How to access multiple resource mailboxes in Exchange Web Services (EWS)


In Exchange 2007 Web Services it is very convenient to access and manage other users' mailbox accounts by using Exchange Impersonation. This feature enables a caller to impersonate a given account so that the caller can perform operations by using all the original user's permissions. But resource mailboxes (room, equipment) are created as disabled accounts in Active Directory, and Windows can't resolve the specified identity to a disabled user account, so EWS Impersonation for resource mailboxes always fails with an "Impersonation fails" error.

Well, since enabling a disabled account on a resource mailbox is NOT a supported configuration, we don't have a workaround for Exchange impersonation to work for resource mailboxes. Instead, the only way to access mailboxes with disabled accounts in EWS is to use Delegate Access.

Below are the steps needed, along with a sample to add delegates on a number of existing resource mailboxes.

1. Set up a webservice account and grant permission for it to access resource mailboxes.

The webservice account is the account set in the ExchangeServiceBinding.Credentials property to send requests to the Exchange Server. We need to add mailbox permissions for this account to allow it to access resource mailboxes. I wrote a PowerShell script that does AD searches for all mailboxes associated with disabled accounts, and then automatically adds FullAccess permission for the service account to all those mailboxes.

Please note: this script is not officially supported by Microsoft.

To use the script, simply put it somewhere on the Exchange 2007 server and specify the alias of the service account as the only parameter. Here is an example:

>.\Add-Res-Mailbox-Permission.ps1 "ServiceAccount"

You should consider testing the script in your lab before using it in your live environment. You can also uncomment the add-content line in the script to output the list of resource mailboxes to a file, and then use it as input info at the next step to add the delegate account.

2. Use the EWS AddDelegate function to add a delegate account to those resource mailboxes.

The use of AddDelegate and other Delegate access methods along with sample code can be found in Exchange Server 2007 SDK, available at

http://www.microsoft.com/downloads/details.aspx?FamilyID=7A44A56A-1DFD-4C26-B99A-1E680E914444&displaylang=en
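
For step 1, one way to preview the FullAccess grant before applying it and then review who holds FullAccess on resource mailboxes. This is an added example, not the author's Add-Res-Mailbox-Permission.ps1: it assumes the Exchange Management Shell, selects mailboxes by recipient type instead of searching AD for disabled accounts, and the file name Grant-ResourceFullAccess.ps1 and the -Apply switch are hypothetical.

```powershell
# Grant-ResourceFullAccess.ps1 (hypothetical name; added example, not the author's script)
# Assumption: run in the Exchange Management Shell on an Exchange 2007 server.
param(
    [string]$ServiceAccount = $(throw "Specify the alias of the service account"),
    [switch]$Apply   # without -Apply the script only reports what it would change
)

# Select room and equipment mailboxes only. Other mailbox types that also sit
# on disabled accounts (for example shared mailboxes) are deliberately left out,
# so the service account does not receive more access than it needs.
$resources = Get-Mailbox -RecipientTypeDetails RoomMailbox,EquipmentMailbox -ResultSize Unlimited

foreach ($mbx in $resources) {
    # Explicit (non-inherited) allow entries with FullAccess already held by the account
    $existing = Get-MailboxPermission -Identity $mbx.Identity -User $ServiceAccount |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and ($_.AccessRights -like "*FullAccess*") }

    if ($existing) {
        "{0}: FullAccess already granted" -f $mbx.Alias
    }
    elseif ($Apply) {
        Add-MailboxPermission -Identity $mbx.Identity -User $ServiceAccount -AccessRights FullAccess | Out-Null
        "{0}: FullAccess granted" -f $mbx.Alias
    }
    else {
        "{0}: would grant FullAccess (re-run with -Apply)" -f $mbx.Alias
    }
}

# Review list: every explicit FullAccess entry on the resource mailboxes,
# so grants to accounts other than the service account stand out.
$resources | Get-MailboxPermission |
    Where-Object { -not $_.IsInherited -and ($_.AccessRights -like "*FullAccess*") -and ($_.User -notlike "NT AUTHORITY\SELF") } |
    Select-Object Identity, User, AccessRights, Deny
```

Run it once without -Apply and check the list of mailboxes before running it again with -Apply.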

Hopefully this will save you some time when developing applications in EWS to access resource mailboxes!

You can get the script itself here.

- Jian LI

Comments (7)
  1. GoodThings2Life says:

    So, my boss and I are rolling out Exchange 2007 to a new server in our environment, and while we installed IIS we inadvertently left out the SMTP service (oops). Unfortunately, Exchange installed anyway after "passing" the prerequisites check, so obviously the check isn’t being very thorough about all the requirements.

    Hopefully this is something addressed, and luckily we caught it on our own to fix it.

  2. GoodThings2Life says:

    Very cool stuff, however, in Exchange 2007 with Outlook 2007. :) We are looking forward to diving into it further.

  3. Exchange says:

    GoodThings2Life,

    Well… actually…

    Exchange 2007 has a prerequisite check that will block Setup if SMTP is INSTALLED on the box and will tell you to remove it 1st. That is because in E2007, we have our own SMTP stack and do not need the IIS SMTP service on the box. In fact, if you do install SMTP service on a transport server, you are very likely to have issues as there are two services fighting over the same port…

  4. Hans de Jongh says:

    Does anybody know if I can still download Exchange 2k7 SP1 beta 2? Because otherwise I can't upgrade from SP1 beta 1 to RTM.

  5. Robert B.Goldman says:

    Certainly worth a try. I’ve not joined into this or any other program before.

    Robert B.

  6. Jensen says:

    I’m doing some research for a project I’m about to start where I want to create AppointmentItems in the users private Calendar, but the user should not be allowed to delete the appointment.

    Can this be done with EWS or WebDav, or does the user always have full access to his private calendar?

  7. Manju says:

    User always has full control on his private calendar.

    you can consider posting a read only item..or other forms of publishing

    calendar item

    – Manju
