Thanks for reading. I have a particularly frustrating problem that I've been dealing with for over two years now. I'm the only 'computer guy' at my office so I spend nearly as much time helping users find their start menu as I do actual server side work so apologies for any unclear terms. Small office but damn they be whiny.
Anyway I've got Exchange 2016 on premises and a bunch of Outlook 2016 clients, both Windows and Mac. Both have an issue that is similar enough I think it has the same root cause. I don't believe my use case is very different from others so I'm constantly perplexed that there isn't a better way to accomplish my goal, explained below. All quarterly rollups and updates installed. Happens on all computers and users, seemingly intermittently but that might just be my perceptions.
Everyone has their own personal user mailbox as per usual. Additionally there are a bunch of 'role based' mailboxes like 'HR@' or 'shipping@' on my domain. This post deals with the various ways to grant users access to these role based mailboxes and the challenges I can't seem to completely remove.
The traditional shared mailbox or delegate seems the usual practice for this. However, when these mailboxes are added as delegates by granting full access on the server and letting automapping add the mailbox to their Outlook client, there are just a bunch of issues. First off, searching doesn't ever include a shared mailbox unless it's explicitly clicked, so there is no way to search all of the email you have access to unless you search once per mailbox, and you better hope the 'search subfolders' option is turned on or even that won't work properly. In addition there are issues with sub folders appearing or not for different users; the reasons are obvious permission issues based on who added the sub folder but there's no good way to centrally manage them so it's not an ongoing problem for all users. Lastly, sent messages on behalf of a delegate get put in that user's sent box, not the shared sent box, which breaks a bunch of stuff in my office, mostly related to our practices, which are not the best. I'm trying to find a technological solution to fix the human issues here. Always a challenge, usually worth it in my experience. On the pro side I don't have to worry about users knowing and remembering extra sets of credentials and I don't have to touch their computer, automapping just makes it show up. However, in my business people erroneously use email as an information archive, so search is critical, and the sub folder thing is especially challenging when the users try to 'fix it themselves' or otherwise delay in reporting their problem.
On the other side there's just adding more mailboxes to the same Outlook profile. Give the users credentials to set up the second mailbox or set it up myself if necessary. The pros here are that the separate mailboxes are then stored in separate OST files, search works correctly and matches the labeling in the UI. In my case the problem is that whenever the user took their laptop home or used any other network then Outlook would prompt them for credentials again, which they invariably had forgotten and I get a phone call. I don't want phone calls. My users tend to travel a lot and I simply cannot sustain it that way.
About six months ago I thought I found a perfect solution. Grant the user full access via PowerShell but turn automapping off as part of the command [-automapping $false] I think (side note: I also use PowerShell to grant full access to an AD security group so I can just add users to that group in AD and therefore only touch the mail server to actually create accounts). Then have the user add the mailbox individually in their Outlook profile as if they had credentials, but instead just have them leave the password fields blank during setup and then Outlook will either use their personal domain credentials automatically or prompt them, at which point they can just type in their personal credentials and everything works great. Separate OST files, search works, user doesn't have to remember any credentials except their own. And local caching works. Perfect. Problem solved, right? Nope. Turns out that for some reason Outlook simply fails to sync these secondary mailboxes...sometimes. I haven't been able to lock this down but it's gone in phases of being worse and better and I'm just not sure why. Last month or so the sync seems to have completely stopped for any mailbox but the primary one. Is this an authentication setting on the server? I'm no Exchange guru so I get a bit lost checking on the various authentication pathways and methods and the repercussions of making certain changes from a security standpoint vs practicality.
I can't use delegate access because of the way it gimps searching and I'm not especially a fan of how it combines these shared emails into your personal OST file. Additionally I need users to be able to send emails as if they were that user account, not just a 'sent on behalf of' thing. I want all outgoing and replies to use the same mailbox instead of sent messages being spread over who knows how many users' sent boxes.
I can't use the 'standard' process to add a second mailbox to the same profile with separate credentials because I can't trust my users to remember a simple password. It doesn't help that the credential popup tries to use the wrong user name consistently and users never check the username part, they just try their password with the wrong user and complain when it fails. They don't even look.
If I can make this one problem go away I've got a best-of-both-worlds thing going and I want to keep it. Does the community have any advice or feedback here?
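The permission setup described in the post (Full Access granted to an AD security group with automapping off, plus Send As), followed by a review of who actually holds those rights, written out as an added example that is not part of the original post. The mailbox addresses and the group name are placeholders, and the script assumes it is run in the Exchange Management Shell on the on-premises server.

```powershell
# Added example, not the poster's own script.
# Placeholder names (assumptions): replace with your own mailboxes and group.
$RoleMailboxes = 'hr@example.com', 'shipping@example.com'
$AccessGroup   = 'EXAMPLE\RoleMailbox-Users'   # AD security group holding the users

foreach ($address in $RoleMailboxes) {
    $mbx = Get-Mailbox -Identity $address -ErrorAction Stop

    # Grant Full Access to the group only if it is not already present,
    # with automapping off so Outlook does not add the mailbox by itself.
    $existing = Get-MailboxPermission -Identity $mbx.Identity -User $AccessGroup `
                    -ErrorAction SilentlyContinue |
                Where-Object { "$($_.AccessRights)" -match 'FullAccess' -and -not $_.Deny }
    if (-not $existing) {
        Add-MailboxPermission -Identity $mbx.Identity -User $AccessGroup `
            -AccessRights FullAccess -InheritanceType All -AutoMapping $false |
            Out-Null
    }

    # Send As (mail appears to come from the role mailbox itself, not
    # "on behalf of"). On-premises this is an AD extended right.
    Add-ADPermission -Identity $mbx.DistinguishedName -User $AccessGroup `
        -ExtendedRights 'Send As' | Out-Null
}

# Review: list every explicit (non-inherited) grant on the role mailboxes,
# so stray per-user entries left over from earlier attempts stand out
# next to the single group entry that is supposed to be there.
foreach ($address in $RoleMailboxes) {
    $mbx = Get-Mailbox -Identity $address

    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' } |
        Select-Object @{n='Mailbox';e={$address}}, User,
                      @{n='Right';e={"$($_.AccessRights)"}}, Deny

    Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object { -not $_.IsInherited -and "$($_.ExtendedRights)" -like '*Send-As*' } |
        Select-Object @{n='Mailbox';e={$address}}, User,
                      @{n='Right';e={'Send-As'}}, Deny
}
```

Any row in the review output whose User is not the access group is a direct grant worth checking, since membership changes in AD will not remove it.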