Outlook Delegate permissions with Exchange 2010 RBAC.
Environment:
Exchange 2010
Windows 2008
Outlook 2007 Service pack 2
Issue:
A mailbox enabled user has the following permissions on a Room mailbox.
- Full Access Permission
- Send As Permission
When this user tries to give another user delegate permissions to the room mailbox it fails with the below Outlook dialog box.
The Delegates settings were not saved correctly. Cannot activate send-on-behalf-of list. You do not have permission...
Fix as listed for Exchange 2010
http://blogs.msdn.com/b/pepeedu/archive/2010/02/04/outlook-delegate-with-exchange-2010-rbac-implementation.aspx
My issue is I don't want to allow system wide send on behalf rights or even per OU for generic mailboxes but allow only one user send on behalf right to one mailbox... without creating a crazy amount of RBAC roles.
Ideas??
January 9th, 2012 10:03pm
Those commands create one custom role, and then assign that role to a group. From there, you would need to put people in that group for them to receive those permissions. The group will be empty by default. So if you use that solution, just put the one person who needs those rights in the "Delegate GrantSendOnBehalf Mailboxes" group.
If you don't want to create the group, you could just assign the role directly to one user. For example, skip the last command and replace with:
New-ManagementRoleAssignment -Role GrantSendOnBehalf -User nameofuser
Mike Pfeiffer | blog: mikepfeiffer.net | twitter: @mike_pfeiffer
January 9th, 2012 10:24pm
Thanks Mike, Good blog BTW I check it every couple of weeks.
RBAC Triangle always does my head in... Can you limit permission/scope to the cmdlet for GrantSendOnBehalf to a single mailbox?
Just from a security point of view if we use the given example
New Role Group
Write Scope: Default
Roles: Delegate GrantSendOnBehalf Mailboxes
Members: UserA
Will UserA have rights to GrantSendOnBehalf to all mailboxes in the Org?
January 10th, 2012 1:54am
Yeah, so you could get around that using a custom management scope. For example, instead of using the New-RoleGroup cmdlet at the end, you could do the following:
New-ManagementScope -Name "GrantSendOnBehalfScope" -RecipientRestrictionFilter {DistinguishedName -eq "CN=UserB,CN=Users,DC=domain,DC=local"}
New-ManagementRoleAssignment -Role GrantSendOnBehalf -User UserA -CustomRecipientWriteScope "GrantSendOnBehalfScope"
Then, UserA would only have those rights to UserB.
Mike Pfeiffer | blog: mikepfeiffer.net | twitter: @mike_pfeiffer
January 10th, 2012 9:40am
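The complete sequence the thread walks through (custom role from the linked blog post, single-recipient scope, scoped assignment) plus the checks that confirm the write scope really is one mailbox. This is an added example, not code from the thread or from Mike's blog; the room name "Boardroom" and the user "UserA" are placeholders, and it assumes an Exchange 2010 Management Shell session with permission to manage RBAC.

```powershell
# 1. Custom role derived from "Mail Recipients", trimmed to the single
#    cmdlet/parameter pair Outlook needs to save the Send-On-Behalf list.
New-ManagementRole -Name "GrantSendOnBehalf" -Parent "Mail Recipients"
Get-ManagementRoleEntry "GrantSendOnBehalf\*" |
    Where-Object { $_.Name -ne "Set-Mailbox" } |
    Remove-ManagementRoleEntry -Confirm:$false
# -Parameters without -AddParameter/-RemoveParameter replaces the list,
# so only Identity and GrantSendOnBehalfTo remain on Set-Mailbox.
Set-ManagementRoleEntry "GrantSendOnBehalf\Set-Mailbox" -Parameters Identity,GrantSendOnBehalfTo

# 2. Management scope that matches exactly one recipient: the room mailbox
#    ("Boardroom" is a placeholder name).
$room = Get-Mailbox -Identity "Boardroom"
New-ManagementScope -Name "GrantSendOnBehalfScope" `
    -RecipientRestrictionFilter "DistinguishedName -eq '$($room.DistinguishedName)'"

# 3. Assign the role to the one user, bound to the scope. Without
#    -CustomRecipientWriteScope the assignment inherits the role's default
#    write scope, which covers every recipient in the organisation.
New-ManagementRoleAssignment -Name "GrantSendOnBehalf-UserA" `
    -Role "GrantSendOnBehalf" -User "UserA" `
    -CustomRecipientWriteScope "GrantSendOnBehalfScope"

# 4. Verify: the assignment must show the custom write scope, and the
#    room mailbox should list UserA as an effective user of this role.
Get-ManagementRoleAssignment -RoleAssignee "UserA" |
    Format-List Role,RecipientWriteScope,CustomRecipientWriteScope
Get-ManagementRoleAssignment -WritableRecipient $room.Identity -GetEffectiveUsers |
    Where-Object { $_.Role -like "GrantSendOnBehalf*" } |
    Format-Table EffectiveUserName,Role,CustomRecipientWriteScope
```

Running the second verification against any other mailbox should return no GrantSendOnBehalf assignment for UserA; if it does, the scope filter is matching more than the one DN.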
Adds a bit of extra work from our 2003 to 2010 migration but it is what it is....
Thanks Mike for the help
January 10th, 2012 6:57pm
Hi Mike,
Not sure if you have seen this or not but it appears that this was resolved in SP1 RU6 with the new role group
MyMailboxDelegation
http://support.microsoft.com/kb/2559814
You register this new Role and give the users full Mailbox Access plus Send As and Write Personal Information permissions; users are then able to set delegates on mailboxes where they are supposed to have the Full Mailbox Permissions.
Thanks
Josh
February 12th, 2012 7:33pm