Deny mailbox owner permission to delete items

  • Deny mailbox owner permission to delete items

    Hi All,

    It seems no matter how many options MS give us, there is always one user who wants something way out of the ordinary! My guess is the following is not possible, but I'll bounce it off anyway...

    The client runs Server 2K3 and Exchange 2K3. Out-of-the-box OMA is set up and working. They would now like to give OMA to senior staff members, but not allow them to delete anything from their phones. In other words, they should be able to open, forward, reply and create new email items / contacts / appointments, but not delete anything except from Outlook on their desktop. Don't ask why - a mixture of politics and "what if they lose their phone and some kid who finds it thinks it will be cool to delete the dude's email"!

    I thought along the lines of creating a user_oma account in AD and assigning that the external email alias of [email protected], then removing the capability of the mailbox owner to delete their own items. I would then give the "user" account full mailbox access to the user_oma mailbox and configure Outlook on the desktop to open the user_oma mailbox by default, thus allowing them to delete items. I could then even go so far as to delete the mailbox for the "user" AD account.

    Only problem is, I cannot seem to be able to prevent the mailbox owner from deleting what in effect are their own items. Does anyone know if this is at all possible?

    In case anyone is thinking about doing it "the other way around", it seems that setting up OMA on a smartphone etc. does not allow you to connect to a mailbox using a different user's credentials - i.e. you give it the user name and password and it connects to that user's mailbox, hence we must determine if the mailbox owner can be denied the ability to delete their own items.

    I know Exchange 2010 has a whole bunch of new features that control what users can and can't do with their own mailboxes, but the paint hasn't dried on that yet so not something we can implement over the next couple of weeks. Nonetheless, it would be interesting to learn if Exchange 2010 can deal with this scenario.

    Kevin Davis

  • #2
    Re: Deny mailbox owner permission to delete items

    Can't be done.
    It is not possible for an administrator to stop a user from doing anything with their own mailbox. Delete, move, whatever they like. If they have full access to the mailbox (so either because it is their own or they have Full Mailbox Access) then they can do whatever they like.

    The concern about someone else deleting the email can be dealt with in a number of ways.
    If you are using OMA - which is the browser-based system - then ensuring the users are on a secure password will help.
    If you are using ActiveSync to push the email to the device, then the devices can be wiped remotely. The devices should also be secured with a password required to unlock them.

    I am not aware that Exchange 2010 makes any changes. There is a retention hold system, within Exchange 2010, but I haven't explored that far in to see whether it will stop users from deleting the messages, or just ensure they are not dropped from the store.

    Simon Butler
    Exchange MVP

    Sembee is a registered trademark, used here with permission.


    • #3
      Re: Deny mailbox owner permission to delete items

      Thanks Simon. Thought as much, just wanted to confirm. It's now over to the politicians...