Set mailbox permissions in Exchange 2010
Out of the box, Exchange 2010 doesn’t give admins mailbox access. Many places that I have worked do want their administrators and helpdesk teams to be able to open any mailbox so they can help diagnose problems. This post demonstrates a few of the ways you can change mailbox permissions.
Assigning mailbox permissions to a single user
Using PowerShell, it’s quick to modify the permissions on a single mailbox with commands such as:
Give AdminUser full access to Fred’s mailbox:
Add-MailboxPermission Fred -Accessrights "FullAccess" -User AdminUser
Remove AdminUser’s access to Fred’s mailbox:
Remove-MailboxPermission Fred -Accessrights "FullAccess" -User AdminUser
View the permissions on Fred’s mailbox:
Get-MailboxPermission 'fred' | ft User, AccessRights -auto
Assigning mailbox permissions to a group
Rather than specifying a single admin user, you can specify a group using its full distinguished name (check this post for an easy way to identify the distinguished name):
Add-MailboxPermission Fred -Accessrights "FullAccess" -User "CN=mail admins,OU=Admin groups,DC=abc,DC=local"
This is all very neat and handy in an environment where you generally don’t want your admins to have access to all mailboxes. But what if you do want access to all mailboxes? There is a different way to tackle that situation: give a user or group access to all mailboxes that are stored within a mailbox database.
Assigning mailbox permissions at a mailbox database level
* These permissions will be applied to all mailboxes in the database as well as any future mailboxes created in or moved into the database.
The command to do this for a single admin user is:
get-mailboxdatabase "MailboxesDB1" | Add-ADPermission -user "Adminuser" -accessrights GenericAll
Similarly, to give an AD group access we can use the following:
get-mailboxdatabase "MailboxesDB1" | Add-ADPermission -user "CN=mail admins,OU=Admin groups,DC=abc,DC=local" -accessrights GenericAll
Lastly, to check the permissions on a mailbox database you can use the following command:
get-adpermission "MailboxesDB1" | ft -auto
Send-As permission
Full Access doesn’t grant you the Send-As permission, which is set in AD. To give AdminUser the ability to send e-mails from Dwayne Dibley’s mailbox, try the following command. Note that the mailbox owner is specified using their display name, whilst the account that needs the permission is specified as domain\login:
Add-ADPermission "Dibley,Dwayne" -User "domain\AdminUser" -Extendedrights "Send As"
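To review what the commands above have granted, the following added example (not part of the original post) lists explicit, non-inherited FullAccess, GenericAll and Send-As entries on mailboxes and mailbox databases. The helper names Get-ExplicitGrant and New-SampleAce and the sample entries are assumptions; when the Exchange cmdlets are not loaded it runs over the constructed entries instead.

```powershell
# Added example, not from the original post. Get-ExplicitGrant and New-SampleAce
# are hypothetical helpers, not Exchange cmdlets. Uses PowerShell 2.0 syntax only,
# since that is what the Exchange 2010 Management Shell runs on.
function Get-ExplicitGrant {
    param(
        [Parameter(ValueFromPipeline = $true)] $Ace,
        [string[]] $Rights = @('FullAccess', 'GenericAll', 'Send-As'),
        [switch] $IncludeInherited
    )
    process {
        # Deny entries and the owner's own SELF entry are not grants to someone else.
        if ($Ace.Deny -or "$($Ace.User)" -eq 'NT AUTHORITY\SELF') { return }
        if ($Ace.IsInherited -and -not $IncludeInherited) { return }
        # Rights may arrive as a collection or as one comma-joined string.
        $held = @($Ace.AccessRights) + @($Ace.ExtendedRights) |
            ForEach-Object { "$_" -split ',\s*' }
        $hit = @($held | Where-Object { $Rights -contains $_ })
        if ($hit.Count -gt 0) {
            $Ace | Select-Object Identity, User, IsInherited,
                @{ Name = 'Rights'; Expression = { $hit -join ',' } }
        }
    }
}

if (Get-Command Get-MailboxPermission -ErrorAction SilentlyContinue) {
    # Exchange Management Shell: per-mailbox FullAccess, Send-As on the mailbox
    # owner's AD object, then database-level grants.
    Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Get-ExplicitGrant
    Get-Mailbox -ResultSize Unlimited | Get-ADPermission | Get-ExplicitGrant
    Get-MailboxDatabase | Get-ADPermission | Get-ExplicitGrant
} else {
    # No Exchange cmdlets here: run over constructed entries shaped like the output
    # of Get-MailboxPermission / Get-ADPermission (all values are made up).
    function New-SampleAce($Identity, $User, $Access, $Extended, $Inherited) {
        New-Object PSObject -Property @{ Identity = $Identity; User = $User; Deny = $false
            AccessRights = $Access; ExtendedRights = $Extended; IsInherited = $Inherited }
    }
    @(
        (New-SampleAce 'Fred' 'NT AUTHORITY\SELF' 'FullAccess, ReadPermission' $null $false),
        (New-SampleAce 'Fred' 'ABC\AdminUser' 'FullAccess' $null $false),
        (New-SampleAce 'Fred' 'ABC\Exchange Servers' 'FullAccess' $null $true),
        (New-SampleAce 'Dibley,Dwayne' 'ABC\AdminUser' 'ExtendedRight' 'Send-As' $false),
        (New-SampleAce 'MailboxesDB1' 'ABC\mail admins' 'GenericAll' $null $false)
    ) | Get-ExplicitGrant | Format-Table -AutoSize
}
```

Pass -IncludeInherited to also list entries a mailbox inherits from its parent objects.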
Summary
Mailbox permissions can be easily manipulated using PowerShell, whether it’s an individual mailbox or an entire database. There are other ways of changing the permissions, such as EMC (Exchange Management Console), ADUC and ADSIEDIT, but I find PowerShell the easiest, quickest and most powerful.