Read-only mailbox access for authenticated users
Hi,

I'm trying to give all users on our domain and trusted forests read-only access to mailbox calendars for all other users in the Exchange 2007 Org. These articles seem to suggest that assigning 'Receive as' extended rights to each mailbox database should do the trick.

http://technet.microsoft.com/en-us/library/bb310792(EXCHG.80).aspx
http://msexchangeteam.com/archive/2006/01/25/418099.aspx
http://technet.microsoft.com/en-us/library/aa996343.aspx

However, I've tried the following PowerShell commands, and am still getting 'You do not have permission to view this calendar' when using File > Open > Other User's Folder:

get-mailbox -database exchangeserver1\storagegroup1\mailboxdatabase1 | add-adpermission -user "authenticated users" -ExtendedRights Receive-As

... and this is despite waiting 2 hours for the Info Store Cache to clear, as well as dismounting and mounting the database for good measure.

Any ideas as to why I can't view calendars read-only, or is this not possible?

Many thanks,
IR8
December 1st, 2010 2:47pm

Have you tried to take full permission of the mailbox and then add it as your secondary calendar and set the permission there?
December 1st, 2010 9:28pm

Hi,

To open a shared calendar from Outlook, you need to configure the permission of the calendar folder. The folder-level permission is different from AD and mailbox permission. To configure the calendar folder share permission, you can only use the pfDAVAdmin tool to batch add the permission:

http://msexchangeteam.com/archive/2010/04/09/454590.aspx

For how to use it, please refer to the following articles:

http://www.msexchange.org/articles/PFDavAdmin-tool-Part1.html
http://www.msexchange.org/articles/PFDavAdmin-tool-Part2.html

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Thanks
Gen Lin-MSFT
December 6th, 2010 12:52am

> Hi, To open a shared calendar from Outlook, you need to configure the permission of the calendar folder. The folder-level permission is different from AD and mailbox permission. To configure the calendar folder share permission, you can only use the pfDAVAdmin tool to batch add the permission: http://msexchangeteam.com/archive/2010/04/09/454590.aspx
> For how to use it, please refer to the following articles: http://www.msexchange.org/articles/PFDavAdmin-tool-Part1.html http://www.msexchange.org/articles/PFDavAdmin-tool-Part2.html
> Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
> Thanks Gen Lin-MSFT

I believe that pfDAVAdmin is not the only option. Since this is Exchange 2007, you also have the option of scripting the addition of delegates to a folder using the EWS Managed API. Glen Scales provides the code to do exactly that with PowerShell here:

http://gsexdev.blogspot.com/2009/04/add-delegates-to-mailbox-with.html
December 6th, 2010 7:11am

Thanks both for your responses.

I've managed to get a script working using the EWS Managed API for a single mailbox calendar and single delegate read-only access (see below). However, I'm lost with scaling this up with a For Each ... Next loop for adding all domain users as delegates to all mailbox calendars.

Any help on this would be appreciated. Thanks in advance.

+++++++++++++++++++++++++++++++++++++++++++++++++
$mbtoDelegate = "mailbox@domain.com"
$delegatetoAdd = "delegate@domain.com"

# Load the EWS Managed API and create a service object for Exchange 2007 SP1
$dllpath = "C:\Program Files\Microsoft\Exchange\Web Services\1.1\Microsoft.Exchange.WebServices.dll"
[void][Reflection.Assembly]::LoadFile($dllpath)
$service = new-object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2007_SP1)

#$windowsIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
#$sidbind = "LDAP://<SID=" + $windowsIdentity.user.Value.ToString() + ">"
#$aceuser = [ADSI]$sidbind
#$service.AutodiscoverUrl($aceuser.mail.ToString())
$uri=[system.URI] "https://autosdiscover.domain.com/ews/exchange.asmx"
$service.Url = $uri

# Impersonate the owner of the mailbox whose delegate list is being changed
$service.ImpersonatedUserId = new-object Microsoft.Exchange.WebServices.Data.ImpersonatedUserId([Microsoft.Exchange.WebServices.Data.ConnectingIdType]::SmtpAddress, $mbtoDelegate);
$mbMailbox = new-object Microsoft.Exchange.WebServices.Data.Mailbox($mbtoDelegate)

# Delegate with Reviewer (read-only) rights on the calendar only
$dgUser = new-object Microsoft.Exchange.WebServices.Data.DelegateUser($delegatetoAdd)
$dgUser.ViewPrivateItems = $false
$dgUser.ReceiveCopiesOfMeetingMessages = $false
$dgUser.Permissions.CalendarFolderPermissionLevel = [Microsoft.Exchange.WebServices.Data.DelegateFolderPermissionLevel]::Reviewer
#$dgUser.Permissions.InboxFolderPermissionLevel = [Microsoft.Exchange.WebServices.Data.DelegateFolderPermissionLevel]::Reviewer

# AddDelegates takes an array of DelegateUser objects
$dgArray = new-object Microsoft.Exchange.WebServices.Data.DelegateUser[] 1
$dgArray[0] = $dgUser
$service.AddDelegates($mbMailbox, [Microsoft.Exchange.WebServices.Data.MeetingRequestsDeliveryScope]::DelegatesAndMe, $dgArray);
December 9th, 2010 10:44am

I don't think you want to add all the domain users as individual delegates to each mailbox, but the domain users group. If no one gets back sooner, I'll have a look at helping with getting a foreach loop set up to cycle through the mailboxes.
December 9th, 2010 10:14pm

Thanks mjolinor. I'm working on the loop also. Let me know if you get there before me!

In the meantime, the mailbox and delegate account are specified by SMTP address in the EWS API script. How would I go about specifying 'domain users' or 'authenticated users'?

Thanks again in advance.
IR8
December 12th, 2010 3:59am

Any delegate needs to have an identity to Exchange, which means being mail-enabled or mailbox-enabled. You should be able to mail-enable the Domain Users group, and then use the group's SMTP address as the identity parameter for your delegate.
December 12th, 2010 8:18am

On Sun, 12 Dec 2010 13:14:44 +0000, mjolinor wrote:

>Any delegate needs to have an identity to Exchange, which means being mail-enabled or mailbox-enabled. You should be able to mail-enable the Domain Users group, and then use the group's smtp address as the identity parameter for your delegate.

Be careful using that (and other) built-in groups. They really don't have a populated "members" property. It might work, but it may have some odd side-effects, too.

---
Rich Matheisen
MCSE+I, Exchange MVP
December 12th, 2010 9:14pm
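
The loop asked for in the thread, written as an added example (not code from any poster): it runs the single-mailbox EWS script once per mailbox returned by Get-Mailbox and records each AddDelegates response. It assumes the Exchange Management Shell on PowerShell 2.0 or later and an account that already holds impersonation rights; the delegate address calendar-readers@domain.com (a dedicated mail-enabled group rather than a built-in one) and $logPath are hypothetical values.

```powershell
# Added example. The DLL path and EWS URL are copied from the script in the thread;
# $delegateToAdd and $logPath are hypothetical values chosen for illustration.
$dllpath       = "C:\Program Files\Microsoft\Exchange\Web Services\1.1\Microsoft.Exchange.WebServices.dll"
$ewsUrl        = "https://autosdiscover.domain.com/ews/exchange.asmx"
$delegateToAdd = "calendar-readers@domain.com"      # hypothetical mail-enabled group
$logPath       = ".\calendar-delegate-results.csv"  # hypothetical result log

[void][Reflection.Assembly]::LoadFile($dllpath)
$service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2007_SP1)
$service.Url = [System.Uri]$ewsUrl

$results = foreach ($mb in Get-Mailbox -ResultSize Unlimited) {
    $smtp   = $mb.PrimarySmtpAddress.ToString()
    $status = "Error"
    $detail = ""
    try {
        # Act as the mailbox owner for this iteration only.
        $service.ImpersonatedUserId = New-Object Microsoft.Exchange.WebServices.Data.ImpersonatedUserId([Microsoft.Exchange.WebServices.Data.ConnectingIdType]::SmtpAddress, $smtp)

        # Least privilege: read-only (Reviewer) on the calendar, no private items, nothing else.
        $dgUser = New-Object Microsoft.Exchange.WebServices.Data.DelegateUser($delegateToAdd)
        $dgUser.ViewPrivateItems = $false
        $dgUser.ReceiveCopiesOfMeetingMessages = $false
        $dgUser.Permissions.CalendarFolderPermissionLevel = [Microsoft.Exchange.WebServices.Data.DelegateFolderPermissionLevel]::Reviewer

        $dgArray = New-Object Microsoft.Exchange.WebServices.Data.DelegateUser[] 1
        $dgArray[0] = $dgUser
        $mbMailbox = New-Object Microsoft.Exchange.WebServices.Data.Mailbox($smtp)

        # AddDelegates returns one response per delegate; the call can complete
        # while the delegate itself is rejected, so inspect each response.
        $responses = $service.AddDelegates($mbMailbox, [Microsoft.Exchange.WebServices.Data.MeetingRequestsDeliveryScope]::DelegatesAndMe, $dgArray)
        foreach ($r in $responses) {
            $status = $r.Result.ToString()
            if ($r.Result -ne [Microsoft.Exchange.WebServices.Data.ServiceResult]::Success) {
                $detail = "$($r.ErrorCode): $($r.ErrorMessage)"
            }
        }
    }
    catch {
        $detail = $_.Exception.Message
    }
    New-Object PSObject -Property @{ Mailbox = $smtp; Delegate = $delegateToAdd; Status = $status; Detail = $detail }
}

# Keep a record of what was granted and what failed, so the change can be reviewed or reversed.
$results | Export-Csv -Path $logPath -NoTypeInformation
$results | Where-Object { $_.Status -ne "Success" } | Format-Table Mailbox, Status, Detail -AutoSize
```

To try it on one database first, add the -Database parameter to Get-Mailbox as in the first post.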
