3. Assigning a Mailbox to a User from the EMS
In a larger organization, you will probably want to
streamline or script the creation of new mailboxes and/or user
accounts. The EMS allows you to do this easily. For now, though, let's
look at the example you just completed from the EMC graphical user
interface. You enabled a mailbox for an existing user, assigned that
user a mailbox on the MBX-002 mailbox database, and assigned that user
the Standard User Managed folder policy and the Default ActiveSync
policy. The cmdlet executed is as follows:
Enable-Mailbox -Identity 'ithicos.local/Corporate/Bharat Suneja' `
  -Alias 'Bharat.Suneja' -Database 'MBX-002' `
  -ManagedFolderMailboxPolicy 'Standard User Managed Folder Policy' `
  -ActiveSyncMailboxPolicy 'Default'
The Exchange Management Console created this command
and used object names to identify the user and the home mailbox
database in explicit terms. However, we want to show you another
example and simplify it just a bit. In this case, you have another
existing user whose account is Luke.Husky and he is in the ITHICOS
Active Directory domain. We will simplify this command as much as
possible and here is the result:
Enable-Mailbox ithicos\luke.husky -Alias:Luke.Husky -Database:MBX-002

Name        Alias       ServerName  ProhibitSendQuota
----        -----       ----------  -----------------
Luke Husky  Luke.Husky  hnlmbx01    unlimited
This command works because there is only a single
mailbox database in the entire organization called MBX-002. If you have
not established a naming standard for databases so that each database
name is not only readable but also unique, you need to do so. Unique
database names are required for Exchange Server 2010. When considering
database names, we recommend against including the server name since a
database may move from one server to another if you are using database
availability groups.
3.1. Assigning Permissions to a Mailbox Using the EMS
On some occasions, you may need to assign a user the
permission necessary to access another user's mailbox. This was easy
enough to do in Exchange 2000/2003 using Active Directory Users and
Computers. With Exchange 2010, you can perform the same task using the
Manage Full Access Permission task in the Actions pane of the Exchange
Management Console. The tasks available for a selected mailbox are
shown in Figure 12; this includes the Manage Send As Permission and the Manage Full Access Permission tasks.
In Exchange 2010, there are two types of mailbox permissions:
Full Access permission lets another user open the mailbox and view any message or folder within it.
Send As permission lets another user send a message that appears to be coming from the user whose mailbox it is.
Giving a user full access to another user's mailbox
will allow the user to open the other user's mailbox and view any
folder or message within the user's mailbox. However, if the user needs
to be able to send a message as another user, full mailbox permission
is not sufficient. Third-party products, such as the service account
for Research in Motion's BlackBerry Enterprise Server (BES), may require
Receive As permissions to the mailboxes that it manages. The BES
service account must also have Send As permissions on the Active Directory
object. Receive As mailbox permissions can be added through the EMC or
using the Add-MailboxPermission cmdlet. Send As permissions can be added through the EMC or using the Add-ADPermission cmdlet.
If you have been managing Exchange Server
organizations for some time, you may remember a time when giving users
full mailbox rights would allow them to see all the messages and
folders as well as send messages that would originate from that
mailbox's address. However, that changed with an Exchange Server 2003
post–Service Pack 2 hotfix. Now Send As permissions must be assigned
separately.
3.2. Assigning Full Access Permission
To assign Full Access permissions, simply select the
mailbox to which you want to add more permissions and click the Manage
Full Access Permission task. This launches the Manage Full Access
Permission wizard shown in Figure 13.
In this example, we are adding users Clayton.Kamiya and Chris.Eanes to
the list of users who have full access for this mailbox.
This could also be done using the EMS cmdlet Add-MailboxPermission. In this example, we are assigning user Clayton.Kamiya permissions to access Betty McBee's mailbox:
Add-MailboxPermission Betty.McBee -User volcanosurfb\Clayton.Kamiya `
  -AccessRights FullAccess
If you want to assign an administrator permissions
to access all mailboxes (such as to import or export mailbox content),
you can use the Role-Based Access Control (RBAC) management role called
Mailbox Import Export. For example, if we want to assign user
Clayton.Kamiya the role that would allow him to open all mailboxes, we
could use this command:
New-ManagementRoleAssignment -Role "Mailbox Import Export" `
  -User Clayton.Kamiya
3.3. Assigning Send As Permission
To assign Send As permissions, you need to run the Manage Send As Permission task in the Actions pane. Figure 14
shows the Manage Send As Permission wizard; here we are assigning user
Peter.ODowd the Send As permissions to Betty's user account.
You can perform the same task using the EMS; here is
an example of giving user volcanosurfb\Peter.ODowd Send As permissions
to Betty McBee's user account:
Add-ADPermission 'CN=Betty McBee,OU=VolcanoSurfboards,DC=volcanosurfboards,DC=com' `
  -User 'VOLCANOSURFB\Peter.ODowd' -ExtendedRights 'Send-as'
You can also remove the permissions you have assigned via the EMS with the following command:
Remove-ADPermission 'CN=Betty McBee,OU=VolcanoSurfboards,DC=volcanosurfboards,DC=com' `
  -User 'VOLCANOSURFB\Peter.ODowd' -InheritanceType 'All' `
  -ExtendedRights 'send-as' -ChildObjectTypes $null `
  -InheritedObjectType $null -Properties $null
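Because Full Access lives on the mailbox and Send As lives on the Active Directory object, reviewing who holds delegated access means querying both places. The following audit script is an added example, not code from the original text; it assumes it is run in the Exchange Management Shell, and the function name and CSV file name are placeholders chosen for illustration.

```powershell
# Added example: report explicit Full Access and Send As grants per mailbox,
# then list who effectively holds the Mailbox Import Export role.

# Hypothetical helper: true for an entry that is an explicit (non-inherited)
# allow and is not the mailbox owner's own NT AUTHORITY\SELF entry.
function Test-ExplicitAllow($Ace) {
    ($Ace.IsInherited -eq $false) -and ($Ace.Deny -eq $false) -and
        ([string]$Ace.User -notlike 'NT AUTHORITY\SELF')
}

$grants = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {

    # Full Access is a mailbox permission (granted with Add-MailboxPermission).
    Get-MailboxPermission -Identity $mbx.DistinguishedName |
        Where-Object {
            (($_.AccessRights -join ',') -like '*FullAccess*') -and
            (Test-ExplicitAllow $_)
        } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Mailbox = $mbx.Alias; Right = 'FullAccess'; Trustee = [string]$_.User
            }
        }

    # Send As is an extended right on the AD object (granted with Add-ADPermission).
    Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object {
            (($_.ExtendedRights -join ',') -like '*Send-As*') -and
            (Test-ExplicitAllow $_)
        } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Mailbox = $mbx.Alias; Right = 'Send-As'; Trustee = [string]$_.User
            }
        }
}

# One row per (mailbox, right, trustee); compare against the approved list.
$grants | Sort-Object Mailbox, Right, Trustee |
    Select-Object Mailbox, Right, Trustee |
    Export-Csv -Path .\mailbox-delegation-audit.csv -NoTypeInformation

# Role holders can reach every mailbox's content through import/export.
Get-ManagementRoleAssignment -Role 'Mailbox Import Export' -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName
```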