Manage full access permissions on mailboxes in Exchange 2010

This is the updated version with a few additions and corrections based on both comments and new features added by Microsoft since my first post.

Grant permissions on a single mailbox

Use the following command to grant access to just one mailbox:

Add-MailboxPermission -Identity "" -User <UserorGroupIdentity> -AccessRights Fullaccess -InheritanceType all

Note: the User parameter can in fact be either users or groups, the parameter name “User” is a bit misleading!

Example:

Add-MailboxPermission -Identity "Test" -User Administrator -AccessRights Fullaccess -InheritanceType all

FullAccess1

Or If I want to add the security Group Group2:

Add-MailboxPermission -Identity "Test" -User Group2 -AccessRights Fullaccess -InheritanceType all

fullaccess01

Grant permissions on all mailboxes

Use the following command to grant access to all mailboxes:

Get-Mailbox | Add-MailboxPermission -User <UserorGroupIdentity> -AccessRights Fullaccess -InheritanceType all

Example:

Get-Mailbox | Add-MailboxPermission -User Administrator -AccessRights Fullaccess -InheritanceType all

Note: In the screenshot below I received a message saying that Administrator already have access to the mailbox Test (Yellow text message).

FullAccess2

Grant permissions on mailboxes using Where

We might as well add a where to the command while we are at it. With this command we grant access to all mailboxes in a specific OU:

Get-Mailbox | Where { $_.OrganizationalUnit -eq “” } | Add-MailboxPermission -User <UserorGroupIdentity> -AccessRights Fullaccess -InheritanceType all

Example:

Get-Mailbox | Where { $_.OrganizationalUnit -eq “sundis.local/Test/Users” } | Add-MailboxPermission -User Administrator -AccessRights Fullaccess -InheritanceType all

FullAccess3

 

Remove permissions on a single mailbox

Quite simple, just change Add to Remove:

Remove-MailboxPermission -Identity "" -User <UserorGroupIdentity> -AccessRights Fullaccess -InheritanceType all

Example:

Remove-MailboxPermission -Identity "Test" -User Administrator -AccessRights Fullaccess -InheritanceType all

FullAccess4

Remove permissions on all mailboxes

Well you have probably figured this one out already, but I will show it to you anyway:

Get-Mailbox | Remove-MailboxPermission -User <UserorGroupIdentity> -AccessRights Fullaccess -InheritanceType all

Example:

Get-Mailbox | Remove-MailboxPermission -User Administrator -AccessRights Fullaccess -InheritanceType all

Note: As you can se below, using this command will remove the users full access to its own mailbox. That is not good, this command should be used with care…

FullAccess5

How to configure the rights assignment to apply on new mailboxes automatically

This can be done using one of three methods, you can add permissions using EMS or ADSIEdit.

Using EMS method 1 (recommended)

With this method we grant permissions on the databases container in the configuration Naming context using the following PowerShell command:

Add-AdPermission -Identity “CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<DomainName>,DC=<TopDomain>” -User <UserorGroupIdentity> -InheritedObjectType msExchPrivateMDB -AccessRights ExtendedRight -ExtendedRights Receive-As,Send-As -inheritanceType Descendents

If we brake this up a bit we can se that the Identity is in fact the Distinguished Name of the Databases container:

“CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<DomainName>,DC=<TopDomain>”

The InheritedObjectType parameter specifies what kind of object inherits this access control entry, in this case it is only Exchange Mailbox Databases:

-InheritedObjectType msExchPrivateMDB

Then we grant Receive-As permissions. Granting Receive As and  Send As permission to a mailbox database, the user can log on to all mailboxes within that database, and send mail from those mailboxes:

-AccessRights ExtendedRight -ExtendedRights Receive-As,Send-As

And finally we set the inheritance type to Descendents:

-inheritanceType Descendents

Example:

Add-AdPermission -Identity “CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=sundis,DC=local” -User test8 -InheritedObjectType msExchPrivateMDB -AccessRights ExtendedRight -ExtendedRights Receive-As,Send-As
 -inheritanceType Descendents

fullaccess10

Reference: http://theessentialexchange.com/blogs/michael/archive/2009/09/29/exchange-server-2010-administrative-access-to-all-mailboxes.aspx

Using EMS method 2

With method two we use a pipe to set the permission on each mailbox database with the following command:

Get-Mailboxdatabase | Add-ADPermission -User <UserorGroupIdentity> -AccessRights ExtendedRight -ExtendedRights Receive-As,Send-As

Example:

Get-Mailboxdatabase | Add-ADPermission -User test3 -AccessRights ExtendedRight -ExtendedRights Receive-As,Send-As

fullaccess03

Granting Receive As and Send As permission to a mailbox database, the user can log on to all mailboxes within that database, and send mail from those mailboxes.

Using ADSIEdit

There are also the ADSIEdit way of addressing the problem. I will give you a description on what you need to do but I STRONGLY recommend you to have a look at Michaels post instead. That said, here you go…

Open ADSIEdit, Right click ADSIEdit and choose Connect to.

fullaccess02

Select the Configuration Naming Context and click Ok
fullaccess04

Navigate to Configuration/Services/Microsoft Exchange/<OrganisationName>/Administrative Groups/Exchange Administrative Group (FYDIBOHF23SPDLT).

fullaccess05

Right Click the Databases folder and choose Properties.

fullaccess06

Click on the Security tab and click Add.

fullaccess07

Enter the users or groups that you want to add and then click Ok.

fullaccess08

Make sure that the added users or groups is selected, check the Allow box for Full control for each user or group, then click Ok to close the window and now we are finished with ADSIEdit.

fullaccess09

This adds permissions to all databases. If you want to edit the permissions for a specific database you can open the Databases folder and open Properties for the database you want to configure.

A final note: Full Access or Receive As permissions are granted next time the Microsoft Exchange Information Store service caches the permissions and updates the cache. To grant the permissions immediately, stop and then restart the Microsoft Exchange Information Store service.

Thanks for reading, I hope that you found it useful and please let me know if you have any questions!

Advertisements

49 Responses to Manage full access permissions on mailboxes in Exchange 2010

  1. rajat says:

    Hi,
    I am looking for a way to have Domain Admins have full access send as and recive as permissions on all teh mailboxes on the First mailbox data store.
    Please assist.

  2. msundis says:

    Hi Rajat,

    You would have to use a command similar to this one:
    Get-Mailbox | Where { $_.Database –eq “” } | Add-MailboxPermission -User “Domain Admins” -AccessRights Fullaccess -InheritanceType all

    And then this one for send as:
    Get-Mailbox | Where { $_.Database –eq “” } | Add-AdPermission -User “Domain Admins” -AccessRights extendedright -ExtendedRights “send as

    If you run this as a scheduled task every night all mailboxes will have the correct permissions the day after they are created.

    Thanks for reading!

  3. Pingback: I have a “WIRELESS NETWORK” I can see COMPUTER B but can not see any files.? | High Speed Routers

  4. Gero says:

    hi,
    i have a problem regarding fullaccess permissions. why is that i need to add ‘everyone’ to fully access the mailbox of a user.
    and then when i remove ‘everyone’ the user is also permitted. NT AUTHORITY\SELF is present

    Any suggestions please

    • msundis says:

      I’m not sure that I completely understand the question. Adding everyone with Full Access to a users mailbox is absolutely something that you should never do. The user must have access to their own mailbox, therefore the self users must be present.

      Info from http://technet.microsoft.com/en-us/library/bb676551.aspx:

      “By default, every mailbox has the security principal NT AUTHORITY\SELF listed. This security principal represents the mailbox owner. If you revoke the Full Access permission from this security principal, the mailbox owner is no longer able to log on to the mailbox.”

  5. Gero says:

    Hi msundis:
    Actually that’s my problem i have to add the “everyone” to full access. i think NT AUTHORITY\SELF is not working for me? any idea with this.
    i had just migrated from exchange 2003 to exchange 2010. i’m thinking, do i need to install sp1 for the exchange for this problem???

    • msundis says:

      Hi Gero,

      Ok, Now I understand what you mean. Make sure that “Include inheritable permissions” is activated on the affected mailboxes. Follow these steps:

      1. Open up “Active Directory Users And Computers”.
      2. Enable “Advanced Features” by clicking “View” and then “Advanced Features”.
      3. Locate the affected user and open “Properties”.
      4. Navigate to the “Security” tab and click on “Advanced”.
      5. Make sure that the “Include inheritable permissions from this object’s parent” is checked.
      6. Click “Ok” twice and close “Active Directory Users And Computers”.

      See if this helps you, good luck!

  6. Rateb Abu Hawieleh says:

    WONDERFUL

  7. Gero says:

    Hi msundis,

    I already did that but it’s the same .I’m just wondering when i create a new mailbox(exchange 2010). the automatic full access default are:

    Everyone
    mydomain\Exchange Domain Servers
    mydomain\Exchange Servers
    mydomain\Exchange Trusted Subsystem
    NT AUTHORITY\SELF

    Any suggestion?

    • msundis says:

      Did you apply SP1 for Exchange Server 2010? If so, did that solve your problem?

  8. DF says:

    Thanks for the post, but I am having a small problem. I used the command structure you laid out not long after implementing my Exchange 2010 environment. Everything was great, I could open a user mailbox either via OWA or Outlook, however recently that ability has become somewhat skewed.

    I can open mailbox some mailboxes in both OWA and Outlook, but it seems new mailboxes I can only open in OWA. I have granted FullAccess permission to a group I created called Exchange-Admins, my account is in this Universal Security group, but when I try to open a mailbox it just keeps prompting me for credentials. It isn’t until I go to the individual mailbox and add permission for my account under Manage Full Access Permission that I am able to enter the mailbox. I believe this is a result of Service Pack 1, but I can’t be certain. Any thoughts?

    Thanks!

    • msundis says:

      Hi DF and thanks for reading,

      You will hae to run the command on a regular basis to make sure all new mailboxes have the correct permissions. When you run the command it will only affect current mailboxes and not new ones. If you want to automate this you can add a script with that command that runs as a scheduled task every night, or more often if you want.

      And sorry for the late answer!

  9. Srdjan says:

    is there any way of giving the full access permissions to a (security) group instead of a single user?

    • msundis says:

      Hi Srdjan,

      The answer to your question is no I’m afraid. The parameter “User” refers to a user mailbox and there is no parameter for groups. Thanks for reading!

      • Randy says:

        That is not true, you can use a group, I have done it.

      • msundis says:

        Absolutely corret Randy, post updated!

      • Andrew Barker says:

        I cannot get a security to be able to open a User or Room mailbox. It shows in the Full Access permissions list but does not actually let me open the mailbox. I don’t know what I did wrong. Can anyone help me? I know this is an older post.

      • Andrew Barker says:

        Sorry I cannot edit my post: I mean I have added a security group to the full access permissions list but no user in that group can open the User or Room mailbox.

  10. Greg says:

    I receive the following error message when I use the command that you suggest from within Powershell:

    The term ‘Get-mailbox’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the
    spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:1 char:12
    + Get-mailbox <<<< | Add-MailboxPermission -user getheridge -accessright Fullaccess
    + CategoryInfo : ObjectNotFound: (Get-mailbox:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    Does this make any sense?

    • msundis says:

      Hi Greg,

      This looks a bit strange, the get-mailbox command is a very basic command and should run ok. Have you tried opening EMS and running a plain get-mailbox without any other parameters?

      Thanks for reading!

  11. Mark L says:

    svcMailboxAccess = an account / mailbox, I use to have access to everyone’s mailbox. Worked for me with Exchange 2003. Trying to get same functions now that all mailboxes are on Exchange 2010.

    The following command seems to work for existin, looking to put something into place for new mailboxes as well.
    Get-Mailbox | Add-MailboxPermission -User -AccessRights Fullaccess

    Is there a way to get the permissions in place so that any new mailboxes created would be able to be be opened with the svcMailboxAccess account ?

    • msundis says:

      Hi Mark and thanks for reading!

      No there is no way to get the permissions in place automatically for all new mailboxes. You have to run the command again I’m afraid. The only tip I can give you is to create a script for the command and then run this as a scheduled task every night, or more othen if you like. Then you would only have to wait one day before the permissions are applied.

      • Drdrn says:

        yes there is , you can give permissions on the stoe through adsi edit and it will affect new mailboxes as well .

      • seanv says:

        Drdrn is correct. If you apply the permissions at a higher level in the configuration partition, they will be inherited onto the mailboxes. Adsiedit is one option, but you can even add the required permissions using the Exchange Management Shell. Micheal wrote a good blog posting on this: http://theessentialexchange.com/blogs/michael/archive/2009/09/29/exchange-server-2010-administrative-access-to-all-mailboxes.aspx

      • msundis says:

        Great information, thanks both Drdrn and Seanv for sharing!!

      • Thomas D says:

        I followed the instructions in the link seanv posted. I did it exactly the way it said to do it and now by default the default accounts don’t have access and the new one I asked to specify doesn’t work either. In addition, all existing users don’t have the user on their accounts.

        Up to this point, there were several accounts including “Exchange Servers” and special accounts like NT AUTHORITY\SYSTEM had full rights. After running the command in the blog post by michael and now when I create a new user only NT AUTHORITY\SELF gets rights and nobody else.

        My whole system is hosed.

  12. Tech Blog says:

    Hi,

    Is there a way that a User is member of Recipient Management Group and I need to restrict that user to get access on others Users mailbox using “Manage Full Access Permission”

    waiting for reply

    Thanks
    Usman Ghani

  13. Craig says:

    Hi Greg

    Did you find a fix for the error below, I’m using Live@edu and the Get-Mailbox error?

    The term ‘Get-mailbox’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the
    spelling of the name, or if a path was included, verify that the path is correct and try again.

  14. IT Tech says:

    I’m looking for a command to find Full Access permissions for all room and equipment mailboxes.
    I have a list of all the mailboxes and I can make a CSV out of it to import it.
    I would appreciate of someone can help me in the batch operations.
    I often get stuck when I receive a request for finding all owners for Resource mailboxes or finding all shared mailbox with their owners.
    Please help

  15. Wim says:

    One things I find confusing…
    In the reply section someone asks for the command to grant full access to new mailboxes : You answer that it should be scripted to run every night/week. However…you describe in the above how to set full access for new mailboxes by default….. : Is the scheduling part still nescessary?

    For the rest….good piece!

    • Martin Sundström says:

      Hi and thanks for reading!

      It depends on the moethod you use, if you just use powershell to grant full access permissions on all mailboxes directly it must be ran for each new mailbox. Then you can use a scheduled task to run the command. But if you use any of the methods described under how to set it automatically you do NOT have to schedule it. There is also the Scripting Agent way of doing it for each new mailbox but I haven’t included that in the post. But now I just might add it :)

      I hope this clears things up a bit, let me know if you got any further questions!

  16. David Cook says:

    Hi There,

    Thanks for this info but I have a slightly different question. I have a users mailbox which I was checking for full permissions, and identified that another user had full access to this mailbox. I removed those permissions, but I am wondering if it is possible to report on when/by whom the rights were set in the first place?

    Thanks for any ideas

  17. Cody says:

    For some reason with Exchange 2010, only NT AUTHORITY\SELF shows up under Full Access Permissions regardless of what I do. This includes forcing permissions on the databases using ADSIEdit. I’ve restarted the information store service. This was and still works fine on the Exchange 2007 mailbox server we have running in co-existence. If I move a mailbox to the new databases all of the permissions for full carry over, but new users only have NT AUTHORITY\SELF.

  18. Cody says:

    Okay, it turns out all new mailbox’s created in any database on either the older 2007 MB server or the new 2010 MB servers only show NT AUTHORITY\SELF as having full permission access. This does not match what I am seeing in ADSIEdit at all. There’s a large list of groups and members in ADSIEdit for the databases, some of which have full control checked and aren’t showing up in the GUI of exchange. Furthermore, I’m an enterprise admin and have myself in the exchange org management groups and can’t access newly created mailboxes with my admin account. I hope this gets better, because I’m not impressed with 2010 at all. 2007 was a lot easier to manage.

  19. jack robinson says:

    Exchange 2010 CLI sucks. M$ forcing people to learn pathetic commands so they can sell more pathetic training. There was absolutely nothing wrong with the ACL tab on the properties.

  20. Chris says:

    Has anyone including the author tested “EMS Method 1”. The command completed successfully in my environment but the members of the Universal group that was given access to all mailbox databases are not able to open other users mailboxes.

  21. Pingback: pligg.com

  22. Pingback: Confluence: Raab IT - KnowHow

  23. Andrew Barker says:

    Just wanted to spread the answer. You need to allow the “Read Members” permission for the security group.

    To find the “Read Members” permission

    If you just want this for one security group open that Security group, if you want it to inherit for all objects go to Microsoft Exchange Security Groups and open Exchange Servers.

    Click the Security Tab | Click Advanced | Sort by Name and find Exchange Servers

    The first Exchange Servers in the list only applies to Descendant User objects DO NOT Click this one. Click the next one that says Read Exchange Personal Information and click edit. Scroll down and you will see “Read Members” check Allow and it should work.

    DISCLAIMER: I do not have a test lab, so I only did this for the one group I needed to work. In theory this should work for you, but test it out first. This alone does not make it auto populate in Outlook I still had to open them through the Email settings | Advanced Tab for each user.

  24. Pingback: SBS 2011 to 2012R2 Standard with Essentials Service and 365 | The-IT-Blog

  25. Pingback: Confluence: Operations Centre

  26. Pingback: Confluence: Operations Centre

  27. James Watkins says:

    I have user that has been give access a the CN=Microsoft Exchange level of ADSI. I need to remove the user without messing up he mailbox. Any thoughts ?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: