Hi, I'm trying to implement a split permissions model based for my organization, and I've made progress, thanks very much to the posters in this forum. however, I am still unable to enable two critical functions for my OU admins. they are able to modify most features when they open the mailbox properties in exchange management console, but they are still getting an "insufficient access rights" error when they attempt to use the "manage send as permission" and "manage full access permission" buttons in Exchange Management Console. Here are the "generic" versions of the powersehll commands I have run so far. Can someone give me an idea of what other permissions I need to enable to activate these features. Users in question are exchange view-only admins - gives read and write access to required attributes stated above Add-ADPermission "OU=OUContainer1,DC=Contoso,DC=com" -User company\Admin -AccessRights ReadProperty,WriteProperty -Properties proxyaddresses,msexchpoliciesincluded,msexchpoliciesexcluded,mail,textencodedORaddress -InheritedObjectType User -InheritanceType Descendents - gives access to the address lists container Add-ADPermission -Identity "CN=Address Lists Container,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\Admin" -AccessRights WriteProperty -Properties msExchLastAppliedRecipientFilter, msExchRecipientFilterFlags -gives access to the to the recipient policies container Add-ADPermission -Identity "CN=Recipient Policies,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\Admin" -AccessRights WriteProperty -Properties msExchLastAppliedRecipientFilter, msExchRecipientFilterFlags -gives access to the Recipient Update Service Extended right Add-ADPermission -Identity "CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\Admin" -InheritedObjectType ms-Exch-Exchange-Server -ExtendedRights ms-Exch-Recipient-Update-Access -InheritanceType Descendents thanks again in advance Christiaan

Hi Christiaan, Regarding Send As, I would like to explain that it is actually a permission for user/group object. Therefore, the admin need to have Modify Permissions permission in order to use the "manage send as permission" button. Regarding Full Access, I would like to explain that the admin group need to have Administer information store permission to the mailbox database object. ~~~~~~~~~~~~~~~~ Mike Shen TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com ~~~~~~~~~~~~~~~~

Mike, Thanks for the reply. can you give me an example of the powershell command I would use to grant the "administer information store" permission to the database in question? Christiaan

Hi Christiaan, You can run following command: add-adpermission "CN=Mailbox Database,CN=First Storage Group,CN=InformationStore,CN=MB,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=lab,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=lab,DC=com" -user lab\xiu accessrights extendedright -extendedright ms-exch-store-admin For more information: Permissions Available in Exchange http://technet.microsoft.com/en-us/library/bb123776(EXCHG.65).aspx ~~~~~~~~~~~~~~~~ Mike Shen TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com ~~~~~~~~~~~~~~~~