- Objective 1.1: Plan the mailbox role
- Objective 1.2: Configure and manage the mailbox role
- Objective 1.3: Deploy and manage high availability solutions for the mailbox role
- Objective 1.4: Monitor and troubleshoot the mailbox role
- Objective 1.5: Develop backup and recovery solutions for the mailbox role and public folders
- Objective 1.6: Create and configure mail-enabled objects
- Objective 1.7: Manage mail-enabled object permissions
Objective 1.7: Manage mail-enabled object permissions
In a collaborative environment, enabling users to be able to delegate permissions or use shared resources effectively requires permission manipulation on mail-enabled objects. Some permissions are manageable by users, while others could require administrative action.
Configuring mailbox permissions
In scenarios such as a manager and their assistants, tasks are delegated to assistants when needed. These tasks might include responding to emails, accepting or rejecting meeting requests, and other organizational tasks.
To address such scenarios, Exchange allows the setting up of permissions on the mailbox. Users also have the ability to set up permissions using Outlook to delegate tasks by assigning appropriate permissions.
As an administrator, you can use EAC or Shell to assign permissions to delegates, as needed. Permissions can be assigned, so users have access to the mailbox, have the ability to send on behalf of, or to send as, a recipient. The permissions can also be assigned to distribution groups.
Earlier, in the section Configure Team Mailboxes, you learned about using the Add-MailboxPermission cmdlet to assign permissions. When a permission is assigned by an administrator to a mailbox using Shell or EAC, the change isn’t visible to the user whose mailbox the permissions are assigned to. By default, Exchange Trusted Subsystem and Exchange Servers groups have full access on all mailboxes in the environment. This is required for the system to take necessary mailbox-related actions.
When assigning the permissions using Add-MailboxPermission, use of the InheritanceType parameter enables the administrator to specify whether or not all of the subfolders inherit the assigned permissions. To provide an inheritance on all subfolders of a mailbox when assigning the permissions, set the InheritanceType parameter to All.
Setting up room mailbox delegates
A room mailbox was created earlier in the section, Configure resource mailboxes and scheduling. In the example, room was configured to accept or decline booking requests automatically. You can configure room mailbox delegates to manage bookings manually instead.
To assign delegates, using EAC, edit the room mailbox, select the Booking Delegates option, and then click Select Delegates Who Can Accept Or Decline Booking Requests. Once selected, you need to add the delegates who can manage resource scheduling for the room mailbox. Figure 1–11 provides an example.
FIGURE 1-11 Configure delegates for room mailbox
You can also perform the same task using Shell, using the following cmdlet:
Set-CalendarProcessing -Identity 'New York Executive Briefing Room' -ResourceDelegates @ ('Administrator')
In this example, an administrator was assigned as a delegate to the room mailbox. Figure 1-12 displays a resource booking request sent to the room being forwarded to the administrator for processing.
FIGURE 1-12 Resource booking request forwarded to administrator for processing
You can also decide whether the resource mailbox should automatically process the requests and other parameters, discussed earlier in the section Configure resource mailboxes and scheduling. And you can granularly control which users can request to book the resource automatically if the resource is available, and which users must require approval before they can schedule the resource. From EAC, select your Administrator Account drop-down menu located in the upper-right corner of EAC and select Another User. Select the room resource you want to configure. A new window opens, displaying the room resource’s Options window. Select Settings and the Resource tab. Here you can configure scheduling permissions as needed. Figure 1-13 shows an example configuration, where user Ray Chow is allowed to schedule the resource automatically if the resource is available. The same can also be configured from Shell, using the Set-CalendarProcessing cmdlet.
FIGURE 1-13 Configure scheduling permissions on a room mailbox
Setting up auto-mapping
When a user is assigned full permissions on a mailbox, the mailbox is automatically mapped to the user’s profile. If the user is using an Outlook client that’s configured to use the Autodiscover process, the auto-mapped mailbox is visible in the user’s Outlook profile without any user intervention.
While this auto-mapping process eliminated manual configuration by the user, the user might have access to multiple mailboxes and might not like to have all of the mailboxes automatically mapped to their profile.
You can configure the auto-mapping feature only when assigning the permissions. The following example assigns user Ray Chow full access permissions to the shared mailbox and disables auto-mapping.
Add-MailboxPermission –Identity "Shared Mailbox" -User "Ray Chow" -AccessRights FullAccess -InheritanceType All –AutoMapping $false
Auto-mapping can only be configured when assigning the permissions, and it can’t be changed after the assignment. If you need to change the auto-mapping permissions, you can do so by removing the user’s permissions and reassigning permissions with the desired auto-mapping configuration.
- While schedule processing for room mailboxes can be delegated to a user or a group of users, exceptions can be configured to allow in-policy or out-policy requests to be handled in an automated way for certain users. This depends on resource availability. This can be helpful to reduce the burden on delegates, while still providing the necessary controls.
- Auto mapping can be helpful to eliminate the manual steps required by the user to connect to other mailboxes they have permissions to. But, it’s possible for the administrator to disable auto-mapping when configuring permissions on the mailbox object.
Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.
You have configured a shared mailbox and delegated approval tasks to a user. You need to allow CEO of the company to be able to request the room resource regardless of room scheduling restrictions. What must you do?
- Run Set-CalendarProcessing cmdlet with AllBookInPolicy parameter
- Run Set-CalendarProcessing cmdlet with AllRequestInPolicy parameter
- Run Set-CalendarProcessing cmdlet with AllRequestOutOfPolicy parameter
- Run Set-CalendarProcessing cmdlet with RequestOutOfPolicy parameter
You would like the room resource mailbox to stop from automatically accepting scheduling requests tentatively. What must you do?
- Configure AddNewRequestsTentatively parameter
- Configure AutomateProcessing parameter
- Configure Confirm parameter
- Configure ScheduleOnlyDuringWorkHours parameter
You have configured a shared mailbox and assigned full permissions to a user. The user reports that he is unable to send email as the shared mailbox. What must you do to fix the issue?
- Run Set-Mailbox cmdlet
- Run Add-ADPermission cmdlet
- Run Set-CASMailbox cmdlet
- Run Set-SharingPolicy cmdlet