Solved

In Exchange 2007, What is the best way to add mail box permission (Full mailbox access)?

Posted on 2007-12-06
13
1,163 Views
Last Modified: 2010-04-21
Hi,
     This may be a very simple question, but, I did some googling and did not find a satisfying answer. So far, we have been working with Exchange 2000 and Exchange 2003 and I have been using MS Visual Basic 6.0 to grant full mailbox rights to another account and the program resides on the Exchange server. Now clients are moving to Exchange 2007 and the program does not work any more on the Exchange 2007. After doing some googling, I found out that we need to write the code in Exchange management shell scripting to grant mailbox access by using "Add-MailboxPermission "Mailbox" -User "Trusted User" -AccessRights FullAccess" method. This ofcourse is an option and I assume whenever we want to grant mailbox rights to multiple people at once, we have to create a shell batch file  from VB or any other programming language and store it somewhere and then execute the batch file from the Exchange Management Shell command line. The batch file being somewhat appearing like this.
----------------------------------------------------------------------------------------------------------------------------
Add-MailboxPermission -Identity "Ellen Adams" -User TedBrem -Accessright Fullaccess -InheritanceType all

Add-MailboxPermission -Identity "John Smith" -User TedBrem -Accessright Fullaccess -InheritanceType all

Add-MailboxPermission -Identity "Terry Johnson" -User TedBrem -Accessright Fullaccess -InheritanceType all

..... and goes on like this.

----------------------------------------------------------------------------------------------------------------------------

and then execute this script file from Exchange Management Shell.

My question is even though it is a possible solution, is there a better way of doing this? If so, please let me know.
0
Comment
Question by:Bagur
  • 5
  • 4
  • 4
13 Comments
 
LVL 6

Expert Comment

by:spyordie007
Comment Utility
You've got it right, the permissions are stored in AD and the only native way they are exposed are through the Exchange Management Shell.
0
 

Author Comment

by:Bagur
Comment Utility
Hi spyordie007,
              Thanks for your quick response. I will wait for 1-2 days and if don't get any alternative
workable solution, I will definitely award the points to you.

Thanks for your patience.
0
 
LVL 6

Expert Comment

by:spyordie007
Comment Utility
For what it's worth I just did a quick search for 3rd party tools and I'm not seeing any (not to say for sure that there aren't any out there).

Good luck,
Erik
0
 

Author Comment

by:Bagur
Comment Utility
I increased the points to 500.
0
 
LVL 22

Expert Comment

by:ATIG
Comment Utility
http://exchange-genie.blogspot.com/2007/08/add-adpermission.html
http://exchange-genie.blogspot.com/2007/07/add-mailbox-permission-vs-add.html

certain permissions have been change and must be explicitly applied, you can write a script and run it as a schedule task....

depending on what your doing you and use the add-adpersmission and grant Send-As and recieve-as which is simliar to granting Full Access however I have seen it not always function and full access is still needed.

Exchange 2007 sp1 has added the perms back to the gui as well if you dont want to use powershell but it sounds like you want an automatic process

to grant to multiple people can be done easily depending on who needs it
lets say everyone needs access

get-mailbox -resultsize:unlimited | add-mailboxpermission -user XXXX -accessrights fullaccess

this can be done to an OU etc.....
0
 

Author Comment

by:Bagur
Comment Utility
Hi ATIG,
          I got what you were trying to say. So, the only way to extend mailbox rights to an account programmatically is through Exchange Management Shell command right? I assume we cannot do it from VB 6.0 or VB.NET like we do it on Exchange 2003, right? In my case, we had a program written in VB 6.0 wherein the user can select any user(s) from AD and extend full mailbox access for these user accounts to some account xyz. Everything was done in VB 6.0 program itself.

Now my question is do I have to have 2 programs to accomplish the same task?

1. First program to select the AD users which is already there in my current VB program
2. Second one which will be the script file which has to be dynamically created at the runtime and execute this file in the Exchange Management Shell depending on the users selected so we can extend full mailbox rights over these accounts.

Let me know if I am not clear in explaining this.

Thanks.
0
Promote certifications in your email signature

Has your company recently won an award or achieved a certification? They'll no doubt want to show it off. Email signature images used to promote certifications & awards can instantly establish credibility with a recipient and provide you with numerous benefits.

 
LVL 22

Expert Comment

by:ATIG
Comment Utility
Sounds like you should be able to call powershell from your VB script.... you should still be able to use VB I dont believe you are forced to powershell but some of the hooks may be different

you could pass variable to powershell ie users

I am curious what you are using your VB for?
Here is a cool tool
http://powergui.org/index.jspa

Really powershell is so much better then VB for what you need and 1 line of powershell can take 1 page of VB

Maybe  right an interface like powergui for powershell commands

you say your tool lets users select and grant perms.... why wouldnt you users just delegate what they want in OL?
0
 
LVL 6

Expert Comment

by:spyordie007
Comment Utility
Either that or you could do it with a single PowerShell script ;)

Erik
$user1 = read-host "Enter The Mailbox you want to Grant Privilages to"

$user2 = read-host "Enter the user who should have privilages to this mailbox"

add-mailboxpermission $user1 -user $user2 -accessrights fullaccess

add-adpermissions $user1 -user $user2 -extendedrights "Send As"

Open in new window

0
 
LVL 22

Expert Comment

by:ATIG
Comment Utility
I am not a scripting by any means but powershell is $$$ and pretty easy to use
0
 

Author Comment

by:Bagur
Comment Utility
The fact is the VB program currently does lot of things and extending rights to the mailboxes is the last piece of the program. So, I cannot afford enough time to re-write the whole code in PowerShell and I am little bit reluctant to have another shell program just to extend/delete the mailbox access rights. ATIG, also, the users do not select and grant permissions, but, the administrator goes to our program and then selects any user(s) he wants and then extend the rights to those people.

So, I assume I have 2 options left

1)  I can pass parameters to powershell from VB 6.0 if that is possible
2)  Create a powershell script from VB and execute the script file from powershell through VB so the end user does not have to go to 2 different programs to finish the task.

Thanks.
0
 
LVL 6

Accepted Solution

by:
spyordie007 earned 300 total points
Comment Utility
Option 2 would probably be the easiest to do.
0
 
LVL 22

Assisted Solution

by:ATIG
ATIG earned 200 total points
Comment Utility
sounds like you are on track .........

oK, so you created a management tool for admins basically.......

good stuff, you will find out that everything will be powershell able and may want to look at eventual transitioning...
0
 

Author Closing Comment

by:Bagur
Comment Utility
Hi guys, thanks for sharing the information. I am basically just dividing the points between you two. I hope I have assigned the points ok.
0

Featured Post

Do email signature updates give you a headache?

Do you feel like all of your time is spent managing email signatures? Too busy to visit every user’s desk to make updates? Want high-quality HTML signatures on all devices, including on mobiles and Macs? Then, let Exclaimer solve all your email signature problems today!

Join & Write a Comment

Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
In this video we show how to create a Distribution Group in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >>…
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now