locked
Delegate page is not available. Cannot access Outlook folder. RRS feed

  • Question

  • Hello,

    We are running Exchange 2013 with Outlook 2013 clients.

    We created a Shared Mailbox and gave a couple users Full Access and Send As permissions via the EAC.

    What we are trying to accomplish is to be able to allow the user with Full Access to be able to delegate rights to other users for this shared mailbox. However, I'm not sure if our method is even supported as I can't find any MS article doing it this way.

    Once the full access user is setup, they'll open their Outlook and via the Account Settings page add the Shared mailbox as a separate account next their own.

    After that, they will open the Account Information page and change the account to the Shared mailbox and open the Delegate Access page.

    However, here we have been seeing different results for different users. One user will be able to get the Delegates window to open and be able to add users to it, but once they try to click OK it will give them an error stating "The Delegates settings were not saved correctly. Cannot activate send-on-behalf-of list. You do not have sufficient permissions to perform this operation on this object."

    We then setup another user exactly the same way and when they try to access the Delegate page, they get an error stating "The Delegates page is not available. Cannot access Outlook folder."

    Both of these users have been normal users with no Admin rights. I added myself (Domain Admin rights) to the Shared mailbox and was able to successfully add delegates to the mailbox without any problems.

    Any suggestions?

    Thanks

    Wednesday, December 30, 2015 3:12 PM

Answers

  • Hi,

    To manage the delegation of shared mailbox, user must be assigned to Organization Management and Recipient Management role group.

    Normal users with just full access permission cannot manage delegation of shared mailbox, that's why your account (with Domain Admin rights) can perform this action.

    The Full Access permission lets a user log into the shared mailbox and act as the owner of that mailbox. While logged in, the user can create calendar items; read, view, delete, and change email messages; create tasks and calendar contacts. However, a user with Full Access permission can’t send email from the shared mailbox unless they also have Send As or Send on Behalf permission.

    For your requirement: allow the user with Full Access to be able to delegate rights to other users for this shared mailbox. I suggest to customize a role to allow specific users to manage delegation rights of shared mailbox or other mailbox based on RBAC. More information about RBAC, see this document.

    https://technet.microsoft.com/en-us/library/dd298183%28v=exchg.150%29.aspx

    Best Regards.


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Lynn-Li
    TechNet Community Support

    • Marked as answer by Lynn-Li Friday, January 8, 2016 2:56 AM
    Thursday, December 31, 2015 6:53 AM

All replies

  • As long as you have added the shared mailbox as additional account, the method above should work. The delegates page often times out, so just try again. Permissions shouldn't be the issue, afaik it uses EWS to setup the delegates, so even if you have restricted the availability of the Sendonbehalfof parameter, it should still work.

    You can also try creating a separate profile for just the shared mailbox, see if it makes a difference.

    Wednesday, December 30, 2015 8:55 PM
  • Hi Vasil,

    It's definitely not a time out issue as I have been trying this now for days.

    I tried your suggestion of setting up the separate profile just for the shared mailbox and for my one user who keeps getting the error "The Delegates page is not available. Cannot access Outlook folder.", it now allows them to open the delegates window just like the first person.

    However, just like the first person they are unable to add any user and save it.

    While typing this up, I took another look at KB2593557 (I ignored this the first time because I didn't believe it applied to me) and realized that it may actually have merit.

    Under the Cause, there are 3 possible reasons this could happen. The first two were not the case but the last one about the SELF object could very well be.

    I checked the effective permissions for my two users and found in fact they do not have "Write Personal Information" permissions.

    I added the registry key per the KB article now my user can add delegates without any errors.

    However, the user we added as a delegate is now unable to open the shared mailbox. We added the shared to the users main account under the Advanced tab "Open these additional mailboxes". It shows up in their folder pane but gives the error "cannot expand the folder". We've seen this in the past but it usually goes away after a short while so I'll give it some more time.

    Thanks for your help so far!


    • Edited by Zick2500 Wednesday, December 30, 2015 10:22 PM
    Wednesday, December 30, 2015 10:21 PM
  • Hi,

    To manage the delegation of shared mailbox, user must be assigned to Organization Management and Recipient Management role group.

    Normal users with just full access permission cannot manage delegation of shared mailbox, that's why your account (with Domain Admin rights) can perform this action.

    The Full Access permission lets a user log into the shared mailbox and act as the owner of that mailbox. While logged in, the user can create calendar items; read, view, delete, and change email messages; create tasks and calendar contacts. However, a user with Full Access permission can’t send email from the shared mailbox unless they also have Send As or Send on Behalf permission.

    For your requirement: allow the user with Full Access to be able to delegate rights to other users for this shared mailbox. I suggest to customize a role to allow specific users to manage delegation rights of shared mailbox or other mailbox based on RBAC. More information about RBAC, see this document.

    https://technet.microsoft.com/en-us/library/dd298183%28v=exchg.150%29.aspx

    Best Regards.


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Lynn-Li
    TechNet Community Support

    • Marked as answer by Lynn-Li Friday, January 8, 2016 2:56 AM
    Thursday, December 31, 2015 6:53 AM
  • Hi Lynn

    Thank you, that seems to partially work. However, I do have a couple questions and issues still. 

    1. You said "user must be assigned to Organization Management and Recipient Management role group." but during my testing I found that if the user is assigned to either one of these groups and not both, they can still delegate access to other users. Is there a reason I would need to use both groups?

    2. Also when a user is granted Delegate access, is there a corresponding Active Directory Attribute that is set on the delegates user object? There seems to be times we make changes in Exchange that take time to replicate into Active Directory and instead of playing the trial & error game, it would be nice to examine the AD account and see when the attribute gets modified.

    After being able to add a user to the delegate of the shared mailbox, that delegate was still unable to expand the shared mailbox folder. Kept getting the "cannot expand the folder" error.

    To work around this, I modified the shared mailbox root folder permissions. I added the delegate and enabled "Folder visible" option only. This now allowed the delegate user to expand the shared folder but was only able to see the Inbox (was able to see emails). I would have thought the delegate would be able to see all the folders but it appears that it only gives them rights to the Inbox.

    I guess this goes back to one of my original questions; Is this the correct way to give users access to a shared mailbox? Seems like no matter which way we do it, it is a multiple step process that is very confusing to everyone.

    Thursday, December 31, 2015 8:17 PM
  • Hi, Zick

    1.    I apologize for my mistake, user only needs to be assigned with Organization Management permission. See "Permissions and delegation" entry in the Recipients Permissions topic.

    https://technet.microsoft.com/en-us/library/dd638132%28v=exchg.160%29.aspx

    2.    msExchDelegateListLink AD attribute stores the delegate permission. You can check this attribute or use Get-MailboxPermission cmdlet

    For error "cannot expand the folder". Check the error via OWA first. And try to add this shared mailbox account to outlook with delegate logon credential. 

    3.    The correct way to give users access to a shared mailbox, refer to the section "Use the EAC to edit shared mailbox delegation" from this document.

    https://technet.microsoft.com/EN-US/library/jj150570%28v=exchg.150%29.aspx

    Or use add-mailboxpermission with AutoMapping parameter.

    For now, I suggest to remove all permissions from Server side and Outlook side, then try the way via EAC/EMS

    Best Regards.


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Lynn-Li
    TechNet Community Support


    • Edited by Lynn-Li Monday, January 4, 2016 1:55 AM
    Monday, January 4, 2016 1:54 AM