Help managing full access permissions exchange 2007
I'm trying to set up role-based access permissions in Exchange for our helpdesk.
I'm trying to figure out what permission grants access to manage full mailbox access. Our helpdesk needs to be able to manage full access permissions for user mailboxes. I found in another thread that "Administer Information Store" (ms-Exch-Store-Admin) was the permission that granted the access. I tried adding that permission to the helpdesk security group I set up, but that didn't seem to work. They still get a permissions error when trying to manage full access permissions:
Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:01
Error:
Failed to commit the change on object "de04112f-d9bb-41c4-8e01-92ca3b336b26" because access is denied.
MapiExceptionNoAccess: Unable to set mailbox SecurityDescriptor. (hr=0x80070005, ec=-2147024891)
Exchange Management Shell command attempted:
Remove-MailboxPermission -Identity 'CN=example,DC=company,DC=com' -User 'company\user' -InheritanceType 'All' -AccessRights 'FullAccess'
Elapsed Time: 00:00:01
Anyone know what permission I need to add to give them this access? They already have all the other access they need through the Exchange Recipient Administrators group; they are just missing the manage full access.
Thanks in advance!
February 21st, 2012 3:27pm
To grant the full mailbox permissions ... this can be helpful
http://technet.microsoft.com/en-us/library/aa996343(v=exchg.80).aspx
http://technet.microsoft.com/en-us/library/aa998008(v=exchg.80).aspx
February 21st, 2012 3:46pm
Granting full access permissions on a mailbox is easy. What I can't figure out is how to give our helpdesk administrative access to be able to grant full access permission to a mailbox without giving them the keys to the kingdom to be able to do it.
Adding our helpdesk to Exchange Recipient Administrators gives them all the access they need except for being able to grant full mailbox access. I'm trying to find out what else I need to add to give them that access as well.
Thanks
February 21st, 2012 3:59pm
After more research I found the solution! It turns out it was the "Administer Information Store" (ms-Exch-Store-Admin); I was just applying the permissions wrong.
To grant the permissions to a security group or user, just use the following command on the Exchange server:
Get-MailboxServer <exchangeServerName> | Add-ADPermission -User <securityGroup> -ExtendedRights ms-Exch-Store-Admin
This should give the proper permissions for the specified security group to be able to assign full access permissions for a mailbox on the specified server.
This permission is not part of the Exchange Recipient Administrators group in Exchange 2007. From what I found, the only group that grants this access is the Exchange Organization Administrators group, which grants access to everything, which isn't always a good thing, especially in an RBAC scenario. This is the simplest and more secure solution I found.
February 21st, 2012 9:15pm
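Added example, not part of the original thread: an Exchange Management Shell sequence that records who already holds ms-Exch-Store-Admin on the server object, applies the grant described in the last post, and confirms that the helpdesk group received only that extended right. The server name and group name are placeholders assumed for illustration.

```powershell
# Placeholders (assumptions, not values from the thread): replace before running.
$Server = 'EXCH01'                      # hypothetical mailbox server name
$Group  = 'COMPANY\Helpdesk-Exchange'   # hypothetical helpdesk security group
$Right  = 'ms-Exch-Store-Admin'         # "Administer Information Store"

# 1. Baseline: list every allow entry for the right on the server object,
#    so the change can be reviewed against what was there before.
Get-MailboxServer $Server | Get-ADPermission |
    Where-Object { ($_.ExtendedRights -like $Right) -and (-not $_.Deny) } |
    Format-Table User, IsInherited, Deny -AutoSize

# 2. Preview the grant, then apply it. Only the one extended right is added;
#    the group is not placed in Exchange Organization Administrators.
Get-MailboxServer $Server | Add-ADPermission -User $Group -ExtendedRights $Right -WhatIf
Get-MailboxServer $Server | Add-ADPermission -User $Group -ExtendedRights $Right

# 3. Verify: show every entry the group now has on the server object and
#    warn if the expected right is missing or something broader is present.
$entries = Get-MailboxServer $Server | Get-ADPermission -User $Group
$entries | Format-List User, AccessRights, ExtendedRights, Deny, IsInherited

$granted = $entries | Where-Object { ($_.ExtendedRights -like $Right) -and (-not $_.Deny) }
if (-not $granted) {
    Write-Warning "$Group does not hold $Right on $Server (check replication or the group name)."
}

# 4. Rollback, if the delegation is later withdrawn:
# Get-MailboxServer $Server | Remove-ADPermission -User $Group -ExtendedRights $Right
```

The grant is per server, so the same steps have to be repeated for each mailbox server the helpdesk is meant to cover.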