What most administrators do when they want to create a mailbox that can be accessed by several users, is create a “normal” mailbox and hand the password to all of those who require access to it or give them full access permissions to it.
Either way, that also creates an enabled user account on Active Directory (AD) that users could use to login to a workstation, which is not very secured.
With Exchange 2007 and 2010 we have a new kind of mailboxes, a shared mailbox. A shared mailbox has a disabled AD account to which it is connected. Since the account is disabled, you don’t need to set a password and you can’t use it to login to a workstation! So, they act as a security measure. You will no longer be required to have extra username/password combinations for accessing your network. You can easily assign permissions specifically to those users requiring access.
However, you can’t create these accounts by the Exchange Management Console (EMC)... So, let’s fire up the shell!
Creating a Shared Mailbox
The process to create a share mailbox is exactly the same as a regular mailbox, with the exception of the option –Shared on the New-Mailbox command. For example, let’s create a shared mailbox to where all the quarantined e-mails will go to:
New-Mailbox –Name Quarantine –Alias quarantine –OrganizationalUnit “letsexchange.com/Users” –Database “Mailbox Database” –UserPrincipalName quarantine@letsexchange.com -Shared
This way, a disabled AD account will be created in the Organizational Unit Users with an attached mailbox. Since the account is disabled by default, no password is required.
Permissions
Since we don’t want to associate a password with a shared mailbox, we have to grant mailbox permissions for the users who require access to them.
We can assign permissions using security groups or just simply to users. To give me access to the Quarantine mailbox, all I have to do is:
Add-MailboxPermission Quarantine –User n.mota –AccessRights FullAccess
Now I have full access permissions to it. However, I’ll probably also want Send-As rights so that I can send e-mails with the shared mailbox's e-mail address.
Add-ADPermission Quarantine –User n.mota –ExtendedRights Send-As
You may want to add permissions to read/write personal information so that users can setup delegates if needed:
Add-ADPermission Quarantine –User n.mota –AccessRights ReadProperty, WriteProperty –Properties “Personal Information”
Accessing Shared Mailboxes
Since I now have full access permissions to this shared mailbox, one method for accessing it is to add it as an additional mailbox within Outlook. To do that:
• Open Outlook
• Go to Tools and click on Account Settings...
• Make sure your e-mail address is select and click on Change...
• Click on More Settings...
• Go to the Advanced tab and on the Open these additional mailboxes add the shared mailbox
This is the best method if you use the shared mailbox a lot as this allows you to read e-mails from the shared mailbox and sending as that e-mail address when desired. Unfortunately, this method will not save items sent as that mailbox to its Sent Items folder. All items sent or deleted within Outlook will be stored in the primary mailbox's Sent or Deleted Items folder.
This is something that doesn’t make sense to me and I hope to see it changed on the next version of Outlook.
You can also create a separate e-mail profile for Outlook to work with just this mailbox, thus preventing the previous “issue”.
The other option you have is, of course, to use Outlook Web Access (OWA). To open the shared mailbox, and since I already have full access permissions to it, I can open it by simply adding the quarantine@letsexchange.com e-mail address to the end of my normal OWA URL and authenticating using my normal domain credentials, like: https://htcas1/owa/quarantine@letsexchange.com
Either way, that also creates an enabled user account on Active Directory (AD) that users could use to login to a workstation, which is not very secured.
With Exchange 2007 and 2010 we have a new kind of mailboxes, a shared mailbox. A shared mailbox has a disabled AD account to which it is connected. Since the account is disabled, you don’t need to set a password and you can’t use it to login to a workstation! So, they act as a security measure. You will no longer be required to have extra username/password combinations for accessing your network. You can easily assign permissions specifically to those users requiring access.
However, you can’t create these accounts by the Exchange Management Console (EMC)... So, let’s fire up the shell!
Creating a Shared Mailbox
The process to create a share mailbox is exactly the same as a regular mailbox, with the exception of the option –Shared on the New-Mailbox command. For example, let’s create a shared mailbox to where all the quarantined e-mails will go to:
New-Mailbox –Name Quarantine –Alias quarantine –OrganizationalUnit “letsexchange.com/Users” –Database “Mailbox Database” –UserPrincipalName quarantine@letsexchange.com -Shared
This way, a disabled AD account will be created in the Organizational Unit Users with an attached mailbox. Since the account is disabled by default, no password is required.
Permissions
Since we don’t want to associate a password with a shared mailbox, we have to grant mailbox permissions for the users who require access to them.
We can assign permissions using security groups or just simply to users. To give me access to the Quarantine mailbox, all I have to do is:
Add-MailboxPermission Quarantine –User n.mota –AccessRights FullAccess
Now I have full access permissions to it. However, I’ll probably also want Send-As rights so that I can send e-mails with the shared mailbox's e-mail address.
Add-ADPermission Quarantine –User n.mota –ExtendedRights Send-As
You may want to add permissions to read/write personal information so that users can setup delegates if needed:
Add-ADPermission Quarantine –User n.mota –AccessRights ReadProperty, WriteProperty –Properties “Personal Information”
Accessing Shared Mailboxes
Since I now have full access permissions to this shared mailbox, one method for accessing it is to add it as an additional mailbox within Outlook. To do that:
• Open Outlook
• Go to Tools and click on Account Settings...
• Make sure your e-mail address is select and click on Change...
• Click on More Settings...
• Go to the Advanced tab and on the Open these additional mailboxes add the shared mailbox
This is the best method if you use the shared mailbox a lot as this allows you to read e-mails from the shared mailbox and sending as that e-mail address when desired. Unfortunately, this method will not save items sent as that mailbox to its Sent Items folder. All items sent or deleted within Outlook will be stored in the primary mailbox's Sent or Deleted Items folder.
This is something that doesn’t make sense to me and I hope to see it changed on the next version of Outlook.
You can also create a separate e-mail profile for Outlook to work with just this mailbox, thus preventing the previous “issue”.
The other option you have is, of course, to use Outlook Web Access (OWA). To open the shared mailbox, and since I already have full access permissions to it, I can open it by simply adding the quarantine@letsexchange.com e-mail address to the end of my normal OWA URL and authenticating using my normal domain credentials, like: https://htcas1/owa/quarantine@letsexchange.com
Or, by logging in to OWA with my normal account and opening this mailbox using the arrow besides my name on the top right hand corner.
Notes:
• The icon on the Exchange Console for a shared mailbox differs from the one for a regular mailbox;
• When check on the Exchange Console, you can see the difference on the Recipient Type Details column: User Mailbox vs Shared Mailbox;
• It’s possible to convert existing mailboxes into shared mailboxes! To do that, all that you need to do is: Set-Mailbox n.mota –Type Shared;
• To convert it back to a regular mailbox, just use the –Type Regular option.
Hi am having problem, i did exactly above steps but when i try to open owa shared mailbox (quarantine) - it wont let me open the email msg. Error is as below. Pls help. tnx, JM
ReplyDeleteThe item you tried to access no longer exists.
The item wasn't found. You or a delegate might have moved or deleted it using another computer or a mobile phone.
Hi,
ReplyDeleteSo you can access the Quarantine mailbox but you can't open an e-mail in it, correct? Does this happen to every e-mails on that mailbox or just one?
Did someone else mark it as private? This sometimes happens in mailboxes where more than one person have access to...
Regards,
Nuno
Hi,
ReplyDeletedoes Exchange Active Sync work as well with disabled AD-Accounts?
Regards,
Mike
Hi Mike,
ReplyDeleteIt doesn't unfortunately... You can't use POP, IMAP or ActiveSync with Shared mailboxes.
Regards,
Nuno
Hi Nuno,
ReplyDeleteIs there away to see who has accessed the shared mailbox? To have some accountability? see who sent a specific email?
Thanks
Eric
Hi Eric,
DeleteWhat version of Exchange are you running?
If you are running Exchange 2010 SP1 or Exchange 2013, check this post: http://letsexchange.blogspot.co.uk/2012/03/auditing-mailbox-access-in-exchange.html
It's really easy to configure and it allows you to get the information you are looking for!
Let me know how it goes.
Regards,
Nuno
Hi Alex,
ReplyDeleteSince a shared mailbox will be shared between multiple users, is there a way we can have per user read/unread views. Because it may happen that if one person has read it, it may appear as read in the shared mailbox, another user may skip it thinking that he has already read the mail.
Regards,
Rosh
Hi Rosh,
DeleteNo, unfortunately that is not possible, only in Public Folders... I guess that is a good thing in some scenarios, as users will be able to see what see e-mails have already been read or dealt with (think of a ServiceDesk mailbox for example).
Best regards,
Nuno
Hi there, we this address which is a distribution list ( a security permission) and we want to convert it to a shared mail box. is that possible?
ReplyDeleteThank you
Hi,
DeleteNo, you cannot convert a distribution list into a mailbox I'm afraid... The best way to do this is delete the distribution list and create a mailbox with the same SMTP address. However, don't forget to copy the legacyExchangeDN of the distribution list and add it as an X500 address to the new mailbox.
Hope this helps.
Best regards,
Nuno
Do I still need an Active Directory license (the disabled account) for a Shared Mailbox ?
ReplyDeleteBest regards,
Arnold
Hi Arnold,
DeleteWhat do you mean by AD license? All Shared Mailboxes need an AD account. Do you mean an Exchange CAL?
Best regards,
Nuno
An AD account which is disabled also counts for the licensing ?
ReplyDeleteIf you are referring to Exchange CALs, I believe Shared mailboxes do not need a CAL even though the Get-ExchangeServerAccessLicenseUser says they do.
DeleteOk Nuno, thanks.
ReplyDeleteAnd what about the disabled license in Windows in the AD ?
I am not 100% sure to be honest, I'm sorry...
DeleteIs there a way to have the Replies that are sent by the users with FullAccess and SendAs permission be saved into the shared accounts Sent Items instead of the users?
ReplyDeleteTIA,
jjn
Hi JJN,
DeleteThe following link will provide information on how to do this in Exchange 2010 and 2013: http://blogs.technet.com/b/exchange/archive/2015/03/03/want-more-control-over-sent-items-when-using-shared-mailboxes.aspx
Regards,
Nuno
Is there a way to have the Reply sent by a user with FullAccess and SendAs permission saved into the Sent Items of the shared account instead of the users Sent Items folder?
ReplyDeleteThanks,
Jon
Hi Jon,
DeleteApologies for the delay in reply to you...
What version of Exchange are you running?
Regards,
Nuno
Hello Jon,
DeleteIf you are using Exchange 2010 SP3 you can set an attribute on those sent items. The default is the "Sender" which is the user whom sent the message. You can change this to "From" which is the shared-mailbox or both "SenderAndFrom" which will record the sent message in both locations. Hope this helps!
Hi,,
ReplyDeleteIs it possible to use shared mailbox for user outside of the AD, organisationen, Internet user..
I'm afraid not, unless you give them remote access to OWA and a mailbox with full access to the shared mailbox...
DeleteIs the shared mailbox account, disabled by default or do you need to manually disable it. Also is a password needed on the account or can we just leave it blank. or expire the account?
ReplyDeleteHi,
DeleteWhen you create a shared mailbox, the AD account is disabled by default, so it does not need a password. That is why you don't have to specify a password when creating a shared mailbox :)
Regards,
Nuno
If i need a password for shared mailbox, where should i get it set ?
ReplyDeleteFirst you need to convert the mailbox to a "normal" mailbox (Set-Mailbox "mailbox" -Type Regular) and then reset its password in Active Directory.
DeleteCan you create a shared mailbox where a universal sec group can have full access while an other group can only read and send mails but not delete? Thanks
ReplyDeleteHi Farrugiaa,
DeleteI've never tested it, but in theory yes. You can use the Add-MailboxPermission to give a Security Group FullAccess permissions to a mailbox, and the Add-MailboxFolderPermission to give a Mail-Enabled Security Group ReadItems or ReadItems to the shared mailbox's Inbox folder for example.
Regards,
Nuno