FullAccess Permissions - Users or Groups?

  • Question

  • Trying to figure out what the most correct way to assign FullAccess permissions to a mailbox is.

    As all good IT admins know, the first rule of permissions is to always assign permissions to a group rather than a user, which I (almost) always stick to... except when it comes to Exchange permissions, where I've always been of the school of thought that you assign FullAccess permissions to a user rather than a group.

    The reason I do it this way is because when a user is assigned FullAccess permissions, that mailbox will automatically be added to their Outlook next time they log in, whereas if permissions are assigned to a group, those users will all need to add that mailbox in 'open these additional mailboxes'.

    What does everyone here think? Which way is more right? I still like the idea of changing permissions, then telling the user to restart Outlook, and the mailbox just appears.

    Wednesday, October 17, 2012 5:35 AM

Answers

  • On Thu, 18 Oct 2012 22:53:05 +0000, Chris_d33 wrote:
     
    >
    >
    >>The reason would appear to be that automapping is performed by the Add-MailboxPermission cmdlet, and the cmdlet probably doesn't recurse groups to add that attribute setting to each user.
    >
    >Correct. But I'm just having a hard time seeing the logic here. We're always taught to use groups instead of users, but this seems like a good case for using users over groups.
     
    It is if you want auto mapping to work.
     
    >>I suppose the size of the ACL might have something to do with it.
    >
    >>Trying to manage the FMA permission when there might be 50 or more individuals in the list is a PITA, too.
    >
    >Agreed. But if I've got 50 users that all need access to sales@, it's going to be more of a hassle trying to get 50 users to open that mailbox manually than it would be for me to do permissions on a user level and have that mailbox just appear for them next time Outlook is started.
     
    Then assign FMA individually. Auto mapping may sound great, but think
    about what can happen if you've assigned a group of people FMA on
    several hundred (or thousand) mailboxes and then they try to open
    Outlook!
     
    >Sorry if I'm being difficult here, I'm not trying to be. I'm just trying to figure out why you would do things the right way (groups), when there is such an advantage to doing things the wrong way (users). It bugs me when we do things the way we do just because that's how it's done even though there is a flaw in the logic.
     
    The "right way" depends on whether you're going to remember to disable
    auto mapping when you assign FMA or if you're going to forget and have
    a bunch of people with more mailboxes open than Outlook will handle.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     
    Friday, October 19, 2012 2:09 AM

All replies

  • Really?  I wasn't aware that adding permissions to a mailbox would automatically add it to the user's profile.  That seems a reach to me, for Outlook would have to scan the mailbox rights of every mailbox every time it opens to see what mailboxes the user has rights on, and it would seem that would take a long time.

    Since mailbox rights are almost conferred to an individual user, such as in a manager-delegate relationship, or to the BESAdmin account, I think it's perfectly reasonable to confer rights to a user rather than putting the user into a group and conferring rights to the group.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Wednesday, October 17, 2012 4:13 PM
  • Yeah, true story. You add a user and they get the mailbox next time Outlook is launched.

    Like you say, quite often it is a case of one user needing a mailbox, so this works well. When it becomes annoying is when you have something like a sales@ mailbox that all the members of the sales department need. Ideally you would add all the users to the sales group and give the group permission to sales@. But the problem there is you have to go to each user's Outlook and Open additional mailboxes.

    So in this case, at least in my opinion, there is a disadvantage to adding permissions based on groups.

    Wednesday, October 17, 2012 10:27 PM
  • And I've just discovered that little trick doesn't work with Office365. Even when giving a user FullAccess, you still have to open the additional mailbox manually.
    Wednesday, October 17, 2012 11:21 PM
  • On Wed, 17 Oct 2012 16:13:30 +0000, Ed Crowley wrote:
     
    >
    >
    >Really? I wasn't aware that adding permissions to a mailbox would automatically add it to the user's profile. That seems a reach to me, for Outlook would have to scan the mailbox rights of every mailbox every time it opens to see what mailboxes the user has rights on, and it would seem that would take a long time.
     
    I think he's referring to "auto mapping", Ed.
     
    http://www.stevieg.org/2010/08/auto-mapping-shared-mailboxes-in-exchange-2010-sp1-with-outlook-2010/
    http://technet.microsoft.com/en-us/library/hh529943.aspx
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     
    Thursday, October 18, 2012 12:54 AM
  • Thanks Rich. That's the one.

    But I'm still unsure as to why group members don't auto map. Which brings me back to my original question... why would you assign permissions to a group rather than a user?

    I know there's usually some logic to the way MS does things... Just trying to work out what it is here.

    Thursday, October 18, 2012 1:09 AM
  • Maybe you can follow this way to add users individually:

    # Expand the group and grant FullAccess to each member individually
    # (the parameter is -AccessRights; the mailbox and group names are examples).
    Get-DistributionGroupMember -Identity Groupname -ResultSize Unlimited | ForEach-Object {
        Add-MailboxPermission -Identity usermailbox -User $_.Name -AccessRights FullAccess
    }

    I tested before; auto-mapping did not work when you granted permission to a group.

    Thanks,

    Evan


    Evan Liu

    TechNet Community Support

    Thursday, October 18, 2012 10:10 AM
    Moderator
  • The reason would appear to be that automapping is performed by the Add-MailboxPermission cmdlet, and the cmdlet probably doesn't recurse groups to add that attribute setting to each user.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Thursday, October 18, 2012 4:27 PM
  • On Thu, 18 Oct 2012 01:09:19 +0000, Chris_d33 wrote:
     
    >Thanks Rich. That's the one.
    >
    >But I'm still unsure as to why group members don't auto map.
     
    http://www.msexchange.org/articles_tutorials/exchange-server-2010/management-administration/mailbox-auto-mapping-exchange-server-2010-part1.html
     
    >Which brings me back to my original question... why would you assign permissions to a group rather than a user?
     
    I suppose the size of the ACL might have something to do with it.
    Trying to manage the FMA permission when there might be 50 or more
    individuals in the list is a PITA, too.
     
    >I know there's usually some logic to the way MS does things... Just trying to work out what it is here.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     
    Thursday, October 18, 2012 8:27 PM
  • >The reason would appear to be that automapping is performed by the Add-MailboxPermission cmdlet, and the cmdlet probably doesn't recurse groups to add that attribute setting to each user.

    Correct. But I'm just having a hard time seeing the logic here. We're always taught to use groups instead of users, but this seems like a good case for using users over groups.

    >I suppose the size of the ACL might have something to do with it.

    >Trying to manage the FMA permission when there might be 50 or more individuals in the list is a PITA, too.

    Agreed. But if I've got 50 users that all need access to sales@, it's going to be more of a hassle trying to get 50 users to open that mailbox manually than it would be for me to do permissions on a user level and have that mailbox just appear for them next time Outlook is started.

    Sorry if I'm being difficult here, I'm not trying to be. I'm just trying to figure out why you would do things the right way (groups), when there is such an advantage to doing things the wrong way (users). It bugs me when we do things the way we do just because that's how it's done even though there is a flaw in the logic.

    Thursday, October 18, 2012 10:53 PM
  • I can't argue philosophy.

    You're welcome to suggest an enhancement request to mswish@microsoft.com.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Friday, October 19, 2012 12:33 AM
  • I tested in my lab (Exchange 2010 SP2) before; auto-map does not work when you grant full access permission to a group.

    One workaround is to follow that command to add users individually.

    Thanks,

    Evan


    Evan Liu

    TechNet Community Support

    Tuesday, October 23, 2012 9:43 AM
    Moderator
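    An added example, not code from anyone in this thread: a script that does what Evan's one-liner does but also expands nested groups, skips members that already hold FullAccess (so it can be re-run safely), and sets -AutoMapping explicitly so the scenario Rich warns about (a whole group auto-mapped onto hundreds of mailboxes) is a deliberate choice rather than the default. The mailbox and group names are placeholders; it assumes the Exchange Management Shell on Exchange 2010 SP1 or later, where Add-MailboxPermission has the -AutoMapping parameter.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Grants FullAccess on one mailbox to every user mailbox in a group, including
# nested groups, one ACE per user, with auto-mapping set explicitly.
param(
    [Parameter(Mandatory = $true)] [string] $Mailbox,  # placeholder, e.g. 'sales'
    [Parameter(Mandatory = $true)] [string] $Group,    # placeholder, e.g. 'Sales-Team'
    [bool] $AutoMapping = $false                       # opt in; default is no auto-map
)

# Recursively expand a group to user mailboxes. $Seen guards against
# nested-group loops (A contains B, B contains A).
function Expand-GroupMembers {
    param([string] $GroupName, [hashtable] $Seen)
    if ($Seen.ContainsKey($GroupName)) { return }
    $Seen[$GroupName] = $true
    Get-DistributionGroupMember -Identity $GroupName -ResultSize Unlimited |
        ForEach-Object {
            if ($_.RecipientType -like '*Group*') {
                Expand-GroupMembers -GroupName $_.DistinguishedName -Seen $Seen
            } elseif ($_.RecipientType -eq 'UserMailbox') {
                $_
            }
        }
}

$members = Expand-GroupMembers -GroupName $Group -Seen @{} |
    Sort-Object -Property DistinguishedName -Unique

foreach ($m in $members) {
    # Idempotent: skip users who already hold an explicit FullAccess ACE.
    $existing = Get-MailboxPermission -Identity $Mailbox -User $m.DistinguishedName -ErrorAction SilentlyContinue |
        Where-Object { ($_.AccessRights -contains 'FullAccess') -and (-not $_.IsInherited) }
    if ($existing) {
        Write-Host "Already has FullAccess: $($m.Name)"
        continue
    }
    Add-MailboxPermission -Identity $Mailbox -User $m.DistinguishedName `
        -AccessRights FullAccess -InheritanceType All -AutoMapping $AutoMapping | Out-Null
    Write-Host "Granted FullAccess to $($m.Name) (AutoMapping=$AutoMapping)"
}

# Review the resulting ACL; one ACE per user is the management cost Rich mentions.
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
    Select-Object User, AccessRights
```

    Because the grants are per user, membership changes in the group are not picked up automatically; re-run the script after adding members, and remove the ACE with Remove-MailboxPermission for anyone who leaves.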