Exchange Server Share

July 7, 2009

How to: Setup Read Only Mailbox in Exchange 2003/2007

Filed under: Exchange,Exchange 2003,Exchange 2007,OWA — Amit Tank @ 9:52 pm

This is a frequently asked question: “How to set up a Read-Only Mailbox?” or “How to give Read-Only permission to access a mailbox?” in Exchange 2003/2007. The procedure is tricky but achievable.

There are two places where we can grant the minimum permission to access a mailbox. Refer to the article below on the MS Exchange Team blog for more details.
Minimum permissions necessary to access mailbox data

  1. Active Directory Mailbox ACLs – At the Active Directory level, the mailbox ACLs require Full Mailbox Permission to access mail, so this is not the right place to configure Read-Only permission.
  2. MAPI Folder Permissions – This is the right place for our requirement. Let’s discuss how to do it.

As always, let’s take an example. I am the owner of a mailbox called “Support” and I have Full Mailbox Access on it. Now I want to share the Support mailbox with a user or a set of users (in the form of a group), but as Read-Only, and I don’t want to allow them to delete any items inside.

If you select a group to configure the permission, it should be a Mail Enabled Security group. If you use a distribution group, Outlook gives you an error while assigning the permission. It is always recommended to use a security group when assigning permissions.

Let’s say I am going to use the “#Support Team” Mail Enabled Security group to assign read-only permission on the “Support” mailbox, so members of “#Support Team” will be able to open it.

 

 

Now, to open a mailbox and view all folders inside it, we need to give MAPI permission starting from the top of the mailbox object, “Mailbox – <Mailbox Display Name>”, in Outlook.

1. Right-click “Mailbox – Support” and click “Change Sharing Permission…” (“Sharing…” if you are using Outlook 2003).

2. Click Add and select “#Support Team” from the GAL, then give at least “Folder Visible” (or you can also give Reviewer) permission to view all mailbox folders.

 

3. Now right-click “Inbox” and click “Change Sharing Permission…” or “Sharing…”.

4. Click “Add”, select “#Support Team” from the GAL and give “Reviewer” permission.

Repeat steps 3 and 4 for every folder you want to share with the group.

Sheldon Labrooy is one of the members of “#Support Team”.

 

So Sheldon can add the “Support” mailbox to his Outlook profile by going to Tools –> Account Settings –> Change Email Account –> More Settings –> Advanced tab –> click Add under “Mailboxes – Open these additional Mailboxes:” and select the Support mailbox.

 

 

Sheldon can see all items available in the Support mailbox and he will be able to Reply or Forward.

But he is not allowed to Delete or Move any items in it.
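
A check of the result, as an added example that is not part of the original post: given an export of the MAPI folder permissions, it reports any folder where the group lacks the rights from steps 2 to 4 or holds more than read access. The function `audit`, the right names (modelled on the checkboxes in Outlook's permission dialog) and the sample ACL are assumptions constructed for illustration.

```python
# Added example: right names mirror the checkboxes in Outlook's permission
# dialog; the ACL data is constructed for illustration, not read from a server.
REVIEWER = {"ReadItems", "FolderVisible"}
WRITE_RIGHTS = {"CreateItems", "CreateSubfolders", "EditOwnedItems",
                "EditAllItems", "DeleteOwnedItems", "DeleteAllItems",
                "FolderOwner"}


def audit(acl, principal, root, shared_folders, full_access=()):
    """Return findings as (location, problem); an empty list means read-only.

    acl maps folder path -> {principal: set of rights}.
    full_access lists principals holding Full Mailbox Access on the mailbox.
    """
    findings = []
    # Full Mailbox Access applies to the whole mailbox, whatever the folders say.
    if principal in full_access:
        findings.append((root, "has Full Mailbox Access"))
    # Step 2: the mailbox root needs at least Folder Visible.
    if "FolderVisible" not in acl.get(root, {}).get(principal, set()):
        findings.append((root, "missing FolderVisible"))
    # Steps 3 and 4: every shared folder needs the Reviewer rights.
    for folder in shared_folders:
        if not REVIEWER <= acl.get(folder, {}).get(principal, set()):
            findings.append((folder, "missing Reviewer rights"))
    # No folder in the export may grant create, edit or delete rights.
    for folder in sorted(acl):
        extra = acl[folder].get(principal, set()) & WRITE_RIGHTS
        if extra:
            findings.append((folder, "grants " + ", ".join(sorted(extra))))
    return findings


GROUP = "#Support Team"
ROOT = "Mailbox - Support"
SAMPLE_ACL = {  # constructed sample
    ROOT: {GROUP: {"FolderVisible"}},
    ROOT + "/Inbox": {GROUP: {"ReadItems", "FolderVisible"}},
    ROOT + "/Sent Items": {GROUP: {"ReadItems", "FolderVisible", "DeleteAllItems"}},
    ROOT + "/Archive": {},
}


def run_sample():
    shared = [ROOT + "/Inbox", ROOT + "/Sent Items", ROOT + "/Archive"]
    return audit(SAMPLE_ACL, GROUP, ROOT, shared)


if __name__ == "__main__":
    for location, problem in run_sample():
        print(f"{location}: {problem}")
```
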

  

It’s pretty simple to add and open a mailbox in Outlook, but how do you open it in OWA? OWA requires Full Mailbox access to open the full content of the OWA site; otherwise it gives an error saying that you don’t have permission to access the mailbox. So what can you do in the Read-Only mailbox case?

Some time back I discussed how to open a shared calendar in OWA, and users can use the same method here to open the “Inbox” of any read-only mailbox.

Users can use the direct links below for the respective folders and enter their own user ID and password to open them in OWA.

Inbox: https://<FQDN of server>/owa/<smtpaddress>/?cmd=contents
Subfolder of Inbox: https://<FQDN of server>/owa/<smtpaddress>/?cmd=contents&f=inbox%2fSubFolder
Calendar: https://<FQDN of server>/owa/<smtpaddress>/?cmd=contents&module=calendar
Contacts: https://<FQDN of server>/owa/<smtpaddress>/?cmd=contents&module=Contacts
Tasks: https://<FQDN of server>/owa/<smtpaddress>/?cmd=contents&module=Tasks


5 Comments

  1. Amit,

    Off of the topic itself, my question is “Which utility do you use for your screen captures, added highlighting, etc.?”

    Thanks,
    Daniel

    Comment by Daniel — August 19, 2009 @ 4:15 am

    • Hey Daniel,

      I use “SnagIt” and “FastStone Capture” to capture the screen and add the effects… :)

      Amit

      Comment by Amit Tank — August 19, 2009 @ 2:54 pm

  2. I needed to create a new mailbox called Dispatch and share it between three users. I did everything as outlined with one exception, I added the users manually instead of creating a security group and all three have access. The only issue I am having is that they can delete items even though under Reviewer that permission should not be available.

    Any suggestions on what my problem might be? One thought I had was that I didn’t use the security group to assign the mailbox (I’m a little uncertain as to what to do when creating the group) — the other thought I had was that there is really no “owner” of this mailbox since it was created as a user with a mailbox, but no computer was set up and no one logs into this account in outlook as the owner.

    It’s not critical but I’d like any of my three users to have read access but no delete abilities.

    Thanks in advance!!

    Comment by James — November 2, 2009 @ 10:42 pm

  3. Thank you for this tip! I’ve been looking for this solution.

    Comment by John Sayo — April 3, 2010 @ 7:13 am

  4. Kudos!

    Comment by Mohamed. — June 17, 2010 @ 1:00 pm

