Outlook Delegate permissions with Exchange 2010 RBAC.

Environment:

Exchange 2010
Windows 2008
Outlook 2007 Service Pack 2

Issue:

A mailbox-enabled user has the following permissions on a room mailbox:

- Full Access Permission
- Send As Permission

When this user tries to give another user delegate permissions to the room mailbox, it fails with the Outlook dialog box below.

Error:

"The Delegates settings were not saved correctly. Cannot activate send-on-behalf-of-list. You do not have sufficient permission to perform this operation on this object"

Resolution:

- [ Create a new ManagementRole named "GrantSendOnBehalf" ]
--------------------------------------------------------------------------
New-ManagementRole -Name "GrantSendOnBehalf" -Parent "Mail Recipients"

- [ Remove all cmdlets except "Set-Mailbox" and "Get-Mailbox" ]
------------------------------------------------------------------------
Get-ManagementRoleEntry "GrantSendOnBehalf\*" | where {($_.Name -notlike "Set-Mailbox") -and ($_.Name -notlike "Get-Mailbox")} | Remove-ManagementRoleEntry

- [ Reduce the parameters that Set-Mailbox can use on role GrantSendOnBehalf ]
-----------------------------------------------------------------------------------------------
Set-ManagementRoleEntry "GrantSendOnBehalf\Set-Mailbox" -Parameters GrantSendOnBehalfTo, Identity

- [ Verify that only the expected cmdlets are available ]
-------------------------------------------------------
Get-ManagementRoleEntry "GrantSendOnBehalf\*"

- [ Create a role group (a universal security group) named "Delegate GrantSendOnBehalf Mailboxes" and add the role to it ]
---------------------------------------------------------------------------------------------------
New-RoleGroup -Name "Delegate GrantSendOnBehalf Mailboxes" -Roles "GrantSendOnBehalf"
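The steps above as one script, added here as example code that is not part of the original post: it builds the role the same way, then attaches a custom recipient write scope so that role members can only change GrantSendOnBehalfTo on room mailboxes, which narrows the exposure Dirk describes in the comments below. It assumes the Exchange 2010 Management Shell (PowerShell 2.0 syntax); the scope name "Room Mailboxes Only" and the delegating user "userA" are placeholders.

```powershell
# Added example, not from the original post. Assumes the Exchange 2010
# Management Shell; "Room Mailboxes Only" and "userA" are placeholder names.
$RoleName  = "GrantSendOnBehalf"
$GroupName = "Delegate GrantSendOnBehalf Mailboxes"
$ScopeName = "Room Mailboxes Only"

# 1. Derive the role from "Mail Recipients" and keep only Get-/Set-Mailbox.
New-ManagementRole -Name $RoleName -Parent "Mail Recipients"
Get-ManagementRoleEntry "$RoleName\*" |
    Where-Object { ($_.Name -ne "Set-Mailbox") -and ($_.Name -ne "Get-Mailbox") } |
    Remove-ManagementRoleEntry -Confirm:$false

# 2. Limit Set-Mailbox to the two parameters the Outlook delegate dialog needs.
Set-ManagementRoleEntry "$RoleName\Set-Mailbox" -Parameters Identity, GrantSendOnBehalfTo

# 3. Recipient write scope: the role may only modify room mailboxes, not any mailbox.
New-ManagementScope -Name $ScopeName `
    -RecipientRestrictionFilter { RecipientTypeDetails -eq "RoomMailbox" }

# 4. Role group that holds the role inside that write scope; add the delegating user.
New-RoleGroup -Name $GroupName -Roles $RoleName -CustomRecipientWriteScope $ScopeName
Add-RoleGroupMember -Identity $GroupName -Member "userA"

# 5. Verification: two role entries, Set-Mailbox with two parameters, scoped assignment.
Get-ManagementRoleEntry "$RoleName\*" | Format-Table Name, Parameters -AutoSize
Get-ManagementRoleAssignment -RoleAssignee $GroupName |
    Format-List Role, RecipientWriteScope, CustomRecipientWriteScope
```

The scope still covers every room mailbox, not only those the member holds Full Access on, because RBAC scopes filter on recipient properties rather than per-mailbox ACLs; it shrinks the blast radius but does not remove the need to review role group membership.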


More information:

Role Based Access Control (RBAC) is the new permissions model in Microsoft Exchange Server 2010. With RBAC, you don't need to modify and manage access control lists (ACLs), which was done in Exchange Server 2007. ACLs created several challenges in Exchange 2007, such as modifying ACLs without causing unintended consequences, maintaining ACL modifications through upgrades, and troubleshooting problems that occurred due to using ACLs in a nonstandard way.

RBAC enables you to control, at both broad and granular levels, what administrators and end-users can do.

RBAC also enables you to more closely align the roles you assign users and administrators to the actual roles they hold within your organization. In Exchange 2007, the server permissions model applied only to the administrators who managed the Exchange 2007 infrastructure. In Exchange 2010, RBAC now controls both the administrative tasks that can be performed and the extent to which users can now administer their own mailbox and distribution groups.

RBAC has two primary ways of assigning permissions to users in your organization, depending on whether the user is an administrator or specialist user, or an end-user: management role groups and management role assignment policies. Each method associates users with the permissions they need to perform their jobs. A third, more advanced method, direct user role assignment, can also be used.


Understanding Role Based Access Control
https://technet.microsoft.com/en-us/library/dd298183.aspx

Comments

  • Anonymous
    March 23, 2015
    Awesome! Concise, free from clutter, easy to understand RBAC management. Thanks Peter.

  • Anonymous
    February 02, 2016
    Hi Peter. I think the problem is that the user can add himself as GrantSendOnBehalfTo to any mailbox, not only to mailboxes on which he has Full Access Permission. set-mailbox userA -GrantSendOnBehalfTo UserB (tested on Exchange 2013 CU11). Kind regards, Dirk