Hello folks,
You have probably, more than once, explained the pros and cons of the different ways to assign permissions to Shared Mailboxes in Exchange and Exchange Online / Office 365.
The problem
You have two ways to go:
– The group method
This includes creating a group, assigning members to it and granting the group Full Access and Send As permissions on the Shared Mailbox. This is the simple and probably most correct way to assign permissions for end users to the Shared Mailboxes. However, it has one big drawback: you won’t get any auto mapping in Outlook. Bummer.
– The nasty “assign permissions directly to the Shared Mailbox ACL” method
This means you add the users directly into the ACL of the Shared Mailbox. Well, pretty simple to manage, at least if you just have a few Shared Mailboxes, but what if you have thousands of them? You won’t have a simple way to look at a user account and tell which Shared Mailboxes this particular user has access to. However, you will get the famous auto mapping feature of Outlook!
So, the IT department needs to choose between having the flu and having a constant headache, and that’s not an easy choice. But there is a solution.
The solution
I have created a script that reads the membership from groups and adds the members to the respective Shared Mailboxes, which means that you get what you want: both simple management and auto mapping in Outlook.
To use my solution a couple of things need to be in place. You need to have a correlation between the security group and the Shared Mailboxes. This means that by looking at the security group, you must have a way to, with 100% accuracy, find the corresponding Shared Mailbox.
In my case there is a prefix and suffix on the group names that are stripped to get the samaccountname of the Shared Mailbox. Look in the code and you will understand.
The script connects, finds the first group, strips off the prefix and suffix and then finds the Shared Mailbox. At that point the group membership and the Shared Mailbox ACL list are compared to get a list of differences, which is corrected in the next step.
This script can, of course, be used against Office 365 with just a small modification.
The script also creates a log file. It will, however, not fill up your hard drive as it only keeps two 10 Mb logfiles.
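The reconcile step described above, sketched as an added example (this is not the script from the TechNet Gallery link). The `SM-` prefix and `-FA` suffix are assumed naming conventions, it handles Full Access only, and it expects an on-premises Exchange Management Shell with the ActiveDirectory module loaded:

```powershell
#Requires -Modules ActiveDirectory
# Added example. Run from an on-premises Exchange Management Shell session.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Prefix = 'SM-',   # assumed group-name prefix
    [string]$Suffix = '-FA'    # assumed group-name suffix
)
# Fail closed: a failed AD lookup must never look like an empty group.
$ErrorActionPreference = 'Stop'
$pattern = '^{0}(?<mbx>.+){1}$' -f [regex]::Escape($Prefix), [regex]::Escape($Suffix)

foreach ($group in Get-ADGroup -Filter "Name -like '$Prefix*$Suffix'") {
    if ($group.Name -notmatch $pattern) { continue }
    $mbx = Get-Mailbox -Identity $Matches['mbx'] -ErrorAction SilentlyContinue
    if (-not $mbx -or "$($mbx.RecipientTypeDetails)" -ne 'SharedMailbox') {
        Write-Warning "Group $($group.Name): no matching Shared Mailbox, skipped"
        continue
    }
    # Desired state: user accounts in the group, nested groups expanded.
    $wanted = @(Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $_.SamAccountName })
    # Current state: explicit Allow entries for Full Access only.
    $current = @(Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and
            "$($_.AccessRights)" -match 'FullAccess' -and
            "$($_.User)" -notlike 'NT AUTHORITY\*' } |
        ForEach-Object { ("$($_.User)" -split '\\')[-1] })

    foreach ($user in ($wanted | Where-Object { $_ -notin $current })) {
        if ($PSCmdlet.ShouldProcess("$($mbx.Alias)", "Grant FullAccess to $user")) {
            Add-MailboxPermission -Identity $mbx.Identity -User $user `
                -AccessRights FullAccess -InheritanceType All -AutoMapping $true | Out-Null
        }
    }
    # Revoke access for anyone on the ACL who is no longer in the group.
    foreach ($user in ($current | Where-Object { $_ -notin $wanted })) {
        if ($PSCmdlet.ShouldProcess("$($mbx.Alias)", "Revoke FullAccess from $user")) {
            Remove-MailboxPermission -Identity $mbx.Identity -User $user `
                -AccessRights FullAccess -InheritanceType All -Confirm:$false
        }
    }
}
```

Run it with `-WhatIf` first: any account that was granted Full Access directly and is not a member of the group shows up as a pending revoke, which is the point at which to decide whether it belongs in the group.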
Sounds good? You can find the script here: https://gallery.technet.microsoft.com/PowerShell-script-for-fe189ccc
Need help? Contact me at magnus.goransson@altitude365.com
By Magnus Göransson
It’s not quite clear, how can you use this for Office365?
Helpful.
Pretty good post. I found your website just right for my needs. Thanks for sharing the great information. Good Luck!
Thanks for sharing at TECHNET GALLERY, but I read a lot of complaints that the script is not working right. Can you enlighten us/them?