Disable Outlook Auto-Mapping for Users with Full Access Permissions

Outlook Auto-Mapping was added as a feature when Microsoft Exchange Server 2010 SP1 was released. It allows Outlook 2007 SP2 and later to automatically map any mailbox where a user has Full Access permission.

What this meant for users was if they had been given Full Access permissions to another mailbox, Outlook would load that mailbox automatically along with the user’s own mailbox in their Outlook profile.

If a user had Full Access permission to seven different mailboxes, this meant a total of eight mailboxes would be opened and accessible in Outlook. At first glance this seemed like a great idea, but as more of my users starting experiencing auto-mapping I soon found it was becoming a nightmare.  However, the release of SP2 for Exchange 2010 brought relief and allowed administrators to disable Outlook auto-mapping for users with full access permissions.

How Outlook Auto-Mapping Works

 The Outlook auto-mapping was quite convenient because there was no need to visit each user and modify the mailbox setup properties in their Outlook profile to add those additional mailboxes manually. All the work can be done through either the Exchange Management Console or Exchange Management Shell.

Outlook Auto-Mapping works by populating the msExchDelegateListLink attribute in Active Directory with the Distinguished Name (DN) value of the user that that has been given full access. Then the Autodiscover Service takes this information and populates the AlternateMailbox attribute, which Outlook uses to open other mailboxes.

However, in situations where a user had full mailbox access permissions to multiple large mailboxes containing large numbers of items, this could actually slow down Outlook because it has to open up all of the other accounts as well. This situation is especially painful for sites with small bandwidth, as opening Outlook can take forever that results in lost productivity for the user. This is true for users that want access to the mailboxes, but don’t always need to access every mailbox listed in Outlook.

Prior to the release of Microsoft Exchange 2010 SP2, you couldn’t turn off this feature and had to find other workarounds to getting full access without Auto-Mapping. One workaround required you to apply full mailbox access permissions to a security group and then add the user into the group. This approach works but requires creating a security group for each mailbox that users needed to access.

Having the ability to disable Auto-Mapping via the Exchange Management Shell (EMS) — as Exchange 2010 SP2 and later allow — is more convenient. You can do this at the same time as you apply permissions, and you don’t need to create extra groups.

Disable Outlook Auto-mapping using Exchange Management Shell

The ability to disable Auto-Mapping can only be done through PowerShell and is not available through the Exchange Console. When you have a request for Full Access permissions you can disable Auto-Mapping immediately using the following command:

​ Add-MailboxPermission -Identity Mailboxname  -User Username -AccessRight FullAccess  -Automapping $false

The following command adds full access permission to a user’s mailbox and with the Outlook Auto-Mapping feature enabled:

​ Add-MailboxPermission -Identity Mailboxname  -User Username -AccessRight FullAccess

Let’s say you have existing users that want Auto-Mapping disabled in their Outlook profile, you can disable it using either of these two PowerShell Commands.

  1. You can simply re-apply the mailbox permissions but add the Automapping switch. If you run the following command, you will see a warning that no permissions were applied because they were already present, but if you check the properites of the user in Active Directory (AD) and check the Attribute Editor you can verify that the msExchDelegateListLink attribute has been removed.
    ​ Add-MailboxPermission -Identity Mailboxname  -User Username -AccessRight FullAccess  -Automapping $false

Using PowerShell to re-apply mailbox permissionsUsing PowerShell to re-apply mailbox permissions (Image: Phoummala Schmitt)

  1. The following command removes auto-mapping for an existing mailbox by removing the permissions from the mailbox and then re-applying the Full Access permissions with Automapping set to $false. You will be asked to confirm that you want to remove the permissions at which point you answer yes.
    ​ $FixAutoMapping = Get-MailboxPermission -Identity sharedmailbox |where {$_.AccessRights -eq "FullAccess" -and $_.IsInherited -eq $false}$FixAutoMapping | Remove-MailboxPermission$FixAutoMapping | ForEach {Add-MailboxPermission -Identity $_.Identity -User $_.User -AccessRights:FullAccess -AutoMapping $false}

Using PowerShell to remove auto-mapping for an existing mailboxUsing PowerShell to remove auto-mapping for an existing mailbox (Image: Phoummala Schmitt)

As you can see, the ability to disable Outlook Auto-mapping through PowerShell is simple to use when setting up Full Access permissions to another mailbox. The next time a user complains that Outlook is slow, you now have another tool in your troubleshooting toolbox to try. Take a look at Outlook and see if they are opening multiple mailboxes that aren’t listed in their profile. If they do, disabling Auto-Mapping might just do the trick.