Microsoft Exchange: Cannot Access Mailbox Granted Via Group Membership
In Microsoft Exchange Server 2007 and above, 'Full Access' permissions are granted on a mailbox to an Active Directory security group (as opposed to a user). However, the users (or some of the users) in the security group cannot access the mailbox via Outlook.
This may occur if permissions on the mailbox were previously assigned to individual users, and those named users were removed from the mailbox when the group was added.
This causes a problem because when a user's full access to a mailbox is removed using the Manage Full Access Permission wizard in Exchange Management Console, two commands are executed: a 'Remove-MailboxPermission' command, which deletes the 'FullAccess' rights, and an 'Add-MailboxPermission' command, which adds a 'Deny' right to the mailbox.
Thus, when the user is later granted access to the mailbox via group membership, the 'Deny' entry takes precedence.
To determine if this is the case, open Exchange Management Shell in elevated mode and enter:
Get-MailboxPermission -Identity <Mailbox>
This will show all permissions on the mailbox. Entries where the Deny column is set to True are of interest.
The simplest workaround is to use the Manage Full Access Permission wizard to add the user(s) back to the list. The drawback is that they will then keep access to the mailbox even if they are removed from the security group. To fix the permissions properly, use the 'Remove-MailboxPermission' cmdlet to remove the 'Deny' entries.
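The check and the fix described above can be combined as follows. This is an added example, not part of the original article: 'SharedMailbox' is a placeholder mailbox identity, and the script assumes an elevated Exchange Management Shell session.

```powershell
# Added example. 'SharedMailbox' is a placeholder; substitute the affected mailbox.
$Mailbox = 'SharedMailbox'

# Find explicit Deny entries that cover FullAccess.
# Inherited entries are skipped: they are set on a parent object, not on this
# mailbox, and are not the entries left behind by the wizard on the mailbox.
$denies = Get-MailboxPermission -Identity $Mailbox |
    Where-Object {
        $_.Deny -eq $true -and
        $_.IsInherited -eq $false -and
        ($_.AccessRights -match 'FullAccess')
    }

if (-not $denies) {
    Write-Host "No explicit Deny FullAccess entries found on '$Mailbox'."
}
else {
    # Show exactly which entries would be removed, for review.
    $denies | Format-Table User, AccessRights, Deny, IsInherited -AutoSize

    foreach ($ace in $denies) {
        # -Deny targets the Deny entry rather than an Allow entry.
        # -WhatIf only reports the action; nothing is changed yet.
        Remove-MailboxPermission -Identity $Mailbox `
            -User $ace.User.ToString() `
            -AccessRights FullAccess `
            -Deny `
            -WhatIf
    }
}
```

Once the listed entries are confirmed to be the stale per-user Deny entries, run the loop again without -WhatIf, then re-run Get-MailboxPermission to verify that only the group's FullAccess entry remains for those users.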