Customer Scenario
Two forests:
- Contoso.
- Fabrikam.
Both organizations host user accounts and Exchange mailboxes.
Goal: user Acc1 from Contoso needs full access to mailbox Migr1 in Fabrikam. A two-way trust is in place; the user object will eventually move to Contoso, but the mailbox stays in Fabrikam.
Two Options for Access
Option 1: Assign Full Access and Send As
In Fabrikam Exchange Management Shell:
# Grant Full Access on the mailbox (the trusted Contoso account is named as Domain\SamAccountName)
Add-MailboxPermission -Identity Migr1 -User "Contoso\Acc1" -AccessRights FullAccess -InheritanceType All
# Grant Send As on the mailbox's AD object
Add-ADPermission -Identity Migr1 -User "Contoso\Acc1" -ExtendedRights "Send As"
- The user signs in with their own Contoso credentials.
- The original Fabrikam account stays enabled (disable it manually if needed).
Option 2: Convert to Linked Mailbox
Use Set-User to link the mailbox to the Contoso account:
Set-User -Identity migr1@Fabrikam.com `
-LinkedDomainController DC.contoso.com `
-LinkedCredential (Get-Credential contoso\administrator) `
-LinkedMasterAccount acc1@contoso.com
- A linked mailbox automatically disables its original Fabrikam AD account.
- Recommended for full feature support (free/busy and other cross-forest scenarios).
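As an added example that is not part of the original post, here is the Option 2 conversion wrapped with a verification step. It assumes the Fabrikam Exchange Management Shell and the names used above (migr1@Fabrikam.com, DC.contoso.com, acc1@contoso.com); the checks on RecipientTypeDetails and UserAccountControl are my own additions, not something the post specifies.

```powershell
# Added example (not from the original post): convert Migr1 to a linked mailbox
# and confirm the result. Names are taken from the post; the verification is an
# assumption about what a correctly linked mailbox reports.
$mailbox  = 'migr1@Fabrikam.com'
$linkedDc = 'DC.contoso.com'
$master   = 'acc1@contoso.com'

# Contoso credential used to contact the linked domain controller.
# Prompting keeps the password out of the script and the shell history.
$cred = Get-Credential 'contoso\administrator'

Set-User -Identity $mailbox `
    -LinkedDomainController $linkedDc `
    -LinkedCredential $cred `
    -LinkedMasterAccount $master

# Verify: the mailbox should now be a LinkedMailbox pointing at the Contoso account.
$mbx = Get-Mailbox -Identity $mailbox |
    Select-Object Name, RecipientTypeDetails, LinkedMasterAccount
$mbx | Format-List

if ($mbx.RecipientTypeDetails -ne 'LinkedMailbox') {
    Write-Warning "$mailbox is still $($mbx.RecipientTypeDetails); the conversion did not take effect."
}

# The post notes that linking disables the original Fabrikam AD account;
# UserAccountControl should now include AccountDisabled.
Get-User -Identity $mailbox | Select-Object Name, UserAccountControl
```

The credential is only needed while Set-User looks up the master account on the Contoso domain controller; it is not stored with the mailbox.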
Issue Encountered
Running Add-MailboxPermission in the real environment returned:
Unable to cast object of type 'Microsoft.Exchange.Data.Directory.Recipient.ADContact'
to type 'Microsoft.Exchange.Data.Directory.Recipient.IADSecurityPrincipal'.
Root cause: the Contoso user had a corresponding contact object in Fabrikam (created by MIM), so Exchange resolved Contoso\Acc1 to that contact instead of to a security principal. Removing the contact resolved the issue.
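As an added example, not from the original post, the following script checks for the shadow contact described above before attempting the Option 1 assignment, and then verifies that both grants landed on a security principal rather than on a contact. It assumes the Fabrikam Exchange Management Shell and the names from the post (Contoso\Acc1, Migr1); the SMTP address acc1@contoso.com and the way the name is resolved are assumptions.

```powershell
# Added example (not from the original post). Run in the Fabrikam Exchange
# Management Shell. Contoso\Acc1 and Migr1 come from the post; acc1@contoso.com
# and the resolution check are assumptions.
$trustedUser = 'Contoso\Acc1'
$trustedSmtp = 'acc1@contoso.com'
$mailbox     = 'Migr1'

function Find-ConflictingContact {
    param([string]$User, [string]$Smtp)
    # Exchange must map the Contoso name onto a security principal through the
    # trust. If the name instead resolves to a contact that already exists in
    # this forest, Add-MailboxPermission fails with the ADContact ->
    # IADSecurityPrincipal cast error the post describes.
    $hits = @()
    $byName = Get-Recipient -Identity $User -ErrorAction SilentlyContinue
    if ($byName -and $byName.RecipientType -like '*Contact*') { $hits += $byName }

    # A MIM-created contact normally carries the user's Contoso SMTP address as
    # its external address, so search on that as well (client-side filter;
    # slow in a large directory but unambiguous).
    $byAddress = Get-MailContact -ResultSize Unlimited |
        Where-Object { $_.ExternalEmailAddress.ToString() -ieq "SMTP:$Smtp" }
    if ($byAddress) { $hits += $byAddress }

    return $hits | Sort-Object DistinguishedName -Unique
}

$conflicts = Find-ConflictingContact -User $trustedUser -Smtp $trustedSmtp
if ($conflicts) {
    Write-Warning "Contact object(s) in Fabrikam shadow $trustedUser; permission assignment will fail:"
    $conflicts | Select-Object Name, RecipientType, DistinguishedName | Format-Table -AutoSize
    Write-Warning 'Remove the contact (the fix from the post) before re-running; stopping here.'
    return
}

# No conflict: assign the rights exactly as in Option 1.
Add-MailboxPermission -Identity $mailbox -User $trustedUser -AccessRights FullAccess -InheritanceType All
Add-ADPermission      -Identity $mailbox -User $trustedUser -ExtendedRights 'Send As'

# Verify both grants: the User column should show the Contoso principal.
Get-MailboxPermission -Identity $mailbox -User $trustedUser |
    Select-Object User, AccessRights, IsInherited, Deny
Get-ADPermission -Identity $mailbox -User $trustedUser |
    Where-Object { $_.ExtendedRights -like '*Send-As*' } |
    Select-Object User, ExtendedRights, IsInherited, Deny
```

The script deliberately stops rather than deleting the contact itself: the contact was created by a sync process, so removing it is a decision to coordinate with whoever owns that MIM configuration, not something to automate inside a permission script.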
Key Takeaways
- For temporary scenarios, Full Access works fine.
- For production and hybrid features, Linked Mailbox is the better long-term approach.
- Beware of conflicting contacts in the target forest: they can break permission assignment.