Exchange 2016 Recipients Manage permissions for recipients

 

In this tutorial we are going to explore how to allocate permissions for mailboxes and groups in Exchange 2016 such that other users can open the mailbox, send mail from the mailbox, or allowed to send the mail from the group.

 

Over the Exchange Server 2016, you are permitted to use the Exchange admin center (EAC) or the Exchange Management Shell to allocate permissions to a mailbox or group such that other users can access the respective mailbox (the Full Access permission), or send email messages which appear to come from the mailbox or group . The users which are assigned with these permissions on other mailboxes or groups are known as delegates.

 

  • The permissions which you can assign to delegates for mailboxes and groups present in the Exchange are illustrated in the following given table:

 

Permission allotted

Illustration

Currently Available on objects in the EAC

Available on additional objects Present in the Exchange Management Shell

Currently Available delegate types in the EAC

Additional delegate categories available in the Exchange Management Shell

Full Access

Permits the delegate to open the mailbox, and access, add and remove the contents of the mailbox. This doesn’t permit the delegate to send messages from the mailbox.
 
In case you assign this permission to a mailbox which’s hidden from address lists, the delegate will not be able to open the mailbox. By default, automatic arbitration and the discovery mailboxes are properly hidden from address lists.
 
By default, automatically the mailbox auto-mapping
User mailboxes are
Linked mailboxes
Resource mailboxes are
Shared mailboxes
Arbitration mailboxes
Discovery mailboxes
Mailboxes along with user accounts
Mail users with accounts
Mail-enabled security groups.
User accounts which aren’t mail-enabled.
Global, universal, and domain local security groups which aren’t mail-enabled.
feature are used Autodiscover for automatically open the mailbox in the delegate’s Outlook profile (this is in addition to their own mailbox). In case you don’t wish this to happen, you require to take one among the following actions:
 
Use the Add-MailboxPermission cmdlet in the Exchange Management Shell to allot the Full Access permission with the -AutoMapping $false setting.
 
Allot the Full Access permission to a (mail-enabled) security group.The mailbox will not going to get open in the Outlook profile of each members.

Send As

Permits the delegate to transmits messages as if they gets generated directly from the mailbox or group. There’s no sign that the message was sent by the delegate.
 
Doesn’t permit the delegate to read the contents of the mailbox.
User mailboxes
Linked mailboxes
Resource mailboxes
Shared mailboxes
Distribution groups
Dynamic distribution groups
Mail-enabled security groups
n/a Mailboxes along with user accounts
Mail users with accounts
Mail-enabled security groups.
n/a

Sendon Behalf

permits the delegate to transmits messages from the mailbox or group. The From address of these messages clearly depicts that the message was sent by the delegate (” on behalf of “). But, replies to these messages are transmitted to the mailbox or group, not to the delegate.Doesn’t permit the delegate to read the contents of the mailbox. User mailboxes
Linked mailboxes
Resource mailboxes
Distribution groups
Dynamic distribution groups
Mail-enabled security groups
Shared mailboxes Mailboxes along with user accounts
Mail users with accounts
Mail-enabled security groups.
Distribution groups
n/a

 

Though you might use the Exchange Management Shell to allocate some or all of these allocated permissions to other kinds of delegate on other kinds of recipient objects, this topic oriented on the delegate and recipient object categories that produce useful results.

 

What do you require to know before you begin?

  •  Assumed estimated time to finish each procedure: 2 minutes.
  •  

  • To explore on how to open the Exchange Management Shell in on-premises Exchange organization.
  •  

  • Set of procedures in this topic needs specific permissions. See each procedure for its respective permissions information.
  •  

  • For information about keyboard shortcuts which might be applied on to the procedures.What do you wish to perform?To assign permissions to individual mailboxes, use the EAC.
  •  

  • In the EAC, click over the Recipients in the functional feature pane. Based on the type of mailbox which you wish to allocate permissions for, click on one among the following tabs:

 
Mailboxes : User or linked mailboxes.
Resources : Room or equipment mailboxes.
Shared : Shared mailboxes.
 

  • In the given list of mailboxes, choose the mailbox which you want to allocate the permissions for, and then click on Edit .
  •  

  • On the mailbox properties page which gets opens, click over the Mailbox delegation and configure one or more of the following mentioned permissions:

 

Send As:

 

  • The Messages are sent by a delegate appear to come from the mailbox.

 

Send on Behalf :

 

  • The Messages sent by a delegate have ” on behalf of ” in the From address. Kindly Note that this permission isn’t available in the EAC for shared mailboxes.

 

Full Access :

 

  • The delegate might get open the mailbox and perform anything except send messages.To allocate permissions over to the delegates, click on the Add under the appropriate permission. A dialog box displayed that lists the users or groups which can have the permission allotted to them. Choose the user or group from the list, and then click on the Add. Repeat this procedure as many times as required. You can also search for users or groups going on to the search box by entering all or part of the name, and then clicking on the Search . When you have completed selecting delegates, click on button OK.
  •  

  • To remove or truncate a given permission from a delegate, choose the delegate from the list under the appropriate permission, and then click on Remove .
  •  

  • When you have completed the task, click on to Save.Use the EAC to allocate permissions to multiple mailboxes at the same point of time1. In the EAC, traverse to the Recipients > Mailboxes.
  •  

  • Choose the mailboxes which you wish to allocate permissions for. Use click on the + Shift key + click over to select a range of mailboxes, or Ctrl key + click on to the select multiple individual mailboxes. The given title of the details pane changes to Bulk Edit as displayed in the given below diagram.

 

given title of the details pane changes to Bulk Edit

 

  • Please note that the mailboxes which you select need to be the same type.
  •  

  • For instance, if you select both user mailboxes and linked mailboxes, you are going to get a warning in the details pane which says bulk edit won’t work.3. At the bottom of the given details pane, click over the More options.

In the Mailbox Delegation option which appears, select the Add or Remove. Based on your selection, perform one among the following steps:o Add : In the Bulk Add Delegation dialog box which appears, click on the Add under the appropriate permission (Send As, Send on Behalf, or Full Access). When you are completed selecting users or groups to add as delegates, click on Save.
 

Remove :

 

  • In the Bulk Remove Delegation dialog box which appears, click on the Add under the appropriate permission (Send As, Send on Behalf, or Full Access). When you have completed selecting users or groups to truncate from the existing delegates, click on the Save.Use the EAC to allocate permissions to groups1. In the EAC, traverse to Recipients > Groups.
  •  

  • In the list of groups, choose the group which you wish to assign permissions for, and then click over toEdit .
  •  

  • On the group properties page which opens, click on the Group delegation and configure one among the following permissions:

 

Send As :

 

  • Messages sent via a delegate appear to come from the group.

 

Send on Behalf :

 

  • Messages sent via a delegate have ” on behalf of ” in the From address. To allot permissions to delegates, click on the Add under the appropriate permission. A dialog box will be displayed consisting of the lists the users or groups that might have the permission allocated to them. Choose the user or group from the list, and then click over the Add.
  •  

  • Repeat this procedure as many times as necessary. You might also search for users or groups in the search box by entering all or part of the name, and then clicking on the Search . When you have completed selecting delegates, click on OK.To delete or remove a permission from a delegate, choose the delegate present in the list under the appropriate permission, and then click on the Remove .

 

When you are finished the task, click on the Save.

 

  • Use the Exchange Management Shell to allocate the Full Access permission to mailboxesYou can use the Add-MailboxPermission and Remove-MailboxPermission cmdlets to control and manage the Full Access permission for mailboxes.

 

These cmdlets use the same fundamental basic syntax:

 

  • Add-MailboxPermission -Identity -User -AccessRights FullAccess -InheritanceType All [-AutoMapping $false]Remove-MailboxPermission -Identity -User -AccessRights FullAccess -InheritanceType AllThis example allots the delegate Raymond Sam the Full Access permission to the mailbox of Terry Adams.Add-MailboxPermission -Identity “Terry Adams” -User raymonds -AccessRights FullAccess -InheritanceType All
  •  

  • This example allocates Esther Valle the Full Access permission to the companies default discovery search mailbox, and restrains the mailbox from automatically opening in Esther Valle’s Outlook.Add-MailboxPermission -Identity “DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}” -User estherv -AccessRights FullAccess -InheritanceType All -AutoMapping $false
  •  

  • This instance assigns members of the Helpdesk mail-enabled security group the Full Access permission to the presently shared mailbox named Helpdesk Tickets.Add-MailboxPermission -Identity “Helpdesk Tickets” -User Helpdesk -AccessRights FullAccess -InheritanceType All
    This given example removes Full Access permission for Jim Hance from Ayla Kol’s mailbox.Remove-MailboxPermission -Identity ayla -User “Jim Hance” -AccessRights FullAccess -InheritanceType All

 

Please note:

 
In case you’ve already alloted the Full Access permission to a delegate in the EAC or without using the -AutoMapping $false setting onHow do you realize that this worked?To determine that you’ve assigned or deleted the Full Access permission for a delegate present over a mailbox, use either of the following procedures:• In the properties section of the mailbox in the EAC, determine the delegate is or isn’t listed in Mailbox delegation > Full Access.
 

  •  Execute the following command in the Exchange Management Shell to determine the delegate is or isn’t listed. Ensure to replace with the identity of the mailbox.
  •  

  • Get-MailboxPermission | where {$_.AccessRights -like ‘Full*’} | Format-Table -Auto User,Deny,IsInherited,AccessRightsUse the Exchange Management Shell to allocate the Send As permission to mailboxes and groupsFor utilizing the Add-AdPermission and Remove-AdPermission cmdlets to control and manage the Send As permission for mailboxes. These cmdlets uses the similar fundamental basic syntax:-Identity -User [-AccessRights ExtendedRight] -ExtendedRights “Send As”

 

Kindly note:

 

  • The Identity parameter requires you to use the Name or DistinguishedName (DN) value of the mailbox or group.
    Name This value might or might not be the same as the display name. For instance, Felipe Apodaca.
  •  

  • DistinguishedName This value might always includes the Name value and uses Active Directory LDAP syntax. For instance, CN=Felipe Apodaca,CN=Users,DC=contoso,DC=com.
  •  

  • To explore these values for a mailbox or group, you might use the Get-Recipient cmdlet, that accepts many distinguished values for the Identityparameter. For instance:Get-Recipient -Identity [email protected] | Format-List Name,DistinguishedName
  •  

  • The commands work along with or without -AccessRights ExtendedRight, that is why it’s shown as optional in the syntax.
    This example allocates the Send As permission to the Helpdesk mail-enabled security group on the shared mailbox named Helpdesk Support Team.Add-ADPermission -Identity “Helpdesk Support Team” -User Helpdesk -ExtendedRights “Send As”
  •  

  • This given example removes the Send As permission for the user Pilar Pinilla present on the mailbox of James Alvord.Remove-ADPermission -Identity “James Alvord” -User pilarp -ExtendedRights “Send As”

 

How do you know that this worked?

 
To determine that you’ve assigned or deleted the Send As permission for a delegate present on a mailbox or group, use either of the given procedures:
 

  • In the properties section of the mailbox or group present in the EAC, determine the delegate is or isn’t listed in Mailbox delegation > Send As or Group delegation > Send As.
  •  

  • Execute the following command in the Exchange Management Shell to determine the delegate is or isn’t listed. Ensure to replace with the name or different name of the mailbox or group.Get-ADPermission -Identity | where {$_.ExtendedRights -like ‘Send*’} | Format-Table -Auto User,Deny,ExtendedRightsUse the Exchange Management Shell to allocate the Send on Behalf permission to mailboxes and groups.

 

Try using the Set- cmdlets for the several mailbox and group cmdlets to manage and control the Send on Behalf permission for mailboxes and groups:

 

  • Set-Mailbox
  •  

  • Set-DistributionGroup Distribution groups and mail-enabled security groups.
  •  

  • Set-DynamicDistributionGroupThe fundamental syntax for these cmdlets is:-Identity -GrantSendOnBehalfTo
    can be one of among the following values:
  •  

  • To replace any existing delegates along with the values you mentioned, use the syntax ,…. In case the delegate determine the value contains spaces, you require to use quotation marks: “”,””….
  •  

  • To append the new delegates without affecting other existing entries, use the syntax @{Add=””,””…}.
  •  

  • To remove present delegates without impacting other delegates, use the syntax @{Remove=””,””…}.
  •  

  • To remove or erase all existing delegates, use the value $null.This given example allocates the delegate Holly Holt the Send on Behalf permission to the mailbox of Sean Chai.
    Set-Mailbox -Identity [email protected] -GrantSendOnBehalfTo hollyh

 

This example appends the group named Temporary Executives to the list of delegates which have Send on Behalf permission to the Contoso Executives shared mailbox.

 

  • Set-Mailbox “Contoso Executives” -GrantSendOnBehalfTo @{Add=”[email protected]”}
  •  

  • This example allocatess the delegate Sara Davis the Send on Behalf permission to the Printer Support distribution group.
  •  

  • Set-DistributionGroup -Identity [email protected] -GrantSendOnBehalfTo sarad
  •  

  • This example deletes the Send on Behalf permission which was assigned to the administrator on the All Employees dynamic distribution group.
  •  

  • Set-DynamicDistributionGroup “All Employees” -GrantSendOnBehalfTo @{Remove=”Administrator”}

 

How will you know that this worked?

To determine that you’ve allocated or removed the Send on Behalf permission for a delegate present on a mailbox or group, use either of the following given procedures:

 

  • In the properties of the mailbox or group in the EAC, determine the delegate is or isn’t listed in Mailbox delegation > Send As or Group delegation > Send As.
  •  

  •  Execute the one among the following commands present over the Exchange Management Shell to determine the delegate is or isn’t listed.
  •  

  • Ensure to replace or with the identity of the mailbox or group.o For Mailbox:
  •  

  • Get-Mailbox -Identity | Format-List GrantSendOnBehalfTo
  •  

  • For Group:Get-DistributionGroup -Identity | Format-List GrantSendOnBehalfTo
  •  

  • For Dynamic distribution group:Get-DynamicDistributionGroup -Identity | Format-List GrantSendOnBehalfTo

Kristin is a content strategist at Techarex Networks. Kristin follows the B2B technology space closely and loves to write on the latest changes in technology, futuretech and fixes for day to day how to issues. Besides writing Kristin also loves music, moves and skating.

Techarex Networks provides the complete range of Hosted Exchange solutions and services, giving access to reliable, secure, messaging and collaborative enterprise-grade solutions having 99.999% uptime with unmatched SLA. Provide enterprise-level sync with Outlook Web App and mobile devices. Anywhere, anytime access using Instant Message and video calling integration.