Exchange Admin access to all Mailboxes
I am working on setting up access for our mail administrators to all mailboxes in our mail database. I created a group and added full access (I did try send as/receive as first) on the mailbox database object in ADSIEdit. When I look at the effective permissions, the users do have full access, including receive as/send as. What am I missing? Not sure if it matters, but we use OWA to access other users' mailboxes.
May 14th, 2009 4:23am

Andrew, which version of Exchange are you on? I know in 2003 by default domain admins and enterprise admins have Read As and Send As Deny. Right click the Exchange Server and go to the Security tab. You should see the Domain Admins with a Deny. You shouldn't have to mess with ADSIEdit with this, I would actually undo what you've already done.
Mark Morowczynski | MCSE 2003: Messaging, Security | MCITP: ES, SA | MCTS: Windows Mobile Admin | Security+ | http://almostdailytech.com
May 14th, 2009 8:11am

This is Exchange 2007 SP1. Sorry I should have specified. Also one of the users is not in the domain admins group. I created a new group called mail admins and am trying to give that group access to all mailboxes.
May 14th, 2009 4:24pm

You might have missed restarting the Information Store service; verify all steps outlined in the article below...
FAQ: Access on All the Mailboxes of a Server Exchange 2007
http://exchangeshare.wordpress.com/2008/09/05/faq-access-on-all-the-mailboxes-of-a-server-exchange-2007/
Amit Tank | MVP - Exchange Server | MCITP:EMA MCSA:M | http://ExchangeShare.WordPress.com
May 14th, 2009 4:30pm

I did restart the store, plus this was set last night so it should have taken effect. Your blog was the first thing I tried before I delved into ADSIEdit. Am I right that if effective permissions on the database object show a user having receive as/send as rights, they should be able to access any mailbox on that database?
May 14th, 2009 4:59pm

I think effective permission doesn't emulate inherited permissions. Try creating a new user that is just a member of the Domain Users group and follow the procedure. It is quite straightforward: if the user doesn't have any inherited deny permission, it will start allowing access to all mailboxes. I hope you are trying to access the mailbox through Outlook, because the Receive As permission doesn't work with OWA, and for that you need to give full mailbox access explicitly on the mailbox with Add-MailboxPermission.
Amit Tank | MVP - Exchange Server | MCITP:EMA MCSA:M | http://ExchangeShare.WordPress.com
May 14th, 2009 6:11pm

I do want the group to have OWA access to all user mailboxes. This did work in 2003. Is it not possible in 2007 without adding explicit permissions to each mailbox? When you say create a user, do you mean for the mail admin group, or a new mailbox?
May 14th, 2009 7:30pm

Yes, in Exchange 2007 you need to give permission on all mailboxes to access with OWA, and receive-as doesn't work. If I remember correctly... You can run the cmdlet below to give full access permission on all existing mailboxes of a server, but for new mailboxes you may need to run this periodically.

    Get-Mailbox -Server ESS-Exch702 | Add-MailboxPermission -User AdminUserName -AccessRights FullAccess

How to Enable Explicit Logons in Outlook Web Access
http://technet.microsoft.com/en-us/library/aa998830.aspx
Amit Tank | MVP - Exchange Server | MCITP:EMA MCSA:M | http://ExchangeShare.WordPress.com
May 15th, 2009 7:29am
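
An added example, not part of the thread and not written by any of its posters: a re-runnable form of the cmdlet in the reply above that grants FullAccess to a group only on mailboxes that lack it, and lists Deny entries for review. The group name `Mail Admins` and the function name are assumptions; the server name is the one used in the post, and the script must run in the Exchange Management Shell.

```powershell
# Added example; run in the Exchange Management Shell on Exchange 2007.
# 'ESS-Exch702' is the server name from the post above.
# 'Mail Admins' and the function name are assumptions made for this example.
function Sync-AdminFullAccess {
    param(
        [string]$Server = 'ESS-Exch702',
        [string]$Group  = 'Mail Admins',
        [switch]$Apply    # without -Apply nothing is changed, only reported
    )

    $mailboxes = @(Get-Mailbox -Server $Server -ResultSize Unlimited)
    foreach ($mbx in $mailboxes) {
        # Every FullAccess entry on the mailbox, whoever it names.
        $full = @(Get-MailboxPermission -Identity $mbx.Identity |
            Where-Object { $_.AccessRights -like '*FullAccess*' })

        # List Deny entries for review: the thread points to inherited Deny
        # entries (such as the Domain Admins one) as a reason access fails.
        foreach ($ace in @($full | Where-Object { $_.Deny })) {
            Write-Output ("DENY     {0}: {1} (inherited: {2})" -f $mbx.Alias, $ace.User, $ace.IsInherited)
        }

        # Explicit Allow entries that name the group itself.
        $granted = @(Get-MailboxPermission -Identity $mbx.Identity -User $Group |
            Where-Object { ($_.AccessRights -like '*FullAccess*') -and
                           -not $_.Deny -and -not $_.IsInherited })

        if ($granted.Count -gt 0) {
            Write-Output ("OK       {0}" -f $mbx.Alias)
        } elseif ($Apply) {
            Add-MailboxPermission -Identity $mbx.Identity -User $Group -AccessRights FullAccess | Out-Null
            Write-Output ("GRANTED  {0}" -f $mbx.Alias)
        } else {
            Write-Output ("MISSING  {0}" -f $mbx.Alias)
        }
    }
}

# Report only; re-run with -Apply once the report looks right.
Sync-AdminFullAccess
# Sync-AdminFullAccess -Apply
```

Granting to a group keeps membership changes in Active Directory, and the MISSING lines from a scheduled report-only run show which new mailboxes the group cannot yet open.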

This topic is archived. No further replies will be accepted.
