Exchange 2007 introduced a new URL format (Constructing OWA 2007 item ids from WebDAV items) which contained an arbitrary item id, which was based on the EntryId of the item. The format was this:
| Length | Meaning |
|---|---|
| 1 | Length of the structure |
| sizeof(EntryId) | EntryId |
| 1 | Item type |
This format changed with Exchange Service Pack 1. The layout is now this:
| Length | Meaning |
|---|---|
| 4 | Length of the user's email address |
| sizeof(EmailAddress) | Email address specifying the mailbox which contains the item |
| 4 | Size of the EntryId |
| sizeof(EntryId) | The EntryId of the item |
This layout also applies to folder ids within a mailbox.
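An added example (not code from the original post) that serialises and parses both layouts described above. The page does not state the byte order of the two 4-byte length fields or whether the pre-SP1 length byte counts itself; this example assumes little-endian lengths and an inclusive length byte, and the EntryId bytes are constructed sample data. The point for a parser is that a client-supplied length field must be checked against the remaining buffer before it is used.

```python
import struct

def encode_sp1_item_id(email: str, entry_id: bytes) -> bytes:
    """SP1 layout: len(email), email, len(EntryId), EntryId.
    Assumption (the page does not say): both length fields are 4-byte little-endian."""
    email_bytes = email.encode("ascii")
    return (struct.pack("<I", len(email_bytes)) + email_bytes
            + struct.pack("<I", len(entry_id)) + entry_id)

def decode_sp1_item_id(blob: bytes) -> tuple:
    """Parse the SP1 layout, rejecting length fields that point past the end of the buffer."""
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(blob):            # client-supplied length: bounds-check before use
            raise ValueError("length field exceeds buffer")
        chunk = blob[pos:pos + n]
        pos += n
        return chunk

    (email_len,) = struct.unpack("<I", take(4))
    email = take(email_len).decode("ascii")
    (entry_len,) = struct.unpack("<I", take(4))
    entry_id = take(entry_len)
    if pos != len(blob):
        raise ValueError("trailing bytes after EntryId")
    return email, entry_id

def decode_rtm_item_id(blob: bytes) -> tuple:
    """Pre-SP1 layout: 1-byte structure length, EntryId, 1-byte item type.
    Assumption: the length byte counts the whole structure including itself."""
    if len(blob) < 3 or blob[0] != len(blob):
        raise ValueError("length byte does not match buffer")
    return blob[1:-1], blob[-1]

def sample_sp1_item_id() -> bytes:
    """Constructed sample (not a real EntryId) used by the checks."""
    return encode_sp1_item_id("john.doe@example.com", bytes(range(16)))
```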
```xml
<Binary Id="ManagedCustomAction" SourceFile="Include\ManagedCustomAction.dll" />
<ManagedCustomAction Id="test" BinaryKey="ManagedCustomAction" Type="ManagedCustomAction.CustomAction" Execute="immediate" xmlns="http://schemas.infinitec.de/wix/MCAExtension" />
<ManagedAction="test" After="CostFinalize" SequenceTable="InstallUISequence" />
```
To grant an account access to all mailboxes on a mailbox store, the easiest way is to grant the "Receive As" and "Send As" permissions on the mailbox store. To do this, navigate to the mailbox store in the Exchange System Manager:
The mailbox store in the Exchange System Manager
Next, select "Properties" on the context menu of the mailbox store and select the "Security" tab.
If you want to grant access to all mailboxes to a non-administrative account, you can simply add that account to the list and grant it the "Send As" and "Receive As" permissions.
To grant those permissions to an administrative account, you must perform a few additional steps, since members of the Domain Administrators group have a deny on these permissions:
The security properties of the mailbox store
This denial is placed at the organizational level. This can be examined with ADSIEdit (adsiedit.msc):
ADSI edit displaying the security settings for the Exchange Organization
You can see that the Domain Administrators have both an allow and a deny permission. This is propagated down to the mailbox store and prevents administrative accounts from accessing other users' mailboxes. You could remove this deny permission, but this is not advisable; it is there for a reason, and you would end up with far too many people having these rights.
A better approach is to give only one specific account these rights. If this account is also in the Domain Administrators group and is therefore already displayed in the security tab, click "Advanced" and then "Add". Select the account and grant it the "Receive As" and "Send As" permissions.
The account will be granted the permissions, because an explicit allow on a lower level overrides an inherited deny.
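The precedence rule stated above, modelled as an added example (not code from the original post). Windows evaluates a canonical ACL as explicit deny, explicit allow, inherited deny, inherited allow; the organization-level entries and the account name svc-mailsearch are constructed for the illustration. The last function shows why the allow has to sit on the mailbox store: placed at the organization level, the same allow still loses to the deny.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Ace:
    trustee: str             # account or group the entry applies to
    allow: bool              # False = deny entry
    rights: frozenset        # e.g. {"Receive-As", "Send-As"}
    inherited: bool = False  # True once propagated from the organization to the store

MAILBOX_RIGHTS = frozenset({"Receive-As", "Send-As"})

# Constructed organization-level ACL: Domain Admins carry both an allow and an explicit deny.
ORG_ACL = [Ace("Domain Admins", True, frozenset({"Read", "Write"}) | MAILBOX_RIGHTS),
           Ace("Domain Admins", False, MAILBOX_RIGHTS)]

def mailbox_store_acl(org_acl, extra_aces=()):
    """The store's ACL: the organization's entries arrive as inherited, plus anything set locally."""
    return [replace(ace, inherited=True) for ace in org_acl] + list(extra_aces)

def canonical_order(acl):
    """Windows evaluates ACEs as explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(acl, key=lambda ace: (ace.inherited, ace.allow))

def access_check(acl, memberships, requested):
    """A deny hitting any still-ungranted right loses; access is granted once every right is allowed."""
    pending = set(requested)
    for ace in canonical_order(acl):
        if ace.trustee not in memberships:
            continue
        hit = pending & ace.rights
        if not hit:
            continue
        if not ace.allow:
            return False
        pending -= hit
        if not pending:
            return True
    return False

def service_account_can_open_mailboxes(allow_on_store: bool, allow_on_org: bool = False) -> bool:
    """svc-mailsearch (hypothetical) is a Domain Admin; its allow goes on the store and/or the organization."""
    grant = Ace("svc-mailsearch", True, MAILBOX_RIGHTS)
    org = ORG_ACL + ([grant] if allow_on_org else [])
    store = mailbox_store_acl(org, [grant] if allow_on_store else [])
    return access_check(store, {"svc-mailsearch", "Domain Admins"}, MAILBOX_RIGHTS)
```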
- 2008-07-23: Corrected intra-site links.
One question that came up lately in the newsgroups is: How can I find messages containing certain keywords in the mailboxes of all users in my organization?
This scenario is not directly supported by Exchange. All one can do is to search each mailbox individually.
To search over all mailboxes, you must follow these steps:
- Enumerate the users which have a mailbox. Essentially, these are the users appearing on the global address list. See How to get the Global Address List programmatically for more information on how to do this.
- Build the mailbox url which can be used to access the mailbox via WebDAV or ExOleDB. See Get the WebDAV url for an Exchange 2000/2003 mailbox on how to do this. If you are using the ExOleDB provider or want to use the administrative virtual root instead, see the remarks section for more information.
- Once you have the url for the mailbox you can start accessing it. If you must support different languages, see Getting Well-Known Mailbox Folder URLs on MSDN to get the url of the default folders.
- If you are using WebDAV and have Form-based-authentication enabled on your server, you must do a manual logon to the mailbox. See Access the Exchange store via WebDAV with Form-Based-Authentication turned on.
Depending on how you want to access the mailboxes, you need different permissions:
- If you are using the normal urls (e.g. http://myserver/exchange/username), you need access permissions to all mailboxes on the MAPI level. See HOWTO: Grant access to all mailboxes on a mailbox store to a special account on how to do this. If you have more than one mailbox store, you should grant the necessary permissions on each mailbox store. To simplify this process, you could also grant the "Send as" and "Receive as" permission on the Administrative Groups container via ADSIEdit.msc instead of each mailbox store.
- You can also use the administrative virtual root. This method is used by the Exchange System Manager, and it is available via WebDAV and ExOleDB. The normal MAPI permissions are completely ignored when using this method, but an administrative account is required to use it (see Working with Store Permissions in Microsoft Exchange 2000 and 2003 on TechNet for more information on this topic).
- If you are using WebDAV to access the store, you can simply build the mailbox url based on the article Get the WebDAV url for an Exchange 2000/2003 mailbox. To use the administrative root instead, modify the url from http://myserver/exchange/mailboxname to http://myserver/exadmin/admin/<dnsdomainname>/mbx/<mailboxname>. You must replace <dnsdomainname> with the primary SMTP domain name of your organization.
- If you are using ExOleDB, you must modify the address from http://myserver/exchange/mailboxname to file://./backofficestorage/<dnsdomainname>/mbx/<mailboxname>. To use the administrative virtual root, change this url to file://./backofficestorage/admin/<dnsdomainname>/mbx/<mailboxname>.
For Exchange 2000 and Exchange 2003 prior to Service Pack 1, building a URL suitable for WebDAV requests against a user's mailbox is rather complicated. A solution for this is described under the section Solution.
From Exchange 2003 SP1 onwards, you can just use the user's SMTP address to get access to the mailbox. For example, to access the mailbox of John Doe (email@example.com) you would use the url
To build the web address, you must do the following:
- If you only have a domain\username and not the distinguished name of the user, you must first get the latter. See this article on how to retrieve the name.
- Get the directory entry with the distinguished name of the user
- From that object, retrieve the property homemdb. This property contains the distinguished name of the mailbox store.
- Retrieve the directory entry of the mailbox store.
- From this object, retrieve the property named msExchOwningServer. This is the distinguished name of the Exchange server that hosts the mailbox.
- Get the root of the http virtual server on the exchange server. The distinguished name is CN=http, CN=Protocols, <distinguished name of the exchange server>.
- Search for all HTTP virtual servers (LDAP filter: (objectClass=protocolCfgHttpServer), Scope: OneLevel, retrieve these properties: msExchServerBindings, msExchDefaultDomain).
- From this list, retrieve the default HTTP virtual server. It's the one without the attribute msExchDefaultDomain.
- Get the default SMTP domain of the organization:
  - Open the node CN=Default Policy, CN=Recipient Policies, CN=<Name of your organization>, CN=Microsoft Exchange, CN=Services,<Distinguished name of the configuration naming context>.
  - Retrieve the property gatewayProxy. This is a multi-valued property that contains the default addresses of the organization.
  - Check each of the entries in that list. If it starts with SMTP:, you have found it.
- Get the property proxyAddresses from the directory object of the user. This is a multi-valued property that contains all addresses assigned to the user. Each entry consists of a protocol identifier and an address. For example:
If the protocol identifier is all uppercase, it is the default entry for that protocol.
- Iterate through the list of assigned addresses and search for the SMTP address whose domain part matches the default SMTP domain retrieved above.
- Select the correct HTTP server:
  - If you found an email address corresponding to the default SMTP policy, extract the alias from the found address. For the above example the alias would be john.doe. The correct HTTP server to use is the default HTTP server.
  - If there is no SMTP address matching the default policy, iterate through the list of proxy addresses again and do the following for each SMTP address:
    - Extract the alias and the domain from the address.
    - Iterate through the list of HTTP virtual servers and check the property msExchDefaultDomain of each entry. If it matches the domain of the user's address, you have found the correct HTTP server.
- Get the property msExchServerBindings from the selected HTTP server node. This entry has the following structure:
The first and the last part of the string can be empty, as in this example:
:80:
Depending on the content of this field, you can now build the desired url:
- If the servername of the msExchServerBindings property is not empty, build the OWA url like this:
- If the servername is empty but an ipaddress is present, build the OWA url like this:
- If both the servername and the ipaddress fields are empty, get the ipaddress for the Exchange server:
  - From the node of the Exchange server, retrieve the property networkAddress.
  - Iterate through this property and retrieve the value which starts with ncacn_ip_tcp:.
  - Now build the url with the above scheme, using the ip address just found.
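The selection and URL-building steps above, carried through as an added example (not code from the original post) over constructed directory data instead of live LDAP queries. Assumptions not stated on the page: msExchServerBindings is ordered ipaddress:port:servername as in IIS ServerBindings, the elided URL form is http://host[:port]/exchange/alias, and the sample domains, bindings and networkAddress values are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class HttpVirtualServer:
    bindings: str             # msExchServerBindings, e.g. ":80:" or "10.0.0.5:8080:mail.other.example"
    default_domain: str = ""  # msExchDefaultDomain; empty on the default HTTP virtual server

# Constructed sample directory data (hypothetical, not from a real organization).
GATEWAY_PROXY = ["X400:c=US;a= ;p=Example;o=Exchange;", "SMTP:@example.com", "smtp:@legacy.example"]
HTTP_SERVERS = [HttpVirtualServer(":80:"), HttpVirtualServer("10.0.0.5:8080:mail.other.example", "other.example")]
NETWORK_ADDRESS = ["ncacn_np:mailsrv", "ncacn_ip_tcp:10.0.0.5", "netbios:mailsrv"]

def default_smtp_domain(gateway_proxy):
    """The gatewayProxy entry with the upper-case SMTP: prefix is the organization's default."""
    for entry in gateway_proxy:
        if entry.startswith("SMTP:"):
            return entry.split("@", 1)[1].lower()
    raise LookupError("no default SMTP address in the recipient policy")

def select_http_server(proxy_addresses, servers, default_domain):
    """Prefer the user's address in the default domain (default server); else match msExchDefaultDomain."""
    smtp = [a[5:] for a in proxy_addresses if a[:5].upper() == "SMTP:"]
    for address in smtp:
        alias, domain = address.split("@", 1)
        if domain.lower() == default_domain:
            return alias, next(s for s in servers if not s.default_domain)
    for address in smtp:
        alias, domain = address.split("@", 1)
        for server in servers:
            if server.default_domain.lower() == domain.lower():
                return alias, server
    raise LookupError("no HTTP virtual server serves any of the user's SMTP domains")

def host_and_port(server, network_address):
    """Assumption: bindings are ordered ipaddress:port:servername, as in IIS ServerBindings."""
    ip, port, name = server.bindings.split(":", 2)
    if name: return name, port
    if ip: return ip, port
    for entry in network_address:          # fall back to the server's RPC-over-TCP address
        if entry.startswith("ncacn_ip_tcp:"):
            return entry[len("ncacn_ip_tcp:"):], port
    raise LookupError("no IP address found in networkAddress")

def owa_url(proxy_addresses, servers=HTTP_SERVERS, gateway_proxy=GATEWAY_PROXY, network_address=NETWORK_ADDRESS):
    """Assumption: the URL form the page elides is http://host[:port]/exchange/alias."""
    alias, server = select_http_server(proxy_addresses, servers, default_smtp_domain(gateway_proxy))
    host, port = host_and_port(server, network_address)
    return f"http://{host}{'' if port in ('', '80') else ':' + port}/exchange/{alias}"
```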