Recipe 5.14. Granting Full Access to MailboxesProblemYou need to give one user complete access to another's mailbox. SolutionUsing a graphical user interface
DiscussionYou can assign delegate access to individual mailbox folders using the Outlook user interface; this is commonly done to give executive assistants access to their principals' calendars without giving them access to messages contained in the Inbox. However, Outlook's tool for setting mail folder permissions are best suited for providing delegate access, including the ability to send on the other user's behalf. There are other scenarios in which you might want to give one user full access to another's mailbox. For example, if you have a user who's out on extended medical leave, another user might require access to that user's Inbox and saved mail; another sadly common example is when an employee is being investigated for wrongdoing and the legal or HR departments request mailbox access. The technique described above gives one account or group full access to the target mailbox, meaning that users who have access can log on to the mailbox and use it as the original user couldno "Sent on behalf of" tags or other telltale signs that delegate access is in use. If you instead use ESM to grant these permissions to a mailbox store, the grantee will have that same level of access for all mailboxes in that database. Note that when you assign full mailbox access rights using the ADUC snap-in, the delegate doesn't automatically get Send As permissions (see Recipe 5.21 to grant these). See AlsoRecipe 5.21 to grant Send As permissions, Recipe 5.15 to get the list of existing delegates on a mailbox, MS KB 295558 for using MAPI in Visual Basic to assign delegate permissions to individual folders, and MS KB 821900 for using OWA 2003 to get delegate access |