Manage full access permissions on mailboxes in Exchange 2010
2011-06-21 51 Comments
This is the updated version with a few additions and corrections based on both comments and new features added by Microsoft since my first post.
Grant permissions on a single mailbox
Use the following command to grant access to just one mailbox:
Add-MailboxPermission -Identity "<MailboxIdentity>" -User <UserorGroupIdentity> -AccessRights FullAccess -InheritanceType All
Note: the User parameter accepts either a user or a group; the parameter name "User" is a bit misleading!
Example:
Add-MailboxPermission -Identity "Test" -User Administrator -AccessRights Fullaccess -InheritanceType all
Or, if I want to add the security group Group2:
Add-MailboxPermission -Identity "Test" -User Group2 -AccessRights Fullaccess -InheritanceType all
Grant permissions on all mailboxes
Use the following command to grant access to all mailboxes:
Get-Mailbox | Add-MailboxPermission -User <UserorGroupIdentity> -AccessRights Fullaccess -InheritanceType all
Example:
Get-Mailbox | Add-MailboxPermission -User Administrator -AccessRights Fullaccess -InheritanceType all
Note: In the screenshot below I received a message saying that Administrator already has access to the mailbox Test (the yellow text).
Grant permissions on mailboxes using Where
We might as well add a Where clause to the command while we are at it. With this command we grant access to all mailboxes in a specific OU:
Get-Mailbox | Where { $_.OrganizationalUnit -eq "<OUPath>" } | Add-MailboxPermission -User <UserorGroupIdentity> -AccessRights FullAccess -InheritanceType All
Example:
Get-Mailbox | Where { $_.OrganizationalUnit -eq "sundis.local/Test/Users" } | Add-MailboxPermission -User Administrator -AccessRights FullAccess -InheritanceType All
Remove permissions on a single mailbox
Quite simple, just change Add to Remove:
Remove-MailboxPermission -Identity "<MailboxIdentity>" -User <UserorGroupIdentity> -AccessRights FullAccess -InheritanceType All
Example:
Remove-MailboxPermission -Identity "Test" -User Administrator -AccessRights Fullaccess -InheritanceType all
Remove permissions on all mailboxes
Well, you have probably figured this one out already, but I will show it to you anyway:
Get-Mailbox | Remove-MailboxPermission -User <UserorGroupIdentity> -AccessRights Fullaccess -InheritanceType all
Example:
Get-Mailbox | Remove-MailboxPermission -User Administrator -AccessRights Fullaccess -InheritanceType all
Note: As you can see below, this command also removes the user's Full Access to their own mailbox. That is not good; this command should be used with care.
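The pitfall noted above is easy to avoid by skipping the delegate's own mailbox and only touching explicit entries. The following script is an added example, not code from the original post; it assumes the delegate is named Administrator and is run from the Exchange Management Shell. Run it with -WhatIf first to preview the removals.

```powershell
# Added example (not from the original post): remove one delegate's Full Access
# from every mailbox except the delegate's own mailbox, and only where an explicit
# (non-inherited) Allow entry exists. "Administrator" is an assumed delegate name.
param(
    [string]$Delegate = "Administrator",
    [switch]$WhatIf
)

# Resolve the delegate's own mailbox, if it has one, so it can be skipped.
$ownMailbox = Get-Mailbox -Identity $Delegate -ErrorAction SilentlyContinue

foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
    if ($ownMailbox -and $mbx.DistinguishedName -eq $ownMailbox.DistinguishedName) {
        Write-Host "Skipping $($mbx.Alias): this is $($Delegate)'s own mailbox"
        continue
    }

    # Act only where the delegate holds an explicit FullAccess Allow entry.
    $ace = Get-MailboxPermission -Identity $mbx.Identity -User $Delegate -ErrorAction SilentlyContinue |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and ($_.AccessRights -join ',') -match 'FullAccess' }

    if ($ace) {
        Remove-MailboxPermission -Identity $mbx.Identity -User $Delegate -AccessRights FullAccess `
            -InheritanceType All -Confirm:$false -WhatIf:$WhatIf
        Write-Host "Removed FullAccess for $Delegate on $($mbx.Alias)"
    }
}
```

Inherited entries are left alone on purpose: those come from Receive-As rights set at the database level (see the automatic-assignment methods further down) and have to be removed there, not mailbox by mailbox.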
How to configure the rights assignment to apply on new mailboxes automatically
This can be done using one of three methods: two using EMS and one using ADSIEdit.
Using EMS method 1 (recommended)
With this method we grant permissions on the Databases container in the Configuration naming context using the following PowerShell command:
Add-ADPermission -Identity "CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<DomainName>,DC=<TopDomain>" -User <UserorGroupIdentity> -InheritedObjectType msExchPrivateMDB -AccessRights ExtendedRight -ExtendedRights Receive-As,Send-As -InheritanceType Descendents
If we break this up a bit we can see that the Identity is in fact the distinguished name of the Databases container:
"CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<DomainName>,DC=<TopDomain>"
The InheritedObjectType parameter specifies what kind of object inherits this access control entry; in this case only Exchange mailbox databases:
-InheritedObjectType msExchPrivateMDB
Then we grant the Receive-As and Send-As extended rights. With Receive-As and Send-As on a mailbox database, the user can log on to all mailboxes within that database and send mail from those mailboxes:
-AccessRights ExtendedRight -ExtendedRights Receive-As,Send-As
And finally we set the inheritance type to Descendents:
-inheritanceType Descendents
Example:
Add-ADPermission -Identity "CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=sundis,DC=local" -User test8 -InheritedObjectType msExchPrivateMDB -AccessRights ExtendedRight -ExtendedRights Receive-As,Send-As -InheritanceType Descendents
Using EMS method 2
With method two we use a pipe to set the permission on each mailbox database with the following command:
Get-MailboxDatabase | Add-ADPermission -User <UserorGroupIdentity> -AccessRights ExtendedRight -ExtendedRights Receive-As,Send-As
Example:
Get-MailboxDatabase | Add-ADPermission -User test3 -AccessRights ExtendedRight -ExtendedRights Receive-As,Send-As
With Receive-As and Send-As granted on a mailbox database, the user can log on to all mailboxes within that database and send mail from those mailboxes.
Using ADSIEdit
There is also the ADSIEdit way of addressing the problem. I will describe what you need to do, but I STRONGLY recommend you have a look at Michael's post instead. That said, here you go…
Open ADSIEdit, Right click ADSIEdit and choose Connect to.
Select the Configuration Naming Context and click Ok.
Navigate to Configuration/Services/Microsoft Exchange/<OrganisationName>/Administrative Groups/Exchange Administrative Group (FYDIBOHF23SPDLT).
Right Click the Databases folder and choose Properties.
Click on the Security tab and click Add.
Enter the users or groups that you want to add and then click Ok.
Make sure that the added users or groups are selected, check the Allow box for Full control for each user or group, then click Ok to close the window. Now we are finished with ADSIEdit.
This adds permissions to all databases. If you want to edit the permissions for a specific database you can open the Databases folder and open Properties for the database you want to configure.
A final note: Full Access or Receive As permissions are granted next time the Microsoft Exchange Information Store service caches the permissions and updates the cache. To grant the permissions immediately, stop and then restart the Microsoft Exchange Information Store service.
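Whichever method you use, it is worth being able to see afterwards who can open which mailboxes. The script below is an added example, not part of the original post; it reports every Full Access entry on each mailbox (including entries inherited from the database) and every Receive-As/Send-As entry on each mailbox database, and writes the result to a CSV. The report path is an assumption; change it to suit.

```powershell
# Added example (not from the original post): audit of Full Access and database-level
# Receive-As/Send-As grants. Run from the Exchange Management Shell.
param(
    [string]$ReportPath = "C:\Scripts\Reports\FullAccessReport.csv"   # assumed path
)

# Principals present on every mailbox by default; they are not delegates.
$defaultPrincipals = @('NT AUTHORITY\SELF', 'NT AUTHORITY\SYSTEM')

$report = @()

# Mailbox level: explicit and inherited Full Access entries.
foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
    $entries = Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object {
            ($_.AccessRights -join ',') -match 'FullAccess' -and
            $defaultPrincipals -notcontains $_.User.ToString() -and
            $_.User.ToString() -notlike 'S-1-5-*'      # orphaned SIDs of deleted accounts
        }
    foreach ($e in $entries) {
        $report += New-Object PSObject -Property @{
            Scope       = 'Mailbox'
            Target      = $mbx.Alias
            Principal   = $e.User.ToString()
            Rights      = ($e.AccessRights -join ',')
            IsInherited = $e.IsInherited
            Deny        = $e.Deny
        }
    }
}

# Database level: the extended rights that open every mailbox in the database.
foreach ($db in (Get-MailboxDatabase)) {
    $entries = Get-ADPermission -Identity $db.Identity |
        Where-Object { ($_.ExtendedRights -join ',') -match 'Receive-As|Send-As' }
    foreach ($e in $entries) {
        $report += New-Object PSObject -Property @{
            Scope       = 'Database'
            Target      = $db.Name
            Principal   = $e.User.ToString()
            Rights      = ($e.ExtendedRights -join ',')
            IsInherited = $e.IsInherited
            Deny        = $e.Deny
        }
    }
}

New-Item -ItemType Directory -Force -Path (Split-Path $ReportPath) | Out-Null
$report | Select-Object Scope, Target, Principal, Rights, IsInherited, Deny |
    Export-Csv -Path $ReportPath -NoTypeInformation

# On screen: the explicit, per-mailbox delegations, which are the ones easiest to lose track of.
$report | Where-Object { $_.Scope -eq 'Mailbox' -and -not $_.IsInherited } |
    Format-Table Target, Principal, Rights -AutoSize
```

Entries with IsInherited set to True on a mailbox trace back to the database-level Receive-As rights granted by the methods above, so the Database rows of the report tell you where those came from. Keeping a copy of the CSV from each run gives you a baseline to diff against when a permission shows up that nobody remembers granting.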
Thanks for reading, I hope that you found it useful and please let me know if you have any questions!
Hi,
I am looking for a way to have Domain Admins have full access, send as and receive as permissions on all the mailboxes on the First mailbox data store.
Please assist.
Hi Rajat,
You would have to use a command similar to this one:
Get-Mailbox | Where { $_.Database -eq "<DatabaseName>" } | Add-MailboxPermission -User "Domain Admins" -AccessRights FullAccess -InheritanceType All
And then this one for send as:
Get-Mailbox | Where { $_.Database -eq "<DatabaseName>" } | Add-ADPermission -User "Domain Admins" -AccessRights ExtendedRight -ExtendedRights "Send-As"
If you run this as a scheduled task every night all mailboxes will have the correct permissions the day after they are created.
Thanks for reading!
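A scheduled task that simply re-runs the two commands above will print a warning for every mailbox that already has the entry, night after night. The script below is an added example, not code from the reply or the original post: it does the same grant for one database but only where the entry is missing, and logs what it changed, so it can run unattended. The group name, database name and log path are assumptions.

```powershell
# Added example (not from the original post): idempotent Full Access + Send-As grant
# for every mailbox in one database, suitable for a nightly scheduled task.
param(
    [string]$Group    = "Domain Admins",              # assumed group
    [string]$Database = "Mailbox Database 01",        # assumed database name
    [string]$LogPath  = "C:\Scripts\Logs\MailboxAccess.log"   # assumed path
)

New-Item -ItemType Directory -Force -Path (Split-Path $LogPath) | Out-Null

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogPath -Append
}

foreach ($mbx in (Get-Mailbox -Database $Database -ResultSize Unlimited)) {

    # Full Access: skip if the group already has an Allow entry on this mailbox.
    $hasFull = Get-MailboxPermission -Identity $mbx.Identity -User $Group -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Deny -and ($_.AccessRights -join ',') -match 'FullAccess' }
    if (-not $hasFull) {
        Add-MailboxPermission -Identity $mbx.Identity -User $Group -AccessRights FullAccess -InheritanceType All | Out-Null
        Write-Log "Granted FullAccess to '$Group' on $($mbx.Alias)"
    }

    # Send-As is an AD extended right on the user object, not a mailbox permission.
    $hasSendAs = Get-ADPermission -Identity $mbx.DistinguishedName -User $Group -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -join ',') -match 'Send-As' }
    if (-not $hasSendAs) {
        Add-ADPermission -Identity $mbx.DistinguishedName -User $Group -AccessRights ExtendedRight -ExtendedRights "Send-As" | Out-Null
        Write-Log "Granted Send-As to '$Group' on $($mbx.Alias)"
    }
}
```

Because the script only writes when something is missing, the log becomes a record of exactly which mailboxes were touched and when, which is useful the day someone asks where a delegation came from.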
hi,
I have a problem regarding full access permissions. Why is it that I need to add 'Everyone' to fully access the mailbox of a user,
and then when I remove 'Everyone' the user is also permitted? NT AUTHORITY\SELF is present.
Any suggestions please
I'm not sure that I completely understand the question. Adding Everyone with Full Access to a user's mailbox is absolutely something that you should never do. The user must have access to their own mailbox, therefore the SELF principal must be present.
Info from http://technet.microsoft.com/en-us/library/bb676551.aspx:
“By default, every mailbox has the security principal NT AUTHORITY\SELF listed. This security principal represents the mailbox owner. If you revoke the Full Access permission from this security principal, the mailbox owner is no longer able to log on to the mailbox.”
Hi msundis:
Actually that's my problem, I have to add "Everyone" to get full access. I think NT AUTHORITY\SELF is not working for me? Any idea about this?
I have just migrated from Exchange 2003 to Exchange 2010. I'm thinking, do I need to install SP1 for Exchange for this problem???
Hi Gero,
Ok, now I understand what you mean. Make sure that "Include inheritable permissions" is activated on the affected mailboxes. Follow these steps:
1. Open up “Active Directory Users And Computers”.
2. Enable “Advanced Features” by clicking “View” and then “Advanced Features”.
3. Locate the affected user and open “Properties”.
4. Navigate to the “Security” tab and click on “Advanced”.
5. Make sure that the “Include inheritable permissions from this object’s parent” is checked.
6. Click “Ok” twice and close “Active Directory Users And Computers”.
See if this helps you, good luck!
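The six steps above check one user at a time. The following is an added example (not part of the reply above) that performs the same check from the shell for every mailbox user, listing the accounts whose AD object has "Include inheritable permissions from this object's parent" cleared. It assumes the ActiveDirectory module is available on the machine running the Exchange Management Shell.

```powershell
# Added example (not from the original post): find mailbox users whose AD object
# blocks inherited permissions, the same setting the GUI steps above inspect.
Import-Module ActiveDirectory

function Get-InheritanceBlockedMailboxUsers {
    foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
        # nTSecurityDescriptor exposes the object's DACL; AreAccessRulesProtected is
        # True exactly when inheritance from the parent is disabled.
        $user = Get-ADUser -Identity $mbx.DistinguishedName -Properties nTSecurityDescriptor
        if ($user.nTSecurityDescriptor.AreAccessRulesProtected) {
            New-Object PSObject -Property @{
                Alias = $mbx.Alias
                DN    = $mbx.DistinguishedName
            }
        }
    }
}

Get-InheritanceBlockedMailboxUsers | Format-Table Alias, DN -AutoSize
```

Accounts that show up here are very often current or former members of protected administrative groups (Domain Admins and the like), whose objects Active Directory deliberately keeps out of inheritance; re-enabling inheritance on such an account will not stick, so those mailboxes need explicit grants.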
WONDERFUL
Thank you and thanks for reading!
Hi msundis,
I already did that but it's the same. I'm just wondering, when I create a new mailbox (Exchange 2010), the automatic full access defaults are:
Everyone
mydomain\Exchange Domain Servers
mydomain\Exchange Servers
mydomain\Exchange Trusted Subsystem
NT AUTHORITY\SELF
Any suggestion?
Did you apply SP1 for Exchange Server 2010? If so, did that solve your problem?
Thanks for the post, but I am having a small problem. I used the command structure you laid out not long after implementing my Exchange 2010 environment. Everything was great, I could open a user mailbox either via OWA or Outlook, however recently that ability has become somewhat skewed.
I can open some mailboxes in both OWA and Outlook, but it seems new mailboxes I can only open in OWA. I have granted FullAccess permission to a group I created called Exchange-Admins, my account is in this Universal Security group, but when I try to open a mailbox it just keeps prompting me for credentials. It isn't until I go to the individual mailbox and add permission for my account under Manage Full Access Permission that I am able to enter the mailbox. I believe this is a result of Service Pack 1, but I can't be certain. Any thoughts?
Thanks!
Hi DF and thanks for reading,
You will have to run the command on a regular basis to make sure all new mailboxes have the correct permissions. When you run the command it will only affect current mailboxes and not new ones. If you want to automate this you can add a script with that command that runs as a scheduled task every night, or more often if you want.
And sorry for the late answer!
is there any way of giving the full access permissions to a (security) group instead of a single user?
Hi Srdjan,
The answer to your question is no I’m afraid. The parameter “User” refers to a user mailbox and there is no parameter for groups. Thanks for reading!
That is not true, you can use a group, I have done it.
Absolutely correct Randy, post updated!
I cannot get a security group to be able to open a User or Room mailbox. It shows in the Full Access permissions list but does not actually let me open the mailbox. I don't know what I did wrong. Can anyone help me? I know this is an older post.
Sorry I cannot edit my post: I mean I have added a security group to the full access permissions list but no user in that group can open the User or Room mailbox.
I receive the following error message when I use the command that you suggest from within Powershell:
The term ‘Get-mailbox’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the
spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:12
+ Get-mailbox <<<< | Add-MailboxPermission -user getheridge -accessright Fullaccess
+ CategoryInfo : ObjectNotFound: (Get-mailbox:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Does this make any sense?
Hi Greg,
This looks a bit strange, the get-mailbox command is a very basic command and should run ok. Have you tried opening EMS and running a plain get-mailbox without any other parameters?
Thanks for reading!
svcMailboxAccess = an account / mailbox, I use to have access to everyone’s mailbox. Worked for me with Exchange 2003. Trying to get same functions now that all mailboxes are on Exchange 2010.
The following command seems to work for existing mailboxes, looking to put something into place for new mailboxes as well.
Get-Mailbox | Add-MailboxPermission -User svcMailboxAccess -AccessRights FullAccess
Is there a way to get the permissions in place so that any new mailboxes created would be able to be be opened with the svcMailboxAccess account ?
Hi Mark and thanks for reading!
No, there is no way to get the permissions in place automatically for all new mailboxes. You have to run the command again I'm afraid. The only tip I can give you is to create a script for the command and then run this as a scheduled task every night, or more often if you like. Then you would only have to wait one day before the permissions are applied.
Yes there is, you can give permissions on the store through ADSI Edit and it will affect new mailboxes as well.
Drdrn is correct. If you apply the permissions at a higher level in the configuration partition, they will be inherited onto the mailboxes. Adsiedit is one option, but you can even add the required permissions using the Exchange Management Shell. Michael wrote a good blog posting on this: http://theessentialexchange.com/blogs/michael/archive/2009/09/29/exchange-server-2010-administrative-access-to-all-mailboxes.aspx
Great information, thanks both Drdrn and Seanv for sharing!!
I followed the instructions in the link seanv posted. I did it exactly the way it said to do it and now by default the default accounts don’t have access and the new one I asked to specify doesn’t work either. In addition, all existing users don’t have the user on their accounts.
Up to this point, there were several accounts including “Exchange Servers” and special accounts like NT AUTHORITY\SYSTEM had full rights. After running the command in the blog post by michael and now when I create a new user only NT AUTHORITY\SELF gets rights and nobody else.
My whole system is hosed.
Hi,
Is there a way, when a user is a member of the Recipient Management group, to restrict that user from getting access to other users' mailboxes using "Manage Full Access Permission"?
waiting for reply
Thanks
Usman Ghani
Hi Usman and thanks for reading!
The answer to your question is that you should set up a new group and using RBAC give that user the Manage Full Access Permission. You can find more information on RBAC here:
http://technet.microsoft.com/en-us/library/dd298183.aspx
Hope that this helps!
Hi Greg
Did you find a fix for the error below, I’m using Live@edu and the Get-Mailbox error?
The term ‘Get-mailbox’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the
spelling of the name, or if a path was included, verify that the path is correct and try again.
Same problem here.
How I can fix, please.
Hi,
Have you seen this post:
http://social.technet.microsoft.com/Forums/en/exchange2010/thread/cbbee6ac-4624-450b-ab94-81ce91346ffc
I’m looking for a command to find Full Access permissions for all room and equipment mailboxes.
I have a list of all the mailboxes and I can make a CSV out of it to import it.
I would appreciate it if someone can help me with the batch operations.
I often get stuck when I receive a request for finding all owners for Resource mailboxes or finding all shared mailbox with their owners.
Please help
One things I find confusing…
In the reply section someone asks for the command to grant full access to new mailboxes. You answer that it should be scripted to run every night/week. However, you describe above how to set full access for new mailboxes by default. Is the scheduling part still necessary?
For the rest….good piece!
Hi and thanks for reading!
It depends on the method you use. If you just use PowerShell to grant full access permissions on all mailboxes directly, it must be run for each new mailbox; then you can use a scheduled task to run the command. But if you use any of the methods described under how to set it automatically you do NOT have to schedule it. There is also the Scripting Agent way of doing it for each new mailbox but I haven't included that in the post. But now I just might add it :)
I hope this clears things up a bit, let me know if you got any further questions!
Hi There,
Thanks for this info but I have a slightly different question. I have a users mailbox which I was checking for full permissions, and identified that another user had full access to this mailbox. I removed those permissions, but I am wondering if it is possible to report on when/by whom the rights were set in the first place?
Thanks for any ideas
For some reason with Exchange 2010, only NT AUTHORITY\SELF shows up under Full Access Permissions regardless of what I do. This includes forcing permissions on the databases using ADSIEdit. I’ve restarted the information store service. This was and still works fine on the Exchange 2007 mailbox server we have running in co-existence. If I move a mailbox to the new databases all of the permissions for full carry over, but new users only have NT AUTHORITY\SELF.
Okay, it turns out all new mailboxes created in any database on either the older 2007 MB server or the new 2010 MB servers only show NT AUTHORITY\SELF as having full permission access. This does not match what I am seeing in ADSIEdit at all. There's a large list of groups and members in ADSIEdit for the databases, some of which have full control checked and aren't showing up in the GUI of Exchange. Furthermore, I'm an enterprise admin and have myself in the Exchange org management groups and can't access newly created mailboxes with my admin account. I hope this gets better, because I'm not impressed with 2010 at all. 2007 was a lot easier to manage.
Exchange 2010 CLI sucks. M$ forcing people to learn pathetic commands so they can sell more pathetic training. There was absolutely nothing wrong with the ACL tab on the properties.
Has anyone including the author tested “EMS Method 1”. The command completed successfully in my environment but the members of the Universal group that was given access to all mailbox databases are not able to open other users mailboxes.
Just wanted to spread the answer. You need to allow the “Read Members” permission for the security group.
To find the “Read Members” permission
If you just want this for one security group open that Security group, if you want it to inherit for all objects go to Microsoft Exchange Security Groups and open Exchange Servers.
Click the Security Tab | Click Advanced | Sort by Name and find Exchange Servers
The first Exchange Servers in the list only applies to Descendant User objects DO NOT Click this one. Click the next one that says Read Exchange Personal Information and click edit. Scroll down and you will see “Read Members” check Allow and it should work.
DISCLAIMER: I do not have a test lab, so I only did this for the one group I needed to work. In theory this should work for you, but test it out first. This alone does not make it auto populate in Outlook I still had to open them through the Email settings | Advanced Tab for each user.
Auto Mapping doesn't work on groups because the group does not change the msExchDelegateListLink for the users. One guy found that he could change where the AutoOpen looks, but use this at your own risk; I couldn't even guess what all that really changes.
function Set-SharedMailboxAutoOpen
{
    # Needs the ActiveDirectory module for Get-ADGroupMember and Set-ADObject.
    Import-Module ActiveDirectory
    # Each shared mailbox is expected to carry the name of its permission group in CustomAttribute5.
    $SharedMailboxes = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited
    foreach ($SharedMailbox in $SharedMailboxes)
    {
        # Skip mailboxes without a group name; Get-ADGroupMember would otherwise fail.
        if (-not $SharedMailbox.CustomAttribute5) { continue }
        # Collect the members' DNs and write them into msExchDelegateListLink,
        # the attribute Outlook reads to auto-map mailboxes.
        $PermissionGroupMemberDNs = @(Get-ADGroupMember -Identity $SharedMailbox.CustomAttribute5 | ForEach-Object { $_.DistinguishedName })
        Set-ADObject -Identity $SharedMailbox.DistinguishedName -Replace @{msExchDelegateListLink=$PermissionGroupMemberDNs}
    }
}
Set-SharedMailboxAutoOpen
Source: http://social.technet.microsoft.com/Forums/exchange/en-US/9840fd13-daf8-45aa-ab35-4a827f1ba1e0/exchange-2010-unable-to-assign-full-access-permissions-using-a-security-group?forum=exchangesvrgenerallegacy&prof=required
I can’t link the actual post but it is about 2/3 of the way down, just above the giant script post.
I have a user that has been given access at the CN=Microsoft Exchange level of ADSI. I need to remove the user without messing up the mailbox. Any thoughts?