amset.info
from Sembee Ltd.
UK MS Exchange Consultants

Microsoft Exchange Server
Page Last Reviewed: 04/03/2009

Exchange Server Compatibility Information

Exchange Server Version    Compatibility
5.5                        Yes
2000                       Yes
2003                       Yes
2007                       Yes

Permissions on Mailbox Folders

Author: Simon Butler, Exchange MVP, MCSE

A common request is for all staff to have access to a particular folder on every account, often the calendar. This means that everyone can see what everyone else is up to.

Note: Before deploying this sort of change, make sure that everyone is aware of the location of the "Private" button. This restricts who can see the content of certain entries.

There are a number of ways of deploying this strategy, but there is no "magic button" on the server that sets these permissions.

  1. Get the users to set the permissions themselves.
    It is probably a good idea to show the users how to do this, even if the permissions are initially set using one of the other methods. This will allow users to set their own permissions - perhaps to allow individual users to have a higher permission than everyone else (the classic Manager/Assistant scenario).
  2. Grant yourself Full Mailbox permissions, log in to the mailbox and adjust the permissions yourself.
    Good for doing one or two mailboxes, but company wide changes are not really practical.
  3. Use tools to make the changes in bulk for you.
    By using a combination of tools available on the Internet, you can make the changes with very little interaction from the administrator.

Using Tools to Make the Permission Changes

If you need to make the permission change across the entire company or a large group, then use tools to make the changes. The same procedure will work for other folders - not just Calendar.

To use this method, you will need the following:

  1. An account to use for setting the permissions (but not THE administrator account)
  2. ADModify.net (http://www.codeplex.com/admodify)
  3. Setperm (get here)

Do not use the administrator account for this task as that account is denied access by default in Exchange.
When setting the permissions on the mailbox, use your explicit account, not a group - particularly not the "Domain Admins" group. Better still - create an account for this purpose then dispose of it afterwards. The account needs to be mail enabled so that you can use Outlook.

You should probably test this procedure with one or two accounts before making the change to the entire domain.

Grant Mailbox Rights

  1. Log in to a machine with the account that you want to use to make the setting changes. This machine needs to have Outlook installed, and preferably the Exchange System Manager tools.
  2. Start ADMODIFY and select the users that you want to change.
  3. Click Next and choose the tab "Mailbox Rights".
  4. The setting you want to change is "Add User to Mailbox Rights", enter the username of the account you are using in the format domain\username and select the option "Full Mailbox Rights".

Setup "Setperm"

  1. Download setperm from here.
  2. Extract the file into its own folder.
  3. Copy the file acl.dll into c:\windows\system32
  4. Run the following command: "regsvr32.exe acl.dll"

Start Setperm

  1. Setperm needs to be run from a command line, initially connecting to a specific mailbox.
    Open a command prompt in the folder where you have extracted the setperm.exe utility.
  2. Start the application using the following command:

    setperm /Mailbox:alias\servername

    For example, if your mailbox is jsmith and the server is mail1 then you would enter:

    setperm /Mailbox:jsmith\mail1
     
  3. If you get an ActiveX error such as:
    "Run-time error '429': ActiveX component can't create object"
    then you haven't registered the dll file correctly - repeat and try again.
  4. Once you have brought up the box, adjust the permissions as required.
    Setting the permissions: Your best option is to set the "Reviewer" permission for your equivalent of "All Staff". Then set higher permissions on an individual or group basis. Don't use the default setting - choose "Custom" and then select the group.
  5. Select the mailboxes that you want to set these permissions on - you cannot use a group - but you can select all the mailboxes using the standard methods.
  6. Once satisfied, click "Set Permissions".

The tool will now connect to each mailbox and set the permissions as required. Note that you can only do one set of permissions at a time - so if you want some users to have "Reviewer" and others to have higher permissions, you will need to run the tool again to set the alternative permissions.

Once the tool has finished, check the permissions are correct. You should then remove the rights to the mailbox that you granted to yourself.

Remove Mailbox Rights

You should remove the mailbox rights so that they are set as before. This is not only good practice from a security point of view, it also ensures that you do not come under suspicion of illicit mailbox access.

Repeat the process that you used to grant the mailbox rights, except:

  • Do not select the account you are using - otherwise you will lock yourself out of the mailbox.
  • Select the option to remove the full mailbox rights.
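
The following check is an added example, not part of the original article or of the ADModify/setperm tooling. It applies only to Exchange 2007, where the Exchange Management Shell is available, and lists any mailbox where the temporary account still holds an explicit Full Access entry after the removal step. The account name CONTOSO\svc-folderperms is a placeholder for whichever account you used.

```powershell
# Run in the Exchange Management Shell (Exchange 2007).
# CONTOSO\svc-folderperms is a placeholder for the temporary account
# that was granted Full Mailbox Rights for the bulk permission change.
$tempAccount = 'CONTOSO\svc-folderperms'

# Collect every mailbox where the account still holds an explicit
# (non-inherited) allow entry for Full Access. Inherited entries come from
# the store or server level and were not added by this procedure.
$leftover = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-MailboxPermission -Identity $_.Identity -User $tempAccount |
        Where-Object {
            -not $_.IsInherited -and
            -not $_.Deny -and
            ($_.AccessRights -like '*FullAccess*')
        }
}

if ($leftover) {
    # Anything listed here was missed by the removal pass and should be
    # cleaned up before the temporary account is disabled or deleted.
    Write-Warning ("{0} mailbox(es) still grant Full Access to {1}" -f @($leftover).Count, $tempAccount)
    $leftover | Format-Table Identity, User, AccessRights -AutoSize
} else {
    Write-Host "No explicit Full Access entries remain for $tempAccount"
}
```

An empty result before the temporary account is disposed of gives you a record that the elevated access was withdrawn from every mailbox, not just the ones you remembered to select.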

New Users

Don't forget that the permission changes need to be made on all new user accounts added after the bulk phase. It will be quicker to use one of the individual methods for that.

Related Articles

There are various ways of accessing the data once you have shared it out. More information can be found on our "Shared Folders" page here.

If you would like to create a special account for access to the mailboxes, then follow our instructions here.

Last Page Update: 04/03/2009

© Sembee Ltd. 1998 - 2010.