Understanding the difference between explicit logon and accessing another user's calendar using Web Parts in Exchange 2007



EDIT 4/2/2010: correction around permissions required.


Introduction


One of the most common questions we hear is, "How do I open another user's Calendar in Exchange 2007?" One of the most common misconceptions around this functionality is the level of permissions that are required. This Tech Tip was written to clarify the requirements necessary to open another person's shared Calendar using OWA and how they differ from the requirements that are necessary to open another user's mailbox using the new explicit logon feature in OWA.

Opening another user's Calendar


In legacy Exchange, users who had permission to another user's Calendar could open the Calendar in OWA by entering a simple URL in the form of http(s)://mail.fourthcoffee.com/exchange/alias/calendar. It was the inclusion of ExIFS in legacy Exchange which made it possible to make simple HTTP requests to items and folders on the M: drive. Since we no longer have this in Exchange 2007, we use 'web parts' and the syntax has changed. In order to open another user's Calendar in Exchange 2007 you now need to enter a URL using the following syntax:

https://mail.fourthcoffee.com/owa/e2k7user@fourthcoffee.com/?cmd=contents&f=calendar

The example above opens the Calendar in Day view. The URL can be further modified to open the user's Calendar in Weekly view:

https://mail.fourthcoffee.com/owa/e2k7user@fourthcoffee.com/?cmd=contents&f=calendar&view=weekly

In Exchange 2007, Full Access (or Associated External Account) is required for your account on the target user’s mailbox.  See the following article from Microsoft TechNet:


http://technet.microsoft.com/en-us/library/aa998830(EXCHG.80).aspx


Opening another user's Mailbox


Provided you have the appropriate permissions, you are still able to open another user's mailbox using a URL similar to https://mail.fourthcoffee.com/owa/e2k7user@fourthcoffee.com as in Exchange 2003. However, OWA in Exchange 2007 also includes a new method for accomplishing the same through a feature in the UI.


To open another user's mailbox, simply click the drop-down arrow next to your user name and enter the other user's name or alias in the "Select mailbox" field and click Open.

Like accessing a single folder in another user's mailbox (such as the Calendar), this functionality requires that you have full mailbox access to the target user's mailbox. To achieve this level of permission you use the Exchange Management Shell and enter the command as documented in the following example:

Add-MailboxPermission e2k7user1 -AccessRights FullAccess -user fourthcoffee\e2k7user2

Here, e2k7user1 owns the target mailbox and e2k7user2 is the user you're granting permissions to. Note that granting e2k7user2 access as described will allow them to open e2k7user1's mailbox but not send mail on behalf of e2k7user1.

If you need to later remove the FullAccess right from e2k7user2, use the Remove-MailboxPermission task in the same manner.
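
Because a FullAccess grant exposes the whole mailbox even when only the Calendar is needed, it is worth verifying each grant and periodically reviewing all of them. The following Exchange Management Shell sequence is an added example, not part of the original post; it reuses the article's sample accounts and assumes you run it with Exchange administrative rights:

```powershell
# Added example for the Exchange Management Shell (not from the original post).
# e2k7user1 / e2k7user2 are the article's sample accounts.

# 1. Confirm the grant on the target mailbox after running Add-MailboxPermission.
Get-MailboxPermission -Identity e2k7user1 -User 'fourthcoffee\e2k7user2' |
    Format-List Identity, User, AccessRights, IsInherited, Deny

# 2. Collect every explicit FullAccess allow entry in the organization.
#    Inherited entries come from parent objects such as the mailbox database,
#    and NT AUTHORITY\SELF is the mailbox owner's own entry, so both are excluded.
$grants = Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object {
        ($_.AccessRights -like '*FullAccess*') -and
        ($_.IsInherited -eq $false) -and
        ($_.Deny -eq $false) -and
        ($_.User -notlike 'NT AUTHORITY\SELF')
    }

# 3. Report: which account can open which mailbox.
$grants |
    Sort-Object { $_.User.ToString() } |
    Format-Table User, Identity, AccessRights -AutoSize

# 4. Accounts holding FullAccess on more than one mailbox are the first
#    candidates for review.
$grants |
    Group-Object { $_.User.ToString() } |
    Where-Object { $_.Count -gt 1 } |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 5. Preview the removal of a grant that is no longer needed;
#    drop -WhatIf to apply the change.
Remove-MailboxPermission -Identity e2k7user1 -User 'fourthcoffee\e2k7user2' `
    -AccessRights FullAccess -WhatIf
```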

For additional information, please see the previous post, "Web Part URLs supported by Exchange 2007 Outlook Web Access."

- Joe Turick

Comments (7)
  1. Pablo Martinez says:

    Is it possible to add permissions to the calendar only to another user with the cmdlet Add-MailboxPermission?

    Thanks!

  2. Joe Turick says:

    Hi Pablo, no, this task is not that granular. To set folder permissions you need to do it in Outlook. For future reference, you can learn more about what a particular task can do by entering get-help before the task. For example, "get-help add-mailboxpermission" (excluding quotes).

  3. Is there any way to add a layer in IIS that will allow for backward compatibility in accessing OWA with the old URL syntax? The new syntax is MUCH more cumbersome for end users to have to remember and type out for folder access. I can’t see anyone, except for the very tech savvy, remembering the syntax you have shown. This holds true for users accessing their own folders via URL as well, not just others’ folders. I use the old style URL syntax all of the time to access a few of my subfolders directly. I could probably remember the syntax after using it for a while, but I definitely do not want to. I see the new syntax as going backward, not forward! Could we see this functionality added back in SP1 as well? Please!!!!

    – Jared Pickerell (Techie and Director of a small IT Department)

  4. Joe Turick says:

    I’m not aware of ANY method for accomplishing this in Exchange 2007 and I don’t believe it’s technically possible. If it is, and we receive enough requests for the "old method" I’m sure it will be considered to be included in a service pack. However, I can’t comment on plans for those service packs since we’re only in the planning stages for SP1 and things can change as the SP1 beta progresses.

  5. Rob says:

    Is there a way to add mailbox rights to all of the mailboxes in the organization?  All that I can find are ways to do it individually, such as above.

  6. Exchange says:

    Rob,

    You can do it on the database by running:

    get-mailboxdatabase server1db1 | add-adpermission -user someuser -accessRights <rights> -extendedrights <exrights>

    Exchange 2007 documentation has more info and a sample.

  7. Greg Williams says:

    We have an Exchange 2007 infrastructure that supports users in multiple time zones. All the CAS servers are set to Pacific Time. We’ve granted a number of users in Eastern Time read access to a series of resource mailboxes, and another set of users full access to those same resource mailboxes. The resource mailboxes have all had their regional settings set to Eastern Time. The users with full access can open these calendars in OWA and they are displayed with the correct (Eastern) time zone. When the same calendars are opened in OWA by the users with only read access, the calendars are displayed in Pacific Time (the time zone of the CAS servers).

    Are these users with only read access somehow being blocked from reading the resource mailboxes’ regional settings? If so, is there a way to grant them access to the regional settings without granting full access to the mailbox? If not, what else might be causing this problem?

    Thanks.
