Exchangepedia Blog is read by visitors from all 50 US States and 150 countries world-wide
Follow-up to previous post titled "HOW TO: Assign SendAs right using Exchange shell" - the ability to assign SendAs and ReceiveAs permissions is preserved in AD Users & Computers, but the ability to grant Full Mailbox Access permission isn't available. Full Mailbox Access is a mailbox permission (without getting into a debate about what's a permission and what's a right, the term is used interchangeably here). In Exchange Server 2003/2000, mailbox permissions can be controlled from the Exchange Advanced tab | Mailbox Rights, as seen in the following screenshot.
Figure 1: In Exchange Server 2003/2000, mailbox permissions can be managed from ADUC
Since Exchange Server 2007 does not use ADUC for recipient management, this can't be done using ADUC.
The shell is your friend when it comes to assigning Full Mailbox Access and other mailbox permissions. You can use the Add-MailboxPermission command from the shell to assign it.
In the following example, we assign Full Mailbox Access permission on Joe Adams' mailbox to another user (janea):
Viewing permissions using Get-MailboxPermission
To view permissions on a mailbox, use the Get-MailboxPermission command:
Figure 1: In Exchange Server 2003/2000, mailbox permissions can be managed from ADUC
Since Exchange Server 2007 does not use ADUC for recipient management, this can't be done using ADUC.
The shell is your friend when it comes to assigning Full Mailbox Access and other mailbox permissions. You can use the Add-MailboxPermission command from the shell to assign it.
In the following example, we assign Full Mailbox Access permission on Joe Adams' mailbox to another user (janea):
Add-MailboxPermission "Joe Adams" -AccessRights FullAccess -user "janea"
Besides FullAccess, the following mailbox permissions can be granted using Add-MailboxPermission: 1) SendAs 2) ExternalAccount 3) DeleteItem 4) ReadPermission 5) ChangePermission 6) ChangeOwnerViewing permissions using Get-MailboxPermission
To view permissions on a mailbox, use the Get-MailboxPermission command:
Get-MailboxPermission "Joe Adams"
To view explicitly assigned permissions (i.e. permissions that are not inherited):Get-MailboxPermission "Joe Adams" | where {$_.IsInherited -eq $false}
To view all security principals with Full Access permission on a mailbox:Get-MailboxPermission "Joe Adams" | where {$_.AccessRights -like "*FullAccess*"}
Managing Full Mailbox Access using the EMC in Exchange Server 2007 SP1
Exchange Server 2007 SP1 adds management of Full Mailbox Access permission to the EMC.
1. From Recipient Configuration | Mailbox | select mailbox.
2. In the Action pane (or by right-clicking the mailbox), click Manage Full Mailbox Access...
Figure 2: Exchange Server 2007 SP1 allows management of Full Mailbox Access permission from the EMC
Labels: Administration, Exchange Server 2007, Exchange Shell, Mailbox, Security
19 Comments:
How do you assign full mailbox permissions to all mailboxes in a mailstore? I'm wanting to give an Exchange Admin group full access to all mailboxes for administrative purposes but the only way I've found is by doing it on each mailbox individually which is no good with a large number of mailboxes...
Get-MailboxDatabase -identity "SERVERNAME\First Storage Group\Mailbox Database" | Add-ADPermission -user administrator -AccessRights FullAccess
The previous post didn't work for me...
However, the following did (only a small change at the end)
Get-MailboxDatabase -identity "SERVERNAME\First Storage Group\Mailbox Database" | Add-ADPermission -user administrator -AccessRights GenericAll
Neither of these work for me? I'm putting in exactly like both of you do... with my server name and storage group and database name... and I'm getting an error.
When I try full access it tells me to choose another parameter... so I choose generic all and I get this error.
couldn't be performed because object 'SIPXX\Archive Storage Group\Archive Database' could not be found on the domain controller 'sipxx etc.
Any idea's?
I get an error... trying to do that...
The operation could nore be performed because 'sipxx\storage group\storage database' could not be found
I checked to make sure everything is spelled right. I do not know what I'm doing wrong?
Any assistance would be appreciated!
Thanks, worked like a charm FYI to add a group like Domain Admins just enclose it in quotes but still use the -user (i.e. -user "Domain Admins")
Use Get-MailboxDatabase -identity "Mailbox Database" | Add-ADPermission -user administrator -AccessRights FullAccess
that should work
Get-MailboxDatabase -identity "SERVERNAME\First Storage Group\Mailbox Database" | Add-ADPermission -user administrator -AccessRights GenericAll
worked sweet for me logged on as administrator running the command from the mail server. all i changed was SERVERNAME to our servers name.
I am trying to do this task, but I wish to assign a mailbox to be used by a Group with full permission. However, assigning it to a group does not allow it to be opened. Only to individual users... is this common?
I wish an Admin Group who I have set up, containing certain members, to be able to have access to the email of one mailbox. Any ideas? email: airaura@gmail.com or karl.pennington@railtech.co.uk
It's much easier to do the same with security explorer for microsoft exchange .
I've been using this new tool from ScriptLogic and really like it. You don't need to navigate multiple menus - you can do everything from a tree view.
Security explorer also inludes permissions cloning abilities for transfering permissions from one account to another as well as quite powerful backup and reporting features.
Thank you very much for this information. I searched MSDN and help for succinct descriptions of these commands and fell short. Again, thank you!
Get-MailboxDatabase -identity "SERVERNAME\First Storage Group\Mailbox Database" | Add-ADPermission -user "Domain Admins" -AccessRights GenericAll
Worked perfectly for me, one question tho, this will effect all mailboxes that currently exist, what happens when you create new mailboxes? Is there no way of adding a user or group so it is inherited automatically?
I'm trying to grant access for a group in Active Directory full access to a specific OU group mail boxes at once without having to do each, one at a time...anyone know if this can be done?
You can use Get-Mailbox to get mailboxes and pipe them to the Add-MailboxPermission cmdlet.
To get mailboxes in an Organizational Unit or container:
Get-Mailbox -OrganizationlUnit "MyOU" | Add-MailboxPermssion -User "UserOrGroup" -AccessRights FullAccess
You can also filter mailboxes by Database, Server, Anr, RecipientTypeDetails (Rome/Equipment/Linked, etc.), or use the -Filter parameter to specify an OPATH filter.
If using the -Filter parameter, you cannot use the other filtering mechanisms in the cmdlet (Database, OU, etc.). Look at the list of filterable properties you can use in the Filter parameter:
OPATH: Filterable properties that can be used in Recipient Filters.
Thx Guys,
Get-MailboxDatabase -identity "SERVERNAME\First Storage Group\Mailbox Database" | Add-ADPermission -user "Domain Admins" -AccessRights GenericAll
worked a treat, just need to repeat on all databases and i used Exchange Organization Administrators instead of Domain Admins as it was more logical to my environment.
cheers
Adam
Thanks Guys,
I was searching all over the Internet buy could not find what I was looking for even from the msft site, but you guys had the answer, thanks again
Thanks
ROshan
This worked for me; and I didn't have to enter it over every data store. I was able to open & manipulate all aspects of a users mailbox. Any thoughts on why this would be different then the above?
get-mailboxdatabase -server "srvch-exch" | add-adpermission -user "myusername" -extendedrights receive-as
(srvch-exch is our cluster)
The above script applied to all databases on the server because you didn't specify a database identity. You will see this returns all databases if you just run the first part of the script below in the EMS. This is nice if you have multiple databases per server.
Get-MailboxDatabase -Server "ServerName"
Anyone know how to assign full access to all domain users at once?
Post a Comment
Links to this post:
Create a Link
<< Home