Open another user’s mailbox in Outlook Live
May 21, 2009 10 Comments
I seem to be on a roll today with the whole mailbox permission setting thing in PowerShell… anyway this is my last post on this for the time being… I would be interested in hearing some thoughts from others here on the potential applications.
A lot of IT Managers in the schools and institutions I talk to want to know how they can see the contents of a user’s mailbox. The reasons for this vary, but mainly it boils down to doing investigations and protecting kids from cyber-bullying or harmful content in email. By default, a user mailbox is private and no one else can open it to view the contents unless the individual user grants these permissions. An administrator however is all-powerful, and can grant themselves the necessary permissions, and then simply use OWA or Outlook 2007 to look at whatever they like in someone else’s account.
To grant permissions, first of all, connect to the Outlook Live service using PowerShell, then run the following command:
add-MailboxPermission -Identity JennyA -User admin -AccessRights fullaccess
… in this case, JennyA is the mailbox that the permissions are being modified on, and Admin is the account that is getting the permissions.
An admin can then look at this mail box using OWA for example. To open another mailbox in OWA, click the drop-down arrow to the right of the Logged On user at the top right of the screen, and enter the alias of the mailbox you want to look at:
Once you are done with the investigation, you can remove the permissions again.
remove-MailboxPermission -Identity jennya -User admin -AccessRights fullaccess
Jonny
Education Cloud Power 
Jonny,Can this method be used to set up shared accounts? Or is there a better way to do it? For example, we have a student newspaper with a generic address that has many users checking it. I haven\’t seen any real documentation on setting up/using shared accounts really and this is the closest I\’ve seen.
This would be the way to do it through PowerShell. Some extra bits to do/consider though…You\’ll likely want to create a security enabled distribution group that you can add the relevant users to instead of adding them all individually. To do this:New-DistributionGroup "Student News Group" -type securityThis will create a standard group that you can then manage in an easy way through the Control Panel we provide (ECP).You will also want to delegate control over the mailbox to the group then, not the user:add-MailboxPermission -Identity StudentNews -User studentnewsgroup -AccessRights fullaccess…. you still use the \’-user\’ parameter, even though this is a groups you are assigning permissions to.Let me know how you get on here…!
Seems to work fine for us! Thanks so much!
Hey Jonny,This is really useful! One question, though:I want to give our Admin group the ability to look into student mailboxes automatically, to simplify and speed up investigations when they come up. All our admins are in one security enabled distribution group, and all our students are interspered between four Dynamic Groups, depending on what grade set and campus they are enrolled in (e.g. "_StudentsXCHS","_StudentsXCelm","_StudentsDCHS","_StudentsDCMS").Given that these are dynamic groups, is this possible? Would it be easier to create a group in which all students being investigated are placed, and then delegate mailbox access rights based on that? Is it even possible to do this group-to-group?
This will not work… you have to set the ACLs on the end resource itself (the mailboxes), not an object that merely references the resources.You could speed this up a little by running a script on all new mailboxes to grant the admin with permissions…
Hi Longwood,would not it be better to create a group for the student newspaper where everyone is allowed to write to and only the members are allowed to read?The group would have its own email and every member of the group would directly receive a copy of a message sent to the group email.The only \’drawback\’ would be that whenever a group member replies to a message, it goes from the members email address, not the groups. But that could be a good thing in many circumstances.Anna
Two questions – 1) Is there an audit trail? 2) Is there a way to share folders in Outlook Live?
@No NameThere is no audit trail that we expose at this point.By Folders, what do you mean specifically? An Inbox folder? If so, we do not offer permission setting at that level of granularity.
Anna,That drawback you listed, is exactly why it\’s setup the way it is. People just don\’t like responses from messages coming from their personal account. It\’s certainly a good thing to have it come from a personal account from the admin side of things, but the users don\’t see it that way.One question: Is there a way for the shared account to open in a new window when using the Open Other Mailbox option when you click on your name in the upper right side of OWA?
This helps me verify that a user has replied to a phishing email and given their password because I either see the reply to the phishing email or all of the spam that\’s been sent out and all of the non delivery reports and replies to the spam. However, I want to do something about the phishing emails ahead of time. I need the ability to do Message Tracking so I can see who has replied to a known phishing reply-to address. I also need to have the ability to block new outgoing messages to that same phishing reply-to address. It would also be good to delete the phishing email itself from all mailboxes. I do all of this in our fac/staff exchange environment, but it does not appear this is open to us in Outlook Live for our students. This is a real problem. I\’m aware of 5 compromised accounts in just the past few weeks. I only find out when someone emails administrator or abuse or postmaster about this. I will probably open a support ticket about this, but thought this would also be a good one for you, Jonny!