Why do the owner permissions that I see in Outlook for a shared mailbox not match the owner IMS sees set for that mailbox on the server?

You see one or more owners listed on the permissions tab for a shared mailbox in Outlook, but IMS reports different owners on the server.  Or, you've requested that IMS add or remove a user as an owner, and after IMS has reported doing so, you do not see that user added or removed as an owner in the permissions tab in Outlook.

This is because there are two sets of permissions for an Outlook/Exchange mailbox: object permissions and folder permissions.  What you see in Outlook are the folder permissions; what IMS sees and sets on the server are the object permissions.  Here’s an analogy to understand the difference:

Imagine the mailbox as a building and each folder in the mailbox as a room in the building.  The permissions are keys.  IMS is the “landlord” of the building, and anyone who has been granted ownership permissions by IMS is a “superintendent” of that building. A superintendent can give someone a key to one or more rooms, and that’s all they’ll have access to.  You and everyone else can see what keys have been given.  These are the folder permissions.

Object permissions, on the other hand, are like a master key.  A master key gives access to the building and to every room in the building, and only the “landlord” (IMS in this case) knows who has a master key; that’s why you don’t see it on the list in Outlook.

The upshot is that the “owner” permission in Outlook and the “owner” permission on the server (which is technically called “full access” permission) are two separate permissions, and neither one knows about or is affected by the other.  If someone is granted owner permission in both places, and it is subsequently removed in one place, that person will still have owner access by virtue of the remaining permission.

Instead of assigning “owner” permissions in Outlook, we recommend that you request to have ownership granted at the server level for simplicity and consistency.  Folder permissions in Outlook do not cascade, so granting someone ownership permissions of an entire mailbox in Outlook requires granting that permission on every folder, which can be time-consuming.  It also means that permission has to be removed on every folder if/when you want to revoke someone's ownership rights. Also, when someone is granted ownership at the server level, the mailbox will usually auto-populate in Outlook (PC), so the user will not have to configure it manually, and they will have access to it in OWA.
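For Exchange administrators, a way to confirm that a revocation really removed someone's owner access is to check both permission layers for that user. The script below is an added example, not IMS's own tooling; the mailbox and user addresses are placeholders, and it assumes a connected Exchange PowerShell session with rights to read permissions.

```powershell
# Added example; $Mailbox and $User defaults are placeholder values (assumptions).
param(
    [string]$Mailbox = 'shared-mailbox@example.edu',
    [string]$User    = 'jdoe@example.edu'
)

# Layer 1: object (mailbox-level) permission, the "master key" set on the server.
# Outlook's permissions tab never shows this entry.
$objectGrants = @(Get-MailboxPermission -Identity $Mailbox -User $User |
    Where-Object { -not $_.Deny -and ($_.AccessRights -match 'FullAccess') })

# Layer 2: folder permissions, the "room keys" that Outlook displays.
# They do not cascade, so every folder has to be checked individually.
$folderGrants = @(foreach ($folder in Get-MailboxFolderStatistics -Identity $Mailbox) {
    # Build the mailbox:\path form that Get-MailboxFolderPermission expects.
    $path = "${Mailbox}:" + ($folder.FolderPath -replace '/', '\')
    if ($folder.FolderType -eq 'Root') { $path = "${Mailbox}:\" }

    # Folders that cannot be addressed this way, or that carry no entry
    # for the user, return an error and are skipped.
    Get-MailboxFolderPermission -Identity $path -User $User -ErrorAction SilentlyContinue |
        Where-Object { $_.AccessRights -match '^Owner$' } |
        ForEach-Object {
            [pscustomobject]@{
                Folder = $folder.FolderPath
                Rights = $_.AccessRights -join ','
            }
        }
})

# The two layers are independent: owner access remains while either one is present.
[pscustomobject]@{
    Mailbox             = $Mailbox
    User                = $User
    FullAccessOnServer  = ($objectGrants.Count -gt 0)
    FoldersWithOwner    = $folderGrants.Count
    StillHasOwnerAccess = ($objectGrants.Count -gt 0) -or ($folderGrants.Count -gt 0)
}

# List the individual folders where the Owner role would still have to be removed.
$folderGrants | Format-Table -AutoSize
```

The check looks only at entries made directly for the named user; access that comes through a group's entry is not expanded.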


Article ID: 91917
Fri 10/9/20 10:47 AM
Thu 10/15/20 8:43 AM