Grant or deny permissions to access a user's Exchange 2007 mailbox

Need to access another user's Exchange 2007 mailbox? Learn how to grant or deny permissions to access a user's mailbox using the Exchange Management Shell.

There may be valid reasons for allowing a user in an Exchange Server organization to access another user's mailbox...

(e.g., vacation, illness, etc.). In this tip, learn how to grant or deny permissions to access a user's mailbox, and then monitor these mailbox permissions via the Exchange Management Shell (EMS).

The easiest way to allow a user access to another user's mailbox would be to share the user's password login credentials. However, because a user's password is associated with an account that allows access to more than just the user's Exchange Server mailbox, this poses an unnecessary security risk. Fortunately, it is fairly easy to configure Exchange Server 2007 to allow a user to open another user's mailbox without having to log in as that user.

To do this, you must first grant the necessary Exchange permissions by issuing a single command through the Exchange Management Shell. For example, if you want to grant User1 access to User2's mailbox, then open the Exchange Management Shell and enter the following command:

Add-MailboxPermission –ID User2 –AccessRights FullAccess –User User1

This command is fairly simple. Enter the Add-MailboxPermission command, followed by the mailbox name (User2). Then direct Exchange Server to assign full mailbox access rights to the designated user (User1).

It is important to note that the delegate user will not be able to simply open Microsoft Outlook to access the other user's mailbox. The delegate user must first create an Outlook profile associated with that mailbox. Another option is to open the alternate mailbox using Outlook Web Access (OWA).

This EMS command grants the delegate user full access rights to the mailbox. Any time that you grant a user full access rights to an Exchange Server mailbox, you give them permission to access any folder in the mailbox as well. The delegate user can open any item found in any of the folders. Likewise, they also can move or delete messages from mailbox folders. 

More on this topic

  • Configure admin rights to access Exchange 2003 mailbox
  • Audit Exchange Server mailbox permissions in Active Directory

Assigning a delegate full access to a mailbox does not grant the delegate the rights to send mail from the other user's mailbox however. If a delegate needs to send mail from another user's mailbox, then you must assign the user Send on Behalf of permissions.

This can be accomplished through a simple Exchange Management Shell command. Once you have granted User1 access to open User2's mailbox, you then need to grant Send on Behalf of permissions to User1. To do so, enter the following command:

Set-Mailbox –ID User2 –GrantSendOnBehalfTo User1

Granting a user delegate rights is simple, but it's also easy to lose track of who has rights to whose mailbox. If this happens, there is a way to check Exchange 2007 mailbox permissions.

To find out who has access to User2's mailbox, enter the following command:

Get-MailboxPermission –ID User2

This provides a list of users that have access to User2's mailbox, but does not provide a list of the permissions that were granted. To discover and display which permissions are specific to User1 for User2's mailbox, for example, enter the command:

Get-MailboxPermission –ID User2 –User User1 | Format-List

Now let's suppose that User1 has full access rights to User2's mailbox, but User1 should not have permissions to the mailbox. You can use the Remove-MailboxPermission command to deny access to a mailbox as shown below.

Remove-MailboxPermission –ID User2 –User User1 –AccessRights Full Access

This command is almost identical to the Set-MailboxPermission command, except the Remove verb is used in place of the Set verb.

About the author: Brien M. Posey, MCSE, has previously received Microsoft's MVP award for Exchange Server, Windows Server and Internet Information Server (IIS). He has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at www.brienposey.com.

Do you have comments on this tip? Let us know.

Please let others know how useful this tip was via the rating scale below. Do you know a helpful Exchange Server, Microsoft Outlook or SharePoint tip, timesaver or workaround? Email the editors to talk about writing for SearchExchange.com.

Dig Deeper on Exchange Server setup and troubleshooting