
Figure 1: In Exchange Server 2003/2000, mailbox permissions can be managed from ADUC
Since Exchange Server 2007 does not use ADUC for recipient management, this can't be done using ADUC.
The shell is your friend when it comes to assigning Full Mailbox Access and other mailbox permissions. You can use the Add-MailboxPermission command from the shell to assign it.
In the following example, we assign Full Mailbox Access permission on Joe Adams' mailbox to another user (janea):
Add-MailboxPermission "Joe Adams" -AccessRights FullAccess -user "janea"
Besides FullAccess, the following mailbox permissions can be granted using Add-MailboxPermission:
1) SendAs
2) ExternalAccount
3) DeleteItem
4) ReadPermission
5) ChangePermission
6) ChangeOwner
Viewing permissions using Get-MailboxPermission
To view permissions on a mailbox, use the Get-MailboxPermission command:
Get-MailboxPermission "Joe Adams"
To view explicitly assigned permissions (i.e. permissions that are not inherited):
Get-MailboxPermission "Joe Adams" | where {$_.IsInherited -eq $false}
To view all security principals with Full Access permission on a mailbox:
Get-MailboxPermission "Joe Adams" | where {$_.AccessRights -like "*FullAccess*"}
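An audit that combines the two filters above, as an added example that is not part of the original post: it keeps only explicit Allow entries that include FullAccess and skips the mailbox owner's own NT AUTHORITY\SELF entry. The helper names Select-ExplicitFullAccess and New-SampleAce, the EXAMPLE domain, and the audit.csv file name are assumptions, and the code assumes PowerShell 2.0 or later.

```powershell
# Added example, not from the original post. Requires PowerShell 2.0 or later.
# Select-ExplicitFullAccess and New-SampleAce are hypothetical helper names.
filter Select-ExplicitFullAccess {
    $ace = $_
    # Keep an entry only if it is set directly on the mailbox (not inherited),
    # is an Allow entry, includes FullAccess, and is not the owner's own
    # NT AUTHORITY\SELF entry.
    if (-not $ace.IsInherited -and -not $ace.Deny -and
        (@($ace.AccessRights) -like '*FullAccess*') -and
        ("$($ace.User)" -ne 'NT AUTHORITY\SELF')) {
        # Flatten AccessRights to text so it survives Export-Csv.
        $ace | Select-Object Identity, User,
            @{ Name = 'Rights'; Expression = { @($_.AccessRights) -join ', ' } }
    }
}

# Builds a constructed object with the properties Get-MailboxPermission returns.
function New-SampleAce($User, $Rights, $Inherited, $Deny) {
    New-Object PSObject -Property @{
        Identity     = 'example.local/Users/Joe Adams'
        User         = $User
        AccessRights = $Rights
        IsInherited  = $Inherited
        Deny         = $Deny
    }
}

# Constructed sample data; EXAMPLE is a placeholder domain.
$sample = @(
    (New-SampleAce 'NT AUTHORITY\SELF'        @('FullAccess', 'ReadPermission') $false $false),
    (New-SampleAce 'EXAMPLE\janea'            @('FullAccess')                   $false $false),
    (New-SampleAce 'EXAMPLE\Domain Admins'    @('FullAccess')                   $true  $true),
    (New-SampleAce 'EXAMPLE\Exchange Servers' @('ReadPermission')               $true  $false)
)
$sample | Select-ExplicitFullAccess

# Against live data in the Exchange Management Shell (audit.csv is a
# placeholder file name):
# Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission |
#     Select-ExplicitFullAccess | Export-Csv audit.csv -NoTypeInformation
```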
Managing Full Mailbox Access using the EMC in Exchange Server 2007 SP1
Exchange Server 2007 SP1 adds management of Full Mailbox Access permission to the EMC.
1. Go to Recipient Configuration | Mailbox and select the mailbox.
2. In the Action pane (or by right-clicking the mailbox), click Manage Full Mailbox Access...
Figure 2: Exchange Server 2007 SP1 allows management of Full Mailbox Access permission from the EMC

6 Comments:
How do you assign full mailbox permissions to all mailboxes in a mailstore? I'm wanting to give an Exchange Admin group full access to all mailboxes for administrative purposes but the only way I've found is by doing it on each mailbox individually which is no good with a large number of mailboxes...
Get-MailboxDatabase -identity "SERVERNAME\First Storage Group\Mailbox Database" | Add-ADPermission -user administrator -AccessRights FullAccess
The previous post didn't work for me...
However, the following did (only a small change at the end)
Get-MailboxDatabase -identity "SERVERNAME\First Storage Group\Mailbox Database" | Add-ADPermission -user administrator -AccessRights GenericAll
Neither of these work for me? I'm putting in exactly like both of you do... with my server name and storage group and database name... and I'm getting an error.
When I try full access it tells me to choose another parameter... so I choose generic all and I get this error.
couldn't be performed because object 'SIPXX\Archive Storage Group\Archive Database' could not be found on the domain controller 'sipxx etc.
Any ideas?
I get an error... trying to do that...
The operation could not be performed because 'sipxx\storage group\storage database' could not be found
I checked to make sure everything is spelled right. I do not know what I'm doing wrong?
Any assistance would be appreciated!
Thanks, worked like a charm. FYI, to add a group like Domain Admins, just enclose it in quotes but still use the -user (i.e. -user "Domain Admins")