This website is supported, hosted and funded by Corelan Consulting - https://www.corelan-consulting.com. Please follow us on Facebook (@corelanconsulting) and Twitter (@corelanconsult). Corelan training schedules: https://www.corelan-training.com/index.php/training-schedules



Please consider donating: https://www.corelan.be/index.php/donate/


18,782 views

Exchange 2007 : Resource Room Mailboxes

Scenario : You have an AD account domain, that holds user accounts used to log on to the network/Outlook, and you have a dedicated Exchange 2007 resource forest, that holds the Exchange infrastructure, (linked) mailboxes, etc.  Accounts in the account domain are synced from the account domain to disabled accounts in the Exchange forest (e.g. using IIFP). You can find more information on how to do this in this blog post

I will refer to the account domain as ACC (or acc.local) and to the Exchange forest as EXCH (or exch.local)

Some basic tasks I want to look at today are

  • creating resource mailboxes
  • granting access to the resource mailbox
  • seting up delegates, autoprocessing of requests, etc
  • managing properties of the resource mailbox

 

Creating Room Mailboxes

First of all, we’ll have to create the Resource Mailbox objects in the Exchange forest, because there is no such thing as a linked Resource Mailbox

image

This means that you may want to create a placeholder (OU) to host the resource mailbox AD objects. When the placeholder is created, this is how you can create the room mailbox, given the facts that

  • the room will be called  ROOM-Meetingroom1-City1
  • the OU where the room needs to be stored at is ou=Resource Mailboxes,ou=Company,ou=exch,ou=local

Using powershell, this is how you can create the mailbox :

new-Mailbox 
   -alias "room-meetingroom1-city1" 
   -database "Mailbox Database" 
   -name "room-meetingroom1-city1" 
   -resourcetype room 
   –userPrincipalName room-meetingroom1-city1@exch.local 
   –OU "Resource Mailboxes/Company"

This will create a disabled account in the Exchange forest.

 

Grant access to the resource mailbox

Access to all mailboxes is based on actual useraccounts, not on entries in the Global Address List. So if you want to grant permissions to users, you cannot use the EMC running in the Exchange forest, because it can only display entries from it’s own domain (the Exchange Forest) and not from the actual account domains that hold the accounts used to access the mailboxes.  Of course, the EMC would work if the user accounts and Exchange objects are in the same domain/forest, but since we have an account domain and an exchange forest, it won’t work.

We have to use powershell for this so we can specify the domain\useraccount the access is granted to.

Suppose you want to allow acc\john.doe  and  acc\jane.doe to have full access to the room resource mailbox, you’ll need to enter the following powershell commands :

Add-MailboxPermission 
   -id "room-meetingroom1-city1" 
   -AccessRights FullAccess 
   -User "acc\john.doe"

Add-MailboxPermission 
   -id "room-meetingroom1-city1" 
   -AccessRights FullAccess 
   -User "acc\jane.doe"

If you want to allow “Send on behalf” permissions to the same two users, you need to use the following command :

Set-Mailbox 
   -id "room-meetingroom1-city1" 
   -GrantSendOnBehalfTo "John Doe","Jane Doe"
In this case, you need to use the Exchange name, not the account domain user account name
 
If you want to set “Send-As” permissions to these 2 users, run :
Add-ADPermission 
   -id "room-meetingroom1-city1" 
   -ExtendedRights Send-As 
   -User "acc\john.doe"

Add-ADPermission 
   -id "room-meetingroom1-city1" 
   -ExtendedRights Send-As 
   -User "acc\jane.doe"
The Send-As permissions are again AD permissions, so you need to use the corresponding domain\account names again.
 

 

Set up autoprocessing and delegates

John and Jane Doe will be our two meetingroom managers. We want people to be able to book the resource, but either John or Jane need to get a notification email and must approve (or reject) the request before the resource gets booked

This is how this is done

First, set the delegates.

Set-MailboxCalendarSettings 
   -id "room-meetingroom1-city1"
   -ResourceDelegates "John Doe","Jane Doe"

As you can see, you must specify all delegates at once, because the field is a multi-value field. So if you need to change the delegates afterwards, you’ll have to specify all of the delegates again.   Furthermore, the users that are mentioned here are Exchange users, so you need to enter the Exchange display name, not the account domain user account.

In order to complete the setup of the autoprocessing and the whole process of getting notified and making sure the workflow is set up, take the following steps :

Logged on as acc\john.doe or acc\jane.doe, open OWA and open the mailbox of the meeting room.

In the upper right corner, click “Options”.  In the left pane, open “Resource Settings”

Enable “Automatically process meeting requests” if you want auto-processing

image

Under Scheduling Permissions, set :

Schedule automatically if resource is available : set to “Select Users and Groups”, and don’t enter anything in the field. (this will make sure all requests need to be approved)

Submit a request for manual approval if the resource is available : set to “Everyone”

Schedule automatically if available and manual if unavailable : set to “Select Users and Groups” and don’t enter anything.

Make sure “Always forward to delegates” is enabled.

Save these changes.  If you now try to book the meeting room, the two delegates should receive an email and they should be able to approve/decline the meeting request.

In addition to these settings, it may be a good idea to change the “maximum allowed minutes” setting under “Resource Scheduling Options”. If you want to allow people to book a meeting room for a meeting that lasts more than one day, you will need to increase the default value of 1440 minutes (1 day) to something else (e.g. 144000)

 

Managing other properties

After making the changes as explained above, the settings of a resource mailbox are :

Get-MailboxCalendarSettings –id “room-meetingroom1-city1” | FL

AutomateProcessing : AutoAccept AllowConflicts : False BookingWindowInDays : 180 MaximumDurationInMinutes : 144000 AllowRecurringMeetings : True EnforceSchedulingHorizon : True ScheduleOnlyDuringWorkHours : False ConflictPercentageAllowed : 0 MaximumConflictInstances : 0 ForwardRequestsToDelegates : True DeleteAttachments : True DeleteComments : True RemovePrivateProperty : True DeleteSubject : True DisableReminders : True AddOrganizerToSubject : True DeleteNonCalendarItems : True TentativePendingApproval : True EnableResponseDetails : True OrganizerInfo : True ResourceDelegates : {John Doe, Jane Doe} RequestOutOfPolicy : AllRequestOutOfPolicy : True BookInPolicy : AllBookInPolicy : True RequestInPolicy : AllRequestInPolicy : True AddAdditionalResponse : False AdditionalResponse : <DIV><FONT face=Tahoma size=2>FONT>DIV> RemoveOldMeetingMessages : True AddNewRequestsTentatively : True ProcessExternalMeetingMessages : False DefaultReminderTime : 15 RemoveForwardedMeetingNotifications : False Identity : exch.local/Company/Resource Mailboxes/room-meetingroom1-city1

Most of these properties are more or less self-explanatory, but one of the most interesting option is “Subject of meeting requests”. By default, when people in your organization start using the meeting room, the delegates/managers of the meeting room won’t see the subject of the meeting. In certain cases, this may be a problem for them in order to be able to properly manage the resource.  You can make the subjects visible by ‘not removing’ the subjects.

Turn off “Subject of meeting requests” in OWA

image

or use powershell to disable the removal of the subject field :

set-mailboxCalendarSettings 
   -id "room-meetingroom1-city1"
   -DeleteSubject $false

© 2009, Corelan Team (corelanc0d3r). All rights reserved.

Related Posts:

Comments are closed.

Corelan Training

We have been teaching our win32 exploit dev classes at various security cons and private companies & organizations since 2011

Check out our schedules page here and sign up for one of our classes now!

Donate

Want to support the Corelan Team community ? Click here to go to our donations page.

Want to donate BTC to Corelan Team?



Your donation will help funding server hosting.

Corelan Team Merchandise

You can support Corelan Team by donating or purchasing items from the official Corelan Team merchandising store.

Protected by Copyscape Web Plagiarism Tool

Corelan on Slack

You can chat with us and our friends on our Slack workspace:

  • Go to our facebook page
  • Browse through the posts and find the invite to Slack
  • Use the invite to access our Slack workspace
  • Categories