This is frequently asked question, “How to setup Read-only Mailbox?” or “How to give Read-Only permission to access mailbox?” in Exchange 2003/2007. Procedure is tricky but moderately possible.
We have two places where we can give minimum permission to access any mailbox. Refer below article at MS Exchange Team blog for more details.
Minimum permissions necessary to access mailbox data
- Active Directory Mailbox ACLs – Full Mailbox Permission requires in the mailbox ACLs at Active Directory level to access mails, so this is not correct place where we can configure Read-Only permission.
- MAPI Folder Permissions – This is the correct place for our requirement. Let’s discuss how to do so.
As always let’s take an example. I am owner of mailbox called “Support” mailbox and I have Full Mailbox Access on it. Now I want to share Support mailbox with any user or a set of users (in from of group) but as a Read-Only and don’t want to allow them deleting any items inside.
If you are selecting a group to configure permission then it should be Mail Enabled Security group. If you are using distribution group to assign permission then it gives you an error while assigning permission in Outlook. It is always recommended to use security group while assigning permissions.
Let’s say I am going use “#Support Team” Mail Enabled Security group to assigned read only permission on “Support” mailbox hence member of “#Support Team” will be able to open it.
Now to open any mailbox and view all folders inside it, we need to give MAPI permission starting from Top of the Mailbox object “Mailbox – <Mailbox Display Name>” in Outlook.
1. Right Click on “Mailbox – Support” and click “Change Sharing Permission…” (“Sharing…” if you are using Outlook 2003).
2. Click on Add and select “#Support Team” from GAL, give at least “Folder
Visible” (or you can also give Reviewer) permission to view all mailbox folders.
3. Now, Right click on “Inbox” and click on “Change Sharing Permission…” or “Sharing…”.
4. Click “Add” and select the “#Support Team” from GAL and give “Reviewer” permission.
Follow step 3 & 4 for all folders which you want to share with group.
Sheldon Labrooy is one of the member of “#Support Team”.
So Sheldon can add “Support” mailbox into Outlook profile by going to Tools –> Account Settings –> Change Email Account –> More Settings –> Advance Tab –> Click Add in “Mailboxes – Open these additional Mailboxes:” and select Support mailbox.
Sheldon can see all items available in Support mailbox and he will be able to Reply or Forward.
But he is not allowed to Delete or Move any items in it.
Its pretty simple to add and open any mailbox in Outlook but how to open it in OWA? Reason is OWA requires Full Mailbox access to open full content of OWA site, otherwise it gives an error telling that you don’t have permission to access mailbox, so what you can do in Read-Only mailbox case?
Sometime back I discussed how to open shared calendar in OWA and user can use same method here to open “Inbox” of any read only mailbox.
User can use below direct links for respective folders and give their own user id and password to open it in OWA.
|Inbox||https://<FQDN of server>/owa/<smtpaddress>/?cmd=contents|
|Subfolder of Inbox||https://<FQDN of server>/owa/<smtpaddress>/?cmd=contents&f=inbox%2fSubFolder|
|Calendar||https://<FQDN of server>/owa/<smtpaddress>/?cmd=contents&module=calendar|
|Contacts||https://<FQDN of server>/owa/<smtpaddress>/?cmd=contents&module=Contacts|
|Tasks||https://<FQDN of server>/owa/<smtpaddress>/?cmd=contents&module=Tasks|