0

Is there a way to add default mailbox delegates in Exchange Admin Center so that whenever a new user account is created the helpdesk is automatically set up as a delegate to mailboxes if end-users need assistance?

Right now there are 3 default groups (Exchange Domain Servers, Exchange Servers, Exchange Trusted Subsystem) within the Mailbox Delegation area.

How do I add an additional default group to that list?

Ryan
  • How does making the support staff delegates on the mailboxes assist them in providing support to the users? – joeqwerty Dec 02 '16 at 20:24

2 Answers

1

I do not think that giving out delegation rights to the users' mailboxes. Think about if a person from the helpdesk should not see some content. But with delegation rights he could. The user mailbox might also be automapped on the Outlook client. If you use Exchange Cache Mode and have more than 300 users ... I think you got the point here (Sync & Disk Space issues).

However (to answer your question): You might wish to use the "Microsoft Exchange Scripting Agent" as explained here:

When you enable the Scripting Agent cmdlet extension agent, the agent is called every time a cmdlet is run on a server running Exchange 2010. This includes not only cmdlets run directly by you in the Exchange Management Shell, but also cmdlets run by Exchange services, the Exchange Management Console (EMC), and the Exchange Control Panel (ECP). Every time an Exchange cmdlet is run, the cmdlet calls the Scripting Agent cmdlet extension agent. When this agent is called, the cmdlet checks whether any scripts are configured to be called by the cmdlet. If a script should be run for a cmdlet, the cmdlet tries to call any APIs defined in the script.

That way you could build a script which is triggered here and which adds the group.

BastianW
1

Have to agree - this is a bad idea on so many levels. To administrate Exchange there is no need to have access to all mailboxes by anyone. You will lose all audit trail capabilities. If helpdesk staff have access to every mailbox, what is to stop them from snooping on something they shouldn't do, stalking members of staff and generally causing mischief?

Train your staff to do their job properly. If they need to access a mailbox, then grant the permission on demand with the end user's permission, do what is required, then remove the permission. If you work on the basis that you don't have permissions and check, rather than trying to access and discovering you don't have permission, then you aren't caught in the permissions cache trap.

Sembee
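The grant-on-demand procedure described in the answer above, as an added example for the Exchange Management Shell that is not part of the original answers. It grants FullAccess with automapping disabled (the sync concern raised in the first answer), runs the support task, and always revokes the grant afterwards; the function name, its parameters, the log path and the sample values are assumptions.

```powershell
# Added example: time-boxed mailbox access for one support task.
# Function name, parameters and log path are hypothetical, not Exchange built-ins.
function Invoke-TemporaryMailboxAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Mailbox,         # mailbox being supported
        [Parameter(Mandatory)] [string] $Technician,      # individual helpdesk account, not a group
        [Parameter(Mandatory)] [string] $Ticket,          # reference recording the end user's consent
        [Parameter(Mandatory)] [scriptblock] $Work,       # the support task itself
        [string] $LogPath = 'C:\Logs\mailbox-access.csv'  # assumed log location
    )

    # Append one audit row per grant/revoke so access is traceable to a ticket.
    function Write-AccessLog([string] $Action) {
        [pscustomobject]@{
            Time = (Get-Date).ToString('o'); Action = $Action
            Mailbox = $Mailbox; Technician = $Technician; Ticket = $Ticket
        } | Export-Csv -Path $LogPath -Append -NoTypeInformation
    }

    # Refuse to proceed if an explicit grant already exists: removing it in the
    # finally block would silently change a permission this function did not create.
    $existing = Get-MailboxPermission -Identity $Mailbox -User $Technician |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                       $_.AccessRights -like '*FullAccess*' }
    if ($existing) {
        throw "$Technician already has explicit FullAccess to $Mailbox; review that grant first."
    }

    # -AutoMapping $false keeps the mailbox out of the technician's Outlook profile.
    Add-MailboxPermission -Identity $Mailbox -User $Technician -AccessRights FullAccess `
        -InheritanceType All -AutoMapping $false -ErrorAction Stop | Out-Null
    Write-AccessLog 'Granted'
    try {
        & $Work
    }
    finally {
        # Runs even if the task throws, so the grant never outlives the task.
        Remove-MailboxPermission -Identity $Mailbox -User $Technician -AccessRights FullAccess `
            -InheritanceType All -Confirm:$false -ErrorAction Stop
        Write-AccessLog 'Revoked'
    }
}

# Constructed sample call:
# Invoke-TemporaryMailboxAccess -Mailbox 'jdoe' -Technician 'helpdesk01' -Ticket 'INC-0000' `
#     -Work { Get-MailboxFolderStatistics -Identity 'jdoe' | Select-Object Name, ItemsInFolder }
```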