Attempting to test delegated permissions using Exchange MAPI

Jun 6, 2012 at 5:45 PM

We're running Exchange 2010 SP2 RU2 in a lab. I have a user called "CEO" that had granted another user "ADMIN" rights to that mailbox. The delegation of rights was performed using the Outlook 2010 Delegate Access controls (File/Account Settings/Delegate Access).  ADMIN was granted “Editor” rights to all items (Calendar, Tasks, Inbox, etc.).  In addition to granting the delegate permissions above, ADMIN was granted “Folder visible” rights to CEO's entire mailbox. This is done by right-clicking the root of CEO's mailbox (as viewed from CEO’s Outlook profile) and selecting Folder Permissions.  On the Permissions tab, ADMIN was added with the “None” permission level, but the Folder visible checkbox under “Other” was selected.


This delegation works great in Outlook 2010.  The user ADMIN can add the CEO mailbox to the Outlook profile or even open CEO's inbox and calendar directly.  Using MFCMAPI ( on top of the Outlook MAPI subsystem, I can logon with the profile that has both mailboxes included or I can create a new profile with both mailboxes when I logon to a new session.


However, when I'm working on a machine (Win 7 32 bit) that does not have Outlook 2010 installed, I'm having a hard time. I have installed MAPI and CDO 1.2.1 (6.5.8244.0).  When I try to create a new profile when logging on to a session in MAPIMFC, and select manually configure Exchange services, I get a DLL error.  If I use the wizard to create the profile, I'm not allowed to add the CEO as an additional mailbox to open.


I've tried creating profiles with PROFMAN2. This works fine for just opening a single mailbox. But when I go to the advanced tab to add additional mailboxes, and click "Apply", I get "the action could not be completed".  I've tried exporting an Outlook profile registry key with both mailboxes from another system and importing it on the one without Outlook, but MFCMAPI gave "Not Configured" errors.


So is there anyway I can test MAPI access to a delegated mailbox using MFCMAPI? Granted full control to the mailbox would allow me to test with a separate profile, but the full control scenario doesn't match our use cases. Is there a way to perhaps manually edit the profile within MFCMAPI to add an additional mailbox?

Jun 6, 2012 at 6:48 PM

Something else attempted. Took a system that had Outlook 2010 installed. Created a profile with both ADMIN and delegated CEO mailboxes. Uninstalled Outlook. Installed MAPI and CDO 1.21. Ran MFCMAPI and opened profile.  The "Display Name" column is blank and the Provider column has Err 0x8004010F=MAPI_E_NOT_FOUND. So clearly the profile is trying to tap into an explicit MAPI provider, which changes between Outlook 2010 MAPI and the version of Exchange MAPI that ships in MAPI and CDO 1.2.1 (6.5.8244.0).

Jun 14, 2012 at 7:49 PM

As you saw, you can't migrate a profile from one implementation to the other, for the reasons you surmised.

Adding multiple mailboxes to a profile in MAPICDO isn't going to work. What you want to do here is create a single profile for the user you have the most access to (IE - yourself), then open the other mailbox using CreateStoreEntryID. In MFCMAPI, this second part is accomplished through MDB/Open Other Mailboxes and using one of the various options there.