The best solution seems to be to create a new mailbox, then assign permissions to that mailbox's calendar. Unfortunately you can't assign a distribution list access to a shared calendar, and this is the step where those new to Exchange 2010 stumble. The answer is Universal Security groups.
Alternatively you can pipe all the distribution list members into a PowerShell command and assign them permissions to the shared calendar.
Get-DistributionGroupMember -Identity Groupname | ForEach-Object { Add-MailboxFolderPermission -Identity "UserMailbox:\Calendar" -User $_.Name -AccessRights Owner }
You would need to repeat this process whenever you add new users to the distribution list, which is not a desirable configuration.
Before we get started...
Creating our new shared mailbox/calendar is made easier by a script by Steve Goodman called New-SharedCalendar.ps1. You can grab it from Steve's blog: http://www.stevieg.org/tag/shared-mailbox/
Creating a shared Calendar in Exchange 2010
1. Create a new Universal Security group in Active Directory (in my case I called the group STAFFUV), then nest the existing global or domain local security groups within this universal group. You can always just create universal groups and assign users directly to them (or use existing universal groups), but this could mean more administration on your behalf, not to mention being against best practice.
If you want to give different user groups different permissions in the calendar it might be best to create a number of universal groups, e.g. STAFFUV_reviewers and STAFFUV_owners, and then nest the appropriate groups within them.
2. Next we fire up an Exchange PowerShell console and create our spanking new mailbox using Steve's New-SharedCalendar.ps1. This script can assign users owner, editor or reviewer permissions.
Let's just assign an "owner" at this stage, then assign the universal groups that we want to use in step 3.
.\New-SharedCalendar.ps1 -Name "Test Calendar" -Owners "username"
3. We have successfully created our "Test Calendar" mailbox. Steve's script is kind enough to set that mailbox not to be automatically mapped. This is extremely important, because otherwise Outlook 2007 and above will automatically map that shared mailbox when the user opens their Outlook client.
Next we need to assign permissions using our previously created universal security groups.
Add-MailboxFolderPermission -Identity "Test Calendar:\Calendar" -User "STAFFUV" -AccessRights "Reviewer"
You may need to repeat the above command a number of times depending on how many universal groups you want to assign permissions to. The beauty of this process is that when you add a user to STAFFUV or one of its nested groups, they automatically get the access rights assigned to the universal group, with no manual adding.
Breaking down the above command: first, the -Identity parameter targets the calendar folder of the "Test Calendar" mailbox using the ":\Calendar" syntax. Second, -User specifies our previously created universal group "STAFFUV". Last, -AccessRights gives the STAFFUV group the "Reviewer" permission, which is read-only.
Alternatively you can assign any of the following roles (role name, then the rights it grants):
Owner: CreateItems, ReadItems, CreateSubfolders, FolderOwner, FolderContact, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
PublishingEditor: CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
Editor: CreateItems, ReadItems, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
PublishingAuthor: CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, DeleteOwnedItems
Author: CreateItems, ReadItems, FolderVisible, EditOwnedItems, DeleteOwnedItems
NonEditingAuthor: CreateItems, ReadItems, FolderVisible
Reviewer: ReadItems, FolderVisible
Contributor: CreateItems, FolderVisible
4. You have now completed the process. Give these changes some time to propagate, and when you see the "Test Calendar" user appear in your global address book you can map the "Test Calendar" and proceed with your newly created shared calendar.
This certainly isn't as easy as the old point and click GUI in Exchange 2003, but the PowerShell cmdlets give much more flexibility with automating Exchange functions during the adduser process.
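An added example, not part of the original post or of Steve Goodman's script: once groups hold rights as in step 3, this compares the calendar's permission entries with the roles you intended and reports anything unexpected, changed or missing. The expected map, the user "jsmith" and the sample entries are constructed for illustration, and the Default and Anonymous rows assume the usual calendar defaults.

```powershell
# Added example. Intended role per principal: group names are the article's;
# the Default/Anonymous rows are an assumption about normal calendar defaults.
$expected = @{
    'Default'           = 'AvailabilityOnly'
    'Anonymous'         = 'None'
    'username'          = 'Owner'
    'STAFFUV_owners'    = 'Owner'
    'STAFFUV_reviewers' = 'Reviewer'
}

function New-Finding($User, $Finding, $Actual, $Expected) {
    New-Object psobject -Property @{ User = $User; Finding = $Finding; Actual = $Actual; Expected = $Expected }
}

function Compare-CalendarAcl {
    param(
        [Parameter(Mandatory = $true)] [object[]]  $Actual,   # entries with User and AccessRights
        [Parameter(Mandatory = $true)] [hashtable] $Expected  # principal -> intended role
    )
    $seen = @{}
    foreach ($entry in $Actual) {
        $user = [string]$entry.User
        $role = (@($entry.AccessRights) | ForEach-Object { [string]$_ }) -join ','
        $seen[$user] = $true
        if (-not $Expected.ContainsKey($user)) {
            New-Finding $user 'Unexpected' $role $null             # direct grant outside the groups
        } elseif ($Expected[$user] -ne $role) {
            New-Finding $user 'Drift' $role $Expected[$user]       # role differs from the intended one
        }
    }
    foreach ($user in $Expected.Keys) {
        if (-not $seen.ContainsKey($user)) { New-Finding $user 'Missing' $null $Expected[$user] }
    }
}

# Constructed sample entries, shaped like Get-MailboxFolderPermission output.
# In the Exchange shell use instead:
#   $actual = Get-MailboxFolderPermission -Identity "Test Calendar:\Calendar"
$actual = @(
    (New-Object psobject -Property @{ User = 'Default';           AccessRights = @('AvailabilityOnly') }),
    (New-Object psobject -Property @{ User = 'Anonymous';         AccessRights = @('None') }),
    (New-Object psobject -Property @{ User = 'username';          AccessRights = @('Owner') }),
    (New-Object psobject -Property @{ User = 'STAFFUV_reviewers'; AccessRights = @('Editor') }),
    (New-Object psobject -Property @{ User = 'jsmith';            AccessRights = @('Editor') })
)

Compare-CalendarAcl -Actual $actual -Expected $expected |
    Select-Object User, Finding, Actual, Expected | Format-Table -AutoSize
```

With the sample data it reports STAFFUV_reviewers as Drift, jsmith as Unexpected and STAFFUV_owners as Missing.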