If you’ve read the Exchange Team Blog’s announcement for SP1 you may have noticed one of the new features mentioned that isn’t so widely publicised:
“On the client side features like auto mapping of shared mailboxes to user’s Outlook 2010 profiles will remove a support headache.”
As it’s one of my favourite new features and there’s not much documentation yet, I wanted to write a little more about the feature and demonstrate how it works in practice…
How it works
When you add full mailbox permissions on Exchange 2010 SP1 and SP2 to a new or existing shared mailbox that’s also on SP1, Exchange now updates an Active Directory attribute on the shared mailbox itself, named msExchDelegateListLink. This is a multi-value attribute containing a list of DNs (Distinguished Names) of the other mailboxes that have full access to the mailbox and should auto-map that mailbox:
The next time Outlook 2010 or Outlook 2007 launches, it searches for mailboxes that have the user’s mailbox DN listed and displays them below the user’s primary mailbox.
In previous versions this was accomplished by going to the user’s Exchange accounts settings, going to “More Settings”, choosing “Advanced” and entering the shared mailbox manually under “Open these additional mailboxes” as shown below.
For any organisation making use of a large number of shared mailboxes this is a bit of a pain as IT needs to both write documentation so users can do this themselves and in many cases do it for the user. The new feature simply removes this step.
The catch (!) is that just moving a shared mailbox to SP1 or upgrading isn’t enough to enable the feature. As it’s an extra attribute added at the same time as the permissions, you need to remove and re-add the permissions via the normal way (EMC or PowerShell’s Remove-MailboxPermission/Add-MailboxPermission) to make this take effect, or do it yourself via ADSI scripting/AD PowerShell (probably not very supported!).
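Because the attribute and the permission are written separately, the two can disagree. The following is an added example, not code from the original article: run from the Exchange Management Shell, it compares the DNs in msExchDelegateListLink with the users holding explicit FullAccess on one shared mailbox. The function name Compare-AutoMapping and the 'Shared Mailbox' identity are assumptions for illustration.

```powershell
# Added example, not from the original article. Read-only: it changes nothing in AD or Exchange.
# Compare-AutoMapping is a hypothetical name; 'Shared Mailbox' below is a placeholder identity.
function Compare-AutoMapping {
    param([Parameter(Mandatory = $true)][string]$Identity)

    $shared = Get-Mailbox -Identity $Identity

    # DNs currently listed in msExchDelegateListLink on the shared mailbox's AD object
    $entry  = [adsi]"LDAP://$($shared.OriginatingServer)/$($shared.DistinguishedName)"
    $linked = @($entry.Properties['msExchDelegateListLink'] | ForEach-Object { [string]$_ })

    # DNs of users with explicit, non-deny, non-inherited FullAccess.
    # Entries that Get-User cannot resolve (groups, NT AUTHORITY\SELF) are skipped,
    # which matches the feature: only directly assigned users are auto-mapped.
    $granted = @(Get-MailboxPermission -Identity $shared.Identity |
        Where-Object { $_.AccessRights -eq 'FullAccess' -and $_.Deny -eq $false -and $_.IsInherited -eq $false } |
        ForEach-Object { Get-User -Identity $_.User.ToString() -ErrorAction SilentlyContinue } |
        ForEach-Object { [string]$_.DistinguishedName })

    # Classify every DN seen on either side (string comparison is case-insensitive)
    foreach ($dn in (($linked + $granted) | Sort-Object -Unique)) {
        if (($linked -contains $dn) -and ($granted -contains $dn)) {
            $state = 'AutoMapped'              # permission and link both present
        } elseif ($granted -contains $dn) {
            $state = 'FullAccessNotMapped'     # permission without link: remove and re-add to map
        } else {
            $state = 'LinkWithoutFullAccess'   # link without permission: mailbox still listed in Outlook
        }
        New-Object PSObject -Property @{
            SharedMailbox = $shared.Name
            User          = $dn
            State         = $state
        }
    }
}

# Usage (placeholder identity):
# Compare-AutoMapping -Identity 'Shared Mailbox' | Format-Table SharedMailbox, State, User -AutoSize
```

Rows in the FullAccessNotMapped state are the mailboxes that need the remove and re-add step described above.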
Demonstration
Just to give you a quick demo of how simple this is, all you need to do is add permissions on the Shared Mailbox in the normal way:
Then on the client, close and open Outlook. The Shared Mailbox should show after a few seconds:
Yes, it’s really that simple. Simple enough that you might use it without even noticing and wonder how that shared mailbox got mapped in the first place.. But I think it’s definitely going to be a feature any IT department that routinely adds/removes permissions for mailboxes this way will appreciate.
Disabling the feature selectively
I’ve had a lot of comments from people who don’t want this to happen all the time. If this is you, then check out my other article Disable Exchange 2010 SP1′s Auto Shared Mailbox Mapping Feature.
We’re using Exchange Online w/Office 365. We’re using the AutoMapping feature to distribute links to our employee’s departmental calendars (don’t care about the use of the mailbox).
However, when a user goes into the shared calendar and creates a new meeting from within that context, EVERYONE who is AutoMapped to the shared mailbox sees EVERYONE’s meeting accepts/declines as if they themselves were the meeting organizer!
I know we can select the meeting response option to not request responses, but that isn’t desirable because we lose the tracking status information for the meeting.
Additionally, I know we can create the meeting from within the context of my “OWN” calendar and then “invite” the departmental calendar so that an entry is displayed there. This is not desirable since if the original meeting organizer is unavailable, it’s difficult for another user to step in and edit the meeting.
Is there any way to prevent this messaging behavior?
Thanks for any insight! 🙂
Exchange Shared e-mails work great once setup with the shell, and they are automatically seen in Outlook 2010. They don’t count as an Exchange licence and are wonderful to share a ‘shared’ ‘sales’ mailbox. The problem is when I try to access it from the iPhone. Because it does not have a password correlated to it, I have not been able to figure out how to set it up on the iPhone. Has anyone had any luck with this?
Hiya Alberto,
The only simple way is to set a password on the Shared Mailbox and add it as a secondary Exchange account to the iPhone.
Steve
What a stupid feature. I have full control of many mailboxes and don’t want to see them in my Outlook – especially when I use cached Exchange mode and really don’t want my entire list of shared mailboxes cached on my laptop! What was so hard in adding the ones you wanted manually!!!
Hi Patrick,
It depends on the use case. Typically when an end-user has access to a mailbox they will want it mapped to their Outlook. This feature removes the service desk support involved in helping the user get the mailbox attached, not all are that tech savvy as I am sure you are aware.
However that doesn’t mean it’s suitable for everyone. The good news is Service Pack 2 introduces features to grant permissions without auto mapping:
http://www.stevieg.org/2011/12/updated-disabling-auto-mailbox-mapping-in-exchange-2010/
I’ll also be writing an article on how to disable this functionality entirely across Exchange 2010 in a future article.
Hope this helps.
Steve
I see that this great feature only works for full mailbox access, not for read-only (reviewer) access. I’m thinking of writing a script to populate/update the msExchDelegateListLink attribute with the DNs of all other mailboxes that have access to the mailbox, whether FULL or NOT FULL. Do you think there would be any side effects later on if I go that route?
I’ve also tried using a different approach, using GPOs, but I can’t find a way to configure additional mailboxes in an Outlook profile with GPOs. Is such a thing possible?
Thank you.
Steve,
Can you please advise on the following.
After delegating Full Access permissions, besides all shared mailboxes in their Outlook, users can also see other calendars and contacts. Is there any way this can be adjusted? In our case, the owner wants to see everyone’s mailboxes (emails only) but doesn’t like the fact he also sees their calendar and contacts. Any suggestion how to remove them?
Thanks in advance!
Viktor
Hi Viktor,
Using Full Access there isn’t a way to do this, the user will always have full visibility into the mailbox they have been assigned right to. Another option is using Outlook’s delegation features to grant folder-level permissions, but I don’t think this is what you’d like.
Steve
Is this supposed to work in OWA as well?
Hi Arjan,
At the moment no. Would it be useful to you if it did?
Steve
Does anyone know if this method of mapping the mailboxes in Outlook 2010 or 2007 is affected by this issue: http://www.msoutlook.info/question/278
If a mailbox is mapped in this way, do messages sent or deleted from it still end up in the user’s primary mailbox?
Hi George,
Yes it is affected by this issue.
Steve
Great article. My test system is finally starting to add and release the shared mailboxes on demand, which is nice. My problem is that I cannot get the system to grant access to a shared mailbox if the user is a member of an AD group; only if I grant explicit rights in the EMC to the user directly. Any thoughts? Or will this be a problem in AD? (Wouldn’t surprise me… I’m no AD wiz!).
Thanks for any help any of you can give a neophyte. Bill
This is a known issue (though not a bug, it’s by design). I don’t know yet if this will be solved in Service pack 2 or a rollup but if it is the article will be updated.
Steve
If it is I’ll be raising a code change to have it globally switched off. Imagine this scenario, Exchange 2010 hub spoke design, all spoke sites are coming in over very poor links in poor countries around the world. Cached mode is King and gives a perfectly working solution for Users. Shared mailboxes (for business reasons) are accessed via OWA. With this solution Users are now accessing them through Outlook, with massive latency repercussions due to the shared mailbox not being in cached mode and now giving a very poor Outlook experience. We need to be able to switch it off. A good solution overall but poorly thought out. There must be an off switch!
Hi Billy,
I’ve got another script on the site for adding permissions without the auto-mapping if you are interested. I know Microsoft have had it raised with them but I can’t say whether or not this will be changed in a future version. But you are not the only customer that is asking for it.
Steve
Hi, is it a good idea to list the current users that have FullAccess on a mailbox using Get-Mailboxpermission, then piping that information into the add-mailboxpermission to reapply the Fullaccess right so the attribute is written on the mailboxes? How would one piece this together ? Any help would be appreciated.
Hiya,
It should work, something like this should do the trick on a per-mailbox level for ones with FullAccess:
Get-MailboxPermission mailbox | where {$_.AccessRights -eq "FullAccess" -and $_.Deny -eq $False -and $_.IsInherited -eq $False} | Add-MailboxPermission
Steve
Thank you for a very swift reply! I am a real newbie, and i thought i would have to use a loop to make it run through several items.
It works like a charm, though i see that it does not do the trick if i say have a group that has fullaccess to the mailbox. Reapplying the fullaccess right to the group does not set the DelegateListLink property on the mailbox for the group. I might have skipped a few lines before regarding this information, but i take it that this then only applies to individual users? I guess it’s possible to extract the users from the group and run through the individuals with an add-mailboxpermission in some way?
Hiya
Nope, it’s only designed to work with users directly assigned permissions at present.
Steve
Hey Steve,
Great Article – Since that this feature is designed on a user-only basis, does this mean if we want this feature, the only way it will work in an existing environment is if we add each member of an already existing security group to the mailbox?
If so.. is there any way to get the user objects inside of a security group, and then pipe that into the add-mailbox permissions command? rather than having to manually add each user?
Hiya,
Yes, you should be able to do this, using a foreach statement. Let me know if you need an example.
Steve
Could you please post an example of the foreach statement that gets the user objects inside of a security group and then pipe that into the Add-MailboxPermissions cmdlet with us Steve?
Hi Rodrigo,
Something like this should do the trick:
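# The line that populated $Group is missing from the page.
# Assumption: the members are read from a mail-enabled security group; "Security Group" is a placeholder name.
$Group = Get-DistributionGroupMember "Security Group"
foreach ($Member in $Group) {
    # Only members that have a mailbox are granted Full Access (and so get auto-mapped)
    if (Get-Mailbox $Member -ErrorAction SilentlyContinue) {
        Add-MailboxPermission "Shared Mailbox" -User $Member -AccessRights FullAccess
    }
}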
Steve
I was not aware of this feature, too!
Thank you Steve!
This is a Feature? Microsoft didn’t think this one through very well. I understand that there is a new attribute now. However this “Feature” completely breaks Outlook in that there is now no GUI to control the linked mailboxes from the Outlook Client itself. When you try to remove them from Outlook, they just give you an error message that sends you on a wild goose chase.
Also, I now have users who have 15 additional mailboxes being opened automatically because of this “feature” and crashing their Outlook. Genius!
Hi Bryan,
I’ve written a wrapper script here if you want to add permissions without the auto mapping, hope this helps:
http://www.stevieg.org/2011/02/disable-exchange-2010-sp1s-auto-shared-mailbox-mapping/
Steve
I agree. We have two exchange boxes – one in Cape Town and one in Denver. The Administrator has full access on all mailboxes but now I can’t use Outlook as it just hangs because it is loading all the mailboxes from the Denver mailbox store but I only ever want to see the Cape Town mailboxes. Definitely need a way to turn off this feature in Outlook.
Try using the script in this post instead; it won’t do the Auto Mapping this way:
http://www.stevieg.org/2011/02/disable-exchange-2010-sp1s-auto-shared-mailbox-mapping/
However I should add – granting permission in that way is not the best way of performing discovery. Do your users know you can see their mailboxes this way?
Steve
Is there a way to do this without giving the user Full Access?
IE. I want to auto-map a shared calendar that users can view defined content of (like a resource mailbox), but not be able to edit. Auto-map & view-only.
Cheers,
DT
Can this feature be used for setting shared mailboxes in Outlook 2003, or is there some way of fudging the output to be used with Outlook 2003?
Hi Philip,
Unfortunately there isn’t any way to do it natively in Outlook 2003. It’s feasible a COM add-in could be created which queried the attribute in AD but I don’t know of anyone that’s done it.
Steve
Wow that was a fast reply! Thank you! We are starting a migration from Sun Communication Express and I am looking for a way to import the shared mailbox and shared calendars into exchange 2010 / Outlook 2003.
Tools from Quest may be a good start but much of this may need to be done via IMAP migration tools. If you can get Calendars out as text, it’s possible to import them into Exchange using its web services interface. I’ve done this for 12,000 users myself in the past.
Thank you again. We intend to pull most the data out of .pst imports. What we would like to happen though is for shared mailboxes and calendars to be instantly available to staff, once Exchange is in place, without the need for the users adding shared calendars to Outlook manually. If that makes any sense? I will go have a look at Quest though.
I confirm this also works with Outlook 2007 SP2 with Exchange 2010 SP1.
Can photos be imported into the Exchange GAL for Email Distribution Groups?
Steve – yes, this worked fine once the machine was joined to the domain and the user was logged-on using a domain account. Thanks again for your time. 🙂
Hmmm. I have tested the scenario myself – and it worked fine. I can connect and see my auto-mapped mailboxes in Outlook 2010 without any issues, just straight in. Only difference I can think of is that it was connecting over Outlook Anywhere.
Steve
Steve – much as i have tried, I cannot get this to work. I have used your New-SharedMailbox script to create a shared mailbox, checked the “full access” permissions are correct but the Outlook 2010 client never auto-maps to the new mailbox. The OS is not joined to the domain, the user logs on locally – could this be the issue? Or should Outlook be able to query the msExchDelegateListLink value regardless? Any help you could offer would be great. Thanks, Jon.
Hi Jon,
What version of Outlook 2010 is it? I know only the Pro Plus (a volume licenced) version supports archiving, so auto mapping may be another feature. If it’s not that, then I can find out. It should be able to query the relevant attributes via AD.
Steve
It *IS* Office Professional Plus 2010 (the version shows in ARP as 14.0.4763.1000). I have checked and the msExchDelegateListLink value is set… but now joy. 🙁
(now=no)
Do you have any way to test from a domain-joined client, to rule that issue out?
Steve
Sure – I’ll give it a try tomorrow and let you know how I get on. Thanks very much for your time and help. J
It is really annoying if you rely on the new feature of using multiple Exchange Accounts, which is the really great feature in my opinion. Send items go in the send items folder of the shared mailboxes, etc.
Now in SP1 the mailbox gets added automatically through the msExchDelegateListLink and you don’t even see it in the Outlook settings!!!!! And if you have instructed administrators to add shared emailboxes as a new exchange account, e-mails don’t get sent at all.
Maybe someone has a quick script to empty the msExchdelegatelistlink?
I hear you. I’m working on a few different methods to disable this globally or for groups of users (i.e. so an Admin never gets this feature). So far I’ve come across some issues with the ways I’ve tried so far but will persist in automatic solutions. Failing that I’m going to put some PowerShell scripts together for managing the automatic mappings.. like Remove-MailboxAutoMapping.ps -Identity mailbox -User userwithpermissions
Emptying the msExchDelegateListLink via a script is actually not too difficult. E.g.
$u=Get-User sharedmailbox;
$u=[adsi]"LDAP://$($u.originatingserver)/$($u.distinguishedname)";
$u.msExchDelegateListLink.Clear();
$u.SetInfo();
Steve
Wow, this is a terrible feature. Why is it assumed that if someone is granted full access to a mailbox, they want an unremovable link to that mailbox in their Outlook profile – forever. This would have been a cool feature if 1) it was a choice to turn it on in the first place 2) there was a way to remove the mailbox link without editing AD attributes. Anyone in the TAP program should be ashamed that they didn’t provide appropriate feedback and allowed this cheesy function to be enabled in an enterprise mail system.
I agree it would be better if there was a choice to turn it on/off. It’s a version 1.0 feature though and hopefully it will be improved with time. If you use groups for access to shared mailboxes this feature won’t be enabled anyway.
Don’t agree with your comments about it a) being cheesy (it’s a feature most users appreciate), b) not belonging in an enterprise mail system (features to automate operations is exactly what belongs in such products) and c) blaming MS TAP customers or partners (who don’t decide what features MS put and don’t put into products).
Steve
Hi Steve,
I have tested this functionality in our test environment and it works as described when adding a User(s) to the “Manage Full Access Permission…”. However, and I expect that this may not be the recommended way to control access to shared mailboxes, but we use “Mail Universal Security Groups” to control permissions to shared mailboxes and under this scenario found that although members of this group are manually able to add the shared mailbox (as we do in our live environment) it does not automatically get added to a profile. Will this be possible in the future?
The reason why we use “Mail Universal Security Groups” to control access to shared mailboxes is because adding users to Distribution groups can be done by a standard “Exchange Recipient Administrator” and doesn’t need any other elevated rights.
Hi Neil,
I think it may be possible in the future as it has been requested by Exchange TAP members myself included. I don’t know at what point it will be possible. There were discussions about using a script to sync group members to the msExchDelegateListLink attribute but that is obviously a workaround.
Steve
Hi there,
i have done this and it did not work, i followed exactly every step, but the users never saw that folder in their outlook, i am not sure if my exchange is SP1 or not, please help me out:
1) is SP1 is a must to make this work.
2) may i use public folders to achieve the same results? to make many users access a certain mailbox?
3) i need 3 users in my organization to access and see all emails in a mailbox, and send emails out on behalf this mail box.
please use my email address to reply
Thanks,
Abdel
Hi Abdel,
To answer your questions..
1) Yep, you need Exchange Server 2010 SP1.
2) No, public folders are different, but I see how in a way you could accomplish something similar.
3) Use the EMC to add the mailbox permissions and send-as rights to the mailbox in question by right clicking on that mailbox in the recipients list.
Steve
Unfortunately there does not appear to be a way to make this work using groups is there? We have tons of locations where teams of people access a common shared mailbox and we grant them access to that MB using a group. There is a lot of personnel turnover so it would be a real pain to grant access on a user by user basis.
There isn’t a way to do this with groups, no. I know that it has been requested though, so maybe it will be in SP2.
I am considering writing some workaround script though that will do this (and maintain the mapping over time) along with options to change whether it does indeed add it to Outlook in the first place. Just thinking if it is practical or possible to tie it into EMC also.
100% agree, why is it assumed that just because full mailbox permissions were added to a mailbox, then that mailbox needs to be available all the time via Outlook. We have clients where the business owner, whether rightly or wrongly, likes to have full mailbox access to all staff email. The staff know, so there’s no secret spying, but the owner wouldn’t want all mailboxes available (and synced to his OST as well I suspect???) all the time in his Outlook profile, on his laptop. Luckily, this particular client is still on Exchange/Outlook 2007.
Maybe if you grant full access permissions to a mailbox, and then remove the msExchDelegateListLink attribute via AD, without removing the full mailbox permissions, then the mailbox won’t appear automatically in Outlook? Probably worth a try……
Cheers
Hi Brendan,
That will work. Also the attribute values aren’t added to mailboxes as they move from 2007 to 2010 so just moving them doesn’t change that config.
Steve
Well, I do understand how cool this feature is, but is there any way to NOT USE it? I mean, being ad administrator and having full access to lots of mailboxes doesn’t mean I want to see them all in my Outlook the whole time. And with this bug (it is a bug, anyway) that the mailboxes stay in Outlook after the FullAccess had been removed, it is more than unpleasant to have it.
So is it possible to switch it off?
Just wondering: once this is set up, will mail sent out from the secondary mailbox appear with ‘… on behalf of …’ in the message header or will it appear directly from the secondary mailbox (hiding the name of the actual sender)? Also, will this give the user access to ALL folders in the secondary mailbox?
When you use Add-MailboxPermission it gives full access to the mailbox. It doesn’t grant Send on Behalf of or Send-As permissions. You set Send-As (which will hide the name of the actual sender) by right clicking the shared mailbox and choosing “Manage Send As Permission”
This feature would be very nice to use if we didn’t have to manually remove the msExchDelegateListLink attribute each time.
Steve, we’re using a 2 box server setup, 1 cas+hub and 1 mbx server inside a single domain site. AD functional level was set to 2008 R2 before Exchange 2010 install.
Would LOVE a fix for this!
how to remove msExchDelegateListLink values from multiple users properties
In case you are looking for a quick way to remove that additional mailbox from an Outlook profile after removing Full Access permissions, go into AD Users and Computers, pull down the View menu and select Advanced Features. Next, go to the user account of the additional mailbox and select the Attribute Editor. Scroll down to msExchDelegateListLink and remove the user that previously had Full Access. The next time you open that Outlook profile, the additional mailbox will be gone.
Thanks Steve,
I’ve been looking how to do this for a month, I think all of these people who are give the Tools, Account Settings do not really know what went on or what happened to get the mailboxes that way.
Thank You!
Steve, we’re in a simple single exchange server / single domain site.
We’ve added full access permission for a couple system administrators to other mailboxes, and upon removing their full access permissions, the admins can still see and more importantly access the other user’s mailbox. Also it’s impossible to delete the mailbox from outlook as it is linked on the server side, not the local outlook account.
Matt, maybe you have found the issue by now, but i wanted to suggest you check AD replication.
I too can confirm that the accounts are still present after removing the Full Access permissions from the user’s mailbox.
Anyone know if a fix is coming for this?
Hi Matt,
What’s your environment like? I’m not seeing this myself and don’t know if it’s been reported as a bug.. So would like to repro and report if possible.
Steve
Really interesting!! didn’t notice this new feature and spent hours trying to remove a shared mailbox from a user’s Outlook. I think that there should be a feature to prevent this or at least let the user remove the mailbox somehow.
Great article Steve!!
Regards,
Julián
Thanks Julian,
I agree, it would be nice to have some options/parameter to control when this is set, as you don’t always want the mailbox auto-mapped!
Steve
I’ve upgraded to SP1 and CAN verify that the msExchDelegateListLink is not removed when full mailbox permissions were removed 🙁
Hi David,
Was this via EMC or EMS?
Steve
EMC on Win7 Pro x64. Haven’t tried directly on the server…would prefer not to either.
Perfect! Was wondering how it worked. Just removed and readded myself and, voila.
Not sure if it was fixed in the final SP1 but in the beta I did not see the msExchDelegateListLink cleared when full mailbox permissions were removed.
It appears fine in the SP1 RTM build as far as I’ve seen?
hmmm… not sure of it… my Outlook remains full of “Cannot open mailbox” pins… I need to manually remove the BL property for every single user.
Perfect Nice one
Cheers 🙂
I was not aware of this feature – cool!!
I know! I am surprised MSFT haven’t made more of it..
Simple feature that as soon as you use, you wonder why it’s not been there all along!