How do you give the administrator send as and receive as permission to all users in Exchange 2010
I did this once with the ADSI Edit tool. I can't remember how now. I did something like: Configuration | Service | Exchange, uncheck the send as and receive as explicit deny permission from the Exchange Organization level. I can't find this level this time. Can it be done from the command shell too? I want the Domain Administrators to have at least read rights to all mailboxes. We are constantly looking at users' Outlook and it is easier to be able to do it from our own Outlook profiles.

Thank You, Scott
March 24th, 2012 5:05pm

Hi Scott,

Can you try the following command:

Get-OrganizationConfig | Add-ADPermission -user "Domain\Domain Admins" -ExtendedRights Send-As,Receive-As

Kind regards, Bart Timmermans

Bart Timmermans | Technical Consultant at KPN Consulting
Follow me @ My Blog | Linkedin | Twitter
Please mark as Answer, if my post answers your Question. Vote as Helpful, if it is helpful to you.
March 24th, 2012 5:15pm

How about a single user? In this case Scott?

Thank You, Scott
March 24th, 2012 5:16pm

Hi Scott,

To give only Scott rights on all mailboxes use the following command:

Get-OrganizationConfig | Add-ADPermission -user "Domain\Scott" -ExtendedRights Send-As,Receive-As

To give a user/group access to the mailbox of Scott use the following command:

Add-ADPermission -Identity "Scott" -User "Domain\Domain Admins" -ExtendedRights Send-As,Receive-As

Kind regards, Bart
March 24th, 2012 5:20pm

I also found where to do this using ADSI Edit. I assume I can add my user name there and check send as and receive as since the command below put this there... Why not select Full Control?

[PS] C:\Windows\system32>Get-OrganizationConfig | Add-ADPermission -user "LewisGroup\Scott" -ExtendedRights Send-As,Receive-As

Identity             User               Deny   Inherited
--------             ----               ----   ---------
First Organization   LEWISGROUP\Scott   False  False
First Organization   LEWISGROUP\Scott   False  False

Look correct?

Thank You, Scott
March 24th, 2012 5:35pm

Hi Scott,

The results look great. I also use ADSIedit to check if the command did its work or to check AD replication. Full control or send-/receive-as permissions all depends on your needs and compliance. Some organizations disallow full control on all mailboxes because you can read all messages from all users. I use send-/receive-as permissions most of the time for service accounts requiring to send mail as a specific user (for example: BlackBerry Enterprise Server).

Kind regards, Bart
March 24th, 2012 5:39pm

I need to actually just access the mailbox. I will never send as. I tried to access a mailbox after applying the command and cannot. Should I apply full permissions? If yes, what would the command shell command be for that? I prefer to stay out of the ADSI editor. :-) Also, I am a member of the Domain Admins group that has deny selected for send as and receive as, if that matters.

Thank You, Scott
March 24th, 2012 5:42pm

Hi,

For full access you can change the part after -ExtendedRights to -AccessRights FullAccess. So the command would look like:

Get-OrganizationConfig | Add-ADPermission -user "LewisGroup\Scott" -AccessRights FullAccess

Regards, Bart
March 24th, 2012 5:49pm

Did not like that...

[PS] C:\Windows\system32>Get-OrganizationConfig | Add-ADPermission -user "LewisGroup\Scott" -AccessRights FullAccess
Cannot process argument transformation on parameter 'AccessRights'. Cannot convert value "FullAccess" to type "System.DirectoryServices.ActiveDirectoryRights[]". Error: "Cannot convert value "FullAccess" to type "System.DirectoryServices.ActiveDirectoryRights" due to invalid enumeration values. Specify one of the following enumeration values and try again. The possible enumeration values are "CreateChild, DeleteChild, ListChildren, Self, ReadProperty, WriteProperty, DeleteTree, ListObject, ExtendedRight, Delete, ReadControl, GenericExecute, GenericWrite, GenericRead, WriteDacl, WriteOwner, GenericAll, Synchronize, AccessSystemSecurity"."
    + CategoryInfo          : InvalidData: (:) [Add-ADPermission], ParameterBindin...mationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Add-ADPermission

Thank You, Scott
March 24th, 2012 5:52pm

Sorry Scott, my fault. Could you try the following:

Get-OrganizationConfig | Add-ADPermission -user "LewisGroup\Scott" -AccessRights GenericAll

Hope this helps. Otherwise use:

Get-MailboxDatabase | Add-ADPermission -user "LewisGroup\Scott" -AccessRights GenericAll

Bart Timmermans
March 24th, 2012 5:54pm

That command worked but I still cannot open another user's mailbox from my Outlook.

Thank You, Scott
March 24th, 2012 5:59pm

It could take some time, but in the meantime could you run the following command for the problematic user:

Get-ADPermission -Identity "UserMailbox"

Bart Timmermans
March 24th, 2012 6:03pm

What does this command do? Does it matter that I am a member of the domain admin group and the send as and receive as are deny?

Thank You, Scott
March 24th, 2012 6:07pm

Hi,

This command only lists the current permissions on a user. It doesn't matter if you don't have send-as and receive-as as deny. Because GenericAll gives you full control over a user's mailbox.

Bart Timmermans
March 24th, 2012 6:09pm

Ran Get-ADPermission -Identity "AP" and got nothing back.

Thank You, Scott
March 24th, 2012 6:16pm

Hi,

Did you run the Get-OrganizationConfig or the Get-MailboxDatabase command I gave?

Bart Timmermans
March 24th, 2012 6:17pm

Now I'm not sure... What would you like me to run? My mailbox has full control as seen in the ADSI editor. This is odd...

Thank You, Scott
March 24th, 2012 6:23pm

No problem. It really takes some time before you can open the user's mailbox. The only problem I know about that could arise is a process called AdminSDHolder, which resets the send-as and receive-as rights on a time schedule. I think we need to check (within ADSIedit) tomorrow. I am going to bed now. I am from the Netherlands and it's almost 0:00 AM. Will contact you tomorrow.

Bart Timmermans
March 24th, 2012 6:28pm

Thank You!!! FYI, I went into the Exchange Management Console and checked the permissions. I am on every mailbox. Then I took a test mailbox, right-clicked it and selected Manage Full Permission Access. I added another user there. I logged into their PC and opened Outlook. I went to Tools, Account Settings and added the test mailbox. I hit Finish and it showed up in Outlook and I was able to access it without issue. If it works from that level I wonder why it is not working for me with the shell command. I will check in the AM. I am in the Eastern time zone.

Thank You, Scott
March 24th, 2012 7:01pm

If you want to configure Full Access in the EMS (as opposed to EMC), you have to use the Add-MailboxPermission cmdlet. Add-ADPermission works for Send As (and Receive As).

http://technet.microsoft.com/en-us/library/aa996343(v=exchg.80).aspx

I realize that's E2K7 but the concept remains the same. Here's for E2K10:

http://technet.microsoft.com/en-us/library/aa996343.aspx

---

I'm not sure if or how GenericAll would work. I'm also not sure that it would override any Deny permission. At least with permissions on folders, Deny usually takes precedence over Allow.

Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.
March 24th, 2012 7:23pm

Hi Scott,

Just tested it on my environment. Full access permissions on a user's mailbox from a domain admin account is not possible because of the AdminSDHolder process. Full access (GenericAll), send-as and receive-as permissions on a mailbox are reset by the AdminSDHolder process. The AdminSDHolder process is a process which protects Active Directory and Exchange functionality. For more information read http://tsmith.co/2011/what-is-adminsdholder/

Microsoft best practice is to use an admin account for default Exchange management and to create a separate (non-domain admin) account to access mailboxes.

Bart Timmermans
March 24th, 2012 7:47pm

To test if it is the AdminSDHolder process you could do the following:

1. Create a new user account with a mailbox which is not a member of the Domain Admins group.
2. Run the earlier specified PowerShell command to give the newly created user full access permissions to all mailboxes.
3. Try to open a mailbox from another user from within the newly created user's Outlook.

Bart Timmermans
March 24th, 2012 7:55pm

I have a test environment. I removed the send as and receive as in Exchange SP1 on the Domain Admin group and it worked fine. This is likely a feature of SP2. I would be happy to test this. What command should I run for a user called "email Admin"? Thanks

Thank You, Scott
March 24th, 2012 8:11pm

Hi Scott,

When you want to access another mailbox you can use this way to grant the permission:

Add-MailboxPermission -Identity usermailbox -User "Domain Admin" -AccessRights FullAccess

You can find more detail in this document: Manage Full Access Permissions http://technet.microsoft.com/en-us/library/bb676551.aspx

Per my knowledge, the full access permission is a mailbox permission; Add-ADPermission is used to add permission on an AD object. So you cannot use Add-ADPermission to add permission on the mailboxes. When you set send as or receive as permission, you can use Add-ADPermission; when you want to grant permission on the mailbox, you should use Add-MailboxPermission.

Thanks, Evan Liu

TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
Evan Liu
TechNet Community Support
March 26th, 2012 1:28am

It did not work... We tried this already.

Thank You, Scott
March 26th, 2012 7:05am

That command did just as you did (grant full access permission) in the Exchange Management Console. Please run this command to check whether your Domain Admin has been added on usermailbox or not:

Get-MailboxPermission -Identity usermailbox

If you cannot see Domain Admin there, please follow Bart's suggestion to check whether that user is in the protected group.

Thanks, Evan Liu
March 26th, 2012 10:07pm

I see my account there. I am a member of the Domain Admins group. I cannot access mailboxes. If I give a regular user full permissions from the EMC to a mailbox they can open that mailbox. I believe Bart to be correct. This is a feature of SP1 or SP2. When Exchange came out I was able to access all mailboxes. This is not a problem for me. I was just wondering why it stopped working. I will make a special user for this and call it EmailAdmin. I have no doubt this will work. I will add it from the ADSI editor in place of my account today. I'm not a huge commandlet guy... :-)

Thank You, Scott
March 27th, 2012 6:12am

If you see your account has been granted full access permission, go to check whether you can open that mailbox in OWA. If you use a newly created account (instead of your account) to test, will this issue occur or not?

Thanks, Evan Liu
March 28th, 2012 3:07am

It works for everyone that is not in a protected group, I'm guessing, because other managers use this feature. I have not created a special user as of yet.

Thank You, Scott
March 28th, 2012 7:17am

If so, this is because your account is in the protected group.

Thanks, Evan Liu
March 29th, 2012 5:35am

Hello,

Any updates on this issue?

Thanks, Evan Liu
March 29th, 2012 11:00pm

This topic is archived. No further replies will be accepted.
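
The checks suggested in this thread, collected into one Exchange Management Shell script as an added example (not code from any poster): it lists FullAccess entries on one mailbox, Send-As/Receive-As entries on that mailbox's database including Deny entries, and whether the trustee carries adminCount = 1. The names EmailAdmin and usermailbox are placeholders, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example for the Exchange 2010 Management Shell; not from the thread's posters.
# Placeholders: EmailAdmin (trustee) and usermailbox (mailbox to test).
param(
    [string]$Trustee = 'EmailAdmin',
    [string]$Mailbox = 'usermailbox'
)

Import-Module ActiveDirectory   # assumed installed (RSAT AD PowerShell module)

# 1. Protected-group check: adminCount = 1 means AdminSDHolder manages (or once
#    managed) this account's ACL. Only direct group memberships are listed here.
$user   = Get-ADUser -Identity $Trustee -Properties adminCount
$groups = @(Get-ADPrincipalGroupMembership -Identity $Trustee |
            Select-Object -ExpandProperty Name)

# 2. Mailbox-level FullAccess entries (what Add-MailboxPermission and the EMC write).
$mbx     = Get-Mailbox -Identity $Mailbox
$mbxAces = Get-MailboxPermission -Identity $Mailbox |
    Where-Object { $_.AccessRights -like '*FullAccess*' } |
    Select-Object User, AccessRights, Deny, IsInherited

# 3. Send-As / Receive-As entries on the mailbox database, Allow and Deny.
$dbAces = Get-MailboxDatabase -Identity $mbx.Database | Get-ADPermission |
    Where-Object { $_.ExtendedRights -like 'Send-As' -or
                   $_.ExtendedRights -like 'Receive-As' } |
    Select-Object User, ExtendedRights, Deny, IsInherited

# 4. Deny entries naming the trustee or one of its direct groups.
$names    = $groups + $Trustee
$blocking = @($dbAces | Where-Object {
    $ace = $_
    $ace.Deny -and ($names | Where-Object { "$($ace.User)" -like "*\$_" })
})

"Trustee {0}: adminCount={1}; direct groups: {2}" -f $Trustee, $user.adminCount, ($groups -join ', ')
"FullAccess entries on ${Mailbox}:"
$mbxAces | Format-Table -AutoSize | Out-String
"Send-As/Receive-As entries on database $($mbx.Database):"
$dbAces | Format-Table -AutoSize | Out-String
if ($blocking.Count -gt 0) {
    "Deny entries that apply to ${Trustee}:"
    $blocking | Format-Table -AutoSize | Out-String
} else {
    "No Deny entry names $Trustee or its direct groups."
}
```

A Deny row for a group the trustee belongs to matches what the thread observed: an account outside the protected groups could open mailboxes while a Domain Admins member could not.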
