Exchange 2007 SP1 Mailbox Management Features – Part 2: Managing Mailbox Permissions using the Exchange Management Console

If you missed the first part in this article series please read Exchange 2007 SP1 Mailbox Management Features – Part 1

 

Although the Exchange product group’s strategy with Exchange Server 2007 is for all mailbox management to occur from within the Exchange Management Console (EMC) and Exchange Management Shell (EMS), and not the Active Directory Users and Computers (ADUC) snap-in as was the case in Exchange Server 2000/2003, the Exchange Server 2007 RTM version didn’t let us manage features such as Send As and Full Access permissions from within the EMC. These were among the features the product group had planned for the EMC but that weren’t ready in time for the RTM release, which meant that you had to manage Send As and Full Access permissions using the EMS. With Exchange Server 2007 SP1 these features are now part of the EMC GUI, as I’ll show you throughout this article.

 

Managing Send As Permissions

 

As most of you are aware, the Send As permissions feature is used to grant a user or group “send as” permissions to another user’s mailbox as illustrated in Figure 1 below.

 


Figure 1: How the “Send As” Permission works
“Send As” permissions should not be confused with “Send on behalf” permissions, which permit a user to send mail on behalf of the respective mailbox owner. When a user sends a mail on behalf of another user, the name in the From: box of the mail message will appear as “Test01 on behalf of Test02”.

 

Note:
You probably recall that giving a user Full Mailbox permission to a mailbox implicitly granted that user “Send As” permissions to the mailbox as well. Back with Exchange 2003, the Exchange product group changed this based on customer feedback, so that it was possible to grant full mailbox permissions to a mailbox without also granting “Send As” permission. Read more about this change in this KB article.

 

With Exchange 2007 RTM, we could grant a user or group “Send As” permissions to a mailbox using the Exchange Management Shell, more specifically with the Add-ADPermission cmdlet. This meant that in order to grant a user called Test01 “Send As” permission to Test02’s mailbox, we would need to use the following command:

 

Add-ADPermission "Test02" -User "Test01" -AccessRights extendedright -ExtendedRights "send as"

 

With Exchange 2007 SP1, we can grant “Send As” permission to Test01 using the Exchange Management Console as well. To do so, expand the Recipient Configuration work center, then click the Mailbox node. Now select the user mailbox to which we want to give another user or group “Send As” permissions. With the user mailbox selected, click the Manage Send As Permission link in the Action pane as shown in Figure 2 below.

 


Figure 2: Manage Send As Permission link in the Action Pane

 

In the Manage Send As Permission wizard, you can see who, if anyone besides the mailbox owner, currently has this type of permission on the selected user mailbox. To give a user Send As permissions, click the Add button (Figure 3).

 


Figure 3: Manage Send As Permission Wizard

 

Now select the user that should be granted send as permissions in the Select User or Group window shown in Figure 4. When the user or group has been selected, click OK.

 


Figure 4: Selecting the users or groups that should be granted “Send As” Permissions

 

Click Manage then Finish to exit the wizard (Figure 5).

 

Note:
The Select User or Group window also lets you select multiple users or groups, so you can set the “Send As” permission for users in bulk.

 


Figure 5: Manage Send As Permission Completion Page

 

Managing Full Access Permissions

 

The Full Access permissions feature is used to grant a user or group full access to another user’s mailbox as illustrated in Figure 6 below. When a user has been granted full access, he/she can log on to the user’s mailbox and do pretty much the same as the mailbox owner, that is, open all folders in the mailbox, etc. Full access is often used when dealing with resource mailboxes, where a group of users typically needs full access to the respective mailbox, for example, during a project.

 


Figure 6: How Full Mailbox Access Permissions work

 

With Exchange 2007 RTM version, we had to grant full mailbox access to a user or group using the Exchange Management Shell, more specifically the Add-MailboxPermission cmdlet. This meant that in order to grant a user called Test02 full mailbox access to Test01’s mailbox, we needed to use the following command:

 

Add-MailboxPermission "Test01" -AccessRights FullAccess -User "Test02"

 

With Exchange Server 2007 Service Pack 1, we have the option of granting a user or group full access permissions to a mailbox using the new Manage Full Access Permission wizard in the Exchange Management Console. This is done in much the same way as granting “Send As” permissions: select the respective user mailbox under the Mailbox node in the Recipient Configuration work center, then click the Manage Full Access Permission link in the Action pane as shown in Figure 7.

 


Figure 7: Manage Full Access Permission Link in the Action Pane

 

This will bring up the Manage Full Access Permission wizard in Figure 8. Here we can see that the only account that has full mailbox access is the NT AUTHORITY\SELF account. Let’s click Add.

 


Figure 8: Granting Users or Groups Full Access Permissions to the Mailbox

 

Just as with the Select User or Group window in the Manage Send As Permission wizard, you now need to select the users or groups that should be granted full mailbox access to the respective mailbox (Figure 9). When you have done so, click OK, Manage and then finally Finish to exit the wizard.

 


Figure 9: Selecting the users or groups that should be granted Full Access to the Mailbox
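Because both wizards make it easy to grant these rights in bulk, it helps to be able to list what has actually been granted. The following is an added example, not part of the original article: an Exchange Management Shell function that reports explicit “Send As” and Full Access grants per mailbox, skipping inherited entries and NT AUTHORITY\SELF. The function name Get-MailboxDelegationReport is hypothetical; Test01 and Test02 are the article’s sample mailboxes.

```powershell
# Added example (not from the original article). Run in the Exchange
# Management Shell. Get-MailboxDelegationReport is a hypothetical name.
function Get-MailboxDelegationReport {
    param([string[]]$Mailbox)   # optional identities; default: every mailbox

    if ($Mailbox) { $targets = $Mailbox | ForEach-Object { Get-Mailbox -Identity $_ } }
    else          { $targets = Get-Mailbox -ResultSize Unlimited }

    foreach ($mbx in $targets) {
        $name = $mbx.Name

        # "Send As" is an Active Directory extended right on the user object,
        # which is why it is granted with Add-ADPermission.
        Get-ADPermission -Identity $mbx.DistinguishedName |
            Where-Object {
                ($_.ExtendedRights -like '*Send-As*') -and
                (-not $_.IsInherited) -and (-not $_.Deny) -and
                ($_.User.ToString() -ne 'NT AUTHORITY\SELF')
            } |
            Select-Object @{Name='Mailbox';    Expression={$name}},
                          @{Name='Permission'; Expression={'Send As'}},
                          @{Name='Trustee';    Expression={$_.User.ToString()}}

        # Full Access is a mailbox right, granted with Add-MailboxPermission.
        Get-MailboxPermission -Identity $mbx.DistinguishedName |
            Where-Object {
                ($_.AccessRights -like '*FullAccess*') -and
                (-not $_.IsInherited) -and (-not $_.Deny) -and
                ($_.User.ToString() -ne 'NT AUTHORITY\SELF')
            } |
            Select-Object @{Name='Mailbox';    Expression={$name}},
                          @{Name='Permission'; Expression={'Full Access'}},
                          @{Name='Trustee';    Expression={$_.User.ToString()}}
    }
}

# Review the two sample mailboxes used in this article.
Get-MailboxDelegationReport -Mailbox 'Test01','Test02' | Format-Table -AutoSize
```

Called without -Mailbox, the function walks every mailbox; piping the result to Export-Csv -NoTypeInformation gives a file that can be compared between reviews to spot new grants.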

 

Conclusion

 

Although features such as the “Send As” and Full Mailbox access permission wizards really should have been included in the Exchange 2007 RTM version, it’s good to see them arrive with Exchange 2007 SP1. What’s even better is that both wizards allow you to set these permissions on users or groups in bulk. With Exchange 2007 SP1 we’re getting very close (note I say close as there’s always room for improvement) to a perfect Exchange Management Console GUI for Exchange 2007, which should satisfy the many non-PowerShell admins out there.

 
