
Disable Outlook Auto-Mapping for Users with Full Access Permissions

Outlook Auto-Mapping was added as a feature when Microsoft Exchange Server 2010 SP1 was released. It allows Outlook 2007 SP2 and later to automatically map any mailbox where a user has Full Access permission.

What this meant for users was if they had been given Full Access permissions to another mailbox, Outlook would load that mailbox automatically along with the user’s own mailbox in their Outlook profile.

If a user had Full Access permission to seven different mailboxes, this meant a total of eight mailboxes would be opened and accessible in Outlook. At first glance this seemed like a great idea, but as more of my users started experiencing auto-mapping I soon found it was becoming a nightmare. However, the release of SP2 for Exchange 2010 brought relief and allowed administrators to disable Outlook auto-mapping for users with full access permissions.

How Outlook Auto-Mapping Works

Outlook auto-mapping is quite convenient because there is no need to visit each user and modify the mailbox setup properties in their Outlook profile to add those additional mailboxes manually. All the work can be done through either the Exchange Management Console or Exchange Management Shell.

Outlook Auto-Mapping works by populating the msExchDelegateListLink attribute in Active Directory with the Distinguished Name (DN) value of the user that has been given full access. Then the Autodiscover Service takes this information and populates the AlternateMailbox attribute, which Outlook uses to open other mailboxes.

However, in situations where a user has full mailbox access permissions to multiple large mailboxes containing large numbers of items, this can actually slow down Outlook because it has to open all of the other accounts as well. This situation is especially painful for sites with limited bandwidth, where opening Outlook can take forever and results in lost productivity for the user. This is true for users that want access to the mailboxes, but don’t always need to access every mailbox listed in Outlook.

Prior to the release of Microsoft Exchange 2010 SP2, you couldn’t turn off this feature and had to find other workarounds to get full access without Auto-Mapping. One workaround required you to apply full mailbox access permissions to a security group and then add the user to the group. This approach works but requires creating a security group for each mailbox that users need to access.

Having the ability to disable Auto-Mapping via the Exchange Management Shell (EMS) — as Exchange 2010 SP2 and later allow — is more convenient. You can do this at the same time as you apply permissions, and you don’t need to create extra groups.

Disable Outlook Auto-mapping using Exchange Management Shell

Auto-Mapping can only be disabled through PowerShell; the option is not available in the Exchange Management Console. When you receive a request for Full Access permissions, you can disable Auto-Mapping immediately with the following command:

    Add-MailboxPermission -Identity Mailboxname -User Username -AccessRights FullAccess -AutoMapping $false

The following command adds Full Access permission to a user’s mailbox with the Outlook Auto-Mapping feature enabled (the default):

    Add-MailboxPermission -Identity Mailboxname -User Username -AccessRights FullAccess

Let’s say you have existing users that want Auto-Mapping disabled in their Outlook profile. You can disable it using either of these two PowerShell approaches.

  1. You can simply re-apply the mailbox permissions but add the AutoMapping parameter. If you run the following command, you will see a warning that no permissions were applied because they were already present, but if you check the properties of the user in Active Directory (AD) and check the Attribute Editor you can verify that the msExchDelegateListLink attribute has been removed.

    Add-MailboxPermission -Identity Mailboxname -User Username -AccessRights FullAccess -AutoMapping $false

Using PowerShell to re-apply mailbox permissions (Image: Phoummala Schmitt)

  2. The following commands remove auto-mapping for an existing mailbox by removing the permissions from the mailbox and then re-applying the Full Access permissions with AutoMapping set to $false. You will be asked to confirm that you want to remove the permissions, at which point you answer yes.

    $FixAutoMapping = Get-MailboxPermission -Identity sharedmailbox | where {$_.AccessRights -eq "FullAccess" -and $_.IsInherited -eq $false}
    $FixAutoMapping | Remove-MailboxPermission
    $FixAutoMapping | ForEach {Add-MailboxPermission -Identity $_.Identity -User $_.User -AccessRights:FullAccess -AutoMapping $false}

Using PowerShell to remove auto-mapping for an existing mailbox (Image: Phoummala Schmitt)
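The second approach removes every delegate's access before granting it again, so a failed re-add leaves someone locked out with no record of what they had. The script below is an added example, not code from the original article: it saves the current Full Access entries to a CSV first, skips Deny entries and the built-in NT AUTHORITY\SELF entry, processes one delegate at a time, and then reads msExchDelegateListLink back from the mailbox's AD object. The mailbox name `sharedmailbox` and the CSV path are placeholders, and the ActiveDirectory module is assumed to be available alongside the Exchange Management Shell.

```powershell
# Added example (not from the article). Assumes the Exchange Management Shell
# and the ActiveDirectory module; 'sharedmailbox' and the CSV path are placeholders.
$Mailbox    = 'sharedmailbox'
$BackupPath = ".\${Mailbox}-FullAccess-backup.csv"

# Explicit Allow entries only: skip inherited entries, Deny entries and the
# built-in NT AUTHORITY\SELF entry so none of them is removed or re-added.
$Delegates = Get-MailboxPermission -Identity $Mailbox | Where-Object {
    $_.AccessRights -like '*FullAccess*' -and
    -not $_.IsInherited -and
    -not $_.Deny -and
    $_.User -notlike 'NT AUTHORITY\*'
}

# Record who had access before changing anything, so a failed re-add can be
# repaired from the file instead of from memory.
$Delegates |
    Select-Object Identity, User, @{ n = 'AccessRights'; e = { $_.AccessRights -join ',' } } |
    Export-Csv -Path $BackupPath -NoTypeInformation

foreach ($d in $Delegates) {
    $user = $d.User.ToString()
    try {
        Remove-MailboxPermission -Identity $Mailbox -User $user -AccessRights FullAccess `
            -Confirm:$false -ErrorAction Stop
        Add-MailboxPermission -Identity $Mailbox -User $user -AccessRights FullAccess `
            -AutoMapping $false -ErrorAction Stop | Out-Null
    }
    catch {
        # The delegate may now have no access at all; restore it from the CSV.
        Write-Warning "Check access for $user on ${Mailbox}: $($_.Exception.Message)"
    }
}

# Verify: the mailbox's delegate list in AD should no longer contain the
# delegates processed above, and the FullAccess holders should match the CSV.
$dn = (Get-Mailbox -Identity $Mailbox).DistinguishedName
(Get-ADObject -Identity $dn -Properties msExchDelegateListLink).msExchDelegateListLink
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { $_.AccessRights -like '*FullAccess*' -and -not $_.IsInherited } |
    Select-Object User, AccessRights
```

The CSV also serves as a point-in-time list of who holds Full Access on the mailbox, which is worth reviewing before the permissions are granted again.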

As you can see, disabling Outlook Auto-Mapping through PowerShell is simple when setting up Full Access permissions to another mailbox. The next time a user complains that Outlook is slow, you now have another tool in your troubleshooting toolbox to try. Take a look at Outlook and see if they are opening multiple mailboxes that aren’t listed in their profile. If they are, disabling Auto-Mapping might just do the trick.

Comments (2)


  1. Hi,

     Nice one but could you please provide a way of disabling automapping of a shared mailbox for All Users instead of running the command for each user individually?

     I have found the below in Microsoft but it doesn't seem to work as expected.

         $FixAutoMapping = Get-MailboxPermission sharedmailbox |where {$_AccessRights -eq “FullAccess” -and $_IsInherited -eq $false}
         $FixAutoMapping | Remove-MailboxPermission
         $FixAutoMapping | ForEach {Add-MailboxPermission -Identity $_.Identity -User $_.User -AccessRights:FullAccess -AutoMapping $false}

    • In reply to manolee: I was trying to do the same thing and finally found this code in another site (sorry can't remember which one)…

      Remove all permissions:

          Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Remove-MailboxPermission -User "Account mailboxes shared with" -AccessRights FullAccess -InheritanceType all

      Add Fixed Permissions (without Automapping):

          Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Add-MailboxPermission -User "Account mailboxes shared with" -AccessRights FullAccess -AutoMapping:$false -InheritanceType all

      Just change "Account mailboxes shared with" to whatever you use with your environment and you should be good. Hope this helps.
