I have extensively googled and searched ServerFault for guidance, and I can't find any design scenario examples or best practices, or in fact any documentation at all from Microsoft for how to approach this problem.
We have a number of mailboxes that represent a department or team (rather than an individual) which will be monitored and worked on by multiple users. By this, I mean depending on who has been rostered on, who has been designated the responsibility of responding to/actioning emails for that team that day etc., different people will read the messages in the mailbox, and then categorize them/mark them as read/unread, move them to sub-folders etc. To avoid duplication of work, this then needs to be visible by whomever views this mailbox next.
Here is our current scenario:
- We create the mailbox, e.g. [email protected]
- We create a domain local security group, e.g. Team1 Mailbox Full Access, and grant it full access permissions to the mailbox
- We add users or groups to this group
By and large, this works fine. It's difficult in that users' group membership is updated at logon so they need to log off and back on in order to gain access. But here are the problems:
- The amount of time taken between when these permissions are set and when they seem to be applied is unpredictable and inconsistent. For example, if I follow the steps above (or even just add someone to a group which already has the permissions), even if they logoff/on, sometimes it can take hours before they will be able to access the mailbox.
- Sometimes this doesn't even work at all. Users can only access a mailbox if they are directly applied permission to do so (e.g. their user account is granted the permissions on the mailbox, not via group membership).
I've considered using public folders, but obviously there is much confusion as to whether these are deprecated, but more specifically about what their best usage is (I don't think they would apply to my current problem). I've also considered changing them from user mailboxes to shared mailboxes, however this technet article says:
> We recommend that you use resource mailboxes or Microsoft SharePoint Portal Server portals for collaboration instead of shared mailboxes.
There's also a lot of buzz about integration between Exchange and SharePoint, or how SharePoint is going to replace a lot of the collaboration scenarios previously addressed by Exchange. But I can't seem to find any clear documentation on what the recommended design is.
So my question is, can anyone point me in the direction of any documentation on what the correct approach to this scenario is? This is a common requirement among organisations and I can't believe it hasn't been addressed somewhere.
Exchange and SharePoint provide tools; you customize them for your needs. You might think that these needs are universal and indeed they are but you'd be surprised how much they vary between organizations so your config is likely different than others. What you are really doing is mapping business processes to the technology and that can really only be done by you. You need to figure out what your users need and build a solution that works for them. This probably explains why you aren't finding docs for exactly what you want.
Public folders are viable for Exchange 2010 and for who knows how long. Microsoft initially tried to kill them off but there was a lot of backlash so they've backed off on that a bit. If you're not already using them, you'd be wise to skip them and find a solution that uses mailboxes or SharePoint instead.
Really your 2 options are as you've mentioned: use a mailbox and give everyone access or use a SharePoint site. Either can work. You don't mention if you already have SharePoint or not. If you don't, it isn't an insignificant thing to build so I'd recommend sticking with your mailbox approach which is a common solution. Obviously you need to address your issues with the permissions problems but if that's your only issue, I'd simply focus on that specific technical problem and find a solution.
I wouldn't obsess over that comment in the Microsoft doc about using resource mailboxes or SharePoint for collaboration. A resource mailbox wouldn't be appropriate for your specific use though SharePoint might be.
Here's what I've learned about these issues.
The waiting period between setting these up and when they work is related to the directory cache on the Exchange. I've found an article here which describes this. Our solution to this is to set appropriate expectations; we wait 24 hours between creating the shared mailbox and advising the users it's ready.
With regards to functionality, I've still found no guidance on what the best practice for this is. I have however discovered the following two facts:
Apparently the second issue has been fixed in the latest service pack, although I have not tested this yet. Also, the groups we are now creating are security enabled distribution groups. I have created a script to automate the whole process, and this is working very well. We are currently in the process of migrating our existing shared mailboxes to new mailboxes created with this script.
I've included the script below for anyone who is interested. Any suggestions or improvements would be most welcome.
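
The workflow discussed in this thread (a shared mailbox, a security-enabled distribution group holding Full Access, users added to the group), written out as an added example for the Exchange Management Shell; it is not the poster's script, which is not reproduced on this page. The team name, domain, OU and member names are constructed placeholders, and the last step lists explicit Full Access grants so that per-user grants made outside the group can be reviewed.

```powershell
# Added example (not the poster's script). Run in the Exchange Management Shell.
# Every default value below is a constructed placeholder.
param(
    [string]$TeamName  = 'Team1',
    [string]$Domain    = 'contoso.example',
    [string]$OU        = 'contoso.example/Shared Mailboxes',
    [string[]]$Members = @('alice', 'bob')
)

$mbxAlias   = $TeamName -replace '\s', ''
$groupName  = "$TeamName Mailbox Full Access"
$groupAlias = "$mbxAlias-FullAccess"

# 1. Create the shared mailbox if it does not exist yet.
if (-not (Get-Mailbox -Identity $mbxAlias -ErrorAction SilentlyContinue)) {
    New-Mailbox -Shared -Name $TeamName -Alias $mbxAlias `
        -UserPrincipalName "$mbxAlias@$Domain" -OrganizationalUnit $OU | Out-Null
}

# 2. Create the security-enabled (mail-enabled universal security) group.
$group = Get-DistributionGroup -Identity $groupAlias -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-DistributionGroup -Name $groupName -Alias $groupAlias `
        -Type Security -OrganizationalUnit $OU
}

# 3. Grant Full Access to the group only, never to individual users.
Add-MailboxPermission -Identity $mbxAlias -User $group.DistinguishedName `
    -AccessRights FullAccess -InheritanceType All | Out-Null

# 4. Membership of the group is the single place where access is managed.
foreach ($member in $Members) {
    Add-DistributionGroupMember -Identity $groupAlias -Member $member `
        -ErrorAction SilentlyContinue
}

# 5. Review: explicit (non-inherited) Full Access entries on the mailbox.
#    Any entry other than the group above is a direct grant to a user or
#    another group and should be removed or justified.
Get-MailboxPermission -Identity $mbxAlias |
    Where-Object {
        -not $_.IsInherited -and -not $_.Deny -and
        ($_.AccessRights -like '*FullAccess*') -and
        ($_.User -notlike 'NT AUTHORITY\*')
    } |
    Select-Object User, AccessRights
```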