Creating or enabling Shared Mailboxes when AD Split Permissions are in effect
In a new, on-premises Exchange 2016 environment — deliberately chosen to be installed with AD Split Permissions so that Exchange administrators could not accidentally delete AD objects — how is one supposed to create Shared Mailboxes?
The AD admin has created the User object representing the shared mailbox, but the EAC shows no + button under the recipients -> shared section, and the New-Mailbox PS cmdlet has no -Type or -Shared parameter.
The recipients -> mailboxes section has a + button, from which the Exchange admin can choose User mailbox and choose an existing user (they rightly cannot choose New user), and a user mailbox is created, but there seems to be no way to change it to be a shared mailbox.
Running Set-Mailbox foo -Type Shared in PS (against the user mailbox created in EAC) fails with Insufficient access rights to perform the operation.
Running Enable-Mailbox foo -Shared in PS (against the AD user created by the AD admin) succeeds, but warns The ntSecurityDescriptor of the Active Directory object wasn't updated successfully with further Access is denied / INSUFF_ACCESS_RIGHTS wording.
If the AD admin has to do the legwork here, that's fine (within reason), but what do they actually have to do?
I tested in my lab on Exchange 2016 with AD split permissions and also got this warning; however, the shared mailbox is created successfully via “Enable-Mailbox xxx -Shared”.
I did some research and found this similar case, which you may refer to.
With AD split permissions, some commands are not available, and some commands, although still available, may offer only limited functionality.
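As an added example (not part of the question or the answer above), this Exchange Management Shell function wraps the Enable-Mailbox -Shared path the thread describes: it captures the expected ntSecurityDescriptor warning instead of letting it scroll past, then confirms with Get-Mailbox that the result really is a shared mailbox. The function name and the identity value are placeholders chosen here.

```powershell
# Added example, not from the original thread. Assumes an Exchange 2016
# Management Shell session in an AD split permissions environment and an
# AD user object that the AD admin has already created.
function Enable-SharedMailboxSplitPerms {
    param(
        [Parameter(Mandatory)]
        [string]$Identity   # placeholder: the pre-created AD user
    )

    # Enable-Mailbox -Shared is the path the answer reports as succeeding.
    # The Set-Mailbox -Type Shared route fails under split permissions, so an
    # existing user mailbox is never converted here.
    Enable-Mailbox -Identity $Identity -Shared `
        -WarningVariable warnings -WarningAction SilentlyContinue | Out-Null

    # The thread shows the ntSecurityDescriptor / INSUFF_ACCESS_RIGHTS warning
    # being raised while the mailbox is still created. Surface it so an admin
    # reviews it rather than treating the run as silent.
    foreach ($w in $warnings) {
        Write-Host "Split-permissions warning from Enable-Mailbox: $w"
    }

    # Verify the outcome rather than trusting the cmdlet's exit: the object
    # must now be a shared mailbox.
    $mbx = Get-Mailbox -Identity $Identity -ErrorAction Stop
    if ($mbx.RecipientTypeDetails -ne 'SharedMailbox') {
        throw "Mailbox '$Identity' exists but is '$($mbx.RecipientTypeDetails)', not SharedMailbox."
    }
    return $mbx
}

# Usage with a placeholder identity:
# Enable-SharedMailboxSplitPerms -Identity 'shared-helpdesk'
```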