Accessing Multiple Mailboxes

Most of the examples provided in our documentation show how to access folders, messages, appointments, etc. belonging to the Service Account. Remember that the Service Account is the user account you used to configure CDO. But what if you want to access the mailbox of other users?

The basic security policy when it comes to accessing mailboxes and folders in the Exchange Server is:

  1. By default, only User A can have access to his own mailbox, let's call this Mailbox A
  2. User B may be allowed access to Mailbox A only if User B has been granted/delegated the rights to do so
  3. Public folders can be accessed by any user

Since CDO has been configured using the Service Account (i.e., CDO runs using the impersonated identity of the Service Account), the Service Account has to be granted the correct permissions so it can access the mailbox of other users. Active Directory/Microsoft Exchange provides 2 ways of doing access delegation:

    1. Individual Delegation

    The idea is to give the Service Account access to individual mailboxes. To do this, refer to this MSDN article.

    2. Give the Service Account access to ALL mailboxes by making it a member of the Exchange Domain Servers Group

    If you need the Service Account to have access to ALL mailboxes, doing it through individual delegation would certainly be tedious. The easier way would be to make the Service Account a member of the Exchange Domain Servers Group as discussed in this Microsoft KB article.

    The MSDN artilce provided two methods to create a Service Account. We suggest you follow the method 1 as it is simpler (i.e., simply make the Service Account a member of the Exchange Domain Servers Group using Active Directory). Make sure that the Service Account belongs ONLY to the Exchange Domain Servers group and not to any other admin group as this may cause a rights conflict. For instance, if the Service Account belongs to 2 groups - the first group has access to all mailboxes and the second group has limited access, the more restrictive access prevails and the Serivce Account will not have access to ALL mailboxes.

Note: Remember to re-start your Exchange Server after making changes to the Service Account to ensure that the changes have been effected.

After you have given the Service Account the correct permissions, you can now use it to access other users' mailboxes. The only thing you need to change in your Java code is the mailbox parameter in the Session.logon() call. The mailbox parameter would now be the name of that other mailbox you wish to access. All the rest of the code remains the same.