  

    The user being granted the permissions at the Active Directory level will need the full mailbox access and with that right the user will be able to access all folders in the second user’s mailbox, not just the calendar.  There is no way to specify the specific mailbox items the permissions are applied to at this level.

    Hope this answers your question!

  8. Igor says:

    Hi Charlotte,

    great article.

    I have one question:

    often we want to give a user read permissions for another user’s mailbox (not only for specific folders, but for the whole mailbox).

    When we define "Read permissions" in the Exchange Advanced -> Mailbox Rights properties of the user it doesn’t work – the user cannot open the other user’s mailbox. However it works if we give the user full mailbox access.

    But we want to give only read access…

    Any suggestions?

    Currently we use the PFDAVAdmin tool to give read permissions for the whole mailbox, but we really want to do it with Active Directory.

    P.S. We use Exchange 2003 SP1 servers on Windows 2003.

  9. Igor,

    Granting permissions to allow users just the read permissions (even on the entire mailbox) has to be done at the MAPI level in Outlook.

    The Full Mailbox Access right is the only one available in the Active Directory.  As you mentioned this gives the user more rights than just the read access.  Unfortunately there is no way to break this down into specific permissions (read, write …) in the Active Directory.

    With that said, you could grant these MAPI level permissions using CDO referenced in this blog:

    http://gsexdev.blogspot.com/2005/05/changing-default-permissions-on.html

    Hope that helps!

  10. Igor says:

    Hi Charlotte,

    thanks for the answer.

    It would be nice if Microsoft would remove the "Read permissions" string in the Exchange Advanced -> Mailbox Rights properties, or at least describe this behaviour in a help/KB article.

    Thanks, Igor

  11. Igor,

    I can certainly understand the confusion as it is not well documented.  The permissions in the mailbox rights section fall under more administrator-type roles.  The Read permissions right is just that; this permission provides the ability for the user to read the permissions of the mailbox.

    Regards,

    Charlotte

  12. PermanentMarker says:

    Why not make it an MMC Exchange task:

    – share this mailbox, with user(s)

    – share a folder of this mailbox

    then have next steps like

    readonly access

    read and delete access

    create /delete own items xx

    full mailbox access xx

    and in a xx > next step

    send as

    perhaps easier for some users, ehmm Exchange admins

    Although I think that users should share their mailboxes themselves, from a legal standpoint.

  13. Anonymous says:

    We have received several support calls in the past months relating to migrating Exchange Event Service Scripts from Exchange 5.5 to Exchange 2003.  Because it isn’t straightforward or documented (to my knowledge), I came up with this information to help

  14. Diego says:

    Let’s suppose the access was already given. If you give access to a group and somebody sends an e-mail to our Global List criticizing the company, how do we know who sent the e-mail?

Comments are closed.