locked
Outlook\Exchange 2010 Account Delegation and setting Permissions - Multiple delegates, folders and subfolders RRS feed

  • Question

  • Outlook\Exchange 2010 Account Delegation and setting Permissions

    Background:

    I’m new to Outlook and Exchange. We are in the initial stages of migrating users from Lotus Notes and Domino to Outlook and Exchange 2010. We are attempting to determine the best method for granting delegate access to a shared email account, calendar, folders and subfolders for multiple different users with varying permission needs.

    We’ve determined configurations necessary to delegate an account (manager account) so people (Delegates) can act ‘on behalf of’ Manager.

    The issue we have is with setting specific permissions on all the individual folders that some accounts contain. The only way we have found so far is to add permissions to each folder and subfolder that the manager wants to delegate. In some cases this wouldn’t be that big a deal, however, in other cases where an account has 100’s of folders containing subfolders requiring multiple delegates with varying permission requirements, this seems very unreasonable.

     

    I’ve searched for days to find a better method for assigning permissions, but have not uncovered anything to date. We could grant delegates ‘Full access control’ in EMC, but this doesn’t appear to allow for granular permission control and it would allow delegates to ‘Send as’ rather than ‘on behalf of’ the Delegator.

    Does anyone know of any alternative processes, Powershell scripts, or Outlook Add-ins, that will simplify this process?  

    Additionally, is there a way to add individual users to a distribution or security group and then provide these groups the delegate and permissions setting required so configuration is quicker and more manageable. In some cases, we have a couple hundred users requiring various permissions to certain email or calendars within accounts. Adding each person individually will be very time consuming and difficult to manage.  In the Lotus Notes Domino environment this is a simple and straight forward process.  There really has to be a better method for managing these scenarios. Any suggestions or feedback would be greatly appreciated.

     

    Friday, February 3, 2012 12:49 AM

Answers

  • Hi rstricke1,

    Per my know, if you want to grant the permission to the folders, Using the script is the efficient and easiest way, it is better than through the client end.
    Yet, you may need several "add-mailboxfolderpermission" cmdlets to grant the needed permission on many different folder(inbox, calander and so on) for a group users; but, no need to the subfolders.

    Regards!

    Gavin

    TechNet Community Support

    • Proposed as answer by Gavin-Zhang Monday, March 5, 2012 5:04 AM
    • Marked as answer by Gavin-Zhang Monday, March 5, 2012 5:15 AM
    Friday, February 10, 2012 6:38 AM

All replies

  • Hi rstricke1,

    Please refer to some information from below:
    http://technet.microsoft.com/en-us/library/dd298062.aspx
    If you still have some issue, please tell me.

    Regards!

    Gavin

    TechNet Community Support

    Monday, February 6, 2012 9:43 AM
  • Gavin,

    I appreciate the link. I will test these options out to see how to best utilize them in our environment. Is there a way to use these commands to grant a specific level of access to multiple people, folders and subfolders at the same time? We have many examples of shared accounts with extensive folder structures requiring that multiple users can view or make vaying degrees of changes. In addition to being a new Exchange Admin, I'm also new to Powershell so sorry if I am missing something obvious.

     

     

    Monday, February 6, 2012 6:58 PM
  • Hi rstricke1,

    If you want to grant a specific level access permission for a group of people, you could create a DG and add them, then use the add-mailboxfolderpermission to do it.
    Related discussion:
    http://social.technet.microsoft.com/Forums/zh/exchange2010/thread/4bd0202e-ef23-46fc-a2c9-9666acc06b45

    Regards!

    Gavin

    TechNet Community Support

    Thursday, February 9, 2012 6:24 AM
  • We've finally gotten Security Groups to successfully add as delegates or during the configuration of permissions for shared and delgate accounts. Unfortunately, we still have not determined an efficient method to propogate these permissions to all parent and child folders and subfolders within a given account. Unless I'm missing something obvious, the scripts and suggestions we've seen so far are for assigning permissions to specific folders.

    we are new to both Exchange and Powershell scripting, so please pardon my ignorance. If anyone can provide a script to assign specific granular permissions to all the folders contained in a mail file for either an individual or a group, I would greatly appreciate it.

    EXAMPLE:

    I have a shared mail account that is accessed by 5 individuals, which I've added to a Security Group, all requiring owner level permission to 'all' folders and subfolders. This account has contains almost 500 folders and subfolders. I can't simply grant 'Full Administration' permissions in EMC, because the users on 'Behalf of' rather than 'as' the account owner when sending or replying to email from this account.  

    Question:

    What is the most efficient and easiest method to grant and administrate (over time) the required permissions for these users to all the required folders and subfolders.  

    Thursday, February 9, 2012 4:24 PM
  • Hi rstricke1,

    Per my know, if you want to grant the permission to the folders, Using the script is the efficient and easiest way, it is better than through the client end.
    Yet, you may need several "add-mailboxfolderpermission" cmdlets to grant the needed permission on many different folder(inbox, calander and so on) for a group users; but, no need to the subfolders.

    Regards!

    Gavin

    TechNet Community Support

    • Proposed as answer by Gavin-Zhang Monday, March 5, 2012 5:04 AM
    • Marked as answer by Gavin-Zhang Monday, March 5, 2012 5:15 AM
    Friday, February 10, 2012 6:38 AM
  • I appreciate all the feedback. I must state however, that for all the talk of how much better Outlook and Exchange are than Lotus Notes and Domino, I've yet to experience anything to convince me of this so far. Maybe from an end-user perspective, since Outlook ties in with the Office suite and provides a more uniform experience, but from an Administration and support standpoint, so far it seems very lacking.

    Opinion aside, we are stuck with Outlook and Exchange and must uncover the tools and processes we will need to maintain this environment.

    Problem: Still looking for a simple solution for assigning and propogating permissions for a delegate(s) or a group to 'all' folders in a shared account without having to adjust them individually.

    We can not believe that there isn't a better method for propagating granualar permissions to 'all' folders and content in a particular delegated or shared account. We have many accounts that contain 50-500 folders. It seems ridiculous that we would have to process a command or select and adjust permissions for each and every folder. We should be able to select the top level folder, enter the appropriate permissions for a user or group and have the option to propagate this to all folders and subfolders as in Windows Explorer. We can't use the EMC 'Assign Full Permissions' however, since 'Send on Behalf' doesn't seem to work for this option, plus, we don't always want to assign 'Full Access' rights.

    We hope in our ignorance as a nubes, that  we are simply missing the obvious and that a simple solution exists. This is a simple and easy to administer task in Lotus Notes. I look forward to hearing how easy this task is to perform in Outlook\Exchange.

    Monday, February 13, 2012 2:41 PM
  • Hi rstricke1,

    As I referred above, you could refer to below to learn how to use the cmdlet:
    http://technet.microsoft.com/en-us/library/dd298062.aspx
    It is a pity that we have to use the cmdlets to achieve the target, unless to some customized development.
    I will close the case, you will be free to reopen it anytime, and if you want to get some other addational help, it is better to call MS.

    Regards!

    Gavin

    TechNet Community Support



    Monday, March 5, 2012 5:13 AM
  • Gavin,

    Thanks for the information, we will test these cmdlets out to see what they do and if they work for our particular requirements. Hopefully Microsoft will come up with a better solution for this process in the near future however. Considering how popular Outlook and Exchange have become, I was expecting a much more polished product. Our experience so far has not been very positive from an Administrative or client perspective. We almost feel as though we are using a beta application compared to the much older Lotus/ Domino environment we are moving from. Hopefully we are just ignorant at the moment and missing all that is 'great' or 'better' about Outlook.

    Tuesday, March 6, 2012 2:23 PM