Exchange 2010 shared mailbox - read and write but no delete permission?
-
sexta-feira, 20 de abril de 2012 14:57
Hello.
We have a number of shared mailboxes on our Exchange 2010 SP2 system that are effectively used as a team archive. Currently people either have full access so they can create and delete items or none at all.
We would like to prevent most of them from being able to delete items (either by accident or maliciously) but still leave them able to create new subfolders and move emails into them, then only give full access to a couple of supervisors.
I'm testing this now using my account and had hoped that the explicit deny would override the full access as it would do with NTFS permissions but that doesn't seem to be the case.
Add-MailboxPermission sales -AccessRights fullaccess -user alex
Add-MailboxPermission sales -AccessRights deleteitem -deny -user alexIdentity User AccessRights IsInherited Deny
-------- ---- ------------ ----------- ----
domain.co.uk/Exc... DOMAIN\Alex {DeleteItem} False True
domain.co.uk/Exc... DOMAIN\Alex {FullAccess, ReadPermission} False FalseWith the permissions above I still appear to have full access and can delete other people's items.
Can anyone suggest how to achive this please?Thanks
Todas as Respostas
-
sexta-feira, 20 de abril de 2012 22:32
Full Access will trump everything else.
Therefore your only option is to set permissions at the folder level in the mailbox.
Simon.
Simon Butler, Exchange MVP
Blog | Exchange Resources | In the UK? Hire Me.- Marcado como Resposta Evan LiuModerator domingo, 29 de abril de 2012 02:54
-
sábado, 21 de abril de 2012 02:14
Maybe consider using a PF instead, although I know most people are trying to move away from this to SP which you can also consider.
Or you can let them have full mailbox and and put the mailbox on retension hold, you can then recover mail items, although they should go to the dumpster anyway. Maybe increase the dumpster.
Sukh
-
segunda-feira, 23 de abril de 2012 09:10Moderador
I don't think there is any good way to do as your required.
You can grant permission at the folder level, this can prevent users to delete items, but will not allow you to create new subfolders and move emails to them.
Thanks,
Evan
Evan Liu
TechNet Community Support
-
sexta-feira, 22 de junho de 2012 14:30
Hi,
I am currently setting up a new server and have been asked for the same setup to be added to the system.
After a lot of searching and testing the only way I can see of keeping a hard copy of all the emails is to set up a PC with pop3 and smtp setting.
All email accounts will be linked in to one outlook account so that it is picking up all email traffic and also acting as a back up that can be access fast.
Can anyone here tell me if there is a better solution for this or if this is a good option. I plan to add a large hard-drive to this account and keep it off the server with different access codes to keep security at its highest.
We have SBS 2011 and Exchange 2010
Regards
Brian Kelly
We-Fix
-
sexta-feira, 22 de junho de 2012 16:35
Hi,
I am currently setting up a new server and have been asked for the same setup to be added to the system.
After a lot of searching and testing the only way I can see of keeping a hard copy of all the emails is to set up a PC with pop3 and smtp setting.
All email accounts will be linked in to one outlook account so that it is picking up all email traffic and also acting as a back up that can be access fast.
Can anyone here tell me if there is a better solution for this or if this is a good option. I plan to add a large hard-drive to this account and keep it off the server with different access codes to keep security at its highest.
We have SBS 2011 and Exchange 2010
Regards
Brian Kelly
We-Fix
I don't see how this is the same at all.
If you want to keep a copy of all email then simply journal the email to another mailbox. Your objectives seem different so I would suggest that you post a new question with a full outline of what you are looking to achieve.
Simon.
Simon Butler, Exchange MVP
Blog | Exchange Resources | In the UK? Hire Me. -
sexta-feira, 7 de dezembro de 2012 16:28
I am struggling with this matter with no luck :(
Let me explain my setup:
I have SBS 2011 with Exchange 2010 and several users.
I also have a shared mailbox info@xxx.xx which all the users use and I want to give to the users almost full access permissions, everything except deleting items to all users. I try to do this to the user John.
John has an AD account (and therefore he has an email John@xxx.xx but he does not use it. He only uses info@xxx.xx so when I add the mail account to his outlook, i add the exchange server and the info@xxx.xx mailbox. I don't add the John@xxx.xx mailbox and then the info@xxx.xx as an additional mailbox.
If I give John FullAccess mailboxpermission on info@xxx.xx then I can add the email to his outlook and everything works ok.
Add-MailboxPermission -Identity info@xxx.xx -User John -AccessRights FullAccess
If john does not have FullAccess mailboxpermission but i.e. ReadPermission then outlook keeps asking for password and it does not accept the password of John.
Add-MailboxPermission -Identity info@xxx.xx -User John -AccessRights ReadPermission
I then tried to set permission at folder level of info@xxx.xx and I gave John Reviewer Accessrights, which means that his rights are: ReadItems and FolderVisible, but the problem remains.
If he has mailbox permission full access then he access the info@xxx.xx mailbox but can delete items and if he does not have full access permission then he cannot login to outlook!
Add-MailboxPermission -Identity info@xxx.xx:\inbox -User John -AccessRights Reviewer
I also tried a solution I found on this forum to add fullaccess permission to the user and then deny the deleteitem:
Add-MailboxPermission -Identity info@xxx.xx -User John -AccessRights FullAccess
Add-MailboxPermission -Identity info@xxx.xx -User John -Deny -AccessRights DeleteItem
It still does not work. John can still delete any message!
Any help please?? Why is it so hard to achieve??
.png)
