locked
Exchange 2007: Delegating Rights for a User to Apply Full Access Mailbox Rights RRS feed

  • Question

  • This seems like it should be an easy problem.  We have several regional Admins that have control to administer users under their particular OU under our domain.  I have already applied Exchange Split Permissions for that Administrator on their OU.  He has rights to do just about everything in Exchange under that OU except for this.

    When he tries to Manage Full Mailbox Access Permission on one of his mailboxes from EMC, and adds a user to give this permission to, he receives an Access is Denied error.

    I found this article which seems to explain the exact issue.  http://social.technet.microsoft.com/Forums/en-US/exchangesvradminlegacy/thread/11b87919-2131-41f7-b3c8-61d9a7805db0

    However, I tried to manually apply the properties recommended here and receive a warning that the rights are already present, and he is still unable to change the Full Mailbox Access permission for his users.

    Monday, November 12, 2012 3:31 PM

Answers

  • Hi

    Please have a Try with the command in KB to see if it will work.

    Add-ADPermission –Identity "CN=CompanyOrg ,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company ,DC=com" -User "company\HelpDeskStaffs" –AccessRights extendedright –ExtendedRights “Administer information store", "View information store status"

    Add-ADPermission –Identity "CN=CompanyOrg ,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company ,DC=com" -User "company\HelpDeskStaffs" –AccessRights GenericRead

    Cheers

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contacttnmff@microsoft.com


    Zi Feng

    TechNet Community Support

    Wednesday, November 14, 2012 7:15 AM
    Moderator

All replies

  • Hi

    Could you please provide the command that you used?

    Also, try the solution on below KB to see if it helps

    http://support.microsoft.com/kb/960147/en-us?wa=wsignin1.0

    To make these commands work, you must also use the Exchange   Management Console (EMC) to make your account or group the Exchange Server   administrator on the server. To do this, follow these steps:  

    1. Start EMC, right-click Organization Configuration, and then click Add Exchange Administrator.
    2. Click Browse to select the account or group that you want to add, and then click OK.
    3. Select the Exchange Server Administrator role option, and then click +Add.
    4. Select the servers on which you want to add permission to the account or group, and then click OK.
    5. Click Add, and then click Finish.

    Note To fully administer the Exchange server, manually add the user or  group to the built-in local administrator’s group on the server.

    Hope that helps

    Cheers

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tnmff@microsoft.com


    Zi Feng

    TechNet Community Support


    Tuesday, November 13, 2012 9:41 AM
    Moderator
  • This is the command that I used, when I run it, it tells me the ACE permissions are already present and the command itself had no effect on this issue.

    Add-ADPermission -Identity "CN=CompanyOrg ,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company ,DC=com" -User "company\HelpDeskStaffs" -ExtendedRights ms-Exch-Store-Admin -InheritanceType All

    I'm not sure I want to add those rights for this account. Won't adding the user to Server Administrator Role give them rights over the whole organization plus Organization/Server configuration? He definitely cannot have that many rights over the Organization.



    • Edited by agroda Tuesday, November 13, 2012 2:50 PM
    Tuesday, November 13, 2012 2:49 PM
  • Hi

    Please have a Try with the command in KB to see if it will work.

    Add-ADPermission –Identity "CN=CompanyOrg ,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company ,DC=com" -User "company\HelpDeskStaffs" –AccessRights extendedright –ExtendedRights “Administer information store", "View information store status"

    Add-ADPermission –Identity "CN=CompanyOrg ,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company ,DC=com" -User "company\HelpDeskStaffs" –AccessRights GenericRead

    Cheers

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contacttnmff@microsoft.com


    Zi Feng

    TechNet Community Support

    Wednesday, November 14, 2012 7:15 AM
    Moderator
  • Hi agroda

    Any update on this thread?

    Cheers

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tnmff@microsoft.com


    Zi Feng

    TechNet Community Support

    Tuesday, November 20, 2012 2:16 AM
    Moderator