Grant full access and send as permissions on a group of mailboxes

    Question

  • I need some help accommodating a set of mailbox permissions on a group of mailboxes.

    A little background:

    I've got 2 different groups of mailboxes, Group D and group U. 

    All of the group D mailboxes are in OU example.com - company - department A. 

    All of the group U mailboxes are in OU example.com - company - department B, and each group U mailbox is also a member of a mail-enabled security group . 

    I need every user / mailbox in group U to have full access and send as permission on all of the group D mailboxes. 

    The mailboxes in group D and group U are fairly fluid.  They get created, disabled, and replaced fairly regularly. 

    I don't want to have to have an Exchange Organization Administrator be responsible for granting full and send-as permissions to each group U member on each group D mailbox as these mailboxes come and go.  I'd rather have these permissions inherited from an OU level or possibly a mailbox database level.  If that's not possible, my next best option would be to grant my Exchange Recipient Administrators the rights they need to change send-as and full mailbox permissions on only one OU or mailbox database so that they can manage these permissions.

    So my question is, can I grant full access and send-as permissions to a mail-enabled security group on all mailbox objects in an OU or mailbox database?  Alternatively, could I grant the permissions necessary to set full access and send as permissions to a group of jr. administrators on all mailboxes on a single mailbox database?  If so, what would the commands for doing so look like?

     

    Thursday, June 24, 2010 4:30 PM

All replies

  • Hello Utegrad,

    Unfortunately I can only answer half your question, although you may be able to answer the other half on your own with the below command. This will grant full access to the username you specify:

    Get-MailboxDatabase | Add-ADPermission -user username -AccessRights GenericAll

    As for setting the Send as permissions, I have never tried it but I am guessing it is a modification of the above...

    Hope this helps...

    Thursday, June 24, 2010 6:36 PM
  • Hi,

    By using the Exchange shell, we are unable to query the mailboxes from a Distribution Group, so I recommend you use the following method to do this task:

     

    1. Create an organizational unit (OU), GroupU, and move all the GroupU users to this OU.

    2. Create an OU, name it GroupD, and move all the GroupD users to this OU.

    3. Open Notepad and copy the following script. Then save the file as xx.ps1.

     

    --------------------------
    # Collect every user account in the GroupU OU
    $AllUsers = Get-User -OrganizationalUnit GroupU
    foreach ($user in $AllUsers) {
        # Grant this user the rights on every mailbox in the GroupD OU
        Get-Mailbox -OrganizationalUnit GroupD | Add-MailboxPermission -User $user.Identity -AccessRights SendAs, FullAccess
    }
    ---------------------------------

    4. Open the Exchange shell and run the xx.ps1 file.

     

    • Edited by Gen Lin Friday, July 02, 2010 1:56 AM modify
    • Marked as answer by Gen Lin Friday, July 02, 2010 1:57 AM
    • Unmarked as answer by Utegrad Friday, July 02, 2010 5:28 PM
    Friday, June 25, 2010 8:57 AM
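
Added example, not part of any reply in this thread: a re-runnable variant of the per-OU grant above that gives one security group Full Access (Add-MailboxPermission) and Send As (an Active Directory extended right, set with Add-ADPermission) on each mailbox in the OU, skips mailboxes that already have the right, and previews by default. The OU name, the group name `EXAMPLE\GroupU` and the `-Apply` switch are assumptions, as is PowerShell 2.0 or later.

```powershell
# Added example. $SourceOU and $Trustee are placeholders; substitute your own OU and group.
param(
    [string]$SourceOU = 'GroupD',          # OU that holds the group D mailboxes
    [string]$Trustee  = 'EXAMPLE\GroupU',  # hypothetical security group containing the group U users
    [switch]$Apply                         # omit to preview only; pass -Apply to change permissions
)

$preview = -not $Apply
$verb    = if ($Apply) { 'added' } else { 'would add' }

$report = foreach ($mbx in Get-Mailbox -OrganizationalUnit $SourceOU -ResultSize Unlimited) {
    # Full Access is a mailbox right, read back with Get-MailboxPermission.
    $hasFull = Get-MailboxPermission -Identity $mbx.Identity -User $Trustee |
        Where-Object { -not $_.Deny -and ($_.AccessRights -match 'FullAccess') }

    # Send As is an extended right on the Active Directory object.
    $hasSendAs = Get-ADPermission -Identity $mbx.DistinguishedName -User $Trustee |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -like '*Send-As*') }

    # Only add what is missing, so repeated runs do not pile up duplicate entries.
    if (-not $hasFull) {
        Add-MailboxPermission -Identity $mbx.Identity -User $Trustee `
            -AccessRights FullAccess -InheritanceType All -WhatIf:$preview | Out-Null
    }
    if (-not $hasSendAs) {
        Add-ADPermission -Identity $mbx.DistinguishedName -User $Trustee `
            -ExtendedRights 'Send As' -WhatIf:$preview | Out-Null
    }

    # One row per mailbox: what was already in place and what this run added (or would add).
    New-Object PSObject -Property @{
        Mailbox    = $mbx.PrimarySmtpAddress.ToString()
        FullAccess = $(if ($hasFull)   { 'present' } else { $verb })
        SendAs     = $(if ($hasSendAs) { 'present' } else { $verb })
    }
}

# Keep this output as the change record for the run.
$report | Select-Object Mailbox, FullAccess, SendAs | Format-Table -AutoSize
```

Granting to a group instead of to each user means membership changes in group U need no permission edits on the group D mailboxes; only new group D mailboxes require another run.
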
  • Let me see if I can simplify and ask this question better.

    Can I grant a group permissions to manage send as and full access permissions for mailboxes on one mailbox database only and leave that group's view only and recipient administrator permissions as-is on the other mailbox databases on the server? 

    I could be mistaken about this, but I think I could grant them the manage information store rights on an Exchange 2003 mailbox database and it would accomplish this?  I'm not sure how I would do something similar in my Exchange 2007 environment.

     

     

    Friday, July 02, 2010 5:50 PM
  • You can't do that.  The closest would be the Split Permissions model (http://technet.microsoft.com/en-us/library/bb232100%28EXCHG.80%29.aspx) but that only allows you to modify permissions at the OU or Domain Level and not restrict it down to full access or sendas.  For what you want, you'll have to go to Exchange 2010 (and you'll have to wait for SP1 as well) and take advantage of the RBAC Model where you can customize roles and add them to a role group which you assign that group of users to and scope it down.  Exchange 2010 SP1 allows you to scope it down to the database level which isn't available in RTM which is why I stated earlier you'll have to wait till SP1.

    MVP | MCSE:M | MCITP: Enterprise Messaging Administrator | MCTS: OCS + Voice Specialization | http://www.shudnow.net
    Friday, July 02, 2010 9:03 PM