Full Access permissions automatically to mailbox for a service account

  • Question

  • Hi,

    In Exchange 2007 with all the patches installed...

    Is it somehow possible to set up Full Access permission to all mailboxes for a service account? I know it is possible to do this with a PowerShell script and schedule it to be run regularly. But... is it possible that every time I add a new user account, Full Access permission for a certain user account would be there immediately?

    There is already a similar setup configured in this Exchange environment for another service account to have Send As permissions automatically and immediately. Unfortunately I can't remember how this has been done...

    Best regards,

    Toni


    www.triuvare.fi

    Wednesday, April 11, 2012 7:04 PM

All replies

  • Give Receive as Perms to the entire mailbox database:

    http://technet.microsoft.com/en-us/library/aa996343(v=exchg.80).aspx

    How to Allow Mailbox Access

    Wednesday, April 11, 2012 8:58 PM
  • Hi,

    Thanks for your reply but unfortunately this doesn't seem to work. Here is how I tested:

    1. Successfully ran the command: Add-ADPermission -Identity "Mailbox Store" -User "Trusted User" -ExtendedRights Receive-As
    2. Created a new user in the mailbox store where I have given the permissions
    3. Checked the new user's Manage Full Access Permissions view in Exchange Management Console, but unfortunately there was only "NT AUTHORITY\SELF", not the "Trusted User"

    Any other suggestions?

    Best regards,

    Toni


    www.triuvare.fi

    Thursday, April 12, 2012 5:28 AM
  • You will not be able to see this permission in Mailbox permission. As you see, we have run the command Add-ADPermission. You can check on the user in AD whether the permission has been inherited from the Mailbox store or not.

    Did you try to access the mailbox using that service account?


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Hasnain Shaikh| My blogs: http://messagingserversupport.com

    Thursday, April 12, 2012 6:14 AM
  • Hi,

    I tried logging in to OWA with the service account and tried to open another user's mailbox from the store where I have given the permission before. I got an error message: "You do not have permission to open this mailbox. For access or for more information, contact technical support for your organization.".

    Is there any way to do this so that the permission (Full Access) would be visible in Exchange Management Console as well?

    Best regards,

    Toni


    www.triuvare.fi

    Thursday, April 12, 2012 6:23 AM
  • Let's try this. It worked in my lab environment.

    Get-Mailboxdatabase | Add-ADPermission -User serviceaccount -AccessRights ExtendedRight -ExtendedRights ms-exch-store-admin, receive-as

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Hasnain Shaikh| My blogs: http://messagingserversupport.com


    Thursday, April 12, 2012 6:35 AM
  • Hi Toni,

    Yes, that will only work for the existing mailboxes; for newly created mailboxes, you need to run that command again.

    You can also try Andy's suggestion; I checked in my lab (Exchange 2007 SP3), and this will not work on newly created mailboxes.

    Thanks,

    Evan Liu

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com  


    Evan Liu

    TechNet Community Support

    Thursday, April 12, 2012 8:33 AM
    Moderator
  • Let's try this. It worked in my lab environment.

    Get-Mailboxdatabase | Add-ADPermission -User serviceaccount -AccessRights ExtendedRight -ExtendedRights ms-exch-store-admin, receive-as

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Hasnain Shaikh| My blogs: http://messagingserversupport.com


    @Hasnain

    Did you test on a newly created mailbox?

    I followed your way to test in my lab, and I cannot open the newly created mailbox.

    Thanks,

    Evan Liu

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com


    Evan Liu

    TechNet Community Support

    Thursday, April 12, 2012 9:30 AM
    Moderator
  • Hi Toni,

    I checked in my lab and cannot make Full Access permission work on newly created mailboxes.

    For the Send As permission, you can follow this way to make it work on newly created mailboxes:

    Grant "send as" permission at the domain or OU level:

    Use one account that has Domain Admin permission of the domain, or Enterprise Admin permissions.

    Run this command to grant "send as" permission at the domain or OU level:

    Add-ADPermission "<DN of Domain or OU>" -User "Domain\New Service Account"  -ExtendedRights "send as" -InheritedObjectType user

    After that, the service account will have Send As permission on the users in that domain or OU.

    Thanks,

    Evan Liu

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com


    Evan Liu

    TechNet Community Support

    • Marked as answer by Toni Rantanen Friday, April 13, 2012 9:53 AM
    Friday, April 13, 2012 9:12 AM
    Moderator
  • Hi Evan,

    Thanks. So the answer to my original question is that this is not possible.

    Thanks for clearing up the difference between Send As and Full Access permissions for me. Now I understand how the existing service account + Send As works automatically.

    I will create a script and schedule it to be run regularly.

    Best regards,

    Toni


    www.triuvare.fi

    Friday, April 13, 2012 9:53 AM
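
The scheduled script Toni settles on at the end of the thread could look like the following. This is an added example, not code posted by any participant; the account name `DOMAIN\svc-example` and the `C:\Logs` directory are placeholders. By default it only reports mailboxes lacking the grant, changes permissions only when run with `-Apply`, and writes each run to a CSV file so the grants can be reviewed later.

```powershell
# Added example, not from the thread. Placeholder values: DOMAIN\svc-example, C:\Logs.
param(
    [string]$ServiceAccount = 'DOMAIN\svc-example',
    [string]$LogDir = 'C:\Logs',
    [switch]$Apply    # without -Apply the script only reports
)

# A scheduled task starts plain PowerShell, so load the Exchange 2007 snap-in.
$snapin = 'Microsoft.Exchange.Management.PowerShell.Admin'
if (-not (Get-PSSnapin -Name $snapin -ErrorAction SilentlyContinue)) {
    Add-PSSnapin $snapin
}

$rows = @()
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Explicit or inherited allow entries both count; deny entries do not.
    $has = Get-MailboxPermission -Identity $mbx.Identity -User $ServiceAccount |
        Where-Object { -not $_.Deny -and ($_.AccessRights -like '*FullAccess*') }
    if ($has) { continue }

    $action = 'Missing'
    if ($Apply) {
        $null = Add-MailboxPermission -Identity $mbx.Identity -User $ServiceAccount `
            -AccessRights FullAccess -InheritanceType All
        # $? is false when the cmdlet reported an error for this mailbox.
        if ($?) { $action = 'Granted' } else { $action = 'Failed' }
    }
    $rows += $mbx | Select-Object `
        @{Name = 'Time';    Expression = { Get-Date -Format s }},
        @{Name = 'Mailbox'; Expression = { $_.PrimarySmtpAddress }},
        @{Name = 'Account'; Expression = { $ServiceAccount }},
        @{Name = 'Action';  Expression = { $action }}
}

# One CSV per run keeps an audit trail of what was granted and when.
if ($rows.Count -gt 0) {
    $file = Join-Path $LogDir ('FullAccess-{0}.csv' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
    $rows | Export-Csv -Path $file -NoTypeInformation
}
$rows
```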