Exchange 2010 SP1 Resource Delegate Permission Problem
I have several room mailboxes on an Exchange 2010 SP1 server. All are configured to have the resource booking attendant enabled. Some of them additionally allow out of policy requests. These have a delegate set. The delegate also receives the forwards of out of policy requests. However, it is not possible to approve them: Outlook 2010 says that it cannot open the "Calendar" folder of the room and OWA does not open the request at all, because the delegate user does not have the appropriate permissions.
What is the proper way to configure a resource delegate? I thought it would suffice to add it in the "Specify delegates of this mailbox" list of EMC. What else do I have to configure in order to make it work?
May 5th, 2011 3:18pm
Hi,
When the room mailbox specifies a user, it can be opened by the user.
To check whether the user is in the resource delegate list: Get-CalendarProcessing -Identity room | fl
If the user is not in the list, use the cmdlet to add the user:
http://technet.microsoft.com/en-us/library/bb124973.aspx
If it is still not working, try granting full access permission to the room to see whether it works or not.
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 9th, 2011 2:10am
> Hi,
> When the room mailbox specifies a user, it can be opened by the user.
> To check whether the user is in the resource delegate list: Get-CalendarProcessing -Identity room | fl
> If the user is not in the list, use the cmdlet to add the user:
> http://technet.microsoft.com/en-us/library/bb124973.aspx
> If it is still not working, try granting full access permission to the room to see whether it works or not.
The user is in the ResourceDelegates list in the output of Get-CalendarProcessing. I have also tried full access permissions, but without success. Regarding full access, I have two questions:
1. Should it not work if I set the resource delegate without full access permission? Setting permissions and delegates makes administration more complex and I do not see any advantage of having a resource delegate list which effectively does not work w/o full access.
2. Is granting full access permissions dependent on AD replication, i. e. could it take some time to become effective? Do I need to restart anything on the server or on the client?
May 9th, 2011 5:50am
Hi,
>1. Should it not work if I set the resource delegate without full access permission?
It should work without full access permission. It is just for test.
>2. Is granting full access permissions dependent on AD replication,
Yes
After you set the resource delegate, check if the user has permission on the calendar folder:
Get-MailboxFolderPermission -Identity "room:\calendar"
If not, add it:
Add-MailboxFolderPermission -Identity "room:\calendar" -User delegateUser -AccessRights Editor
Try on different resources and users to check if it is a common problem.
May 10th, 2011 4:14am
> After you set the resource delegate, check if the user has permission on the calendar folder
> Get-MailboxFolderPermission -Identity "room:\calendar"
I cannot make the request for "room:\calendar", only for "room". It says The operation couldn't be performed because 'room:\calendar' couldn't be found. However, having full access permissions, I can see the calendar in Outlook now.
May 10th, 2011 11:42am
> I cannot make the request for "room:\calendar", only for "room". It says The operation couldn't be performed because 'room:\calendar' couldn't be found. However, having full access permissions, I can see the calendar in Outlook now.
OK, that is because the mailbox is German. room:\Kalender works ... I gave myself permissions, but still cannot approve the forwarded request.
Edit: Found out that I cannot approve my own request, so I created a separate account. Now, I can approve out of policy requests for the one room I have edited. However, the problem seems to be common - I cannot approve any request for other rooms which I have not edited in the way you described.
I assume this should be possible, right? I. e. the permissions should be set if I add a resource delegate. W/o this permission entry, it seems that the delegate cannot work. Is there any workaround (besides writing a PowerShell script that fixes all resource mailboxes or - even worse - using full access permissions) or configuration that I have to change? It would be quite nasty if I had to set the permissions for all resources manually. Additionally, if I had to: would this work for Mail Universal Security Groups, too? That would avoid setting the permissions for a bunch of people in the office who are allowed to approve room requests.
May 10th, 2011 11:46am
> I cannot make the request for "room:\calendar", only for "room". It says The operation couldn't be performed because 'room:\calendar' couldn't be found. However, having full access permissions, I can see the calendar in Outlook now.
OK, that is because the mailbox is German. room:\Kalender works ... I gave myself permissions, but Outlook cannot open the forwarded request.
May 10th, 2011 11:46am
One other idea: Could the problem result from the fact that we have a German room mailbox on an English server system? I mean, if adding a delegate performs Add-MailboxFolderPermission -Identity "room:\calendar", this will not succeed.
May 11th, 2011 5:59am
Hi,
In my personal opinion, it could be the cause of this issue if you use a German Exchange Server on an English version system.
I am sorry that it seems that you have requested support for a localized product. Since we are not familiar with this language, it is very difficult for us to perform further troubleshooting steps, such as capturing the log file. These newsgroups are geared to answer on the English version of the product. For support for localized versions we request that you use the support resources appropriate to that language.
Please visit http://www.microsoft.com/partner and click on the Worldwide Sites link to find the appropriate resources for your language.
If the issue is urgent to your business, it is recommended that you contact Microsoft Product Support Services via telephone so that a dedicated Support Professional can assist you in recovering the server in a more efficient manner. Please be advised that contacting phone support will be a charged call.
To obtain the phone numbers for specific technology request please take a look at the web site listed below.
http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS
If you are outside the US please see http://support.microsoft.com for regional support phone numbers.
Thank you for your understanding.
May 13th, 2011 3:42am
> Hi,
> On my personal idea, it could be the cause of this issue if you use an German Exchange Server on English version system.
I do not have a German server. The W2K8 R2 Ent as well as the Exchange 2010 SP1 Std are both English. However, the mailbox language is German, because the Outlook client is too.
What I am interested in is what the expected behaviour of adding a delegate is: should there be a separate permission for that delegate? If so, I could script that if nothing else helps. However I would like to avoid setting dozens of special mailbox permissions if this should work in a different way, because I consider it a potential security hole having such manually created "ACLs" everywhere.
May 13th, 2011 8:59am
Hi, have you solved it? I got a similar issue, just created new rooms with PowerShell, and added room delegates to a mail-enabled security group, and it doesn't work to approve requests.
Any tips?
Thanks, Magnus
Magnus
June 20th, 2011 7:39am
Hi Magnus,
You can't add a security group to the delegate list. You have to add each member to the delegate access permission list independently.
Set-CalendarProcessing -Identity <Room Mailbox Name> -ResourceDelegates userID1,UserID2,...
Delegates also need Editor access to the free/busy and calendar folder of the mailbox itself so that they can manage meeting requests.
Grant the delegate Full Access Permissions to the Room Mailbox:
Add-MailboxPermission -Identity <Room Mailbox Name> -User userID1,UserID2,... -AccessRights FullAccess
Thanks,
Vidyanand
June 20th, 2011 10:07am
> Hi, have you solved it? I got a similar issue, just created new rooms with PowerShell, and added room delegates to a mail-enabled security group, and it doesn't work to approve requests.
> Any tips?
Unfortunately not. It works by setting the Editor permission and for the Full Access permission, but I do not consider this a real solution, because it requires touching any resource manually. Also, granting full access seems a bit of overkill for me.
June 28th, 2011 11:59am
> You can't add a security group to the delegate list. You have to add each member to the delegate access permission list independently.
I have read that several times, but the interesting thing is: If I follow your instruction and grant full access, it also works for groups - actually, I tried any type of user/group/permission combination I could think of and all comes back to the mailbox permission.
Therefore, I tend to consider this some kind of permission problem that we do not yet understand completely.
June 28th, 2011 12:02pm
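
The per-room fix discussed in this thread (Editor on the room's calendar folder for each listed resource delegate, instead of FullAccess on the whole mailbox), as an added example that is not part of the original posts or any Microsoft tooling. It assumes the Exchange Management Shell, resolves the calendar folder by type so that localized names such as "Kalender" work, and maps each delegate through Get-Recipient; the -Apply switch and the output column names are introduced here for illustration.

```powershell
# Added example. Report-only by default; pass -Apply to actually write permissions.
param([switch]$Apply)

$rooms = Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited

foreach ($room in $rooms) {
    $delegates = (Get-CalendarProcessing -Identity $room.Identity).ResourceDelegates
    if (-not $delegates) { continue }

    # Find the default calendar by folder type, not by name, so a German
    # mailbox ("Kalender") is handled the same way as an English one.
    $calendar = Get-MailboxFolderStatistics -Identity $room.Identity -FolderScope Calendar |
        Where-Object { $_.FolderType -eq 'Calendar' } | Select-Object -First 1
    if (-not $calendar) {
        Write-Warning "No default calendar folder found for $($room.Alias)"
        continue
    }
    $folderId = "$($room.PrimarySmtpAddress):\$($calendar.Name)"

    foreach ($delegate in $delegates) {
        # Assumption: the delegate entry's string form resolves as a recipient identity.
        $recipient = Get-Recipient -Identity "$delegate" -ErrorAction SilentlyContinue
        if (-not $recipient) {
            Write-Warning "Cannot resolve delegate '$delegate' on $($room.Alias)"
            continue
        }
        $user  = "$($recipient.PrimarySmtpAddress)"
        $entry = Get-MailboxFolderPermission -Identity $folderId -User $user -ErrorAction SilentlyContinue
        $rights = @($entry.AccessRights | ForEach-Object { "$_" })

        if ($rights -contains 'Editor') {
            $status = 'OK'
        } elseif ($entry) {
            # An entry with other rights exists: report it, do not overwrite it.
            $status = "Review existing rights: $($rights -join ',')"
        } else {
            Add-MailboxFolderPermission -Identity $folderId -User $user `
                -AccessRights Editor -WhatIf:(-not $Apply)
            $status = if ($Apply) { 'Editor granted' } else { 'Missing (would grant Editor)' }
        }

        New-Object PSObject -Property @{
            Room = $room.Alias; Folder = $calendar.Name; Delegate = $user; Status = $status
        }
    }
}
```

Because the output is one object per room and delegate, it can be exported and re-run later to spot folder permissions that no longer match the ResourceDelegates list.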