Add mailbox permissions to entire database powershell syntax question

  • Question

  • I had this set up at some point where all existing users AND new users to all my databases had "fullaccess" and "Send-as" permissions added to two accounts, one is for BES, another for an archive application. Permissions which were set were kept, but new mailboxes created in say, the last week have not had the permissions manually added and I was just notified of this now.

    I know how to set this to re-add all permissions (get-mailboxdatabase -server servername | add-mailboxpermission -user domain\user -accessrights fullaccess), but I am trying to apply this at the storage group or database level so all NEW accounts automatically get these permissions added.

    Can you please help me out with this syntax, thanks!

    Thursday, February 24, 2011 8:04 PM

Answers

  • You need to set the permission at the database level. Inheritance won't work with add-mailboxpermission. The cmd below will grant the BESadmin full access to all mailboxes on all databases as well as send-as rights.

    get-mailboxdatabase | add-adpermission -user <BESAdmin> -accessrights GenericRead, GenericWrite -extendedrights Send-As, Receive-As, ms-Exch-Store-Admin


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    • Marked as answer by Serena Li Thursday, March 3, 2011 6:24 AM
    Thursday, February 24, 2011 8:36 PM

All replies

  • When I do a get-mailboxdatabase | get-adpermission | ft I get this, which looks right, but the rights seem to not be applying.

    Also, is there a reason you can't do a get-mailboxdatabase | get-mailbox | get-mailboxpermission?


    MailboxPermission is different than ADPermission; you can have send-as rights (ADPermission) without having full access to the mailbox, if I remember right. Also, when I do a get-mailboxpermission | fl on an "old" user, they have these permissions as inherited "true".


    Identity                    User                                         Deny  Inherited Rights
    --------                    ----                                         ----  --------- ------
    exch1CC\exch1SG01\exch1SG01 internal\MsiRstr-172272171                     False False     ms-Exch-EPI-May-Impersonate
    exch1CC\exch1SG01\exch1SG01 internal\ExchangeMig                           False False     Receive-As
    exch1CC\exch1SG01\exch1SG01 internal\BESAdmin                              False True      Send-As
    exch1CC\exch1SG01\exch1SG01 internal\BESAdmin                              False True      Receive-As
    exch1CC\exch1SG01\exch1SG01 internal\BESAdmin                              False True      ms-Exch-Store-Admin
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Servers                      False True      ms-Exch-Store-Constrained-Delegation
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Servers                      False True      ms-Exch-Store-Transport-Access
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Servers                      False True      ms-Exch-Store-Read-Access
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Servers                      False True      ms-Exch-Store-Read-Write-Access
    exch1CC\exch1SG01\exch1SG01 internal\CTYCTR-MB1$                           False True      GenericRead
    exch1CC\exch1SG01\exch1SG01 internal\BESAdmin                              False True      Self, WriteProperty, GenericRead
    exch1CC\exch1SG01\exch1SG01 internal\CTYCTR-MB2$                           False True      GenericAll
    exch1CC\exch1SG01\exch1SG01 internal\CTYCTR-MB3$                           False True      GenericAll
    exch1CC\exch1SG01\exch1SG01 internal\CTYCTR-MB4$                           False True      GenericAll
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Servers                      True  True      Receive-As
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Recipient Administrators     False True      ms-Exch-Recipient-Update-Access
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Public Folder Administrators False True      ms-Exch-Recipient-Update-Access
    exch1CC\exch1SG01\exch1SG01 internal\NPAdmin                               False True      Send-As
    exch1CC\exch1SG01\exch1SG01 internal\MsiRstr-172272171                     False True      Send-As
    exch1CC\exch1SG01\exch1SG01 internal\NPAdmin                               False True      Receive-As
    exch1CC\exch1SG01\exch1SG01 internal\MsiRstr-172272171                     False True      Receive-As
    exch1CC\exch1SG01\exch1SG01 NT AUTHORITY\SYSTEM                          False True      ms-Exch-Recipient-Update-Access
    exch1CC\exch1SG01\exch1SG01 internal\Domain Admins                         True  True      Send-As
    exch1CC\exch1SG01\exch1SG01 internal\Enterprise Admins                     True  True      Send-As
    exch1CC\exch1SG01\exch1SG01 internal\tnolen                                True  True      Send-As
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Organization Administrators  True  True      Send-As
    exch1CC\exch1SG01\exch1SG01 internal\Domain Admins                         True  True      Receive-As
    exch1CC\exch1SG01\exch1SG01 internal\Enterprise Admins                     True  True      Receive-As
    exch1CC\exch1SG01\exch1SG01 internal\troy12n                                True  True      Receive-As
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Organization Administrators  True  True      Receive-As
    exch1CC\exch1SG01\exch1SG01 internal\Domain Admins                         True  True      ms-Exch-EPI-Impersonation
    exch1CC\exch1SG01\exch1SG01 internal\Schema Admins                         True  True      ms-Exch-EPI-Impersonation
    exch1CC\exch1SG01\exch1SG01 internal\Enterprise Admins                     True  True      ms-Exch-EPI-Impersonation
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Organization Administrators  True  True      ms-Exch-EPI-Impersonation
    exch1CC\exch1SG01\exch1SG01 internal\Domain Admins                         True  True      ms-Exch-EPI-Token-Serialization
    exch1CC\exch1SG01\exch1SG01 internal\Schema Admins                         True  True      ms-Exch-EPI-Token-Serialization
    exch1CC\exch1SG01\exch1SG01 internal\Enterprise Admins                     True  True      ms-Exch-EPI-Token-Serialization
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Organization Administrators  True  True      ms-Exch-EPI-Token-Serialization
    exch1CC\exch1SG01\exch1SG01 internal\Domain Admins                         True  True      ms-Exch-Store-Constrained-Delegation
    exch1CC\exch1SG01\exch1SG01 internal\Enterprise Admins                     True  True      ms-Exch-Store-Constrained-Delegation
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Servers                      True  True      ms-Exch-Store-Constrained-Delegation
    exch1CC\exch1SG01\exch1SG01 internal\Domain Admins                         True  True      ms-Exch-Store-Transport-Access
    exch1CC\exch1SG01\exch1SG01 internal\Enterprise Admins                     True  True      ms-Exch-Store-Transport-Access
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Servers                      True  True      ms-Exch-Store-Transport-Access
    exch1CC\exch1SG01\exch1SG01 internal\Domain Admins                         True  True      ms-Exch-Store-Read-Access
    exch1CC\exch1SG01\exch1SG01 internal\Enterprise Admins                     True  True      ms-Exch-Store-Read-Access
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Servers                      True  True      ms-Exch-Store-Read-Access
    exch1CC\exch1SG01\exch1SG01 internal\Domain Admins                         True  True      ms-Exch-Store-Read-Write-Access
    exch1CC\exch1SG01\exch1SG01 internal\Enterprise Admins                     True  True      ms-Exch-Store-Read-Write-Access
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Servers                      True  True      ms-Exch-Store-Read-Write-Access
    exch1CC\exch1SG01\exch1SG01 NT AUTHORITY\Authenticated Users             True  True      ReadProperty
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Public Folder Administrators False True      ms-Exch-Create-Top-Level-Public-Folder
    exch1CC\exch1SG01\exch1SG01 internal\Exchange View-Only Administrators     False True      ms-Exch-Store-Visible
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Public Folder Administrators False True      ms-Exch-Store-Visible
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Public Folder Administrators False True      ms-Exch-Store-Admin
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Public Folder Administrators False True      ms-Exch-Store-Create-Named-Properties
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Public Folder Administrators False True      ms-Exch-Modify-PF-ACL
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Public Folder Administrators False True      ms-Exch-Modify-Public-Folder-Quotas
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Public Folder Administrators False True      ms-Exch-Modify-PF-Admin-ACL
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Public Folder Administrators False True      ms-Exch-Modify-Public-Folder-Expiry
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Public Folder Administrators False True      ms-Exch-Modify-Public-Folder-Replica-List
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Public Folder Administrators False True      ms-Exch-Modify-Public-Folder-Deleted-Item-Retention
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Public Folder Administrators False True      ms-Exch-Create-Public-Folder
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Servers                      False True      WriteProperty
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Servers                      False True      WriteProperty
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Servers                      False True      WriteProperty
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Servers                      False True      WriteProperty
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Servers                      False True      WriteProperty
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Servers                      False True      WriteProperty
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Servers                      False True      WriteProperty
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Servers                      False True      WriteProperty
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Servers                      False True      WriteProperty
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Servers                      False True      WriteProperty
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Servers                      False True      WriteProperty
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Servers                      False True      WriteProperty
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Servers                      False True      WriteProperty
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Servers                      False True      WriteProperty
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Servers                      False True      WriteProperty
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Servers                      False True      WriteProperty
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Servers                      False True      WriteProperty
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Servers                      False True      GenericRead
    exch1CC\exch1SG01\exch1SG01 Everyone                                     False True      ms-Exch-Store-Create-Named-Properties
    exch1CC\exch1SG01\exch1SG01 NT AUTHORITY\ANONYMOUS LOGON                 False True      ms-Exch-Store-Create-Named-Properties
    exch1CC\exch1SG01\exch1SG01 Everyone                                     False True      ms-Exch-Create-Public-Folder
    exch1CC\exch1SG01\exch1SG01 NT AUTHORITY\ANONYMOUS LOGON                 False True      ms-Exch-Create-Public-Folder
    exch1CC\exch1SG01\exch1SG01 Everyone                                     False True      GenericRead
    exch1CC\exch1SG01\exch1SG01 NT AUTHORITY\ANONYMOUS LOGON                 False True      GenericRead
    exch1CC\exch1SG01\exch1SG01 Everyone                                     False True      GenericRead
    exch1CC\exch1SG01\exch1SG01 NT AUTHORITY\ANONYMOUS LOGON                 False True      GenericRead
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Servers                      False True
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Public Folder Administrators False True      GenericRead
    exch1CC\exch1SG01\exch1SG01 NT AUTHORITY\NETWORK SERVICE                 False True      ReadProperty, GenericExecute
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Servers                      False True      ReadProperty, GenericExecute
    exch1CC\exch1SG01\exch1SG01 internal\Exchange View-Only Administrators     False True      GenericRead
    exch1CC\exch1SG01\exch1SG01 internal\troy12n                              False True      GenericAll
    exch1CC\exch1SG01\exch1SG01 internal\Exchange Organization Administrators  False True      GenericAll
    exch1CC\exch1SG01\exch1SG01 internal\Enterprise Admins                     False True      GenericAll
    exch1CC\exch1SG01\exch1SG01 internal\Domain Admins                         False True      CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteO...

    Thursday, February 24, 2011 9:06 PM
  • What is not applying? You can do a set-mailboxpermission on a DB; therefore you're going to run into the same problem: when a new mailbox gets added, the permission is not going to apply.

    To grant full access to all mailboxes you grant receive-as rights for the admin account onto the DB using add-adpermission.

    To grant sendas to all mailboxes you grant send-as rights for the admin account onto the DB using add-adpermission. 

    If you're seeing inheritance from the old user, it can be inheriting either at the DB level, server level or higher. You could've configured it at one point.


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    Thursday, February 24, 2011 9:16 PM
  • No, I definitely hear you on this, but when you go into the EMC I do not see the permissions. It's there in PowerShell, but not listed when you right-click Manage Full Access / Send-As permissions when new users are added.
    Thursday, February 24, 2011 9:34 PM
  • If you configure send-as rights for admin user at the DB level, it will show on the user in EMC

    If you configure receive-as rights for admin user at the DB level, it will not show on the user in EMC. However, the admin user will have full rights to the mailbox.



    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    Thursday, February 24, 2011 11:54 PM
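As an added example (not part of the thread, and not the answerer's code), here is a small set of PowerShell helpers that turn the advice above into a check. They assume an Exchange 2007/2010 Management Shell where Get-MailboxDatabase, Get-ADPermission and Add-ADPermission exist, and that Get-ADPermission objects expose User, ExtendedRights, Deny and IsInherited (the columns in the listing above). The function names and the sample account names (internal\BESAdmin, internal\NPAdmin, taken from the listing) are illustrative assumptions. The point they make concrete is the one from the replies: Receive-As on a database is full access to every mailbox in it, it is inherited by mailboxes created later, and it never appears in Get-MailboxPermission or in EMC on the user, so an audit that only looks at mailbox permissions misses it.

```powershell
# Added audit/repair helpers for the situation in this thread (not the thread's own code).
# Assumes an Exchange 2007/2010 Management Shell; function and account names are illustrative.

function Get-TargetDatabases([string]$Server) {
    # Same scoping the question used: one server, or every database in the org.
    if ($Server) { Get-MailboxDatabase -Server $Server } else { Get-MailboxDatabase }
}

function Get-DatabaseMailboxRights {
    # One row per database ACE that carries Receive-As or Send-As. Receive-As on a
    # database is full access to every mailbox in it, yet it never shows up in
    # Get-MailboxPermission or in EMC on the user, so a mailbox-only audit misses it.
    param([string]$Server)
    foreach ($db in Get-TargetDatabases $Server) {
        foreach ($ace in Get-ADPermission -Identity $db.DistinguishedName) {
            $names = @($ace.ExtendedRights | ForEach-Object { $_.ToString() })
            foreach ($right in $names) {
                if ($right -ne 'Receive-As' -and $right -ne 'Send-As') { continue }
                New-Object PSObject -Property @{
                    Database  = $db.Name
                    Trustee   = $ace.User.ToString()      # DOMAIN\name, as in the listing
                    Right     = $right
                    Deny      = [bool]$ace.Deny
                    Inherited = [bool]$ace.IsInherited
                }
            }
        }
    }
}

function Test-ServiceAccountDatabaseRights {
    # Reports, per database, which of the required rights the service account holds
    # through an allow ACE (explicit or inherited) and which are missing. A database
    # with Missing set is one where mailboxes created from now on will lack access.
    param(
        [Parameter(Mandatory=$true)][string]$Account,          # e.g. 'internal\BESAdmin'
        [string[]]$Required = @('Receive-As', 'Send-As'),
        [string]$Server
    )
    $aces = @(Get-DatabaseMailboxRights -Server $Server)
    foreach ($db in Get-TargetDatabases $Server) {
        $held = @($aces | Where-Object { $_.Database -eq $db.Name -and $_.Trustee -eq $Account -and -not $_.Deny } |
                         ForEach-Object { $_.Right } | Sort-Object -Unique)
        $missing = @($Required | Where-Object { $held -notcontains $_ })
        New-Object PSObject -Property @{
            Database = $db.Name
            Account  = $Account
            Held     = ($held -join ', ')
            Missing  = ($missing -join ', ')
            Ok       = ($missing.Count -eq 0)
        }
    }
}

function Find-UnexpectedReceiveAs {
    # Every allow Receive-As holder not on the expected list can read every mailbox on
    # that database. Exchange's default Deny entries (Domain Admins, Enterprise Admins,
    # and so on in the listing above) are skipped because they do not grant anything.
    param([string[]]$Expected = @(), [string]$Server)
    Get-DatabaseMailboxRights -Server $Server |
        Where-Object { $_.Right -eq 'Receive-As' -and -not $_.Deny -and ($Expected -notcontains $_.Trustee) }
}

function Grant-ServiceAccountDatabaseRights {
    # The database-level grant the accepted answer describes, limited to the two rights
    # that give full access and send-as; run with -WhatIf first to preview the change.
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory=$true)][string]$Account, [string]$Server)
    foreach ($db in Get-TargetDatabases $Server) {
        if ($PSCmdlet.ShouldProcess($db.Name, "Add-ADPermission Receive-As, Send-As for $Account")) {
            Add-ADPermission -Identity $db.DistinguishedName -User $Account -ExtendedRights 'Receive-As', 'Send-As' | Out-Null
        }
    }
}

# Usage (account and server names are placeholders taken from the listing above):
# Test-ServiceAccountDatabaseRights -Account 'internal\BESAdmin' | Format-Table Database, Held, Missing, Ok -AutoSize
# Find-UnexpectedReceiveAs -Expected 'internal\BESAdmin', 'internal\NPAdmin' | Format-Table Database, Trustee, Inherited
# Grant-ServiceAccountDatabaseRights -Account 'internal\BESAdmin' -WhatIf
```

Two things to keep in mind when reading the output. First, the Inherited column tells you where the grant really lives: an inherited Receive-As on every database usually means it was set once at the server or organization level, which is the "you could've configured it at one point" case in the replies, and it has to be removed there rather than on the database. Second, Find-UnexpectedReceiveAs is the check worth scheduling: any account that shows up there, whether a leftover migration account like the ExchangeMig entry in the listing or something nobody recognizes, has full access to every mailbox on that database without ever appearing in a per-mailbox permission report.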