Table of Contents
Introduction
Terminology
Requirements
How To Assign Send On Behalf Permissions Using the Outlook Delegation Wizard
References
Each user has a single mailbox on an Exchange Server and that user is considered the
owner of the mailbox. However, there are several scenarios that require that other users
have access to mailboxes other than their own. This includes resource mailboxes (such
as conference rooms) or assistants who need to manage items (such as the calendar) in
another user’s mailbox. The process of delegation allows for these types of scenarios.
There are several ways to delegate access to a mailbox. Outlook 2003 users can delegate
access directly from their Outlook session. Administrators can also delegate access.
This paper explains the delegation process and limitations for each method. It
provides configuration examples for Outlook 2003 only; older versions of Outlook
are not addressed. References are provided at the end of the paper for additional
information on using Outlook and Outlook Web Access (OWA) to view another
person’s mailbox items.
Terminology
The Exchange mailbox is the part of the Exchange mail store that holds the data for a
single account (such as a user or a resource) in Active Directory (AD). The mailbox
owner can log in to and has full control of an Exchange mailbox. Mailbox ownership is
established when an administrator mailbox-enables (creates a mailbox for) an account
in AD.
A mailbox owner or an administrator can delegate access to other accounts. The level of
access varies according to the process used for delegation. The mailbox delegate can
then perform the allowed actions within the delegated mailbox.
There are multiple delegation options available. Some of the most commonly used
options include the ability to read or manage another user’s calendar and to send mail
as another user. This document will outline how to configure delegation for these
commonly used options. (See the References section at the end of this document for
additional information about other options.)
There are two access levels for sending mail as another user. The most commonly used
is the Send On Behalf permission. This allows the delegate to send mail on behalf of the
mailbox owner. The message sent by the delegate indicates the sender “on behalf of”
the owner. For example, the message received would be From: User, Joe on behalf of
User, Sam. The Send On Behalf permission can be granted using the Outlook interface
Requirements
• The mailbox owner can only delegate access from within Outlook.
• Delegating access to read or manage a calendar can only be done from within
Outlook or using Entourage 2004 with Service Pack 2.
• An administrator will need permission to access Active Directory user properties
in order to delegate Send On Behalf or Send As permissions. Please see the How
to Delegate Access as an Administrator section of this document.
• The mailbox delegate can access the delegated mailbox using Outlook, Microsoft
Entourage 2004, or Outlook Web Access.
• Outlook Web Access only supports read-only access to a delegated mailbox.
• IMAP, Outlook Mobile Access (OMA) and Exchange ActiveSync clients do not
support delegate access.
• Microsoft recommends the mailbox owner and the delegate use the same client
versions (including hotfixes and service packs) when accessing a delegated
mailbox.
There is more than one way to delegate access to your calendar. Below is one method
you can use to do this. For another method, see the ITCS Documentation # S4327-F
(http://www.itd.umich.edu/itcsdocs/s4327/s4327-f.pdf). The method outlined here
can be used on any folder in your Exchange mailbox, not just your calendar, but for this
illustration, we will delegate read-only access to your calendar.
From the Folder List view, right-click the Calendar icon and select Properties.
From the Calendar Properties dialog box, select the Permissions Tab.
From the Add Users dialog, select the user name from the Global Address List. Only
accounts that are mail-enabled or mailbox-enabled (i.e., appear in the Global Address
List) can be delegated access.
Then assign the necessary permissions to this user by selecting Reviewer in the
Permission Level drop-down box.
Click the OK button to save your changes and exit Calendar Properties.
The Outlook Delegation Wizard is used to delegate the Send On Behalf permission.
While the Delegation Wizard may also be used to delegate other items (such as your
Calendar or your Tasks), it should not be used if Send On Behalf permissions are not
intended. See the next section (Why the Warning About the Delegation Wizard) for
further information about why this is important.
Click the Add button and pick the account to delegate to from the Global Address List.
Only accounts that are mail-enabled or mailbox-enabled (i.e., appear in the Global
Address List) can be delegated access.
In the Delegate Permissions dialog box, select the desired permissions. The default
permissions are shown in the screen-shot above; however, you may wish to grant or deny
specific permissions based on your needs. Please note that even if all the items are set
to None, the Send On Behalf permission will still be delegated.
As illustrated in the above example, the delegation wizard appears to allow the user to
grant no access to the Inbox. However, even though you may indicate “None” for
Inbox access, the delegate will still be able to send messages on your behalf! Definitely
undesirable behavior!
Is this a bug? Well, yes and no. If you read the text at the top of the Delegates tab, it
explains the issue. But how many of us read dialog boxes anyway?
To make this problem more confusing, if the mailbox owner checks the permissions set
for their Inbox folder, it indicates that the delegate has no permissions to the Inbox! The
following example illustrates this situation.
After using the delegation wizard to delegate default access, right-click the Inbox icon
and select Properties.
The delegate permission level is listed as “None”. Seems like there would be no Send
on Behalf permissions allowed. But we know that’s not true. So, next you think you
can just remove this account from this permissions list and solve the issue, right?
Wrong again!
Select the delegated account in the Permissions tab, click the Remove button and click
OK. However, you find that the delegated account can still send mail on your behalf!
So, trust us when we say to use the delegation wizard with extreme caution!
In order to perform these steps, an administrator must be an OUAdmin for the Accounts
and/or the Organizations OU. Most OUAdmins and ITCom Customer Service
Representatives (CSRs) have the necessary permissions.
Using Active Directory Users and Computers, open the Properties of the account that
owns the Mailbox.
In the Send on behalf section, click the Add button and choose the account which will
have this permission.
Click OK.
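The Send On Behalf list, whether set from the Outlook Delegates tab or from the account's properties in Active Directory, is stored in the publicDelegates attribute of the mailbox owner's AD account, which is why the Inbox permission list is not the place to verify it. The following added example (not part of the original paper) parses an LDIF export of that attribute and reports delegations that are missing from an approved list; the sample records, all names and the approved list are constructed for illustration.

```python
import base64

# Constructed sample data; every DN below is made up for this example.
SAM = r"CN=User\, Sam,OU=People,DC=example,DC=edu"
JOE = r"CN=User\, Joe,OU=People,DC=example,DC=edu"
EVA = "CN=Müller\\, Eva,OU=People,DC=example,DC=edu"
ROOM = "CN=Room 101,OU=Resources,DC=example,DC=edu"
SAMPLE_LDIF = "\n".join([
    "dn: " + SAM,
    "changetype: add",
    "publicDelegates: " + JOE[:20],
    " " + JOE[20:],                      # folded continuation line
    "",
    "dn: " + ROOM,
    "publicDelegates:: " + base64.b64encode(EVA.encode("utf-8")).decode("ascii"),
    "publicDelegates: " + JOE,
])

def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def send_on_behalf_map(ldif_text):
    """Return {mailbox owner DN: [delegate DNs]} from publicDelegates values."""
    result, owner = {}, None
    for line in unfold(ldif_text):
        if not line:                     # blank line ends the current record
            owner = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):        # "attr:: <base64>", used for non-ASCII
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        value = value.strip()
        if attr.lower() == "dn":
            owner = value
        elif attr.lower() == "publicdelegates" and owner:
            result.setdefault(owner, []).append(value)
    return result

def unapproved(delegations, approved):
    """Return sorted (owner, delegate) pairs absent from the approved set."""
    return sorted((o, d) for o, ds in delegations.items() for d in ds
                  if (o.lower(), d.lower()) not in approved)
```

An export in this shape can be produced on a domain member with `ldifde -f delegates.ldf -r "(publicDelegates=*)" -l publicDelegates`, where the output file name is an assumption.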
Send As delegation must be assigned by a central Exchange Administrator for both Full
Serve and Self Serve Exchange units. Follow the steps below to request that this
delegation be set up.
1. Make sure that the user for whom you are requesting a Send As delegate
understands the magnitude of the access being requested. When an e-mail
message is received from a user with Send As delegation privileges on a mailbox,
the delegate's name does NOT appear on the e-mail message, so the message
appears to come directly from the delegated mailbox, even though the owner of
that mailbox may not be aware that the message was sent.
3. Notify both the delegate and the owner of the delegated mailbox.
NOTE: Consider using Send On Behalf delegation whenever possible. It’s simpler to
set up and has a mechanism for knowing the true sender of the e-mail.
There are occasions when delegation fails. There are numerous reasons for failure;
however, we’ve found that it generally involves permissions and can be resolved by
changing the Outlook login behavior.
In Windows, open the Control Panel and select the Mail applet.
In the Mail Setup dialog box, click the E-mail Accounts button.
In the E-Mail Accounts wizard, select View or change existing e-mail accounts.
Click Next.
Select the Microsoft Exchange Server and click the Change button.
Check the Always prompt for user name and password checkbox.
Click OK.
General References
Technical References
Microsoft TechNet “Directory Services: Windows Server 2003 – How the Global
Catalog Works”.
Microsoft Office 2003 Resource Kit, “Setting Up Outlook 2003 Cached Exchange
Mode Accounts”.
Microsoft Knowledge Base 327000 – How to grant “Send as” and “Send on
behalf” permissions in Exchange 2000 Server.
Microsoft Knowledge Base 829217 – Considerations when you use the Delegate
Access feature in Microsoft Outlook.
Microsoft Knowledge Base 826968 – You may receive an error message when a
delegate tries to view a message in your Inbox in Outlook 2003 or Outlook 2002.