Explanation of Shared mailbox full access vs AD Security tab permissions

  • Question

  • I need a good way to explain to a security team at work that when they create a shared mailbox using a script I provided that gives full access to a security group (send as and full access), that is all that is required. They insist they must go into AD and, on that shared mailbox, add the security group and grant it full access under the Security tab, though the group is already listed in Exchange as full access. I can prove it to them by adding my team's security group, and I'll get full access rights, and my security group isn't listed under the Security tab.

    Granted the security group shows up when I grant send-as permissions.

    Security groups are global groups rather than universal groups, so yeah, it takes about 10 minutes for a person to get access to the mailbox after being added to the security group, but they won't change to universal groups. (I've tried.)

    Maybe it was something needed in Exchange 2003 that they keep referring to, but I can't recall ever needing to do such a thing in E12 or E14 to give someone full access to a shared mailbox. Unless I'm just totally wrong.

    Thanks



    • Edited by shayne1980 Tuesday, September 17, 2013 2:36 PM re-wording
    Tuesday, September 17, 2013 2:32 PM

All replies

  • Assigning a Full Access permission (Add-MailboxPermission) won't show the granted user on the Security tab.

    Whereas Send-As (Add-ADPermission) will show the user with Send As permission on the Security tab.

    Tuesday, September 17, 2013 3:12 PM
  • Yes, this I understand. I need to explain to the security team that they do not need to assign full access to that security group on the Security tab to achieve full access and send-as access.

    They believe the security group has to be listed and MUST have everything checked under the Security tab, which I argue is granting the wrong type of permissions to a security group for a shared mailbox.

    Thanks

    Tuesday, September 17, 2013 3:24 PM
  • The way the security team is describing is the legacy way of adding permissions, which is not required in Exchange 2007 and later.

    Please wait for an MS update on this thread; later you can show this to them :)

    Tuesday, September 17, 2013 3:57 PM
  • Hi,

    Generally, to grant full access to a shared mailbox, we can use Active Directory Users and Computers (ADUC) on Exchange 2003 to achieve it. The security group can be added in Properties > Exchange Advanced > Mailbox Rights.

    Additionally, we can also grant Send As permissions in ADUC on the Exchange side. It can be achieved in Properties > Security.

    There are some related threads and official references about this topic, please refer to:

    1. Shared mailbox in exchange 2003

         http://social.technet.microsoft.com/Forums/exchange/en-US/667f9519-5366-4181-80fd-3959044f30e6/shared-mailbox-in-exchange-2003

    2. How to Give a User Full Access to Another User's Mailbox

         http://technet.microsoft.com/en-us/library/aa998707(v=exchg.65).aspx

    3. How to Manually Grant Send As Permissions to a User with Full Mailbox Access

         http://technet.microsoft.com/en-us/library/bb125118(v=exchg.65).aspx

    Hope it helps.

    Thanks,

    Winnie

    Wednesday, September 18, 2013 11:50 AM
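
To show the security team where each right is stored, the following added example (not code from any poster in this thread) reports what one group holds in the mailbox permissions and on the AD object's ACL, and lists any extra AD object rights that are not needed for mailbox access. It assumes the Exchange 2010 Management Shell; the function name and the mailbox and group names are hypothetical placeholders.

```powershell
# Added example, not from the thread. Read-only; run in the Exchange
# Management Shell. Names in the usage line are placeholders.
function Get-SharedMailboxGroupAccess {
    param(
        [Parameter(Mandatory = $true)][string]$Mailbox,
        [Parameter(Mandatory = $true)][string]$Group   # e.g. DOMAIN\GroupName
    )

    $mbx = Get-Mailbox -Identity $Mailbox -ErrorAction Stop

    # Store 1: mailbox rights, written by Add-MailboxPermission.
    # These do not appear on the ADUC Security tab.
    $mbxAces = @(Get-MailboxPermission -Identity $mbx.Identity -User $Group |
        Where-Object { -not $_.Deny })
    $fullAccess = @($mbxAces |
        Where-Object { $_.AccessRights -like '*FullAccess*' }).Count -gt 0

    # Store 2: ACL on the AD object, written by Add-ADPermission.
    # This is what the ADUC Security tab displays.
    $adAces = @(Get-ADPermission -Identity $mbx.DistinguishedName -User $Group |
        Where-Object { -not $_.Deny -and -not $_.IsInherited })
    $sendAs = @($adAces |
        Where-Object { $_.ExtendedRights -like '*Send-As*' }).Count -gt 0

    # Any other right the group holds directly on the AD object (for example
    # every box ticked on the Security tab) is not needed for mailbox access.
    $extraAd = @($adAces |
        Where-Object { -not ($_.ExtendedRights -like '*Send-As*') } |
        ForEach-Object { "$($_.AccessRights) $($_.ExtendedRights)".Trim() })

    New-Object PSObject -Property @{
        Mailbox          = $mbx.DisplayName
        Group            = $Group
        FullAccess       = $fullAccess                # from mailbox permissions
        SendAs           = $sendAs                    # from the AD object ACL
        UnneededADRights = ($extraAd -join '; ')      # empty when least privilege holds
    }
}

# Usage (placeholder names):
# Get-SharedMailboxGroupAccess -Mailbox 'SharedMailbox01' -Group 'CONTOSO\SG-SharedMailbox01'
```

A result with FullAccess and SendAs both True and UnneededADRights empty is the state the original poster's script is meant to produce.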