Steve Goodman's Exchange Blog
8 Dec 2011 (0 comments)

Updated – Disabling Auto-mailbox mapping in Exchange 2010

In February this year I wrote about how to disable the automatic mapping of shared mailboxes in Exchange 2010 SP1, using a custom PowerShell script that "wraps" the Add-MailboxPermission command and, after execution, removes the attribute in Active Directory that is used to automatically mount the mailbox in Outlook.

With Exchange 2010 SP2, there's great news - this workaround is no longer required, as in SP2 a new parameter has been added to the native cmdlet.

Check out the updated article here, and stay tuned for a future article explaining how to extend this functionality to the Exchange Management Console :-)

27 Feb 2011 (16 comments)

Disable Exchange 2010's Auto Shared Mailbox Mapping Feature

Update - 8th December 2011

Service Pack 2 brings this functionality natively into Exchange PowerShell, and you no longer need this script if you are on Exchange Server 2010 SP2. SP2 allows you to specify that you don't want auto-mapping enabled directly from the native Add-MailboxPermission command, using the -AutoMapping parameter:

Add-MailboxPermission "Shared Mailbox" -User <delegate> -AccessRights FullAccess -AutoMapping:$false

It's that simple. Stay tuned for a future article explaining how to extend this functionality to the Exchange Management Console :-)

Original Article - Applied to Service Pack 1 only:

You may remember from my previous article "Auto-mapping shared mailboxes in Exchange 2010 SP1 with Outlook 2007 & 2010" that, since Exchange 2010 SP1 was released, granting a user permissions to another mailbox automatically adds the mailbox to the user's profile in both Outlook 2010 and fully patched Outlook 2007.

A few of the comments make it clear this isn't a universally-desired feature, in particular if you're an Admin and have access to a range of mailboxes (particularly system mailboxes like support addresses etc). Whilst it can be removed with ADSI edit after granting permissions, that's not a straightforward way to accomplish this.

To get round this and make it easy to add permissions without the auto-mapping, I've written a straightforward script that can be used as a direct replacement for the normal Add-MailboxPermission command: Add-MailboxPermissionNoAutoMap.ps1.

Savvy Exchange PowerShell coders will ask "why don't you do this using the Scripting Agent, disabling it across the board, even in Exchange Management Console?" Well, that was my first thought. However, it appears that with Add-MailboxPermission the actual entries are added after the OnComplete section runs instead of before. If that gets fixed I'll certainly revisit, as it would be ideal to have a solution that allows the feature to be switched on or off on demand.

So, in the meantime, here's your drop-in replacement PowerShell script. It's very simple: it takes the standard parameters to the Add-MailboxPermission cmdlet and, after ensuring we know which domain controller the command will act on (to ensure no replication confusion), it adds permissions the normal way, then removes the msExchDelegateListLink AD entry that has just been added.

Here's an example of it in use:

image

As you can see, it's very similar to the normal Add-MailboxPermission command - in fact it should accept all the same parameters and pass them through without modification. Hope you find it useful!

The full script is below, along with the file to download underneath:

<#
    .SYNOPSIS
    Adds Mailbox Permissions without Auto-Mapping in Outlook
    .DESCRIPTION
    Performs the same functions as Add-MailboxPermission with the added extra that it doesn't automatically add the Mailbox to Outlook 2007 and 2010
   
    For more help use Get-Help Add-MailboxPermission
   
#>

param(
     $Identity,
     [Alias('db')]
     [Switch]
     $Debug,
     [Alias('wv')]
     $WarningVariable,
     [Alias('cf')]
     [Switch]
     $Confirm,
     $Instance,
     $AccessRights,
     [Alias('ea')]
     $ErrorAction,
     [Switch]
     $IgnoreDefaultScope,
     $DomainController,
     [Alias('wi')]
     [Switch]
     $WhatIf,
     [Alias('ob')]
     $OutBuffer,
     [Alias('wa')]
     $WarningAction,
     $Owner,
     $InheritanceType,
     $User,
     [Alias('ov')]
     $OutVariable,
     [Alias('vb')]
     [Switch]
     $Verbose,
     [Switch]
     $Deny,
     [Alias('ev')]
     $ErrorVariable,
     [Switch]
     $AsJob)

if ($DomainController)
{
    # Domain Controller was set. Get the Mailbox we are adding permissions for first so we have its LDAP DN
    $Mailbox = Get-Mailbox $Identity -DomainController $DomainController
    if (!$Mailbox)
    {
        throw "Could not find Mailbox $($Identity)"
    }
    # Add the permission
    $Result = Add-MailboxPermission @PSBoundParameters
} else {
    # Domain Controller was not set. Get the Mailbox we are adding permissions for first so we have its LDAP DN and a domain controller name
    $Mailbox = Get-Mailbox $Identity
    if (!$Mailbox)
    {
        throw "Could not find Mailbox $($Identity)"
    }
    # Set the domain controller
    $DomainController = $Mailbox.OriginatingServer
    # Add the permission
    $Result = Add-MailboxPermission @PSBoundParameters -DomainController $DomainController
}    
if ($Result)
{
    # If the mailbox permission was successfully added, remove the auto mapping using ADSI
    $LDAPUser=[ADSI]"LDAP://$($DomainController)/$($Mailbox.DistinguishedName)"
    $LDAPUser.msExchDelegateListLink.Remove(((Get-Mailbox $User).DistinguishedName))
    $LDAPUser.SetInfo()
    # Output the result of Add-MailboxPermission like the normal command would
    $Result
}

Download AddMailboxPermissionNoAutoMap.zip

15 Dec 2010 (2 comments)

Outlook 2007 update for personal archive and automatic mailbox mapping released


Update: You'll see Ben Schorr (MVP) has commented that this update is causing problems for some users. A description of the problem is here.

Update 2: Having rolled this update to a large number of users and seen no issues in a corporate environment, it seems issues with this update are limited to Outlook when it's using non-Exchange connectors. This is confirmed on the MSDN Outlook blog.

Update 3: The Exchange Team have officially announced support via this patch over on the Exchange Team Blog.

Just having downloaded the update myself, I was preparing to do a short write-up about the new features that have landed in Outlook 2007 overnight – namely support for personal archives and auto-mapping of shared folders.

However, Michel de Rooij has just posted an article on EighTwoOne giving a quick overview of what the new features do and don’t provide…

Outlook 2007 hotfix for Exchange 2010 Personal Archive support

It’s worth adding that the Outlook 2007 update is available via both Microsoft Update and Windows Server Update Services as KB2412171 so be prepared for it to land on your users’ desktops…


31 Aug 2010 (83 comments)

Auto-mapping shared mailboxes in Exchange 2010 SP1 with Outlook 2010 and Outlook 2007

If you've read the Exchange Team Blog's announcement for SP1 you may have noticed one of the new features mentioned that isn't so widely publicised:

"On the client side features like auto mapping of shared mailboxes to user’s Outlook 2010 profiles will remove a support headache."

As it's one of my favourite new features and there's not much documentation yet, I wanted to write a little more about the feature and demonstrate how it works in practice…

How it works

When you add full mailbox permissions on Exchange 2010 SP1 to a new or existing shared mailbox that's also on SP1, Exchange now updates an Active Directory attribute on the shared mailbox itself, named msExchDelegateListLink. This is a multi-value attribute containing a list of DNs (Distinguished Names) of the other mailboxes that have full access to the mailbox and should auto-map that mailbox:

image[19]

The next time Outlook 2010 or Outlook 2007 launches, it searches for mailboxes that have the user's mailbox DN listed and displays them below the user's primary mailbox.
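An added example, not part of the original post: one way to audit a shared mailbox by comparing the DNs in msExchDelegateListLink with the mailboxes that hold explicit FullAccess, so you can see who is auto-mapped and who is not. The function names Compare-AutoMapState and Get-AutoMapAudit are hypothetical, the sample DNs are constructed, and Get-AutoMapAudit assumes it is run in the Exchange Management Shell.

```powershell
# Added example; Compare-AutoMapState and Get-AutoMapAudit are hypothetical names.

function Compare-AutoMapState {
    # Pure comparison of two DN lists: auto-map entries vs. explicit FullAccess holders.
    param([string[]]$DelegateListLink = @(), [string[]]$FullAccessDNs = @())
    $all = @(@($DelegateListLink) + @($FullAccessDNs) | Sort-Object -Unique)
    foreach ($dn in $all) {
        $mapped = $DelegateListLink -contains $dn
        $access = $FullAccessDNs -contains $dn
        $state = if ($mapped -and $access) { 'FullAccess, auto-mapped' }
                 elseif ($access)          { 'FullAccess, not auto-mapped' }
                 else                      { 'Auto-mapped without explicit FullAccess' }
        New-Object PSObject -Property @{ Delegate = $dn; State = $state }
    }
}

function Get-AutoMapAudit {
    # Reads the attribute and the permissions from the same domain controller,
    # following the approach of the script earlier on this page.
    param([Parameter(Mandatory = $true)]$Identity)
    $mbx = Get-Mailbox $Identity
    if (!$mbx) { throw "Could not find Mailbox $($Identity)" }
    $dc = $mbx.OriginatingServer
    $entry  = [ADSI]"LDAP://$dc/$($mbx.DistinguishedName)"
    $linked = @($entry.msExchDelegateListLink | ForEach-Object { "$_" })
    # Explicit (non-inherited, non-deny) FullAccess entries only. Entries that do
    # not resolve to a mailbox (groups, NT AUTHORITY\SELF) are skipped.
    $full = @(Get-MailboxPermission $mbx.DistinguishedName -DomainController $dc |
        Where-Object { ($_.AccessRights -like '*FullAccess*') -and -not $_.Deny -and -not $_.IsInherited } |
        ForEach-Object { Get-Mailbox "$($_.User)" -DomainController $dc -ErrorAction SilentlyContinue } |
        ForEach-Object { $_.DistinguishedName })
    Compare-AutoMapState -DelegateListLink $linked -FullAccessDNs $full
}

# Constructed sample data (not real directory entries) showing the three outcomes offline.
$linked = 'CN=Alice,OU=Staff,DC=example,DC=com', 'CN=Carol,OU=Staff,DC=example,DC=com'
$full   = 'CN=Alice,OU=Staff,DC=example,DC=com', 'CN=Bob,OU=Staff,DC=example,DC=com'
Compare-AutoMapState -DelegateListLink $linked -FullAccessDNs $full |
    Format-Table Delegate, State -AutoSize

# Against a live mailbox (Exchange Management Shell):
# Get-AutoMapAudit "Shared Mailbox" | Format-Table Delegate, State -AutoSize
```

Delegates who receive FullAccess only through a group do not resolve to a mailbox here, so an "Auto-mapped without explicit FullAccess" row is a prompt to check group membership or manual attribute edits rather than a finding on its own.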

In previous versions this was accomplished by going to the user's Exchange accounts settings, going to "More Settings", choosing "Advanced" and entering the shared mailbox manually under "Open these additional mailboxes" as shown below.

image

For any organisation making use of a large number of shared mailboxes this is a bit of a pain as IT needs to both write documentation so users can do this themselves and in many cases do it for the user. The new feature simply removes this step.

The catch (!) is that just moving a shared mailbox to SP1 or upgrading isn't enough to enable the feature. As it's an extra attribute added at the same time as the permissions, you need to remove and re-add the permissions the normal way (EMC or PowerShell's Remove-MailboxPermission/Add-MailboxPermission) to make this take effect, or do it yourself via ADSI scripting/AD PowerShell (probably not very supported!).

Demonstration

Just to give you a quick demo of how simple this is, all you need to do is add permissions on the Shared Mailbox in the normal way:

image

image

Then on the client, close and open Outlook. The Shared Mailbox should show after a few seconds:

image

Yes, it's really that simple. Simple enough that you might use it without even noticing and wonder how that shared mailbox got mapped in the first place. But I think it's definitely going to be a feature any IT department that routinely adds/removes permissions for mailboxes this way will appreciate.

Disabling the feature selectively

I’ve had a lot of comments from people who don’t want this to happen all the time. If this is you, then check out my other article Disable Exchange 2010 SP1's Auto Shared Mailbox Mapping Feature.