In Exchange 2007, What is the best way to add mail box permission (Full mailbox access)?

Hi,
     This may be a very simple question, but, I did some googling and did not find a satisfying answer. So far, we have been working with Exchange 2000 and Exchange 2003 and I have been using MS Visual Basic 6.0 to grant full mailbox rights to another account and the program resides on the Exchange server. Now clients are moving to Exchange 2007 and the program does not work any more on the Exchange 2007. After doing some googling, I found out that we need to write the code in Exchange management shell scripting to grant mailbox access by using "Add-MailboxPermission "Mailbox" -User "Trusted User" -AccessRights FullAccess" method. This ofcourse is an option and I assume whenever we want to grant mailbox rights to multiple people at once, we have to create a shell batch file  from VB or any other programming language and store it somewhere and then execute the batch file from the Exchange Management Shell command line. The batch file being somewhat appearing like this.
----------------------------------------------------------------------------------------------------------------------------
Add-MailboxPermission -Identity "Ellen Adams" -User TedBrem -Accessright Fullaccess -InheritanceType all

Add-MailboxPermission -Identity "John Smith" -User TedBrem -Accessright Fullaccess -InheritanceType all

Add-MailboxPermission -Identity "Terry Johnson" -User TedBrem -Accessright Fullaccess -InheritanceType all

..... and goes on like this.

----------------------------------------------------------------------------------------------------------------------------

and then execute this script file from Exchange Management Shell.

My question is even though it is a possible solution, is there a better way of doing this? If so, please let me know.
BagurAsked:
Who is Participating?
 
spyordie007Connect With a Mentor Commented:
Option 2 would probably be the easiest to do.
0
 
spyordie007Commented:
You've got it right, the permissions are stored in AD and the only native way they are exposed are through the Exchange Management Shell.
0
 
BagurAuthor Commented:
Hi spyordie007,
              Thanks for your quick response. I will wait for 1-2 days and if don't get any alternative
workable solution, I will definitely award the points to you.

Thanks for your patience.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
spyordie007Commented:
For what it's worth I just did a quick search for 3rd party tools and I'm not seeing any (not to say for sure that there aren't any out there).

Good luck,
Erik
0
 
BagurAuthor Commented:
I increased the points to 500.
0
 
ATIGCommented:
http://exchange-genie.blogspot.com/2007/08/add-adpermission.html
http://exchange-genie.blogspot.com/2007/07/add-mailbox-permission-vs-add.html

certain permissions have been change and must be explicitly applied, you can write a script and run it as a schedule task....

depending on what your doing you and use the add-adpersmission and grant Send-As and recieve-as which is simliar to granting Full Access however I have seen it not always function and full access is still needed.

Exchange 2007 sp1 has added the perms back to the gui as well if you dont want to use powershell but it sounds like you want an automatic process

to grant to multiple people can be done easily depending on who needs it
lets say everyone needs access

get-mailbox -resultsize:unlimited | add-mailboxpermission -user XXXX -accessrights fullaccess

this can be done to an OU etc.....
0
 
BagurAuthor Commented:
Hi ATIG,
          I got what you were trying to say. So, the only way to extend mailbox rights to an account programmatically is through Exchange Management Shell command right? I assume we cannot do it from VB 6.0 or VB.NET like we do it on Exchange 2003, right? In my case, we had a program written in VB 6.0 wherein the user can select any user(s) from AD and extend full mailbox access for these user accounts to some account xyz. Everything was done in VB 6.0 program itself.

Now my question is do I have to have 2 programs to accomplish the same task?

1. First program to select the AD users which is already there in my current VB program
2. Second one which will be the script file which has to be dynamically created at the runtime and execute this file in the Exchange Management Shell depending on the users selected so we can extend full mailbox rights over these accounts.

Let me know if I am not clear in explaining this.

Thanks.
0
 
ATIGCommented:
Sounds like you should be able to call powershell from your VB script.... you should still be able to use VB I dont believe you are forced to powershell but some of the hooks may be different

you could pass variable to powershell ie users

I am curious what you are using your VB for?
Here is a cool tool
http://powergui.org/index.jspa

Really powershell is so much better then VB for what you need and 1 line of powershell can take 1 page of VB

Maybe  right an interface like powergui for powershell commands

you say your tool lets users select and grant perms.... why wouldnt you users just delegate what they want in OL?
0
 
spyordie007Commented:
Either that or you could do it with a single PowerShell script ;)

Erik
$user1 = read-host "Enter The Mailbox you want to Grant Privilages to"
$user2 = read-host "Enter the user who should have privilages to this mailbox"
add-mailboxpermission $user1 -user $user2 -accessrights fullaccess
add-adpermissions $user1 -user $user2 -extendedrights "Send As"

Open in new window

0
 
ATIGCommented:
I am not a scripting by any means but powershell is $$$ and pretty easy to use
0
 
BagurAuthor Commented:
The fact is the VB program currently does lot of things and extending rights to the mailboxes is the last piece of the program. So, I cannot afford enough time to re-write the whole code in PowerShell and I am little bit reluctant to have another shell program just to extend/delete the mailbox access rights. ATIG, also, the users do not select and grant permissions, but, the administrator goes to our program and then selects any user(s) he wants and then extend the rights to those people.

So, I assume I have 2 options left

1)  I can pass parameters to powershell from VB 6.0 if that is possible
2)  Create a powershell script from VB and execute the script file from powershell through VB so the end user does not have to go to 2 different programs to finish the task.

Thanks.
0
 
ATIGConnect With a Mentor Commented:
sounds like you are on track .........

oK, so you created a management tool for admins basically.......

good stuff, you will find out that everything will be powershell able and may want to look at eventual transitioning...
0
 
BagurAuthor Commented:
Hi guys, thanks for sharing the information. I am basically just dividing the points between you two. I hope I have assigned the points ok.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.