Shared Mailbox - keep a folder private?

%3CLINGO-SUB%20id%3D%22lingo-sub-181234%22%20slang%3D%22en-US%22%3EShared%20Mailbox%20-%20keep%20a%20folder%20private%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-181234%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20there%20a%20way%20to%20share%20a%20mailbox%20with%20another%20user%20via%20Add-MailboxPermission%2C%20and%20still%20keep%20a%20specific%20folder%20private%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EExplanation%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EI%20have%20a%20customer%20who%20has%20chosen%20to%20let%20each%20user%20see%20each%20other%20users%20mailbox%20(this%20is%20unusual%2C%20but%20that's%20the%20way%20the%20customer%20wants%20it).%20So%20far%2C%20they%20have%20achieved%20this%20by%20manually%20adding%20each%20user%20to%20the%20local%20Outlook%26nbsp%3Bprofile%20setting%26nbsp%3B%22open%20additional%20mailbox%22.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20is%20a%20nightmare%20on%20the%20IT%20management%20side%20and%20has%20interestingly%20also%20led%20to%20duplicate%20folders%20and%20calendars%20and%20some%20unexplainable%20access%20issues.%20Some%20users%20might%20see%20messages%20and%20folders%2C%20others%20might%20not%2C%20althouh%20they%20have%20teh%20same%20settings...%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnyway%2C%20I%20believe%20that%20sharing%20the%20mailboxes%20on%20Office%20365%20level%20(Add-MailboxPermission)%20is%20the%20better%20solution.%20Automapping%20will%26nbsp%3Bdo%20the%20rest%20and%20IT%20does%20not%20have%20to%20touch%20the%20clients.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EThere%20is%20one%20issue%20with%20that%2C%20and%20this%20is%20the%20question.%26nbsp%3B%20(Bob%20is%20sharing%2C%20Peter%20is%20accessing)%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EIf%20I%20use%20the%20%22open%20additional%20mailbox%22%20approach%2C%20the%20owner%20of%20the%20mailbox%20(Bob)%20can%20easily%20deny%20access%20to%20a%20certain%20folder%20(i.e.%20%5CInbox%5Cprivate-stuff)%20by%20right-click%20and%20setting%20access%20permissions%20to%20%7Bnone%7D.%20At%20the%20end%2C%26nbsp%3BBob%20had%20to%20first%20add%20permissions%20for%20Peter%20to%20access%20his%20mailbox%20by%20basically%20the%20same%20right-click%20method%20(%7BReviewer%7D%20in%20this%20case).%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYet%2C%20if%20I%20instead%20share%20Bob's%20mailbox%20to%20Peter%20with%26nbsp%3BAdd-MailboxPermission%2C%20the%20same%20will%20not%20work%20since%20each%20folder%20remains%20with%20the%20permissions%20Standard%20%7Bnone%7D%20and%20Anonymous%20%7Bnone%7D%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPS%20C%3A%5C%26gt%3B%20Get-MailboxFolderPermission%20Bob%3A%5CInbox%5Cprivate-stuff%3C%2FP%3E%3CP%3EFolderName%20User%20AccessRights%20SharingPermissionFlags%3CBR%20%2F%3E----------%20----%20------------%20----------------------%3CBR%20%2F%3Eprivate-stuff%20Standard%20%7BNone%7D%3CBR%20%2F%3Eprivate-stuff%20Anonym%20%7BNone%7D%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20following%20cmdlet%20will%20fail%20with%20something%20like%20%22%5BSet-MailboxFolderPermission%5D%2C%20UserNotFoundInPermissionEntryException%22%3A%3C%2FP%3E%3CP%3E%3CSPAN%3EPS%20C%3A%5C%26gt%3B%20set-MailboxFolderPermission%20B%3C%2FSPAN%3E%3CSPAN%3Eob%3C%2FSPAN%3E%3CSPAN%3E%3A%5CInbox%3C%2FSPAN%3E%3CSPAN%3E%5C%3C%2FSPAN%3E%3CSPAN%3Eprivate-stuff%20-User%20Peter%20-%20AccessRights%20none%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EYou%20get%20the%20picture..%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3ESo%2C%20if%20I%20share%20Bob's%20mailbox%20with%20Add-MailboxPermission%2C%20is%20there%20another%20way%20to%20prevent%20Peter%20to%20access%20%22private-stuff%22%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EThanks%3CBR%20%2F%3EDaniel%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-181234%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-181780%22%20slang%3D%22en-US%22%3ERe%3A%20Shared%20Mailbox%20-%20keep%20a%20folder%20private%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-181780%22%20slang%3D%22en-US%22%3E%3CP%3EThen%20I%20see%20only%20the%20method%20of%20%22open%20an%20additional%20mailbox%22%20on%20the%20client.%20That%20way%20I%20can%20specifically%20assign%20permissions%20to%20each%20shared%20folder.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%20in%20the%20meantime%20I%20am%20running%20into%20the%20500%20folder%20limit%20of%20Outlook%202016%20anyway.%20I%20guess%20the%20unreliability%20of%20the%20customer's%20setup%20is%20rather%20based%20on%20that%20limit.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDaniel%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-181744%22%20slang%3D%22en-US%22%3ERe%3A%20Shared%20Mailbox%20-%20keep%20a%20folder%20private%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-181744%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20permissions%20are%20more%20important%20here%2C%20not%20the%20way%20you%20open%20the%20mailbox%20in%20Outlook.%20If%20you%20have%20Full%20access%2C%20any%20and%20all%20folders%20will%20be%20exposed%20and%20accessible%20for%20that%20user.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-181571%22%20slang%3D%22en-US%22%3ERe%3A%20Shared%20Mailbox%20-%20keep%20a%20folder%20private%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-181571%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20Vasil%2C%3C%2FP%3E%3CP%3ESo%20when%20wanting%20to%20share%20a%20mailbox%20and%20keep%20a%20certain%20folder%20still%20private%2C%20is%20there%20another%20server%20based%20method%3F%26nbsp%3BOr%20do%20we%20have%20to%20keep%20using%20%22open%20additional%20mailbox%22%20in%20Outlook%3F%3C%2FP%3E%3CP%3EDaniel%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-181333%22%20slang%3D%22en-US%22%3ERe%3A%20Shared%20Mailbox%20-%20keep%20a%20folder%20private%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-181333%22%20slang%3D%22en-US%22%3E%3CP%3ENope.%20Full%20Access%20means%20Full%20access.%20Period.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-181240%22%20slang%3D%22en-US%22%3ERe%3A%20Shared%20Mailbox%20-%20keep%20a%20folder%20private%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-181240%22%20slang%3D%22en-US%22%3EI%20forgot%20to%20mention%20that%20I%20can%20use%3CBR%20%2F%3E%3CBR%20%2F%3EAdd-MailboxFolderPermission%20Bob%3A%5CInbox%5Cprivate-stuff%20-User%20Peter%20-%20AccessRights%20none%3CBR%20%2F%3E%3CBR%20%2F%3EBut%20that%20does%20not%20help.%20Peter%20still%20can%20access%20the%20content%20of%20that%20folder..%20Despite%20the%20following%20setting%3A%3CBR%20%2F%3E%3CBR%20%2F%3EPS%20C%3A%5C%26gt%3B%20Get-MailboxFolderPermission%20Bob%3A%5CInbox%5Cprivate-stuff%3CBR%20%2F%3EFolderName%20User%20AccessRights%3CBR%20%2F%3E----------%20----%20------------%20-------%3CBR%20%2F%3Eprivate-stuff%20Standard%20%7BNone%7D%3CBR%20%2F%3Eprivate-stuff%20Anonym%20%7BNone%7D%3CBR%20%2F%3Eprivate-stuff%20Peter%20%7BNone%7D%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E
Highlighted
Deleted
Not applicable

Is there a way to share a mailbox with another user via Add-MailboxPermission, and still keep a specific folder private?

 

Explanation:

I have a customer who has chosen to let each user see each other users mailbox (this is unusual, but that's the way the customer wants it). So far, they have achieved this by manually adding each user to the local Outlook profile setting "open additional mailbox". 

 

This is a nightmare on the IT management side and has interestingly also led to duplicate folders and calendars and some unexplainable access issues. Some users might see messages and folders, others might not, althouh they have teh same settings... 

 

Anyway, I believe that sharing the mailboxes on Office 365 level (Add-MailboxPermission) is the better solution. Automapping will do the rest and IT does not have to touch the clients.

 

There is one issue with that, and this is the question.  (Bob is sharing, Peter is accessing)

If I use the "open additional mailbox" approach, the owner of the mailbox (Bob) can easily deny access to a certain folder (i.e. \Inbox\private-stuff) by right-click and setting access permissions to {none}. At the end, Bob had to first add permissions for Peter to access his mailbox by basically the same right-click method ({Reviewer} in this case). 

 

Yet, if I instead share Bob's mailbox to Peter with Add-MailboxPermission, the same will not work since each folder remains with the permissions Standard {none} and Anonymous {none}:

 

PS C:\> Get-MailboxFolderPermission Bob:\Inbox\private-stuff

FolderName User AccessRights SharingPermissionFlags
---------- ---- ------------ ----------------------
private-stuff Standard {None}
private-stuff Anonym {None}

 

The following cmdlet will fail with something like "[Set-MailboxFolderPermission], UserNotFoundInPermissionEntryException":

PS C:\> set-MailboxFolderPermission Bob:\Inbox\private-stuff -User Peter - AccessRights none

 

You get the picture..

 

So, if I share Bob's mailbox with Add-MailboxPermission, is there another way to prevent Peter to access "private-stuff"?

 

Thanks
Daniel

 

 

5 Replies
Highlighted
I forgot to mention that I can use

Add-MailboxFolderPermission Bob:\Inbox\private-stuff -User Peter - AccessRights none

But that does not help. Peter still can access the content of that folder.. Despite the following setting:

PS C:\> Get-MailboxFolderPermission Bob:\Inbox\private-stuff
FolderName User AccessRights
---------- ---- ------------ -------
private-stuff Standard {None}
private-stuff Anonym {None}
private-stuff Peter {None}

Highlighted

Nope. Full Access means Full access. Period.

Highlighted

Thanks Vasil,

So when wanting to share a mailbox and keep a certain folder still private, is there another server based method? Or do we have to keep using "open additional mailbox" in Outlook?

Daniel

Highlighted

The permissions are more important here, not the way you open the mailbox in Outlook. If you have Full access, any and all folders will be exposed and accessible for that user.

Highlighted

Then I see only the method of "open an additional mailbox" on the client. That way I can specifically assign permissions to each shared folder. 

 

But in the meantime I am running into the 500 folder limit of Outlook 2016 anyway. I guess the unreliability of the customer's setup is rather based on that limit. 

 

Daniel