Solved

In Exchange 2007, What is the best way to add mail box permission (Full mailbox access)?

Posted on 2007-12-06
Last Modified: 2010-04-21
Hi,
     This may be a very simple question, but I did some googling and did not find a satisfying answer. So far, we have been working with Exchange 2000 and Exchange 2003, and I have been using MS Visual Basic 6.0 to grant full mailbox rights to another account; the program resides on the Exchange server. Now clients are moving to Exchange 2007 and the program does not work any more on Exchange 2007. After doing some googling, I found out that we need to write the code in Exchange Management Shell scripting to grant mailbox access by using the "Add-MailboxPermission "Mailbox" -User "Trusted User" -AccessRights FullAccess" method. This of course is an option, and I assume whenever we want to grant mailbox rights to multiple people at once, we have to create a shell batch file from VB or any other programming language, store it somewhere and then execute the batch file from the Exchange Management Shell command line. The batch file would look somewhat like this.
----------------------------------------------------------------------------------------------------------------------------
Add-MailboxPermission -Identity "Ellen Adams" -User TedBrem -Accessright Fullaccess -InheritanceType all

Add-MailboxPermission -Identity "John Smith" -User TedBrem -Accessright Fullaccess -InheritanceType all

Add-MailboxPermission -Identity "Terry Johnson" -User TedBrem -Accessright Fullaccess -InheritanceType all

..... and goes on like this.

----------------------------------------------------------------------------------------------------------------------------

and then execute this script file from Exchange Management Shell.

My question is even though it is a possible solution, is there a better way of doing this? If so, please let me know.
Question by:Bagur
13 Comments
 
LVL 6

Expert Comment

by:spyordie007
ID: 20422353
You've got it right, the permissions are stored in AD and the only native way they are exposed are through the Exchange Management Shell.

Author Comment

by:Bagur
ID: 20422809
Hi spyordie007,
              Thanks for your quick response. I will wait for 1-2 days and if I don't get any alternative workable solution, I will definitely award the points to you.

Thanks for your patience.
LVL 6

Expert Comment

by:spyordie007
ID: 20422854
For what it's worth I just did a quick search for 3rd party tools and I'm not seeing any (not to say for sure that there aren't any out there).

Good luck,
Erik

Author Comment

by:Bagur
ID: 20422900
I increased the points to 500.
LVL 22

Expert Comment

by:ATIG
ID: 20423342
http://exchange-genie.blogspot.com/2007/08/add-adpermission.html
http://exchange-genie.blogspot.com/2007/07/add-mailbox-permission-vs-add.html

Certain permissions have been changed and must be explicitly applied; you can write a script and run it as a scheduled task....

Depending on what you're doing, you can use add-adpermission and grant Send-As and Receive-As, which is similar to granting Full Access; however, I have seen it not always function and full access is still needed.

Exchange 2007 SP1 has added the perms back to the GUI as well if you don't want to use PowerShell, but it sounds like you want an automatic process.

Granting to multiple people can be done easily depending on who needs it.
Let's say everyone needs access:

get-mailbox -resultsize:unlimited | add-mailboxpermission -user XXXX -accessrights fullaccess

this can be done to an OU etc.....

Author Comment

by:Bagur
ID: 20423514
Hi ATIG,
          I got what you were trying to say. So, the only way to extend mailbox rights to an account programmatically is through Exchange Management Shell command right? I assume we cannot do it from VB 6.0 or VB.NET like we do it on Exchange 2003, right? In my case, we had a program written in VB 6.0 wherein the user can select any user(s) from AD and extend full mailbox access for these user accounts to some account xyz. Everything was done in VB 6.0 program itself.

Now my question is do I have to have 2 programs to accomplish the same task?

1. First program to select the AD users which is already there in my current VB program
2. Second one which will be the script file which has to be dynamically created at the runtime and execute this file in the Exchange Management Shell depending on the users selected so we can extend full mailbox rights over these accounts.

Let me know if I am not clear in explaining this.

Thanks.
LVL 22

Expert Comment

by:ATIG
ID: 20423616
Sounds like you should be able to call PowerShell from your VB script.... You should still be able to use VB; I don't believe you are forced to PowerShell, but some of the hooks may be different.

You could pass variables to PowerShell, i.e. users.

I am curious what you are using your VB for?
Here is a cool tool
http://powergui.org/index.jspa

Really, PowerShell is so much better than VB for what you need, and 1 line of PowerShell can take 1 page of VB.

Maybe write an interface like PowerGUI for PowerShell commands.

You say your tool lets users select and grant perms.... Why wouldn't your users just delegate what they want in OL?
LVL 6

Expert Comment

by:spyordie007
ID: 20423619
Either that or you could do it with a single PowerShell script ;)

Erik
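# Prompt for the mailbox and for the account that should get access to it
$user1 = read-host "Enter the mailbox you want to grant privileges to"
$user2 = read-host "Enter the user who should have privileges to this mailbox"
# Grant full mailbox access, then Send As on the mailbox's AD object
add-mailboxpermission $user1 -user $user2 -accessrights fullaccess
add-adpermission $user1 -user $user2 -extendedrights "Send As"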

LVL 22

Expert Comment

by:ATIG
ID: 20423634
I am not a scripter by any means, but PowerShell is $$$ and pretty easy to use.

Author Comment

by:Bagur
ID: 20423734
The fact is the VB program currently does a lot of things, and extending rights to the mailboxes is the last piece of the program. So, I cannot afford enough time to re-write the whole code in PowerShell and I am a little bit reluctant to have another shell program just to extend/delete the mailbox access rights. ATIG, also, the users do not select and grant permissions; the administrator goes to our program, selects any user(s) he wants and then extends the rights to those people.

So, I assume I have 2 options left

1)  I can pass parameters to powershell from VB 6.0 if that is possible
2)  Create a powershell script from VB and execute the script file from powershell through VB so the end user does not have to go to 2 different programs to finish the task.

Thanks.
LVL 6

Accepted Solution

by:
spyordie007 earned 300 total points
ID: 20423776
Option 2 would probably be the easiest to do.
LVL 22

Assisted Solution

by:ATIG
ATIG earned 200 total points
ID: 20426790
Sounds like you are on track .........

OK, so you created a management tool for admins basically.......

Good stuff, you will find out that everything will be powershell able and may want to look at eventual transitioning...

Author Closing Comment

by:Bagur
ID: 31413229
Hi guys, thanks for sharing the information. I am basically just dividing the points between you two. I hope I have assigned the points ok.
0
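
One way to carry out option 2 without generating script text on every run, as an added example that is not code from the thread: a fixed script the VB front end calls, passing the selected mailboxes as a data file and writing an audit line for each Full Access grant. The script name, its parameter names, the paths and the log format are assumptions; the syntax is kept to what PowerShell 1.0 accepts.

```powershell
# Grant-FullAccess.ps1: added example, not code from the thread.
# Hypothetical names: this file name, -ListFile, -Trustee, -LogFile.
# The front end writes one mailbox identity per line to the list file, then runs:
#   powershell.exe -Command "& 'C:\Scripts\Grant-FullAccess.ps1' -ListFile 'C:\Scripts\mailboxes.txt' -Trustee TedBrem"
param(
    [string]$ListFile = $(throw "ListFile is required"),
    [string]$Trustee  = $(throw "Trustee is required"),
    [string]$LogFile  = "FullAccessGrants.log"
)

# Exchange 2007 snap-in; the error is ignored when it is already loaded.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin -ErrorAction SilentlyContinue

# One tab-separated audit line per mailbox: time, operator, trustee, mailbox, result.
function Write-Audit([string]$Mailbox, [string]$Result) {
    $line = "{0}`t{1}`t{2}`t{3}`t{4}" -f (Get-Date -Format s), $env:USERNAME, $Trustee, $Mailbox, $Result
    Add-Content -Path $LogFile -Value $line
}

# Resolve the trustee once so a typo stops the run before anything changes.
if (-not (Get-User -Identity $Trustee -ErrorAction SilentlyContinue)) {
    throw "Trustee '$Trustee' not found"
}

foreach ($name in (Get-Content -Path $ListFile)) {
    $name = $name.Trim()
    if ($name -eq "") { continue }

    # Names are bound as parameter values, never spliced into script text.
    $mbx = @(Get-Mailbox -Identity $name -ErrorAction SilentlyContinue)
    if ($mbx.Count -ne 1) { Write-Audit $name "SKIPPED: not found or ambiguous"; continue }

    # Skip mailboxes where an allow entry for FullAccess already exists.
    $existing = Get-MailboxPermission -Identity $mbx[0].Identity -User $Trustee -ErrorAction SilentlyContinue |
        Where-Object { "$($_.AccessRights)" -match "FullAccess" -and -not $_.Deny }
    if ($existing) { Write-Audit $name "UNCHANGED: already granted"; continue }

    $ace = Add-MailboxPermission -Identity $mbx[0].Identity -User $Trustee -AccessRights FullAccess `
        -InheritanceType All -ErrorAction SilentlyContinue -ErrorVariable grantError
    if ($grantError.Count -eq 0) { Write-Audit $name "GRANTED" } else { Write-Audit $name "FAILED: $($grantError[0])" }
}
```

Because the mailbox names are read as data from the list file, a display name containing quotes or semicolons cannot change what the script executes, and the log gives a reviewable record of who granted Full Access to which mailbox.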
