
Monday, February 15, 2010

Exchange 2003 & 2007 Mailbox sharing

Suppose one has the task of sharing a mailbox in the sales department. Most likely, one simply creates a mailbox-enabled user account in Active Directory and grants the mailbox permissions to other users, all of whom belong to the sales department. In this way, the security department can take advantage of this enabled mailbox.
Basically, this process is not secure. This article describes how the Exchange team solved this issue and made it more secure in the latest version of Exchange Server.

Exchange 2003 Mailbox sharing
First, this post describes shared mailbox creation for Exchange 2003, which uses an enabled user account in Active Directory, and then for Exchange 2007, which uses a disabled user account in Active Directory.
In Exchange 2003, one can create a new mailbox user as described in our post on Exchange 2003 mailbox creation.
One can add the mailbox permission in the following way:
  1. Click on the mailbox user's properties, which brings up the properties window of the user. Now click on the ‘Exchange Advanced’ tab. See Figure 01.
Figure 01: This shows the mailbox user property
  2. Now click on the Mailbox Rights button, which brings up the mailbox permission window. See Figure 02.
Figure 02: This shows the mailbox permission for user.
  3. Now, one shares this mailbox with any other mailbox-enabled user. Click on the Add button to add a mailbox user that is enabled in Active Directory. See Figure 03.
Figure 03: This shows sales mailbox is shared with dilip.
  4. Now one adds ‘Full mailbox access’ for the ‘dilip’ user, and the mailbox ‘sales’ is shared with ‘dilip’. See Figure 04.
Figure 04: This shows dilip has full mailbox access.

Exchange 2007 Mailbox sharing
In Exchange 2007, one can create a new mailbox user as described in our post on Exchange 2007 mailbox creation.
A shared mailbox in Exchange 2007 has a disabled user account that does not have a password, and one grants sharing permissions on it to other users. This is more secure than Exchange 2003, since one does not use an enabled user account, which can be traced by the security department. In the case of Exchange 2003, it is very rare to know both the username and the password, and what happens when the mailbox user leaves the organization? This kind of issue does not occur in Exchange 2007.

In Exchange 2007, one cannot create the shared mailbox using the ‘Exchange Management Console’. One can create it using the ‘Exchange Management Shell’.

Please use the following steps to create a shared mailbox.

One creates a disabled user account in the ‘Users’ organizational unit; since the user is disabled, one does not require a password. The command is,

[PS] C:\Documents and Settings\Administrators>New-Mailbox -Name:'sales' -OrganizationalUnit:'portmail.com/Users' -Database:'Mailbox Database' -UserPrincipalName:'sales@portmail.com' -Shared

This command creates a shared mailbox user named ‘sales’.

Now one needs to assign permission to another user.

[PS] C:\Documents and Settings\Administrators>Add-MailboxPermission sales -User:'dilip' -AccessRights:FullAccess

This command gives the user ‘dilip’ full access rights to the ‘sales’ mailbox. One suggests assigning the permission to a Security Group instead of a single user. One can create the Security Group in the domain containing the shared mailbox, and the users who belong to this group have full access to the mailbox.

Full access assigned in this way is not complete for the ‘User / Security Group’. One must also add the ‘Send-As’ permission so that the user, or the users who belong to the group, can send mail as the shared mailbox's mail address.

[PS] C:\Documents and Settings\Administrators>Add-ADPermission sales -User:'dilip' -ExtendedRights:Send-As -AccessRights:ReadProperty, WriteProperty -Properties:'Personal Information'

This command grants the Send-As right, together with read and write access to the ‘Personal Information’ properties, to the user or the users in the group who access the shared mailbox.
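
The group-based assignment suggested above, followed by a check of who actually holds rights on the shared mailbox, as an added example that is not part of the original post. The group name ‘SalesMailboxUsers’ is an assumption; ‘sales’, ‘dilip’ and the organizational unit are the post's own values.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Assumed name: group 'SalesMailboxUsers'. 'sales', 'dilip' and the OU come from the post.
$mailbox = 'sales'
$group   = 'SalesMailboxUsers'

# 1. Create a mail-enabled security group and add the sales users to it.
New-DistributionGroup -Name $group -SamAccountName $group -Type 'Security' `
    -OrganizationalUnit 'portmail.com/Users'
Add-DistributionGroupMember -Identity $group -Member 'dilip'

# 2. Grant the rights to the group instead of to individual users.
Add-MailboxPermission -Identity $mailbox -User $group -AccessRights FullAccess
Add-ADPermission -Identity $mailbox -User $group -ExtendedRights 'Send-As'

# 3. Confirm the mailbox is a shared mailbox (RecipientTypeDetails = SharedMailbox).
Get-Mailbox -Identity $mailbox | Format-List Name, RecipientTypeDetails

# 4. List explicit (non-inherited, non-deny) FullAccess grants on the mailbox.
#    The mailbox's own SELF entry is skipped.
Get-MailboxPermission -Identity $mailbox |
    Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                   ($_.AccessRights -like '*FullAccess*') -and
                   ($_.User -notlike 'NT AUTHORITY\SELF') } |
    Format-Table User, AccessRights -AutoSize

# 5. List explicit Send-As grants on the mailbox's Active Directory object.
Get-ADPermission -Identity $mailbox |
    Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                   ($_.ExtendedRights -like 'Send-As') -and
                   ($_.User -notlike 'NT AUTHORITY\SELF') } |
    Format-Table User, ExtendedRights -AutoSize
```

Any entry in the last two listings that names an individual account rather than the group is a direct grant to review, for example when that user leaves the sales department.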

Friday, February 12, 2010

Exchange 2007 New Mailbox Creation

MS Exchange 2007 allows an administrator to create new mailboxes. One can create mailboxes from the ‘Exchange Management Console’. In the ‘Exchange Management Console’, there is an option ‘Recipient Configuration’ in the list provided under ‘Microsoft Exchange’. ‘Recipient Configuration’ provides different kinds of operations for the Exchange 2007 server.
These are,
  • Mailbox
  • Distribution Group
  • Mail Contact
  • Disconnected Mailbox
To create a new Mailbox, one should click on ‘Mailbox’ and then click on ‘New Mailbox’.

Exchange server provides different kinds of Mailboxes. These are,
  • User Mailbox
  • Room Mailbox
  • Equipment Mailbox
  • Linked Mailbox
To create a new Mailbox, one can select the ‘User Mailbox’ and press ‘Next’ to continue. See Figure 01.

Figure 01: This shows the list of Mailboxes

Now, one should select the ‘New User’ option and press ‘Next’ to continue. See Figure 02.

Figure 02: This shows the new Mailbox user and existing users.

One should fill in the required information and press the ‘Next’ button to continue. See Figure 03.

Figure 03: This shows the Mailbox user detail

Now, one needs to add the ‘Mailbox database’ for storing the new Mailbox user. After adding the ‘Mailbox database’, one should press the ‘Next’ button to continue. See Figure 04.

Figure 04: This shows the Mailbox database selection

Now, one can see the detailed information of the Mailbox in Figure 05 below.

Figure 05: This shows the Mailbox user’s attribute

Now, one can see the Mailbox user in Figure 06 below.

Figure 06: This shows the Mailbox user in Exchange Management Console