Disable Exchange 2010’s Auto Shared Mailbox Mapping Feature

Update – 8th December 2011

Service Pack 2 and above brings this functionality natively into Exchange PowerShell, so you no longer need this script if you are on Exchange Server 2010 SP2 or later. SP2 allows you to specify that you don’t want auto-mapping enabled directly from the native Add-MailboxPermission command, using the -AutoMapping parameter:

Add-MailboxPermission "Shared Mailbox" -User "<user>" -AccessRights FullAccess -AutoMapping:$false

It’s that simple. Stay tuned for a future article explaining how to extend this functionality to the Exchange Management Console :-)

Original Article – Applied to Service Pack 1 only:

You may remember from my previous article “Auto-mapping shared mailboxes in Exchange 2010 SP1 with Outlook 2007 & 2010” that since Exchange 2010 SP1 was released, granting a user permissions to another mailbox automatically adds the mailbox to the user’s profile in both Outlook 2010 and fully patched Outlook 2007.

A few of the comments make it clear this isn’t a universally-desired feature, in particular if you’re an Admin and have access to a range of mailboxes (particularly system mailboxes like support addresses etc). Whilst it can be removed with ADSI edit after granting permissions, that’s not a straightforward way to accomplish this.

To get round this and make it easy to add permissions without the auto-mapping, I’ve written a straightforward script that can be used as a direct replacement for the normal Add-MailboxPermission command: Add-MailboxPermissionNoAutoMap.ps1.

Savvy Exchange PowerShell coders will ask “why don’t you do this using the Scripting Agent, disabling it across the board, even in Exchange Management Console?” Well, that was my first thought. However, it appears that with Add-MailboxPermission the actual entries are added after the OnComplete section runs instead of before. If that gets fixed I’ll certainly re-visit, as it would be ideal to have a solution that allows the feature to be switched on or off on demand.

So, in the meantime, here’s your drop-in replacement PowerShell script. It’s very simple: it takes the standard parameters to the Add-MailboxPermission cmdlet and, after ensuring we know what domain controller the command will act on (to ensure no replication confusion), it adds permissions the normal way, then removes the msExchDelegateListLink AD entry that has just been added.

Here’s an example of it in use:

[Image: screenshot of the script in use]

As you can see, it’s very similar to the normal Add-MailboxPermission command – in fact it should accept all the same parameters and pass them through without modification. Hope you find it useful!

The full script is below, along with the file to download underneath:


<#
.SYNOPSIS
Adds Mailbox Permissions without Auto-Mapping in Outlook
.DESCRIPTION
Performs the same functions as Add-MailboxPermission with the added extra that it doesn't automatically add the Mailbox to Outlook 2007 and 2010

For more help use Get-Help Add-MailboxPermission

#>
param(
    $Identity,
    [Alias('db')]
    [Switch]
    $Debug,
    [Alias('wv')]
    $WarningVariable,
    [Alias('cf')]
    [Switch]
    $Confirm,
    $Instance,
    $AccessRights,
    [Alias('ea')]
    $ErrorAction,
    [Switch]
    $IgnoreDefaultScope,
    $DomainController,
    [Alias('wi')]
    [Switch]
    $WhatIf,
    [Alias('ob')]
    $OutBuffer,
    [Alias('wa')]
    $WarningAction,
    $Owner,
    $InheritanceType,
    $User,
    [Alias('ov')]
    $OutVariable,
    [Alias('vb')]
    [Switch]
    $Verbose,
    [Switch]
    $Deny,
    [Alias('ev')]
    $ErrorVariable,
    [Switch]
    $AsJob)

if ($DomainController)
{
    # Domain Controller was set. Get the Mailbox we are adding permissions for first so we have its LDAP DN
    $Mailbox = Get-Mailbox $Identity -DomainController $DomainController
    if (!$Mailbox)
    {
        throw "Could not find Mailbox $($Identity)"
    }
    # Add the permission
    $Result = Add-MailboxPermission @PSBoundParameters
} else {
    # Domain Controller was not set. Get the Mailbox we are adding permissions for first so we have its LDAP DN and a domain controller name
    $Mailbox = Get-Mailbox $Identity
    if (!$Mailbox)
    {
        throw "Could not find Mailbox $($Identity)"
    }
    # Set the domain controller to the one that answered, so every later step uses the same DC
    $DomainController = $Mailbox.OriginatingServer
    # Add the permission
    $Result = Add-MailboxPermission @PSBoundParameters -DomainController $DomainController
}
if ($Result)
{
    # If the mailbox permission was successfully added, remove the auto mapping using ADSI
    $LDAPUser = [ADSI]"LDAP://$($DomainController)/$($Mailbox.DistinguishedName)"
    $LDAPUser.msExchDelegateListLink.Remove(((Get-Mailbox $User).DistinguishedName))
    $LDAPUser.SetInfo()
    # Output the result of Add-MailboxPermission like the normal command would
    $Result
}

Download AddMailboxPermissionNoAutoMap.zip
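
To check what the script left behind, or to find auto-mapping links that outlive a removed permission, the msExchDelegateListLink attribute can be read back from the same domain controller and compared with the mailbox's FullAccess entries. This is an added example, not part of the original script or download; the function names Get-AutoMappingLink and Remove-AutoMappingLink are hypothetical, and it assumes the Exchange Management Shell with rights to read and write the mailbox's AD object.

```powershell
# Added example (not the author's script). Run in the Exchange Management Shell.
# Get-AutoMappingLink and Remove-AutoMappingLink are hypothetical names.

# List each auto-mapping link on a mailbox and whether that delegate
# still holds an explicit, non-inherited FullAccess allow entry.
function Get-AutoMappingLink
{
    param([Parameter(Mandatory = $true)] $Identity, $DomainController)

    if ($DomainController) {
        $Mailbox = Get-Mailbox $Identity -DomainController $DomainController
    } else {
        $Mailbox = Get-Mailbox $Identity
    }
    if (!$Mailbox) { throw "Could not find Mailbox $($Identity)" }
    # Read AD and permissions from one domain controller, as the script does
    if (!$DomainController) { $DomainController = $Mailbox.OriginatingServer }

    $Entry = [ADSI]"LDAP://$($DomainController)/$($Mailbox.DistinguishedName)"
    foreach ($DelegateDN in @($Entry.msExchDelegateListLink))
    {
        $FullAccess = Get-MailboxPermission $Mailbox.DistinguishedName -User $DelegateDN -DomainController $DomainController |
            Where-Object { -not $_.Deny -and -not $_.IsInherited -and ($_.AccessRights -like '*FullAccess*') }
        New-Object PSObject -Property @{
            Mailbox          = $Mailbox.DistinguishedName
            Delegate         = $DelegateDN
            DomainController = $DomainController
            HasFullAccess    = [bool]$FullAccess
        }
    }
}

# Remove one link returned above, using the same ADSI calls as the script.
function Remove-AutoMappingLink
{
    param([Parameter(Mandatory = $true)] $Link)

    $Entry = [ADSI]"LDAP://$($Link.DomainController)/$($Link.Mailbox)"
    $Entry.msExchDelegateListLink.Remove($Link.Delegate)
    $Entry.SetInfo()
}

# Report all links, then clear only those no longer backed by FullAccess:
#   Get-AutoMappingLink "Shared Mailbox"
#   Get-AutoMappingLink "Shared Mailbox" | Where-Object { -not $_.HasFullAccess } |
#       ForEach-Object { Remove-AutoMappingLink $_ }
```

HasFullAccess reflects only entries granted directly to the delegate; FullAccess held through a group is not checked.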

41 thoughts on “Disable Exchange 2010’s Auto Shared Mailbox Mapping Feature”

  1. Hi I need to disable a particular shared mailbox for a specific user in outlook. Eg. “sales” mailbox has to be disabled for a user “tosh”. Please let me know the exact command to remove auto-mapping.

  3. Hi I’m very new in Exchange environment. I was trying to run the script downloaded from the link above.
    Question:
    – how to start to run the script?
    – when I use the exchange powershell, it return me with message “the term ‘.Add-MailboxPermissionNoAutoMap.ps1’ is not recognized as the name of a cmdlet…..”

    Thanks,
    wisman

    • It’s working now. My mistake never observe the filename and the command that I key in.
      This script works great.
      Thank you very much.

  4. I am trying to run this script but I am getting the error below. What do you think is happening? I am running Exchange 2010 SP2 rollup 5

    Cannot process argument transformation on parameter ‘DomainController’. Cannot convert the
    “System.Collections.ArrayList” value of type “System.Collections.ArrayList” to type “Microsoft.Exchange.Data.Fqdn”.

    + CategoryInfo : InvalidData: (:) [Add-MailboxPermission], ParameterBindin…mationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Add-MailboxPermission
    + PSComputerName : cas-ht

      • Is there an easy way to disable it for all the mailboxes at once? This is creating a lot of issues in my Org. because even after we take away the user’s full rights on a mailbox the mailbox remains mapped on the user’s Outlook and they still are able to access it.

  5. Your articles have been very helpful, thank you for sharing.

    FYI: The remove full mailbox access permission wizard still does not work in Exchange 2010 SP2 Rollup 3. It still completes successfully and leaves the Delegate entry in AD. They could at least fix the wizard to remove the Delegate entry or, at least, have the wizard report the process failed and guide the administrator to manually delete the entry. WTF Microsoft!!!!!

  6. I would like to allow my users to remove one or more of the shared mailboxes from their outlook client. Can they do this clientside or will I need to disable the feature entirely for the affected users?

  10. Thanks for the great post. Have used on several sites.

    Also interested in disabling that feature on the entire domain. Is it possible?

    You also mentioned: “Stay tuned for a future article explaining how to extend this functionality to the Exchange Management Console” … Any ETA???

    Cheers

    Alexandre

    • No-one asked me yet! You are the first :-)

      There was a problem originally with extending the functionality (using the scripting agent) so any permissions set via the EMC would also take this no-mapping functionality. In SP2 though that should be fixed.

      Basically this is an all or nothing thing – it will be a method of disabling across Exchange. Will this meet your needs?

      Steve

  11. Thanks for the post, very useful.

    I’m looking to disable the auto mapping function for my entire domain (ie every user). Any ideas how I could achieve this?

    Sorry to ask but powershell isn’t my strong point.

    Thanks

  14. Does this remove all auto-mapping of existing mailboxes a user has full access to, or just remove the auto-mapping of the mailbox you’re adding at the time of running this script?

      • Thanks for the reply.
        I have a script that runs this for every user who has a “Direct Report” and grants the manager access to their Direct Reports’ mailboxes, then goes through each one of those Direct Reports and grants them access to each others (but doesn’t grant them access to their managers).
        This sounds odd but it is what the staff wants.

        Problem is people move around, often.
        Do you know of any solutions or tricks that might help with performing cleanup of old, unnecessary permissions and re-add new ones when organizational changes are made?

        I was thinking maybe once a quarter run a script that removes everyone’s access to any user mailbox, then re-adds based on their current Manager and Direct Reports (active directory), then of course re-adds those general mailboxes some departments use (could be based on checking their security group permissions).

  15. Very useful script that we have with one of our customers. Just tried it on a site with a resource domain and it failed to remove the auto map. Foolishly I didn’t capture the error but basically it looked like it added the permission OK but when the script tried to remove the automap it failed to find the Account Domain user account on the resource domain Domain Controller.

    Regards,

    Jonathan

    • Hi Jonathan,

      Unfortunately I’ve not tested this out in a multi-domain environment. Theoretically one would expect it to work (maybe not so in a resource forest situation) but it may need to trap the different domain and find an appropriate DC

      Steve

  17. can you do this for delegating control between domains?
    EG: PAs for the Finance Directors; both accounts on domain 1; but they all have linked mailboxes on domain 2 (where exchange is obviously).

    • Hi Simon,

      It should do IIRC, this is only a wrapper for the normal Add-MailboxPermission and it strips the auto mapping afterward, so it’s bound by the same constraints

      Steve

  19. If you wrap that into a function and dot-Source it in your Powershell Profile, you even don’t notice that it is a custom script… Nice Work! Thanks! Christian
