Exchange 2010 SP1 permissions - per server, per database, per mailbox - bulk setting options?

  • Question

  • Take a scenario where you have a service account that needs to restore individual emails to mailboxes so it therefore needs full access rights to each mailbox within each database.  The way I have been allowing that service account the access required is as follows:

    Get-MailboxDatabase | Add-ADPermission -User "SVC_ACCOUNT" -ExtendedRights Receive-As,Send-As

    The account then shows up under each mailbox with "Full access rights".  The problem is that when you create a new mailbox database you have to redo the above command, otherwise the permissions are not there.  So moving on, I have looked at doing it at a higher level.  In 2003 it was easy, but using PowerShell only it is a nightmare to see how permissions are set in 2010 higher up, or where they are set!

    Running the following would seem logical:

    Get-ExchangeServer SERVERNAME | Add-ADPermission -User SVC_ACCOUNT -ExtendedRights Receive-As,Send-As

    But looking at the permissions of each mailbox doesn't show the service account, and running Get-Mailbox | Get-ADPermission doesn't list the service account.

    Is it possible to set permissions higher up which inherit down to NEW databases and also mailboxes WITHIN those databases, like we could do with 2003?  Is it easier to just use ADSIEdit to set these permissions, as the Get-ADPermission PowerShell cmdlet produces a lot of output which isn't clear to read?

    Just wondering how other people cope with global permissions in 2010, given you can't see them in the Exchange console anymore - do you use ADSIEdit or the Get-ADPermission cmdlet, and how do you look after top-level permissions when you need to set them?

    I have inherited a system that has been upgraded from Exchange 2000 to 2003 and then to 2010, and would like to clear up years' worth of permissions everywhere, which is why it would be great if it could be done with ADSIEdit or similar instead of PowerShell.

    • Edited by Douggly Tuesday, May 8, 2012 11:23 PM
    Tuesday, May 8, 2012 11:18 PM

All replies

  • I would personally do it on a DB level each time. Tasks like this are normally performed under tight change control procedures; how often do you create a DB? Far less often than a mailbox.

    I don't think this is possible anyway.


    • Edited by Sukh828 Tuesday, May 8, 2012 11:27 PM
    Tuesday, May 8, 2012 11:26 PM
  • I found this article here -

    He shows using ADSIEdit and setting "Full permission" for user account under the ADSIEdit "Databases" entry.  I would have thought this was overkill as this account now has rights to perform way more than just mailbox commands!

    Going to "Config -> Services -> Microsoft Exchange -> Admin Group -> Databases -> Individual Databases" I can see that Send-As and Receive-As permissions can be set on the individual database objects (same as with PowerShell), but going to the level up called "Databases" these permissions don't exist, so I am beginning to think you cannot set these permissions at a higher level and they can only be set at a database level?

    So what does the command Get-ExchangeServer SERVERNAME | Add-ADPermission actually do?  It sets permissions at a higher level, but for what purpose, if we have to set it on each database anyway?
    • Edited by Douggly Tuesday, May 8, 2012 11:58 PM
    Tuesday, May 8, 2012 11:55 PM
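As an added example (not from anyone in this thread), the script below audits where a service account actually holds Receive-As and Send-As across the server objects and the database objects, so a grant made with Get-ExchangeServer | Add-ADPermission is visible next to the per-database grants, and with -Fix it grants only what is missing on each mailbox database. It assumes the Exchange Management Shell and a placeholder account name DOMAIN\SVC_ACCOUNT.

```powershell
# Added example: audit Receive-As / Send-As for a service account on Exchange
# 2010 SP1 server and database objects, and (only with -Fix) grant the rights
# on any mailbox database that lacks them. Account name is an assumed placeholder.
param(
    [string]   $User   = "DOMAIN\SVC_ACCOUNT",
    [string[]] $Rights = @("Receive-As", "Send-As"),
    [switch]   $Fix
)

# Extended rights the account holds on one AD object (Allow ACEs only),
# returned as plain strings such as "Receive-As".
function Get-HeldRights($obj) {
    Get-ADPermission -Identity $obj.Identity -User $User |
        Where-Object { -not $_.Deny -and $_.ExtendedRights.Count -gt 0 } |
        ForEach-Object { $_.ExtendedRights } |
        ForEach-Object { "$_" } |
        Sort-Object -Unique
}

# 1. Audit: servers and databases side by side. In 2010 the database objects
#    live in the organization-level "Databases" container, not under the
#    server object, so a server-level grant does not inherit down to them.
$report = foreach ($obj in @(Get-ExchangeServer) + @(Get-MailboxDatabase)) {
    $held = @(Get-HeldRights $obj)
    New-Object PSObject -Property @{
        Type     = $obj.GetType().Name        # ExchangeServer or MailboxDatabase
        Object   = $obj.Name
        Identity = $obj.Identity
        Held     = ($held -join ",")
        Missing  = (($Rights | Where-Object { $held -notcontains $_ }) -join ",")
    }
}
$report | Sort-Object Type, Object | Format-Table Type, Object, Held, Missing -AutoSize

# 2. Enforce at database level, idempotently: add only the rights not yet held.
if ($Fix) {
    $dbs = $report | Where-Object { $_.Type -eq "MailboxDatabase" -and $_.Missing }
    foreach ($row in $dbs) {
        $need = $row.Missing -split ","
        Write-Host "Granting $($need -join ',') on database $($row.Object) to $User"
        Add-ADPermission -Identity $row.Identity -User $User -ExtendedRights $need | Out-Null
    }
}
```

Running it without -Fix after creating a new database shows that database with both rights listed under Missing while the server object may show them as Held, which is the gap described above; running it again with -Fix closes the gap without touching databases that already have the rights.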