Exchange 2010 - granting full access to all mailboxes

I am having problems granting full mailbox access to the domain administrator account for mailboxes on Exch2010 server.

When running only Exch2007 I created a group “Exchange Mail Admins” as a “Security Group/Domain Local”. I then granted access to the mailbox databases as follows:

Add-ADPermission -Identity "Exch2007 MBX Database" -User "Exchange Mail Admins" -ExtendedRights Receive-As
Add-ADPermission -Identity "Exch2007 MBX Database" -User "Exchange Mail Admins" -ExtendedRights Send-As
Add-ADPermission -Identity "Exch2007 MBX Database" -User "Exchange Mail Admins" -ExtendedRights "Administer Information Store"

The users (including the domain administrator account) that are members of the security group can access any mailbox on my Exch2007 server. They can also do send-as.

After installing Exch2010 and granting the exact same permissions to the same group I find that the “ordinary” users in the group can access all mailboxes, however they cannot do send-as. The domain administrator cannot access any mailboxes at all. What am I missing here? Is there a “deny” on the Exch2010 databases for the domain administrator account by default in Exch2010 that is overriding the grant I am doing?

The same commands as listed above have been executed on Exch2010 – exactly the same as on Exch2007, but now I am thinking I should have done this differently using the new RBAC method. Can anyone tell me if there is already a predefined group in Exch2010 that I should add the users that should have access to all mailboxes to? What they need is to be able to open mailboxes, read/export any content, and do send-as.

Any help appreciated!
Busbar (Solutions Architect) commented:
Yes, there is an explicit deny for admins. Also, you might want to use the GUI in the RMC and re-grant them full mailbox access and send-as again.

brathenj (Author) commented:

Thanks for confirming what I suspected re the explicit deny for admins.

Where in the GUI would I re-grant the full mailbox access and send-as? I assume I can do this on database level, not on individual mailbox level? I had a look around and couldn't find anywhere to set it on database level in the GUI.

GUI - Exchange Management Console
Go to Recipient Configuration > Mailbox

details here

brathenj (Author) commented:
But is there a way to grant the permissions in EMC on database level? As far as I can understand I can only do it one mailbox at a time in EMC (on mailbox level). I understand from busbar's comment that I should re-grant on database level using the EMC? Or doesn't it make a difference if I do it using my 3 commands listed earlier:

Add-ADPermission -Identity "Exch2007 MBX Database" -User "Exchange Mail Admins" -ExtendedRights Receive-As
Add-ADPermission -Identity "Exch2007 MBX Database" -User "Exchange Mail Admins" -ExtendedRights Send-As
Add-ADPermission -Identity "Exch2007 MBX Database" -User "Exchange Mail Admins" -ExtendedRights "Administer Information Store"

Thanks for your help!
That sounds about right, with one exception.
You cannot grant those rights to Administrators :-)

Pick a normal user and see if that works.
brathenj (Author) commented:
But I can use a "Security Group/Domain Local" in AD - right? And then add/remove "normal" users in this group?
What you are saying is correct and it should work.

The syntax says

-User <SecurityPrincipalIdParameter>

and it should take "Exchange Mail Admins".

Let me research this a bit

Can you try a group which is one word and not three, like ExAdmin and not "Exchange Admins", and then execute the above command after adding 1 user to the group.

Aliases can mess things up.
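The check and grant sequence discussed in this thread, written up as an added example for the Exchange Management Shell (this is not code from the thread or from Microsoft). It first lists any Deny entries for Receive-As/Send-As on a database, which is what the "explicit deny for admins" answer refers to, then grants the two extended rights to a one-word group at database level and verifies the result. The database name "MBX-DB01" and the group name "ExMailAdmins" are placeholders; substitute your own.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on an Exchange 2010 server.
# Placeholders: $Database and $Group are assumed names, replace them with your own objects.
param(
    [string]$Database = "MBX-DB01",      # placeholder mailbox database name
    [string]$Group    = "ExMailAdmins"   # placeholder one-word domain local security group
)

$mailboxRights = 'Receive-As|Send-As'

# 1. Audit: list every Deny entry for Receive-As or Send-As on the database.
#    A Deny that matches an account (for example an administrator account) is what
#    stops that account from opening mailboxes even after the group has been granted access.
Write-Host "Deny entries for Receive-As/Send-As on ${Database}:"
Get-ADPermission -Identity $Database |
    Where-Object { $_.Deny -and ($_.ExtendedRights -match $mailboxRights) } |
    Select-Object User, ExtendedRights, IsInherited, Deny |
    Format-Table -AutoSize

# 2. Grant: the same database-level rights the thread uses, applied to the group.
foreach ($right in @('Receive-As', 'Send-As', 'Administer Information Store')) {
    Add-ADPermission -Identity $Database -User $Group -ExtendedRights $right | Out-Null
}

# 3. Verify: show the Allow entries that now exist for the group on this database.
Write-Host "Allow entries for ${Group} on ${Database}:"
Get-ADPermission -Identity $Database -User $Group |
    Where-Object { -not $_.Deny } |
    Select-Object User, ExtendedRights, IsInherited, Deny |
    Format-Table -AutoSize
```

Save it as a .ps1 and run it from the Exchange Management Shell, for example `.\Grant-DbAccess.ps1 -Database "Mailbox Database 1" -Group ExAdmin`. Step 1 is the useful part when troubleshooting: if the account that still cannot open mailboxes appears (directly or through group membership) in the Deny list, the thread's advice applies and a normal user account that is not covered by the Deny should be used for the group.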