Setting permissions for an Exchange database / Granting access to all mailboxes (Exchange 2007)
In Microsoft Exchange 2007 it is often a requirement to grant access at the database level - granting access to all mailboxes and all subsequent mailboxes that are created. Unlike Exchange 2003, there is no ability to use the GUI to achieve this.
There are numerous pages online giving details on how to achieve this - but none of them worked for me, so I thought I should write my own. Start with method 1 and continue if it does not work.
Method 1: Use cmdlets in the Exchange Management Shell
The EMS has a command to set AD permissions:
Get-MailboxDatabase | Add-ADPermission -User "domain\user" -ExtendedRights right1, right2
To ascertain what permissions to add it is possible to get the permissions of the domain admin user:
Get-MailboxDatabase | Get-ADPermission -User "domain\administrator"

Identity              User            Deny   Inherited  Rights
--------              ----            ----   ---------  ------
EX11\First Storag...  domain\Admi...  True   True       Send-As
EX11\First Storag...  domain\Admi...  True   True       Receive-As
EX11\First Storag...  domain\Admi...  True   True       CreateChild, Delet...
EX11\First Storag...  domain\Admi...  False  True       GenericAll
This indicates that Get-MailboxDatabase|Set-ADPermission -user "domain\user" -ExtendedRights GenericAll should work but for an unknown reason this did not work in my environment.
Note: If there is more than one mailbox database on the server, the -Identity parameter can be used: -Identity "server\storage group\mailbox database"
Set permission to read/write all mailboxes and send/receive as anyone
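# GenericAll is an access right, so it is passed with -AccessRights; Send-As and Receive-As are extended rights.
Get-MailboxDatabase | Add-ADPermission -User "domain\user" -AccessRights GenericAll -ExtendedRights Send-As, Receive-As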
Method 2: Use ADSI Editor or AD Explorer
- Navigate to Configuration\Services\Microsoft Exchange\organization-name\Administrative Groups\Exchange Administrative Group\SERVERNAME.
- Go to the properties of this 'folder' and choose the security tab. Add the user you wish to have access to all databases on this server, giving them full control rights. Ensure there are no deny attributes being inherited at the administrative group or organization level. By default Exchange administrators have deny rights applied.
It is not possible to give permissions to just a single database using this method: if security is applied at a child level, the option to apply to child objects is disabled, because ADSIEdit does not see the child mailboxes.
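To check the result of either method, the following added example (not part of the original post) reports which of the broad rights an account holds on each mailbox database and warns where an Allow and a Deny entry exist for the same right, the situation the deny caveat in Method 2 describes. "domain\user" is a placeholder, and the script assumes the Deny, IsInherited, AccessRights and ExtendedRights properties of the objects Get-ADPermission returns.

```powershell
# Added example; run in the Exchange Management Shell.
$User  = "domain\user"                          # placeholder account to audit
$broad = "GenericAll", "Send-As", "Receive-As"  # rights that cover every mailbox

# One row per (database, principal, right), with its effect and origin.
$report = @(Get-MailboxDatabase | Get-ADPermission -User $User | ForEach-Object {
    $ace  = $_
    # Access rights and extended rights are separate properties; search both.
    $held = "$($ace.AccessRights) $($ace.ExtendedRights)"
    foreach ($right in $broad) {
        if ($held -like "*$right*") {
            New-Object PSObject |
                Add-Member NoteProperty Database  ($ace.Identity.ToString()) -PassThru |
                Add-Member NoteProperty User      ($ace.User.ToString()) -PassThru |
                Add-Member NoteProperty Right     $right -PassThru |
                Add-Member NoteProperty Effect    $(if ($ace.Deny) {"Deny"} else {"Allow"}) -PassThru |
                Add-Member NoteProperty Inherited $ace.IsInherited -PassThru
        }
    }
})

$report | Sort-Object Database, User, Right | Format-Table -AutoSize

# A Deny entry for a right that is also allowed on the same database can block the grant.
$report | Group-Object Database, User, Right | Where-Object {
    @($_.Group | Where-Object { $_.Effect -eq "Deny" }).Count -gt 0 -and
    @($_.Group | Where-Object { $_.Effect -eq "Allow" }).Count -gt 0
} | ForEach-Object { Write-Warning "Allow and Deny both present for $($_.Name)" }

if ($report.Count -eq 0) { Write-Warning "$User holds none of: $broad" }
```

Dropping `-User $User` from the pipeline lists every principal holding these rights, which serves as a periodic review of who can open all mailboxes in a database.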