Set mailbox permissions in Exchange 2010

Out of the box Exchange 2010 doesn’t give admins mailbox access. Many places that I have worked do want their administrators and helpdesk teams to be able to open any mailbox so they can help diagnose problems. This blog demonstrates a few of the possible ways you can change mailbox permissions.

Assigning mailbox permissions to a single user

Using PowerShell it’s quick to modify the permissions on a single mailbox using commands such as:

Give Adminuser full access to Fred’s mailbox:

Add-MailboxPermission Fred -Accessrights "FullAccess" -User AdminUser

Remove Adminuser’s access to Fred’s mailbox:

Remove-MailboxPermission Fred -Accessrights "FullAccess" -User Adminuser

View the permissions on Fred’s mailbox:

Get-MailboxPermission 'fred' | ft User, AccessRights -auto

Assigning mailbox permissions to a group

Rather than specifying a single admin user you can specify a group using the full distinguished name (check this post for an easy way to identify the distinguished name):

Add-MailboxPermission Fred -Accessrights "FullAccess" -User "CN=mail admins,OU=Admin groups,DC=abc,DC=local"

This is all very neat and handy in an environment where you generally don’t want your admins to have access to all mailboxes. But what if you do want access to all mailboxes? There is a different way we can tackle that situation: give a user or group access to all mailboxes that are stored within a mailbox database.

Assigning mailbox permissions at a mailbox database level

* These permissions will be applied to all mailboxes in the database as well as any future mailboxes created in or moved into the database.

The command to do this for a single admin user is:

get-mailboxdatabase "MailboxesDB1" | Add-ADPermission -user "Adminuser" -accessrights GenericAll

Similarly to give an AD group access we can use the following:

get-mailboxdatabase "MailboxesDB1" | Add-ADPermission -user "CN=mail admins,OU=Admin groups,DC=abc,DC=local" -accessrights GenericAll

Lastly, to check the permissions on a mailbox database you can use the following command:

get-adpermission "MailboxesDB1" | ft -auto

Send-As permission

Full Access doesn’t grant you the Send-As permission, which is set in AD. To give AdminUser the ability to send e-mails from Dwayne Dibley’s mailbox try the following command. Note that the mailbox owner name is specified using their display name, whilst the account that needs the permissions is specified as domain\login:

Add-ADPermission "Dibley,Dwayne" -User "domain\AdminUser" -Extendedrights "Send As" 
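
To review what the commands above have granted, here is an added audit example (not part of the original post). It lists explicit FullAccess and Send As entries per mailbox and explicit GenericAll entries per mailbox database. It assumes the Exchange Management Shell; the CSV path is a placeholder.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Assumption: the output path is a placeholder; change it to suit.
$outFile = 'C:\Temp\mailbox-access-audit.csv'

# Build one report row from a permission entry (hypothetical helper name).
function New-Row($Scope, $Target, $Ace, $Right) {
    New-Object PSObject -Property @{
        Scope = $Scope; Target = $Target; Grantee = "$($Ace.User)"; Right = $Right
    }
}

# Keep explicit allow entries only, and skip the mailbox owner's own entry.
# Database-level grants show up as inherited on each mailbox, so they are
# reported once per database further down instead of once per mailbox.
filter Select-ExplicitAllow {
    if (-not $_.IsInherited -and -not $_.Deny -and
        "$($_.User)" -ne 'NT AUTHORITY\SELF') { $_ }
}

$rows = @(
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        # FullAccess granted with Add-MailboxPermission
        Get-MailboxPermission -Identity $mbx.DistinguishedName |
            Select-ExplicitAllow |
            Where-Object { $_.AccessRights -like '*FullAccess*' } |
            ForEach-Object { New-Row 'Mailbox' $mbx.DisplayName $_ 'FullAccess' }

        # Send As granted with Add-ADPermission -ExtendedRights
        # ('?' matches either "Send As" or "Send-As" in the output)
        Get-ADPermission -Identity $mbx.DistinguishedName |
            Select-ExplicitAllow |
            Where-Object { $_.ExtendedRights -like '*Send?As*' } |
            ForEach-Object { New-Row 'Mailbox' $mbx.DisplayName $_ 'Send As' }
    }

    foreach ($db in Get-MailboxDatabase) {
        # GenericAll on the database object covers every mailbox stored in it
        Get-ADPermission -Identity $db.DistinguishedName |
            Select-ExplicitAllow |
            Where-Object { $_.AccessRights -like '*GenericAll*' } |
            ForEach-Object { New-Row 'Database' $db.Name $_ 'GenericAll' }
    }
)

$rows | Sort-Object Scope, Target, Grantee |
    Select-Object Scope, Target, Grantee, Right |
    Export-Csv -Path $outFile -NoTypeInformation
```

Comparing the CSV from one run to the next shows when a new grantee has appeared on a mailbox or database.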


Mailbox permissions can be easily manipulated using PowerShell whether it’s an individual mailbox or an entire database. There are other ways of changing the permissions – EMC (Exchange Management Console), ADUC, ADSIEDIT etc., but I find PowerShell the easiest, quickest and most powerful.

Posted on July 15, 2012 at 13:00 by simon · Permalink