Exchange 2010 - granting full access to all mailboxes

I am having problems granting full mailbox access to the domain administrator account for mailboxes on the Exch2010 server.

When running only Exch2007 I created a group “Exchange Mail Admins” as a “Security Group/Domain Local”. I then granted access to the mailbox databases as follows:

Add-ADPermission -Identity "Exch2007 MBX Database" -User "Exchange Mail Admins" -ExtendedRights Receive-As
Add-ADPermission -Identity "Exch2007 MBX Database" -User "Exchange Mail Admins" -ExtendedRights Send-As
Add-ADPermission -Identity "Exch2007 MBX Database" -User "Exchange Mail Admins" -ExtendedRights "Administer Information Store"

The users (including the domain administrator account) that are members of the security group can access any mailbox on my Exch2007 server. They can also do send-as.

After installing Exch2010 and granting the exact same permissions to the same group, I find that the “ordinary” users in the group can access all mailboxes; however, they cannot do send-as. The domain administrator cannot access any mailboxes at all. What am I missing here? Is there a “deny” on the Exch2010 databases for the domain administrator account by default in Exch2010 that is overriding the grant I am doing?

The same commands as listed above have been executed on Exch2010 – exactly the same as on Exch2007, but now I am thinking I should have done this differently using the new RBAC method. Can anyone tell me if there is already a predefined group in Exch2010 that I should add the users that should have access to all mailboxes to? What they need is to be able to open mailboxes, read/export any content, do send-as.

Any help appreciated!
Asked by: brathenj

Busbar (Solutions Architect) Commented:
Yes, there is an explicit deny for admins. Also, you might want to use the GUI in the RMC and re-grant them full mailbox access and send-as again.

brathenj (Author) Commented:
Hi,

Thanks for confirming what I suspected re explicit deny for admins.

Where in the GUI would I re-grant the full mailbox access and send-as? I assume I can do this on database level - not on individual mailbox level? I had a look around and couldn't find anywhere to set it on database level in the GUI.


sunnyc7 Commented:
GUI - Exchange Management Console
Go to Recipient Configuration > Mailbox

Details here:
http://technet.microsoft.com/en-us/library/aa996343.aspx

brathenj (Author) Commented:
But is there a way to grant the permissions in EMC on database level? As far as I can understand I can only do it one mailbox at a time in EMC (on mailbox level). I understand from busbar's comment that I should re-grant on database level using the EMC? Or doesn't it make a difference if I do it using my 3 commands listed earlier:

Add-ADPermission -Identity "Exch2007 MBX Database" -User "Exchange Mail Admins" -ExtendedRights Receive-As
Add-ADPermission -Identity "Exch2007 MBX Database" -User "Exchange Mail Admins" -ExtendedRights Send-As
Add-ADPermission -Identity "Exch2007 MBX Database" -User "Exchange Mail Admins" -ExtendedRights "Administer Information Store"

Thanks for your help!

sunnyc7 Commented:
That sounds about right, with one exception.
You cannot grant those rights to Administrators :-)

Pick a normal user and see if that works.

brathenj (Author) Commented:
But I can use a "Security Group/Domain Local" in AD - right? And then add/remove "normal" users in this group?

sunnyc7 Commented:
What you are saying is correct and it should work.


The syntax says

-User <SecurityPrincipalIdParameter>
and it should take "Exchange Mail Admins"

http://technet.microsoft.com/en-us/library/bb124403.aspx

Let me research this a bit.

PS:
Can you try a group which is one word and not three - like ExAdmin and not "Exchange Admins" - and then execute the above command after adding 1 user to the group?

Aliases can mess up things.
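
An added example (not part of the thread, and not code from any of its participants) for checking what the replies describe: it lists the allow and deny entries for Receive-As and Send-As on each mailbox database, without changing anything. `Select-MailboxRightAce` is a hypothetical helper name, and the sample entries used when the Exchange cmdlets are not loaded are constructed.

```powershell
# Added example, not code from the thread. Read-only: it changes no permissions.
# Select-MailboxRightAce is a hypothetical helper name.
function Select-MailboxRightAce {
    param(
        [Parameter(ValueFromPipeline = $true)] $Ace,
        [string[]] $Rights = @('Receive-As', 'Send-As')
    )
    process {
        # ExtendedRights is a collection; compare on the string form of each entry.
        $held = @($Ace.ExtendedRights | ForEach-Object { "$_" })
        foreach ($right in $Rights) {
            if ($held -contains $right) {
                New-Object PSObject -Property @{
                    Database  = "$($Ace.Identity)"
                    User      = "$($Ace.User)"
                    Right     = $right
                    Type      = $(if ($Ace.Deny) { 'Deny' } else { 'Allow' })
                    Inherited = [bool]$Ace.IsInherited
                }
            }
        }
    }
}

if (Get-Command Get-ADPermission -ErrorAction SilentlyContinue) {
    # Exchange Management Shell: read the ACL of every mailbox database.
    $aces = Get-MailboxDatabase |
        ForEach-Object { Get-ADPermission -Identity $_.DistinguishedName }
} else {
    # Constructed sample entries (names and values are made up) so the report
    # logic can be tried on a machine without the Exchange cmdlets.
    $aces = @(
        New-Object PSObject -Property @{ Identity = 'SampleDB'; Deny = $false; IsInherited = $false
            User = 'EXAMPLE\Exchange Mail Admins'; ExtendedRights = @('Receive-As') }
        New-Object PSObject -Property @{ Identity = 'SampleDB'; Deny = $false; IsInherited = $false
            User = 'EXAMPLE\Exchange Mail Admins'; ExtendedRights = @('Send-As') }
        New-Object PSObject -Property @{ Identity = 'SampleDB'; Deny = $true; IsInherited = $true
            User = 'EXAMPLE\Administrator'; ExtendedRights = @('Receive-As', 'Send-As') }
    )
}

# 'Deny' sorts after 'Allow', so a descending sort lists the deny entries first.
$aces | Select-MailboxRightAce |
    Sort-Object @{ Expression = 'Type'; Descending = $true }, Database, User, Right |
    Format-Table Database, User, Right, Type, Inherited -AutoSize
```

A Deny row for an account, or for a group it belongs to, next to an Allow row for "Exchange Mail Admins" is the situation the replies describe; the Inherited column shows whether each entry was set on the database itself or comes from a parent object.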