Remove From My Forums

Exchange 2007: Delegating Rights for a User to Apply Full Access Mailbox Rights

Question
0

Sign in to vote

This seems like it should be an easy problem. We have several regional Admins that have control to administer users under their particular OU under our domain. I have already applied Exchange Split Permissions for that Administrator on their OU. He has rights to do just about everything in Exchange under that OU except for this.

When he tries to Manage Full Mailbox Access Permission on one of his mailboxes from EMC, and adds a user to give this permission to, he receives an Access is Denied error.

I found this article which seems to explain the exact issue. http://social.technet.microsoft.com/Forums/en-US/exchangesvradminlegacy/thread/11b87919-2131-41f7-b3c8-61d9a7805db0

However, I tried to manually apply the properties recommended here and receive a warning that the rights are already present, and he is still unable to change the Full Mailbox Access permission for his users.

Monday, November 12, 2012 3:31 PM

Answers

0

Sign in to vote
Hi

Please have a Try with the command in KB to see if it will work.

Add-ADPermission –Identity "CN=CompanyOrg ,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company ,DC=com" -User "company\HelpDeskStaffs" –AccessRights extendedright –ExtendedRights “Administer information store", "View information store status"

Add-ADPermission –Identity "CN=CompanyOrg ,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company ,DC=com" -User "company\HelpDeskStaffs" –AccessRights GenericRead

Cheers

TechNet Subscriber Support in forum

If you have any feedback on our support, please contacttnmff@microsoft.com
Zi Feng

TechNet Community Support
- Marked as answer by Zi FengModerator Monday, November 26, 2012 2:12 AM
Wednesday, November 14, 2012 7:15 AM

Moderator

All replies

0

Sign in to vote
Hi

Could you please provide the command that you used?

Also, try the solution on below KB to see if it helps

http://support.microsoft.com/kb/960147/en-us?wa=wsignin1.0

To make these commands work, you must also use the Exchange Management Console (EMC) to make your account or group the Exchange Server administrator on the server. To do this, follow these steps:

Start EMC, right-click Organization Configuration, and then click Add Exchange Administrator.
Click Browse to select the account or group that you want to add, and then click OK.
Select the Exchange Server Administrator role option, and then click +Add.
Select the servers on which you want to add permission to the account or group, and then click OK.
Click Add, and then click Finish.

Note To fully administer the Exchange server, manually add the user or group to the built-in local administrator’s group on the server.

Hope that helps

Cheers

TechNet Subscriber Support in forum

If you have any feedback on our support, please contact tnmff@microsoft.com

Zi Feng

TechNet Community Support
- Edited by Zi FengModerator Tuesday, November 13, 2012 9:41 AM
Tuesday, November 13, 2012 9:41 AM

Moderator
0

Sign in to vote
This is the command that I used, when I run it, it tells me the ACE permissions are already present and the command itself had no effect on this issue.

Add-ADPermission -Identity "CN=CompanyOrg ,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company ,DC=com" -User "company\HelpDeskStaffs" -ExtendedRights ms-Exch-Store-Admin -InheritanceType All

I'm not sure I want to add those rights for this account. Won't adding the user to Server Administrator Role give them rights over the whole organization plus Organization/Server configuration? He definitely cannot have that many rights over the Organization.
- Edited by agroda Tuesday, November 13, 2012 2:50 PM
Tuesday, November 13, 2012 2:49 PM
0

Sign in to vote
Hi

Please have a Try with the command in KB to see if it will work.

Add-ADPermission –Identity "CN=CompanyOrg ,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company ,DC=com" -User "company\HelpDeskStaffs" –AccessRights extendedright –ExtendedRights “Administer information store", "View information store status"

Add-ADPermission –Identity "CN=CompanyOrg ,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company ,DC=com" -User "company\HelpDeskStaffs" –AccessRights GenericRead

Cheers

TechNet Subscriber Support in forum

If you have any feedback on our support, please contacttnmff@microsoft.com
Zi Feng

TechNet Community Support
- Marked as answer by Zi FengModerator Monday, November 26, 2012 2:12 AM
Wednesday, November 14, 2012 7:15 AM

Moderator
0

Sign in to vote

Hi agroda

Any update on this thread?

Cheers

TechNet Subscriber Support in forum

If you have any feedback on our support, please contact tnmff@microsoft.com
Zi Feng

TechNet Community Support

Tuesday, November 20, 2012 2:16 AM

Moderator

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

Answered by:

Exchange 2007: Delegating Rights for a User to Apply Full Access Mailbox Rights

Question

Answers

All replies