Important reading on Service Accounts and Delegation

Please refer to this document for insights on service accounts, mailbox ownership, delegation, send-as, send-on-behalf, etc.


Understanding & Configuring Service (Department) Mailbox Access Delegation
Mailbox Owner: Mailbox ownership is established when an administrator creates a mailbox (mailbox-enables an account) in AD. The owner can log in and has full control of the Exchange mailbox. A mailbox owner or an administrator can delegate access to other accounts.
Mailbox Delegate: An account designated to act on behalf of a mailbox. Some of the most commonly used options include the ability to read or manage another user’s calendar or to send mail on behalf of another user.
Access levels for sending mail as another user:
Send-on-behalf: This allows the delegate to send mail on behalf of the mailbox owner. The message sent by the delegate shows the sender as “on behalf of” the owner.
This can be granted using Outlook or by an administrator. Please note that this right is written to AD as the “publicDelegates” attribute.
Send-As: This allows the delegate to send mail as if they were the mailbox owner. The message sent does not indicate that the sender was anyone other than the mailbox owner. This can only be granted by an administrator.
Service Account: A regular mailbox set up for departmental use. The name “service account” is unique to this use.
Service Account manager: Account that has been assigned Full Access permission to a service mailbox. This person also has the username and password of the service account mailbox.
Resource Accounts:
Room mailbox: This is a mailbox assigned specifically to a meeting room. The associated user accounts are disabled in AD.
Equipment mailbox: This is a mailbox specific to a piece of equipment (for example a TV or projector). Just like rooms, the associated AD accounts are disabled.
Delegating Access to users by service account managers
* As a matter of best practice, service account managers need to log in to the AD domain as domain\service account before they can start delegation.
* Create an Outlook profile for the service account. Remember to log in as domain\service account when prompted for credentials.
* While in Outlook, delegate access to users as needed. (The service account manager needs to add his/her own account as a delegate if desired.)
Basic questions for service account managers to consider before assigning or requesting permissions:
* Do the users want to send on behalf of the service account?
If the answer is yes, the service account manager needs to delegate access to the service account mailbox to those users or to the group.
If the answer is no, do not delegate access to users.
* Does the account manager want delegates to access the inbox, calendar, contacts, etc. of the service account?
If yes, while delegating in Outlook, assign the delegates the required permissions on each folder as needed. After this is done, the delegates can open the delegated folders by clicking File, Open, Other User’s Folder, typing the account name and choosing the folder to open.
If no, while delegating in Outlook, assign “None” permission on all the folders.
* Does the service account manager want to assign specific permissions to specific folders beneath the inbox?
If yes, assign “Folder visible” permission on the parent folder and the required permission on the child folder.
* Does the service account manager want to open the service account Outlook profile while logged in with his/her AD account?
If yes, an administrator will need to assign Full Access rights to the service account mailbox. With that in place, the manager can open the service account mailbox through a MAPI profile and assign Outlook folder permissions as desired.
Important Notes/Gotchas:
1. The department account manager needs to add his/her own account as a delegate to be able to send on behalf of the service account.
2. Full manage rights enable you to open the mailbox via an Outlook profile while the department manager is logged into AD with his/her own account.
3. Mailbox owner and the administrator are the only ones that can delegate.
4. If rights are delegated properly, delegates can open the folder from
5. Send-on-behalf rights, just like Send-As, are an AD attribute. Only administrators can grant Send-As rights. Mailbox owners can grant send-on-behalf rights using Outlook.
6. Users not on the domain must log in as domain\mailbox owner to do delegation. In rare cases, you may experience replication issues. Check that the global catalog for the domain is reachable and responding in a timely manner.
7. Occasionally delegation may fail. While there are numerous reasons for such failure, it is usually related to permissions. This can be fixed as follows: while in Outlook, change the Outlook logon behavior by clicking Tools, Account Settings, double-clicking your email account, clicking More Settings, clicking the Security tab, checking “Always prompt for logon credentials”, and clicking OK.
8. Logging in to resource accounts is not required and is not supported in Exchange 2007.
9. Note that Full manage rights on a mailbox do not give the manager send-on-behalf rights for that mailbox.
10. Mailbox delegates can also open the service mailbox in Outlook as a secondary mailbox. This can be done by going to Tools, Account Settings, double-clicking the mail account, More Settings, the Advanced tab, and under Mailboxes clicking Add and typing the mailbox name. Click OK.
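The three rights the definitions and notes above distinguish (Full Access, Send-As, and send-on-behalf) live in three different places, so it is easy to grant one and assume another. As an added example (not from the original guide), the read-only Exchange Management Shell function below lists all three for one service mailbox so a service account manager or administrator can confirm who can act on it. The cmdlets are standard Exchange 2007 cmdlets; the function names and the sample alias “svc-helpdesk” are assumptions.

```powershell
# Added example, not part of the original guide. Run in the Exchange
# Management Shell (Exchange 2007 cmdlets; avoids PowerShell 2.0-only syntax).
# Read-only: lists who holds Full Access, Send-As and Send-on-behalf on a mailbox.

function New-DelegationRow($Account, $Right, $Source) {
    # Helper (assumed name) that builds one result row.
    $row = New-Object PSObject
    $row | Add-Member NoteProperty Account $Account
    $row | Add-Member NoteProperty Right   $Right
    $row | Add-Member NoteProperty Source  $Source
    $row
}

function Get-ServiceMailboxDelegation {
    param([string]$Mailbox)   # alias, display name or SMTP address of the service mailbox
    $mbx  = Get-Mailbox -Identity $Mailbox
    $rows = @()

    # 1. Full Access ("full manage rights"): an Exchange mailbox permission.
    #    Skip inherited and Deny entries and the built-in SELF / system principals.
    $rows += @(Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                       "$($_.User)" -notlike 'NT AUTHORITY\*' -and
                       "$($_.User)" -notlike 'S-1-5-*' -and
                       "$($_.AccessRights)" -match 'FullAccess' } |
        ForEach-Object { New-DelegationRow "$($_.User)" 'FullAccess' 'Get-MailboxPermission' })

    # 2. Send-As: an AD extended right on the account; only an administrator grants it.
    $rows += @(Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                       "$($_.User)" -notlike 'NT AUTHORITY\*' -and
                       (@($_.ExtendedRights | ForEach-Object { "$_" }) -contains 'Send-As') } |
        ForEach-Object { New-DelegationRow "$($_.User)" 'Send-As' 'Get-ADPermission' })

    # 3. Send-on-behalf: the publicDelegates attribute, exposed as GrantSendOnBehalfTo.
    #    Listed separately because Full Access does not imply it (note 9 above).
    $rows += @($mbx.GrantSendOnBehalfTo |
        ForEach-Object { New-DelegationRow $_.Name 'Send-On-Behalf' 'GrantSendOnBehalfTo' })

    $rows | Sort-Object Account, Right
}

# Usage (constructed alias): Get-ServiceMailboxDelegation 'svc-helpdesk' | Format-Table -AutoSize
```

An account that appears only under FullAccess can open the mailbox but still cannot send on behalf of it, which is the situation notes 1 and 9 describe.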