Hi,
I understand that the script can be modified each time it's run with the users that need access, but in the case that a Help Desk person is creating the shared mailbox from the web interface this won't work. There would need to be a way to input which users need Full Access & Send As permissions from the web portal. In this case there will not be any access to the BR to modify the script.
You might think of adding a security group to AD that is managed via Adaxes in addition to the shared mailbox itself. Attach a business rule "after modify group" to that group which runs a script that will sync the group members to the shared mailbox permissions and access rights.
Permissions and access rights of the shared mailbox can then be managed by Help Desk staff via the AD group.
I think the drawback of an additional group in AD is worth the improvement in the help desk's day-to-day business. And, you can even put the member change task into the Self Service Portal so that users can register themselves for the shared mailbox (perhaps add approval to the business rule in that case).
Hope this is of any help. (Maybe the Adaxes scripting guys can provide a detailed HowTo?)
Greetings
Edit:
Here is what I implemented so far (most parts can be found in this forum - thanks for such a good source of great ideas, by the way).
Please be lenient as I am not an experienced PowerShell programmer...
Script CreateSharedMailbox
Will be run by a business rule after creating a user (the shared mailbox) in a certain LDAP context.
I mainly wanted to manage the rights for the calendar of that mailbox. You might change the appropriate parts of the script to change this.
The logical connection between the shared mailbox and the AD group to manage permissions on the shared mailbox is done via the CN of the shared calendar, which has to be identical to the CN of the group. Therefore the shared mailbox and the group have to reside in different OUs. If this is a problem, you might use some CustomAttribute to interconnect both objects.
Import-Module ActiveDirectory

$domainControllerFQDN = "ADserver.your.dom"     # TODO: modify me
$exchangeServer       = "mailserver.your.dom"   # TODO: modify me
$database             = "Mailbox Database NAME" # TODO: modify me

# Destination OU for the AD group that manages the permission holders
$GroupDN = "OU=...,OU=...,DC=...,DC=..." # TODO: modify me

# Identities must be accepted by both Add-MailboxFolderPermission and Add-MailboxPermission;
# an e-mail address works for both. %adm-ManagerEmail% is a custom attribute holding the manager's address.
$usersIdentity = @("%adm-ManagerEmail%") # TODO: you may add static calendar managers as additional array items

# Value references (%...%) are replaced by Adaxes before the script runs, so they must be quoted
$MBoxAlias      = "%cn%"
$MBoxFolderName = $MBoxAlias + ":\Calendar"

# The AD account behind a shared mailbox stays disabled
$targetUser = $Context.BindToObject($Context.TargetObject.AdsPath)
$targetUser.AccountDisabled = $True
$targetUser.SetInfo()

$Context.LogMessage("Enable Mailbox: %userPrincipalName%", "Information")
$session = New-PSSession -ConnectionURI "http://$exchangeServer/powershell" -ConfigurationName Microsoft.Exchange
Import-PSSession -Session $session

Enable-Mailbox -Identity '%userPrincipalName%' -Shared -Database $database -Alias $MBoxAlias
$sharedMailBox = Get-Mailbox -Identity '%userPrincipalName%' -DomainController $domainControllerFQDN | Select-Object DistinguishedName

# A shared calendar mailbox does not need client protocols; adjust to your needs
Set-CASMailbox -Identity $MBoxAlias -ActiveSyncEnabled $false -ImapEnabled $false -PopEnabled $false -OWAEnabled $false # TODO: modify me to your needs
Set-CalendarProcessing -Identity $MBoxAlias -RemoveOldMeetingMessages $false # TODO: modify me to your needs

# Manager of the group and statically added members get FullAccess to the mailbox and 'Owner' permission on the calendar
foreach ($userIdentity in $usersIdentity)
{
    Add-MailboxFolderPermission -Identity $MBoxFolderName -User $userIdentity -AccessRights Owner
    Add-MailboxPermission -Identity $MBoxAlias -User $userIdentity -AccessRights 'FullAccess'
}
Remove-PSSession -Session $session

# Create a group to manage permissions for the shared calendar via Adaxes (its CN must equal the mailbox CN)
New-ADGroup -Server $domainControllerFQDN -Name "$MBoxAlias" -SamAccountName "$MBoxAlias" -GroupCategory Security -GroupScope DomainLocal -DisplayName "$MBoxAlias" -Path "$GroupDN" -Description "Members get access to shared Calendar $MBoxAlias" -ManagedBy "%manager%" -Confirm:$False
Script SyncCalendarRights
Implemented as a custom command.
Will be run by a business rule after adding/removing members to/from the group created by the script above. Can also be run manually on the corresponding AD group that manages the permissions of a shared calendar.
Import-Module Adaxes

$Group  = @()   # CNs of the group members (desired permission holders)
$Box    = @()   # users currently holding a permission entry on the calendar
$Remove = @()   # permission holders that are not group members
$Add    = @()   # group members without a permission entry yet

$domainControllerFQDN = "ADserver.your.dom"   # TODO: Modify me
$exchangeServer       = "mailserver.your.dom" # TODO: Modify me

# The group's CN is identical to the alias of the shared mailbox (see CreateSharedMailbox)
$MBoxName       = '%fullname%'
$MBoxAlias      = $MBoxName
$MBoxFolderName = $MBoxAlias + ":\Calendar"

# The group's manager always keeps Owner permission on the calendar
$mgrObj  = $Context.BindToObjectByDN("%managedBy%")
$Manager = $mgrObj.Get("cn")

$targetGrp = $Context.BindToObject($Context.TargetObject.AdsPath)
# GetEx throws if the group has no members; $Group then simply stays empty
try {
    $Members = $targetGrp.GetEx("member")
    foreach ($MemberDN in $Members) {
        $Member = $Context.BindToObjectByDN($MemberDN)
        $Group += ,($Member.Get("cn"))
    }
}
catch {
    # do nothing special because $Group stays empty which should work
}

$session = New-PSSession -ConnectionURI "http://$exchangeServer/powershell" -ConfigurationName Microsoft.Exchange
Import-PSSession -Session $session

# Get currently assigned rights of the shared calendar.
# The User property is an object; store its string form (the display name, assumed to equal the CN) so it compares to $Group
$Rights = Get-MailboxFolderPermission -Identity $MBoxFolderName -DomainController $domainControllerFQDN | Select-Object User
foreach ($Right in $Rights) {
    $Box += ,([string]$Right.User)
}

foreach ($Has in $Box) {
    # Skip the users 'Default' and 'Anonymous' and preserve the manager's permissions in the calendar by never putting the manager into $Remove
    if (($Has -ne "Default") -and ($Has -ne "Anonymous") -and ($Has -ne $Manager)) {
        if ($Group -notcontains $Has) {
            $Remove += ,$Has
        }
    }
}
foreach ($Should in $Group) {
    # The manager gets Owner below, so never queue an additional Editor entry for him
    if (($Box -notcontains $Should) -and ($Should -ne $Manager)) {
        $Add += ,$Should
    }
}

# Ensure the manager holds Owner permission
if ($Box -notcontains $Manager) {
    $Context.LogMessage("Add owner permissions for $Manager", "Information")
    Add-MailboxFolderPermission -Identity $MBoxFolderName -User "$Manager" -DomainController $domainControllerFQDN -AccessRights Owner
}
foreach ($A in $Add) {
    if ($A) {
        $Context.LogMessage("Add rights for $A", "Information")
        Add-MailboxFolderPermission -Identity $MBoxFolderName -User "$A" -DomainController $domainControllerFQDN -AccessRights Editor # TODO: Modify me to the wanted rights
    }
}
foreach ($Rem in $Remove) {
    if ($Rem) {
        $Context.LogMessage("Remove rights for $Rem", "Information")
        Remove-MailboxFolderPermission -Identity $MBoxFolderName -User "$Rem" -DomainController $domainControllerFQDN -Confirm:$False
    }
}
Remove-PSSession -Session $session
Attention: Changes in permissions via Outlook will be dropped by this script because in my use case the AD group is defined to be the leading object.
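As a read-only companion to the SyncCalendarRights script above (added example, not code from the original post): it reports drift between the AD group and the calendar ACL without changing anything, so permission changes made on the Outlook side become visible before the next sync drops them. It assumes the same convention (group CN equals mailbox alias, ACL user entries render as the members' CNs); the function names Compare-CalendarAcl and Get-CalendarDrift are my own.

```powershell
Import-Module ActiveDirectory

# Pure comparison: desired holders (group members + manager) vs. actual ACL entries.
# Returns one object per deviation; an empty result means group and calendar agree.
function Compare-CalendarAcl {
    param(
        [string[]]$ExpectedUsers,                          # CNs of the group members
        [string]  $ManagerCn,                              # always expected as Owner
        [object[]]$AclEntries,                             # output of Get-MailboxFolderPermission
        [string[]]$IgnoredUsers = @('Default', 'Anonymous') # built-in entries the sync never touches
    )
    $result = @()
    foreach ($entry in $AclEntries) {
        $user = [string]$entry.User
        if ($IgnoredUsers -contains $user) { continue }
        $expectedRole = if ($user -eq $ManagerCn) { 'Owner' } else { 'Editor' }
        $actualRoles  = @($entry.AccessRights | ForEach-Object { [string]$_ })
        if (($ExpectedUsers -notcontains $user) -and ($user -ne $ManagerCn)) {
            # Holder that is neither a member nor the manager (e.g. added via Outlook)
            $result += [pscustomobject]@{ User = $user; Status = 'Extra';     Rights = ($actualRoles -join ',') }
        } elseif ($actualRoles -notcontains $expectedRole) {
            # Right holder, wrong role (e.g. Editor raised to Owner by hand)
            $result += [pscustomobject]@{ User = $user; Status = 'WrongRole'; Rights = ($actualRoles -join ',') }
        }
    }
    foreach ($u in (@($ExpectedUsers + $ManagerCn) | Select-Object -Unique)) {
        if (-not ($AclEntries | Where-Object { [string]$_.User -eq $u })) {
            # Member (or manager) without any entry: the next sync would add it
            $result += [pscustomobject]@{ User = $u; Status = 'Missing'; Rights = '' }
        }
    }
    return $result
}

# Live wrapper: collects the inputs from AD and Exchange and only reports (no changes made).
# Run it inside an Exchange remoting session, as the scripts above do.
function Get-CalendarDrift {
    param([string]$MBoxAlias, [string]$DomainController)
    $grp     = Get-ADGroup -Identity $MBoxAlias -Server $DomainController -Properties ManagedBy
    $members = @(Get-ADGroupMember -Identity $grp -Server $DomainController | ForEach-Object { $_.Name })
    $manager = (Get-ADUser -Identity $grp.ManagedBy -Server $DomainController).Name
    $acl     = @(Get-MailboxFolderPermission -Identity "${MBoxAlias}:\Calendar" -DomainController $DomainController)
    Compare-CalendarAcl -ExpectedUsers $members -ManagerCn $manager -AclEntries $acl
}

# Example call (constructed): Get-CalendarDrift -MBoxAlias 'TeamCalendar' -DomainController 'ADserver.your.dom' | Format-Table
```

Scheduling this report (or logging its output from the same business rule) gives you a record of who changed calendar rights outside the group before the sync silently reverts them.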