Full Access permissions automatically to mailbox for a service account
Hi,
In Exchange 2007 with all the patches installed...
Is it somehow possible to set up Full Access permission to all mailboxes for a service account? I know it is possible to do this with a PowerShell script and schedule it to be run regularly. But... is it possible that every time I add a new user account, Full Access permission for a certain user account would be there immediately?
There is already a similar setup configured in this Exchange environment for another service account to have Send As permissions automatically and immediately. Unfortunately I can't remember how this has been done...
Best regards,
Toni
www.triuvare.fi
April 11th, 2012 3:04pm
Give Receive as Perms to the entire mailbox database:
http://technet.microsoft.com/en-us/library/aa996343(v=exchg.80).aspx
How to Allow Mailbox Access
April 11th, 2012 4:58pm
Hi,
Thanks for your reply but unfortunately this doesn't seem to work. Here is how I tested:
- ran successfully command: Add-ADPermission -Identity "Mailbox Store" -User "Trusted User" -ExtendedRights Receive-As
- created new user to the mailbox store where I have given the permissions
- checked from the new user's Manage Full Access Permissions view in Exchange Management Console but unfortunately there were only "NT AUTHORITY\SELF" not the "Trusted User"
Any other suggestions?
Best regards,
Toni
www.triuvare.fi
April 12th, 2012 1:28am
You will not be able to see this permission in Mailbox permission. As you see we have run the command Add-ADpermission. You can check on the user in AD whether the permission has been inherited from Mailbox store or not.
Did you try to access the mailbox using that service account?
Hasnain Shaikh | My blogs:
http://messagingserversupport.com
April 12th, 2012 2:14am
Hi,
I tried logging in to OWA with the service account and tried to open another user's mailbox from the store where I have given the permission before. I got an error message: "You do not have permission to open this mailbox. For access or for more information, contact technical support for your organization.".
Is there any way to do this so that the permission (Full Access) would be visible in Exchange Management Console as well?
Best regards,
Toni
www.triuvare.fi
April 12th, 2012 2:23am
Let's try this. It worked in my lab environment.
Get-Mailboxdatabase | Add-ADPermission -User serviceaccount -AccessRights ExtendedRight -ExtendedRights ms-exch-store-admin, receive-as
Hasnain Shaikh | My blogs:
http://messagingserversupport.com
April 12th, 2012 2:35am
Hi Toni,
Yes, that will only work for the existing mailboxes; for newly created mailboxes, you need to run that command again.
You can also follow Andy's suggestion and give it a try. I checked in my lab (Exchange 2007 SP3); this will not work on the newly created mailboxes.
Thanks,
Evan Liu
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
TechNet Community Support
April 12th, 2012 4:33am
> Let's try this. It worked in my lab environment.
> Get-Mailboxdatabase | Add-ADPermission -User serviceaccount -AccessRights ExtendedRight -ExtendedRights ms-exch-store-admin, receive-as
@Hasnain
Did you test on a newly created mailbox?
I followed your way to test in my lab; I cannot open the newly created mailbox.
Thanks,
Evan Liu
April 12th, 2012 5:30am
Hi Toni,
I checked in my lab; I cannot make Full Access permission work on the newly created mailboxes.
For the Send As permission, you can follow this way to make it work on newly created mailboxes:
Grant "send as" permission at the domain or OU level:
Use one account that has Domain Admin permission of the domain, or Enterprise Admin permissions.
Run this command to grant "send as" permission at the domain or OU level:
Add-ADPermission "<DN of Domain or OU>" -User "Domain\New Service Account" -ExtendedRights "send as" -InheritedObjectType user
After that, the service account will have Send As permission on the users in that domain or OU.
Thanks,
Evan Liu
April 13th, 2012 5:12am
Hi Evan,
Thanks. So the answer to my original question is that this is not possible.
Thanks for clearing up for me the difference between Send As and Full Access permissions. Now I understand how the existing service account + Send As works automatically.
I will create a script and schedule it to be run regularly.
Best regards,
Toni
www.triuvare.fi
April 13th, 2012 5:53am
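
The scheduled script the thread ends on could look like the following. This is an added example, not code posted by anyone in the thread: the service account name and log path are placeholders, and it assumes it runs in the Exchange Management Shell under an account allowed to change mailbox permissions. Because the grant gives one account access to every mailbox, each change is written to a log so it can be reviewed later.

```powershell
# Added example, not from the thread. Run from the Exchange Management Shell
# as a scheduled task. The account name and log path below are placeholders.
param(
    [string]$ServiceAccount = 'DOMAIN\svc-placeholder',
    [string]$LogPath        = 'C:\Scripts\FullAccess-grants.log',
    [switch]$ReportOnly     # list mailboxes missing the grant, change nothing
)

function Write-GrantLog([string]$Message) {
    # One timestamped line per event so every grant leaves an audit trail.
    $line = '{0} {1}' -f (Get-Date -Format s), $Message
    Add-Content -Path $LogPath -Value $line
    $line
}

# Mailboxes with no allow entry (explicit or inherited) that gives the
# service account FullAccess. New mailboxes show up here on the next run.
$missing = @(Get-Mailbox -ResultSize Unlimited | Where-Object {
    $mbx = $_
    $allow = Get-MailboxPermission -Identity $mbx.Identity -User $ServiceAccount |
        Where-Object { -not $_.Deny -and ([string]$_.AccessRights -like '*FullAccess*') }
    -not $allow
})

foreach ($mbx in $missing) {
    if ($ReportOnly) {
        Write-GrantLog "MISSING FullAccess for $ServiceAccount on $($mbx.Identity)"
        continue
    }
    $err = $null
    Add-MailboxPermission -Identity $mbx.Identity -User $ServiceAccount `
        -AccessRights FullAccess -ErrorAction SilentlyContinue -ErrorVariable err |
        Out-Null
    if ($err) {
        Write-GrantLog "FAILED on $($mbx.Identity): $($err[0])"
    } else {
        Write-GrantLog "GRANTED FullAccess on $($mbx.Identity) to $ServiceAccount"
    }
}
```

Running it once with -ReportOnly shows which mailboxes would change before the task is scheduled.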