none
Exchange 2010 - Calendar Permissions for alternate non mail-enabled user RRS feed

  • Question

  • This might not be possible, but I thought i'd ask anyway.

    My boss has an Admin account which is not mail-enabled.  Call it Domain\BossAdmin for reference.     He has a non-Admin account that IS mail-enabled called Domain\BossUser        Domain\BossAdmin has full mailbox access to that of Domain\BossUser so when he's logged in as Domain\BossAdmin, he can open Outlook up... configured for Domain\BossUser, and use his mailbox as if it were his own regardless of which account he happens to log in with.

    This works great for mail and he's almost always just logged in with his BossAdmin account.     Here comes the rub.

    Myself,  Domain\Brian for instance, I have my default calendar permissions set to 'Free/Busy time" as I do not want 'everyone' to be able to see my calendar details.      I have specifically added the only available option in the GAL,  Domain\BossUser, to the permissions as Reviewer.     

    While logged in as Domain\BossAdmin, he can open his outlook, send/receive mail just fine, but when he goes to view my calendar even though he's able to access his own mailbox, his BossAdmin account is being treated like 'default' and is only able to see Free/Busy, not the details.

    Is there a way to add permissions so that the BossAdmin ID, without having a mailbox, can still be a reviewer of my calendar without having to actually be logged in as BossUser?   Any AD Security settings that can be done, etc...      i thought about just mail-enabling his BossAdmin account, but if I do that it'd also have to be in the GAL for this and that wouldn't be good :)    We have reasons why we won't move the mailbox to his admin account, or i'd do that also.

    Brian


    Brian / ChevyNovaLN

    Thursday, October 10, 2013 7:02 PM

All replies

  • Hi Brian,

    I can't claim to know for sure either way, so I can't positively tell you it's impossible (I don't know a way to make it work though).

    How about mailactivating the admin account but hide him from the GAL? (can be set in exchange admin console on the "General" Tab of the mailboxes' properties menu) Would that meet your requirements? (You may need to assign permissions before hiding the mailbox though)

    Cheers,
    Fred


    There's no place like 127.0.0.1

    Friday, October 11, 2013 7:02 AM
  • That was a thought I had earlier today as I was leaving, though I kind of figured it had to remain visible in the GAL.   I'm definitely going to try that, though logic dictates that it should only work while visible in the GAL.    It's possible maybe with the Exchange 2010 Management Shell that even if it's not in the Gal the Powershell set-mailboxpermission cmdlet might still be able to see the mailbox and assign perms.   I guess i'll find out :)

    Thanks for the reply!


    Brian / ChevyNovaLN

    Friday, October 11, 2013 8:03 AM
  • Hi Brian,

    based on my experience with GAL hiding so far (moderate but fairly sufficient I'd think), the easiest way is to leave him visible for as long as it takes to grant permissions. Hiding him afterwards won't affect the permissions.

    If you want to prevent others seizing on the few minutes - if they get GAL updates fast enough to even notice the new mailbox before it's hidden - you can disallow anybody but his non-admin account from sending his admin account mails. This way, even if they can see it for a few minutes, they can't do anything about it.

    So the worst you could get using this path is some users that are slightly confused this morning.
    Most users I know of only use auto-complete to choose recipients anyway, if they can help it, so I'd give you fair odds of nothing happening at all.

    Cheers,
    Fred

    P.s.: Should you try the PowerShell way, I'd be interested in what you tried and how it worked out.


    There's no place like 127.0.0.1

    Friday, October 11, 2013 8:17 AM

  • P.s.: Should you try the PowerShell way, I'd be interested in what you tried and how it worked out.


    There's no place like 127.0.0.1

    I will absolutely let you know.    My experience with the PowerShell method is that it does require that the account at least be mail enabled, but I have not yet ever tried when an account is hidden from the GAL.  Otherwise I already know the cmdlet to make it quite easy to adjust calendar permissions.

    I'll report back in the next few days.   He may just not want to deal with it since OWA works fine (non admin account) if he really needs to see someone's calendar, but I have a feeling annoyance will win out and I'll get to try :)

    Brian

    (Bedtime... done with maintenance for work tonight)


    Brian / ChevyNovaLN

    Friday, October 11, 2013 8:28 AM
  • Just enable Bossadmin account as mail enable and hide it from gal. while giving permission you are not searching in GAL, instead you are searching against AD so it will work. There is no issue in giving permission for an account which hidden from GAL. And one more option is just try to set the security group for Boss Admin account to Universal and provide permission it might also work. Please let me know the outcome. Thanks

    Monday, November 18, 2013 10:50 AM