Exchange Interview

Understanding & Configuring
Mailbox Access Delegation

in the UMROOT Forest
Table of Contents
Introduction ................................................................................................................................. 2
Terminology................................................................................................................................. 2
Requirements............................................................................................................................... 3
How to Delegate Access to Your Calendar or a Folder ........................................................ 4
How To Assign Send On Behalf Permissions Using the Outlook Delegation Wizard 6
Why the Warning About the Delegation Wizard?.............................................................. 8
How to Delegate Access as an Administrator ..................................................................... 10
Administrator: How To Assign the Send On Behalf Permission ...................................... 10

Administrator: How To Assign the Send As Permission.................................................... 12
Troubleshooting Outlook Configurations........................................................................... 13
References................................................................................................................................... 16
Page 1 of 17 Delegation.doc Revised 6/19/06

Exchange Technical Library
http://www.umich.edu/~lannos/exchange/etl.html
Introduction
Each user has a single mailbox on an Exchange Server and that user is considered the
owner of the mailbox. However, there are several scenarios that require that other users
have access to mailboxes other than their own. This includes resource mailboxes (such
as conference rooms) or assistants who need to manage items (such as the calendar) in
another user’s mailbox. The process of delegation allows for these types of scenarios.
There are several ways to delegate access to a mailbox. Outlook 2003 users can delegate
access directly from their Outlook session. Administrators can also delegate access.
This paper explains the delegation process and limitations for each method. This paper
also only provides configuration examples for Outlook 2003. Older versions of Outlook
will not be addressed. References are provided at the end of the paper for additional
information on using Outlook and Outlook Web Access (OWA) to view another
person’s mailbox items.
Terminology
The Exchange mailbox is the part of the Exchange mail store that holds the data for a
single account (such as a user or a resource) in Active Directory (AD). The mailbox
owner can login-to and has full control of an Exchange mailbox. Mailbox ownership is
established when an administrator mailbox-enables (creates a mailbox for) an account
in AD.
A mailbox owner or an administrator can delegate access to other accounts. The level of
access varies according to the process used for delegation. The mailbox delegate can
then perform the allowed actions within the delegated mailbox.
There are multiple delegation options available. Some of the most commonly used
options include the ability to read or manage another user’s calendar and to send mail
as another user. This document will outline how to configure delegation for these
commonly used options. (See the References section at the end of this document for
additional information about other options.)
There are two access levels for sending mail as another user. The most commonly used
is the Send On Behalf permission. This allows the delegate to send mail on behalf of the
mailbox owner. The message sent by the delegate indicates the sender “on behalf of”
the owner. For example, the message received would be From: User, Joe on behalf of
User, Sam. The Send On Behalf permission can be granted using the Outlook interface

or by an administrator. The second access level is the Send As permission. This allows
the delegate to send mail as if they were the mailbox owner. The message sent does not
indicate the sender was anyone other than the mailbox owner. This permission can
only be granted by an administrator.
Requirements
• The mailbox owner can only delegate access from within Outlook.
• Delegating access to read or manage a calendar can only be done from within
Outlook or using Entourage 2004 with Service Pack 2.
• An administrator will need permission to access Active Directory user properties
in order to delegate Send On Behalf or Send As permissions. Please see the How
to Delegate Access as an Administrator section of this document.
• The mailbox delegate can access the delegated mailbox using Outlook, Microsoft
Entourage 2004, or Outlook Web Access.
• Outlook Web Access only supports read-only access to a delegated mailbox.
• IMAP, Outlook Mobile Access (OMA) and Exchange ActiveSync clients do not
support delegate access.
• Microsoft recommends the mailbox owner and the delegate use the same client
versions (including hotfixes and service packs) when accessing a delegated
mailbox.

How to Delegate Access to Your Calendar or a Folder
There is more than one way to delegate access to your calendar. Below is one method
you can use to do this. For another method, see the ITCS Documentation # S4327-F
(http://www.itd.umich.edu/itcsdocs/s4327/s4327-f.pdf). The method outlined here
can be used on any folder in your Exchange mailbox, not just your calendar, but for this
illustration, we will delegate read-only access to your calendar.
From the Folder List view, right-click the Calendar icon and select Properties.
From the Calendar Properties dialog box, select the Permissions Tab.

Click the Add button to add the user to be delegated access.
From the Add Users dialog, select the user name from the Global Address List. Only
accounts that are mail-enabled or mailbox-enabled (i.e., appear in the Global Address
List) can be delegated access.
Click the Add button and then the OK button.
Then assign the necessary permissions to this user by selecting Reviewer in the
Permission Level drop-down box.
Click the OK button to save your changes and exit Calendar Properties.

How To Assign Send On Behalf Permissions Using the Outlook Delegation Wizard
The Outlook Delegation Wizard is used to delegate the Send On Behalf permission.
While the Delegation Wizard may also be used to delegate other items (such as your
Calendar or your Tasks), it should not be used if Send On Behalf permissions are not
intended. See the next section (Why the Warning About the Delegation Wizard) for
further information about why this is important.
Select Tools > Options from the Outlook Menu Bar
Select the Delegates Tab
Click the Add button and pick the account to delegate to from the Global Address List.
Only accounts that are mail-enabled or mailbox-enabled (i.e., appear in the Global
Address List) can be delegated access.

In the Delegate Permissions dialog box, select the desired permissions. The default
permissions are shown in the screen-shot above, however, you may wish grant or deny
specific permissions based on your needs. Please note that even if all the items are set
to None, the Send On Behalf permission will still be delegated.
There are several permission levels available in the drop-down boxes:

• Editor (can read, create, and modify items)
• Author (can read and create items)
• Reviewer (can read items)
• None
The Automatically send a message to delegate summarizing these permissions

checkbox is helpful to inform the delegate that you have granted them access.

Why the Warning About Using the Delegation Wizard?
As illustrated in the above example, the delegation wizard appears to allow the user to
grant no access to the Inbox. However, even though you may indicate “None” for
Inbox access, the delegate will still be able to send messages on your behalf! Definitely
undesirable behavior!
Is this a bug? Well, yes and no. If you read the text at the top of the Delegates tab, it
explains the issue. But how many of us read dialog boxes anyway?
To make this problem more confusing, if the mailbox owner checks the permissions set
for their Inbox folder, it indicates that the delegate has no permissions to the Inbox! The
following example illustrates this situation.
After using the delegation wizard to delegate default access, right-click the Inbox icon
and select Properties.

Click the Permissions tab.
The delegate permission level is listed as “None”. Seems like there would be no Send
on Behalf permissions allowed. But we know that’s not true. So, next you think you
can just remove this account from this permissions list and solve the issue, right?
Wrong again!
Select the delegated account in the Permissions tab, click the Remove button and click
OK. However, you find that the delegated account can still send mail on your behalf!
If an administrator checked the properties of the owner’s account in Active Directory,

they will find the following:
So, trust us when we say to use the delegation wizard with extreme caution!

How to Delegate Access to a Mailbox as an Administrator
Note: These tasks require certain levels of administrative permissions in Active

Directory and the use of an Exchange-aware Active Directory Users and Computers
snap-in.
Administrator: How To Assign the Send On Behalf Permission to Another User
In order to perform these steps, an administrator must be an OUAdmin for the Accounts
and/or the Organizations OU. Most OUAdmins and ITCom Customer Service
Representatives (CSR’s) have the necessary permissions.
Using Active Directory Users and Computers, open the Properties of the account that
owns the Mailbox.
Select the Exchange General tab.
Click the Delivery Options button.

In the Send on behalf section, click the Add button and choose the account which will
have this permission.
Click OK.

Administrator: How To Assign the Send As Permission to Another User
Send As delegation must be assigned by a central Exchange Administrator for both Full
Serve and Self Serve Exchange units. Follow the steps below to request that this
delegation be set up.
1. Make sure that the user for whom you are requesting a Send As delegate
understands the magnitude of the access being requested. When an e-mail
message is received from a user with Send As delegation privileges on a mailbox,
the delegates name does NOT appear on the e-mail message, so the message
appears to come directly from the delegated mailbox, even though the owner of
that mailbox may not be aware that the message was sent.
2. Use the Exchange Request form at

https://www.itd.umich.edu/exchange/exchange-request.html to make your
request.
3. Notify both the delegate and the owner of the delegated mailbox.
NOTE: Consider using Send On Behalf delegation whenever possible. It’s simpler to
set up and has a mechanism for knowing the true sender of the e-mail.

Troubleshooting Outlook Configurations
There are occasions when delegation fails. There are numerous reasons for failure,
however, we’ve found that it generally involves permissions and can be resolved by
changing the Outlook login behavior.
How to Configure Outlook to Always Prompt for Username and Password
In Windows, open the Control Panel and select the Mail applet.
In the Mail Setup dialog box, click the E-mail Accounts button.
In the E-Mail Accounts wizard, select View or change existing e-mail accounts.
Click Next.

Select the Microsoft Exchange Server and click the Change button.
Click the More Settings button.

Select the Security tab.
Check the Always prompt for user name and password checkbox.
Click OK.

References
General References
Microsoft Office Outlook 2003 Help (search on “delegate”).
Microsoft’s Outlook website: http://www.microsoft.com/office/outlook.
Running Microsoft Outlook 2003, from Microsoft Press.
Technical References
Microsoft TechNet website: http://www.microsoft.com/technet.
Microsoft TechNet “Exchange Server Chapter 9 – Understanding Mailbox Access

Delegation”.
Microsoft TechNet “Directory Services: Windows Server 2003 – How the Global
Catalog Works”.
Microsoft Premier Support Case SRX050112600269 (U-M Premier Support

Members Only).
Microsoft Office 2003 Resource Kit, “Setting Up Outlook 2003 Cached Exchange
Mode Accounts”.
Microsoft Knowledge Base 327000 – How to grant “Send as” and “Send on
behalf” permissions in Exchange 2000 Server.
Microsoft Knowledge Base 329622 – ‘Send As’ permission is not assigned to a

user after you delegate access in Outlook.
Microsoft Knowledge Base 319206 – How to configure Outlook to a specific

global catalog server or to the closest global catalog server.
Microsoft Knowledge Base 811646 – Cannot grant delegate writable access to a

mailbox for an OWA client.

Microsoft Knowledge Base 290824 – How to open another user’s calendar or
another folder in Outlook 2002.
Microsoft Knowledge Base 821900 – How to open another user’s calendar by

using Exchange Server 2003 Outlook Web Access.
Microsoft Knowledge Base 829217 – Considerations when you use the Delegate
Access feature in Microsoft Outlook.
Microsoft Knowledge Base 826968 – You may receive an error message when a
delegate tries to view a message in your Inbox in Outlook 2003 or Outlook 2002.
Microsoft Knowledge Base 309185 – Meetings that are placed in an owner’s

calendar by a delegate do not display free/busy information for additional
meeting attendees in Outlook.
WindowsITPro (http://www.windowsitpro.com), “Knowing Which Clients

Work with Delegate Access” by Paul Robichaux. (InstantDoc # 44740).


Exchange Interview

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Exchange Interview

Uploaded by

Copyright:

Available Formats

Understanding & Configuring

Mailbox Access Delegation

How to Delegate Access to Your Calendar or a Folder ........................................................ 4

Why the Warning About the Delegation Wizard?.............................................................. 8

How to Delegate Access as an Administrator ..................................................................... 10

Administrator: How To Assign the Send On Behalf Permission ...................................... 10

Troubleshooting Outlook Configurations........................................................................... 13

Page 1 of 17 Delegation.doc Revised 6/19/06

Page 2 of 17 Delegation.doc Revised 6/19/06

Page 3 of 17 Delegation.doc Revised 6/19/06

Page 4 of 17 Delegation.doc Revised 6/19/06

Click the Add button and then the OK button.

Page 5 of 17 Delegation.doc Revised 6/19/06

Select Tools > Options from the Outlook Menu Bar

Select the Delegates Tab

Page 6 of 17 Delegation.doc Revised 6/19/06

There are several permission levels available in the drop-down boxes:

The Automatically send a message to delegate summarizing these permissions

Page 7 of 17 Delegation.doc Revised 6/19/06

Page 8 of 17 Delegation.doc Revised 6/19/06

If an administrator checked the properties of the owner’s account in Active Directory,

Page 9 of 17 Delegation.doc Revised 6/19/06

Note: These tasks require certain levels of administrative permissions in Active

Administrator: How To Assign the Send On Behalf Permission to Another User

Select the Exchange General tab.

Click the Delivery Options button.

Page 10 of 17 Delegation.doc Revised 6/19/06

Page 11 of 17 Delegation.doc Revised 6/19/06

2. Use the Exchange Request form at

Page 12 of 17 Delegation.doc Revised 6/19/06

How to Configure Outlook to Always Prompt for Username and Password

Page 13 of 17 Delegation.doc Revised 6/19/06

Click the More Settings button.

Page 14 of 17 Delegation.doc Revised 6/19/06

Select the Security tab.

Page 15 of 17 Delegation.doc Revised 6/19/06

Microsoft Office Outlook 2003 Help (search on “delegate”).

Microsoft’s Outlook website: http://www.microsoft.com/office/outlook.

Running Microsoft Outlook 2003, from Microsoft Press.

Microsoft TechNet website: http://www.microsoft.com/technet.

Microsoft TechNet “Exchange Server Chapter 9 – Understanding Mailbox Access

Microsoft Premier Support Case SRX050112600269 (U-M Premier Support

Microsoft Knowledge Base 329622 – ‘Send As’ permission is not assigned to a

Microsoft Knowledge Base 319206 – How to configure Outlook to a specific

Microsoft Knowledge Base 811646 – Cannot grant delegate writable access to a

Page 16 of 17 Delegation.doc Revised 6/19/06

Microsoft Knowledge Base 821900 – How to open another user’s calendar by

Microsoft Knowledge Base 309185 – Meetings that are placed in an owner’s

WindowsITPro (http://www.windowsitpro.com), “Knowing Which Clients

Page 17 of 17 Delegation.doc Revised 6/19/06

You might also like