Tuesday, February 1, 2011

Using the ECP with a Non-Mailbox Enabled Account

The Exchange Control Panel (ECP) allows administrators and users to perform common management tasks in Exchange 2010 from a browser without installing the Management Tools. This is a great option that the Exchange team included with Exchange 2010.

With Exchange 2010 RTM, it was not possible to log into the ECP unless the user logging in had a mailbox. This is fine for most users, since one of the design goals of the ECP was to give users a way to "self-service" their account. Users reach the ECP by selecting Options –> See All Options… within OWA.

[Screenshot: ECP-NoMail-OWAoptions – the Options menu in OWA]

[Screenshot: ECP-NoMail-OWAoptions-click – selecting See All Options…]

Where this breaks down is that best practice says users who require administrative rights should have split accounts: an everyday account (which is mail-enabled) and a separate privileged account (which is not mail-enabled). With Exchange 2010 RTM, this pushed administrators either to mail-enable their administrator accounts or to administer Exchange with their everyday account.

Starting with Exchange 2010 SP1, non-mail-enabled accounts can log into the ECP. As an example, the following user, ExchangeAdmin, is a member of Organization Management and does not have an email account.

[Screenshot: ECP-NoMail-memberof – ExchangeAdmin's group membership showing Organization Management]

Most users access the ECP from the Options menu in OWA. If ExchangeAdmin tries to log into OWA, they get the following error, because the account has no mailbox for OWA to open:

[Screenshot: ECP-NoMail-owaerror – OWA login error for the non-mailbox account]

For ExchangeAdmin to log into the ECP, they need to browse directly to the ECP URL instead of going through OWA. In my example, this is https://mail.lab.com/ecp. The non-mail-enabled account can now log in and access the ECP:

[Screenshot: ECP-NoMail-ecplogin – ExchangeAdmin logged into the ECP]

So, with Exchange 2010 SP1, non-mailbox-enabled accounts can log in to the ECP directly, which lets administrators keep their privileged accounts separate from their everyday mail-enabled accounts.
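The following Exchange Management Shell script is an added example, not part of the original post. It checks the three things the post relies on: that the servers are at SP1 (where non-mailbox ECP logins work), which members of Organization Management still carry a mailbox (so the split-account practice can be enforced), and what the direct ECP URLs are. The role group name Organization Management and the account name ExchangeAdmin are taken from the post; the version numbers for RTM (14.0) and SP1 (14.1) are assumed from the Exchange 2010 build numbering.

```powershell
# Added example (not from the original post): audit privileged Exchange
# accounts from the Exchange Management Shell on an Exchange 2010 server.
# Assumes the role group "Organization Management" and the sample account
# "ExchangeAdmin" used in the post; adjust both for your environment.

# 1. Confirm the servers are at SP1 or later. Exchange 2010 RTM reports
#    AdminDisplayVersion 14.0.x and SP1 reports 14.1.x (assumed build
#    numbering); accounts without a mailbox cannot use the ECP on RTM.
Get-ExchangeServer | Format-Table Name, ServerRole, AdminDisplayVersion -AutoSize

# 2. Show the sample admin account. A privileged account that follows the
#    split-account practice shows RecipientType 'User' (no mailbox);
#    'UserMailbox' means the admin account also receives mail.
Get-User -Identity ExchangeAdmin |
    Format-List Name, SamAccountName, RecipientType, RecipientTypeDetails

# 3. List every member of Organization Management with its recipient type,
#    then flag the members that are mailbox- or mail-enabled for review.
#    Nested groups appear with their own group recipient type and are not
#    expanded here.
$orgMgmt = Get-RoleGroupMember -Identity "Organization Management"
$orgMgmt | Format-Table Name, RecipientType, RecipientTypeDetails -AutoSize

$mailEnabledAdmins = $orgMgmt | Where-Object { $_.RecipientType -ne 'User' }
if ($mailEnabledAdmins) {
    Write-Warning "Organization Management members that are not plain (non-mail-enabled) user accounts:"
    $mailEnabledAdmins | Format-Table Name, RecipientType -AutoSize
} else {
    Write-Host "All Organization Management members are non-mail-enabled accounts."
}

# 4. Print the ECP URLs that a non-mailbox admin must browse to directly,
#    since the OWA Options route fails for an account without a mailbox.
Get-EcpVirtualDirectory | Format-Table Server, InternalUrl, ExternalUrl -AutoSize
```

Run this from an Exchange Management Shell session with View-Only Organization Management rights or better. Step 3 treats anything other than RecipientType 'User' as worth reviewing, so mail-enabled users and mailbox users both appear in the warning list; a hardened environment should show an empty list for the privileged role group.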

1 comment:

  1. Great post. Unfortunately for us we need to give an external domain NT account access to a shared mailbox in the Exchange resource domain.
    We do not want a mailbox for externaldomain\user.
    We want him to use https://webmail/sharedmailbox@address.com. Perms are correctly assigned but the user cannot use webmail - but they can access the mailbox via Outlook. Annoying and no solution found yet.
