Manage full access permissions on mailboxes in Exchange 2010

This is the updated version with a few additions and corrections based on both comments and new features added by Microsoft since my first post.

Grant permissions on a single mailbox

Use the following command to grant access to just one mailbox:

Add-MailboxPermission -Identity "" -User <UserorGroupIdentity> -AccessRights Fullaccess -InheritanceType all

Note: the User parameter can in fact be either users or groups, the parameter name “User” is a bit misleading!

Example:

Add-MailboxPermission -Identity "Test" -User Administrator -AccessRights Fullaccess -InheritanceType all

FullAccess1

Or If I want to add the security Group Group2:

Add-MailboxPermission -Identity "Test" -User Group2 -AccessRights Fullaccess -InheritanceType all

fullaccess01

Grant permissions on all mailboxes

Use the following command to grant access to all mailboxes:

Get-Mailbox | Add-MailboxPermission -User <UserorGroupIdentity> -AccessRights Fullaccess -InheritanceType all

Example:

Get-Mailbox | Add-MailboxPermission -User Administrator -AccessRights Fullaccess -InheritanceType all

Note: In the screenshot below I received a message saying that Administrator already have access to the mailbox Test (Yellow text message).

FullAccess2

Grant permissions on mailboxes using Where

We might as well add a where to the command while we are at it. With this command we grant access to all mailboxes in a specific OU:

Get-Mailbox | Where { $_.OrganizationalUnit -eq “” } | Add-MailboxPermission -User <UserorGroupIdentity> -AccessRights Fullaccess -InheritanceType all

Example:

Get-Mailbox | Where { $_.OrganizationalUnit -eq “sundis.local/Test/Users” } | Add-MailboxPermission -User Administrator -AccessRights Fullaccess -InheritanceType all

FullAccess3

 

Remove permissions on a single mailbox

Quite simple, just change Add to Remove:

Remove-MailboxPermission -Identity "" -User <UserorGroupIdentity> -AccessRights Fullaccess -InheritanceType all

Example:

Remove-MailboxPermission -Identity "Test" -User Administrator -AccessRights Fullaccess -InheritanceType all

FullAccess4

Remove permissions on all mailboxes

Well you have probably figured this one out already, but I will show it to you anyway:

Get-Mailbox | Remove-MailboxPermission -User <UserorGroupIdentity> -AccessRights Fullaccess -InheritanceType all

Example:

Get-Mailbox | Remove-MailboxPermission -User Administrator -AccessRights Fullaccess -InheritanceType all

Note: As you can se below, using this command will remove the users full access to its own mailbox. That is not good, this command should be used with care…

FullAccess5

How to configure the rights assignment to apply on new mailboxes automatically

This can be done using one of three methods, you can add permissions using EMS or ADSIEdit.

Using EMS method 1 (recommended)

With this method we grant permissions on the databases container in the configuration Naming context using the following PowerShell command:

Add-AdPermission -Identity “CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<DomainName>,DC=<TopDomain>” -User <UserorGroupIdentity> -InheritedObjectType msExchPrivateMDB -AccessRights ExtendedRight -ExtendedRights Receive-As,Send-As -inheritanceType Descendents

If we brake this up a bit we can se that the Identity is in fact the Distinguished Name of the Databases container:

“CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<DomainName>,DC=<TopDomain>”

The InheritedObjectType parameter specifies what kind of object inherits this access control entry, in this case it is only Exchange Mailbox Databases:

-InheritedObjectType msExchPrivateMDB

Then we grant Receive-As permissions. Granting Receive As and  Send As permission to a mailbox database, the user can log on to all mailboxes within that database, and send mail from those mailboxes:

-AccessRights ExtendedRight -ExtendedRights Receive-As,Send-As

And finally we set the inheritance type to Descendents:

-inheritanceType Descendents

Example:

Add-AdPermission -Identity “CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=sundis,DC=local” -User test8 -InheritedObjectType msExchPrivateMDB -AccessRights ExtendedRight -ExtendedRights Receive-As,Send-As
 -inheritanceType Descendents

fullaccess10

Reference: http://theessentialexchange.com/blogs/michael/archive/2009/09/29/exchange-server-2010-administrative-access-to-all-mailboxes.aspx

Using EMS method 2

With method two we use a pipe to set the permission on each mailbox database with the following command:

Get-Mailboxdatabase | Add-ADPermission -User <UserorGroupIdentity> -AccessRights ExtendedRight -ExtendedRights Receive-As,Send-As

Example:

Get-Mailboxdatabase | Add-ADPermission -User test3 -AccessRights ExtendedRight -ExtendedRights Receive-As,Send-As

fullaccess03

Granting Receive As and Send As permission to a mailbox database, the user can log on to all mailboxes within that database, and send mail from those mailboxes.

Using ADSIEdit

There are also the ADSIEdit way of addressing the problem. I will give you a description on what you need to do but I STRONGLY recommend you to have a look at Michaels post instead. That said, here you go…

Open ADSIEdit, Right click ADSIEdit and choose Connect to.

fullaccess02

Select the Configuration Naming Context and click Ok
fullaccess04

Navigate to Configuration/Services/Microsoft Exchange/<OrganisationName>/Administrative Groups/Exchange Administrative Group (FYDIBOHF23SPDLT).

fullaccess05

Right Click the Databases folder and choose Properties.

fullaccess06

Click on the Security tab and click Add.

fullaccess07

Enter the users or groups that you want to add and then click Ok.

fullaccess08

Make sure that the added users or groups is selected, check the Allow box for Full control for each user or group, then click Ok to close the window and now we are finished with ADSIEdit.

fullaccess09

This adds permissions to all databases. If you want to edit the permissions for a specific database you can open the Databases folder and open Properties for the database you want to configure.

A final note: Full Access or Receive As permissions are granted next time the Microsoft Exchange Information Store service caches the permissions and updates the cache. To grant the permissions immediately, stop and then restart the Microsoft Exchange Information Store service.

Thanks for reading, I hope that you found it useful and please let me know if you have any questions!

Advertisements