
Our CEO has requested a second mailbox for his personal email. His primary mailbox is visible to his assistant, but he belongs to an external organization that requires that only he can see email among its members. He also wants the second mailbox to be associated with our corporate domain (i.e. not a Gmail account). Naturally he also has a BlackBerry with which he would like to read mail sent to both mailboxes.

My solution so far has been to create a second AD account with its own mailbox. I granted Send As permission (not Send on Behalf) to his primary AD account. I also gave his primary account full access to the second mailbox and added the second mailbox to his Outlook profile as an additional mailbox and made the From field visible.

Two problems remain:

  1. His second mailbox has to be visible in the Outlook GAL for him to use it in the From field, and this will cause confusion for internal users.
  2. Any mail sent from the second mailbox is stored in the Sent folder of the primary account. His assistant can see the Sent mailbox so threads lose their privacy.

I have put a delivery restriction on the second mailbox for all internal users so at least they get a message if they inadvertently send mail to his secondary mailbox, which is similarly named. I don't see a rule that allows me to divert the mail stored in the Sent folder of the primary account.

So it looks grim and I haven't even tackled the BES config. Creating alternate profiles is possible, but I'm not sure how to alert the user that he has mail in the secondary mailbox. OWA is another possibility, but again I'm not sure how to alert the user to check the secondary mailbox with OWA.

If anyone has any helpful suggestions I would be grateful to hear them.

zen
  • Is there a particular reason that you didn't just restrict the assistant to only have access to specific folders in the main box? – Tim Brigham Jan 25 '12 at 22:44
  • Not really but I have a feeling the Send box would be one folder that the assistant would need to retain visibility on anyway. – zen Jan 25 '12 at 22:52
  • Sounds like a mess. If you're publicly traded you may have some regulatory concerns, too. – Evan Anderson Jan 25 '12 at 22:53
  • No, we're private. I knew it would be a mess as soon as the request came to me but now I know the gruesome details :( – zen Jan 25 '12 at 23:11

4 Answers


It sounds, to me, like the best scenario would be to have the CEO start a second instance of Outlook with a MAPI profile that only has his personal account configured. With Outlook 2007, at least, the unsupported ExtraOutlook utility (described in this blog post) will allow you to run two different instances of Outlook with different MAPI profiles simultaneously.

Once you've got the "Personal" MAPI profile configured you can hide the account from the GAL. That should solve your first problem. Because the CEO will be sending personal email from the Outlook instance that's connected to the personal mailbox the items should end up in the proper "Sent Items" folder, which takes care of your second problem.

Evan Anderson
  • Interesting suggestion - I will have to look into that utility. Sounds risky though and not sure how it would fare with OL2010 under Win 7. I'm also skeptical that CEO would run two instances at once. Might make his brain explode. But I appreciate the idea and will check it out. – zen Jan 26 '12 at 00:39
  • I'd be interested to hear how to goes for you. – Evan Anderson Jan 26 '12 at 02:28
  • I'll try and provide an update. – zen Jan 26 '12 at 18:14

With Outlook 2010 and Exchange 2003 or higher there's an easy solution.

  • Create a 2nd AD account and email, hide it from Exchange, and grant the 1st account full perms. Note: if your EX server is 2010, be careful granting full mailbox access because the automapping might show it to anyone who has full access to the CEO. I've never tested that part before because I'm stingy on granting rights beyond what's absolutely necessary and haven't used full more than a couple of times.

  • Set up the hidden mailbox in the Outlook 2010 client on his machine with the LegacyExchangeDN for the username instead of the normal username (the hidden user won't resolve to the GAB without the legacy).

Feel free to flick me an email if you need help. BTW, for the right price I'll entertain job offers.

Cheers, Steve @ Strigle. o R G


Here's some PowerShell for how I look up the legacy name...

    # Look up the legacyExchangeDN of an AD user via System.DirectoryServices.AccountManagement
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    # Replace the placeholder with the sAMAccountName or UPN of the hidden mailbox's account
    $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ct, "____namehere____")
    # The underlying DirectoryEntry exposes the raw AD attribute
    $user.GetUnderlyingObject().legacyExchangeDN

  • That's, essentially, what I'm talking about in my answer when I say "Once you've got the "Personal" MAPI profile configured you can hide the account from the GAL." You can always use the legacyExchangeDN but I tend to think allowing "Check Name" to work and then hiding the account from the GAL is easier than using the legacyExchangeDN to begin with. (Good luck w/ the "job offers" from Server Fault. I get some solicitations for business via my association with the site but I wouldn't say it has been a big vehicle to drive my business. It's more a part of my "personal brand" for me.) – Evan Anderson Mar 28 '12 at 18:13
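The setup described in the question (second AD account, Full Access, Send As, delivery restriction) and in the answer above (hide from the address lists, beware of automapping, look up the LegacyExchangeDN) can be done from the Exchange Management Shell in one pass. The script below is an added example and is not from the asker or either answerer; it assumes an Exchange 2010 SP2 or later Management Shell (the -AutoMapping switch does not exist on Exchange 2003), and every account name, alias, domain, database and distribution list in it is a placeholder.

```powershell
# Added example, not part of the original question or answers.
# Assumes Exchange 2010 SP2+ Management Shell; all names below are placeholders.
$PrimaryUser   = 'CONTOSO\jdoe'                 # CEO's existing AD account
$PersonalName  = 'John Doe (Personal)'          # display name of the second mailbox
$PersonalAlias = 'jdoe.personal'                # alias / sAMAccountName of the second mailbox
$PersonalUPN   = "$PersonalAlias@corp.example.com"
$Database      = 'MailboxDatabase01'
$InternalDL    = 'All Employees'                # DL whose members must not reach the private box

# 1. Create the second AD account with its own mailbox on the corporate domain.
$pw = Read-Host -AsSecureString 'Initial password for the personal mailbox'
New-Mailbox -Name $PersonalName -Alias $PersonalAlias `
    -UserPrincipalName $PersonalUPN -Database $Database -Password $pw

# 2. Hide it from the GAL so internal users do not pick the similarly named mailbox by mistake.
Set-Mailbox -Identity $PersonalAlias -HiddenFromAddressListsEnabled $true

# 3. Reject mail from internal senders (the delivery restriction the question describes),
#    so anyone who still addresses it gets an NDR instead of a silent delivery.
Set-Mailbox -Identity $PersonalAlias -RejectMessagesFromDLMembers $InternalDL

# 4. Full Access for the CEO only. AutoMapping is switched off so Outlook does not
#    silently add this mailbox to the profile of everyone who also has Full Access on
#    the CEO's primary mailbox (the automapping concern raised in the answer above).
Add-MailboxPermission -Identity $PersonalAlias -User $PrimaryUser `
    -AccessRights FullAccess -InheritanceType All -AutoMapping $false

# 5. Send As (not Send on Behalf) so the From field shows only the personal address.
Add-ADPermission -Identity $PersonalName -User $PrimaryUser -ExtendedRights 'Send-As'

# 6. The value to type as the user name when adding the hidden mailbox to the Outlook
#    profile, since a hidden recipient will not resolve by name in the address book.
(Get-Mailbox -Identity $PersonalAlias).LegacyExchangeDN

# 7. Audit who can actually open the private mailbox: only explicit, non-system grants.
#    The expected result is a single entry for $PrimaryUser.
Get-MailboxPermission -Identity $PersonalAlias |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' -and $_.User -notlike 'S-1-5-*' } |
    Select-Object User, AccessRights
```

Step 7 is the check worth repeating after any later permission change: the privacy goal of the whole setup rests on Full Access being held by exactly one account, and on automapping not having quietly surfaced the mailbox in the assistant's profile.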

It's cumbersome, but I think your best bet is the second idea you described: set him up with alternate profiles, he can look at one or the other mailbox but not both simultaneously.

Then, since you're still on Ex2003, use an Event Sink to notify his "real" account when a message arrives in his "external" mailbox. (Of course, it's easy to throw out the phrase Event Sink, I'd be lost if I had to set one up.)

Or maybe you could convince him to rely on his Blackberry to tell him when he has new mail on the external account?

Ward - Trying Codidact

If this was Exchange 2007 or better, I'd use AD RMS and a transport rule to only allow access to the CEO and just add another alias. I know you can use RMS on 2003 but I don't know if you can auto-apply it like you can with 2007+.

Jim B
  • Thanks Jim. Doesn't RMS only work for content in same Exchange server environment? i.e. most of the private email will be to external accounts. – zen Jan 26 '12 at 18:13