Giving Permissions to a mailbox to a cross domain user

  • Question

  • We are now running Exchange 2010. Previously ran Exchange 2003. We have several domains in our forest. Previously, if someone from another domain, let's say for the sake of this question it was the "Houston" domain, wanted to have access to a mailbox in the "Toronto" domain in Active Directory, I would assign that user's account houston\%username% to the mailbox toronto\%mailbox% with whatever level of permissions were being requested. However, since we have upgraded our domain controllers from 2003 to 2008 and upgraded Exchange from 2003 to 2010, I no longer have the same permissions tab in AD as we used to.

    Previously I would just go to the resource in AD and right click it, go to "Exchange Advanced" and then click on "Mailbox Rights" then 

    See picture:


    Then I would assign the person's account to the resource by selecting the domain to whom the user wishing to have access to the resource originates from. (see below - you can see that all of the trusted domains are listed)

    However, in Exchange 2010 when I click on "Manage Full Access" the "Picker Scope" only detects the parent domain (see below) to assign permissions for other users and not cross domains.

    I would like to know how do I add permissions for accounts from domains other than my own in Exchange 2010.

    Please let me know if you have any questions or comments, thank you in advance for your assistance.

    Thank you, Chris

    Thursday, February 25, 2016 2:21 PM

All replies

  • This forum is for Exchange development questions. Please post questions about administration to the admin forum on TechNet.
    Thursday, February 25, 2016 2:32 PM
  • Hey Chris,

    In multi-Domain Forests you may encounter a situation where the Exchange is not displaying the results you are expecting.  The reason for this is what is known as the Recipient Scope.

    The Recipient Scope is the portion of Active Directory that the Exchange Management Shell or Console will use when managing recipients.  For example, you may set the scope to a single Domain, OU, or to the entire Forest.

    You can also modify the scope.  To modify the scope to the entire Forest you would issue this shell command.

    Set-AdServerSettings -ViewEntireForest $true

    Refer to TechNet article: https://technet.microsoft.com/en-us/library/bb124527(v=exchg.141).aspx

    Regards, ASP

    • Proposed as answer by EMMmmmmmm Friday, February 26, 2016 10:45 AM
    Friday, February 26, 2016 9:40 AM
  • When I perform those actions I still am not receiving any other domain information in the Scope Picker other than the parent domain.

    Thank you, Chris

    Thursday, March 3, 2016 3:35 PM
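
The shell equivalent of "Manage Full Access" with the forest-wide recipient scope from the reply above, as an added example that is not part of the original thread: it widens the scope, resolves both accounts, grants the right only if it is missing, and lists the explicit permissions afterwards for review. The names `TORONTO\shared-mailbox` and `HOUSTON\jdoe` are placeholders, and FullAccess is assumed as the requested permission level.

```powershell
# Run in the Exchange Management Shell (Exchange 2010).
# Placeholder identities (assumptions, not from the thread).
$Mailbox  = 'TORONTO\shared-mailbox'
$Delegate = 'HOUSTON\jdoe'

# Widen the recipient scope to the whole forest for this shell session.
Set-ADServerSettings -ViewEntireForest $true
if (-not (Get-ADServerSettings).ViewEntireForest) {
    throw 'Recipient scope is still limited to a single domain.'
}

# Resolve both objects first so a wrong name fails here, before any change is made.
$mbx = Get-Mailbox -Identity $Mailbox  -ErrorAction Stop
$usr = Get-User    -Identity $Delegate -ErrorAction Stop
Write-Host "Mailbox : $($mbx.Identity)"
Write-Host "Delegate: $($usr.Identity)"

# Look for an existing explicit (non-inherited, non-deny) FullAccess entry.
$existing = Get-MailboxPermission -Identity $mbx.Identity -User $Delegate |
    Where-Object {
        -not $_.IsInherited -and -not $_.Deny -and ($_.AccessRights -match 'FullAccess')
    }

# Grant FullAccess only when it is not already present.
if (-not $existing) {
    Add-MailboxPermission -Identity $mbx.Identity -User $Delegate `
        -AccessRights FullAccess -InheritanceType All
}

# Review every explicit entry on the mailbox after the change,
# leaving out the mailbox owner's own SELF entry.
Get-MailboxPermission -Identity $mbx.Identity |
    Where-Object { -not $_.IsInherited -and $_.User.ToString() -ne 'NT AUTHORITY\SELF' } |
    Format-Table User, AccessRights, Deny -AutoSize
```

The final listing doubles as a periodic check for cross-domain delegates that no longer need access; `Remove-MailboxPermission` with the same `-Identity`, `-User` and `-AccessRights` values revokes a grant.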