Exchange 2010 SP1 Grant Full Access to all current and future mailboxes on a mailboxdatabase to a domain account

Have used the following PS command which is supposed to grant permissions to both current and any future users - checking ADSIEdit, it does give the permissions on the mailboxdatabase object, but NOT to any of the mailboxes on the database either current or future.
get-mailboxdatabase <db_name> | add-adpermission -user <user_account> -accessrights genericall

Can anyone advise if this SHOULD work, and if so, why it is not working please.

I have also tried a similar command :-

get-mailboxdatabase <db_name> | add-mailboxpermission -user <user_account> -accessrights genericall
get-mailboxdatabase <db_name> | add-adpermission -user <user_account> -accessrights fullaccess -inheritancetype all

Neither of these is an accepted command (I suspect PS does not allow the output of get-mailboxdatabase to be piped to the add-mailboxpermission cmdlet).

If not, can someone suggest how to do this using ADUC/ADSIEdit - I can set the Send-As permission by adding it into the Root permissions, but which permissions constitute Mailbox Full Access?

Thanks again
TheGeezer2010Author Commented:
OK, I have discovered the reason why this cannot be applied to all future accounts. The attribute which applies this permission in AD is MsExchDelegateListLink. This attribute is ONLY available at the account level within AD, therefore there seems to be no way (other than programmatically) to populate this attribute. I would like to close this query.
> Neither of these are accepted commands

Can you give me the error?

TheGeezer2010Author Commented:
Please bear in mind that when using Add-ADPermission the first part (get-mailboxdatabase <Database_Name>) works fine and is correctly piped into the following cmdlet - the command completes successfully.

Genericall :-

Cannot process argument transformation on parameter 'AccessRights'. Cannot conv
ert value "genericall" to type "Microsoft.Exchange.Management.RecipientTasks.Ma
ilboxRights[]". Error: "Cannot convert value "genericall" to type "Microsoft.Ex
change.Management.RecipientTasks.MailboxRights" due to invalid enumeration valu
es. Specify one of the following enumeration values and try again. The possible
 enumeration values are "FullAccess, SendAs, ExternalAccount, DeleteItem, ReadP
ermission, ChangePermission, ChangeOwner"."
    + CategoryInfo          : InvalidData: (:) [Add-MailboxPermission], Parame
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Add-Mailbox

FullAccess (either with/without -inheritancetype all) :-

<Database_Name> wasn't found. Please make sure you've typed it correctly.
    + CategoryInfo          : NotSpecified: (0:Int32) [Add-MailboxPermission],
    + FullyQualifiedErrorId : 3A923970,Microsoft.Exchange.Management.Recipient

Both of the below should work; if not, please give me the error of either:
get-mailboxdatabase <db_name> | add-ADpermission -user <user_account> -accessrights genericall

get-mailboxdatabase <db_name> | add-adpermission -user <user_account> -accessrights fullaccess -inheritancetype all


TheGeezer2010Author Commented:
Hi Akhater and thank you for your assistance

The first of these commands was the one I initially tried and, although the command completes successfully and I can see that the mailboxdatabase object shows the correct added permission in AD, the sub-objects (mailboxes) do not.
The second of these commands does not complete, giving the following error :-

Cannot process argument transformation on parameter 'AccessRights'. Cannot conv
ert value "fullaccess" to type "System.DirectoryServices.ActiveDirectoryRights[
]". Error: "Cannot convert value "fullaccess" to type "System.DirectoryServices
.ActiveDirectoryRights" due to invalid enumeration values. Specify one of the f
ollowing enumeration values and try again. The possible enumeration values are
"CreateChild, DeleteChild, ListChildren, Self, ReadProperty, WriteProperty, Del
eteTree, ListObject, ExtendedRight, Delete, ReadControl, GenericExecute, Generi
cWrite, GenericRead, WriteDacl, WriteOwner, GenericAll, Synchronize, AccessSyst
    + CategoryInfo          : InvalidData: (:) [Add-ADPermission], ParameterBi
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Add-ADPermi

Hope this is useful for you to continue your troubleshooting !
Well, actually it is my bad :) The second one should be add-mailboxpermission; however it will not work with get-mailboxdatabase.

Just to make sure of something: after you have run the first command successfully, if you create a new mailbox, will the access right be effective?
TheGeezer2010Author Commented:
I will test again today but definitely was not the case yesterday. Will test again and let you know.
Kindly note that these kinds of changes need recycling of the Information Store and the System Attendant services.

TheGeezer2010Author Commented:
Are you absolutely sure of that as this is production environment and cannot just do that easily ?
I am aware of it being a production environment. Permissions changes can take up to 4 hours to be effective if the services are not recycled, but they will eventually kick in.
TheGeezer2010Author Commented:
The solutions provided do not work unfortunately, but I have managed to figure this one out. The following command works like a charm :-

Get-mailboxdatabase <database_name> | get-mailbox | add-mailboxpermission -user <Account_to_give_full_access_to> -accessrights fullaccess

Thank you for your suggestions Akhater but on this occasion I cannot award the points as I worked this out myself.
It is not a question of points. Your command will work only for current mailboxes and not for new ones, and that is exactly why I asked you if the command I gave you will work for newly created users; I would have given you that one.
TheGeezer2010Author Commented:
Hi Akhater

You are right - this does only work with current mailboxes. The problem is that the two commands you provided did not even work for current mailboxes - which of these commands should work with both current and future mailboxes ?
I was not trying to be funny about the points, this is the way it was explained to me that this works!
for the current ones

get-mailbox -database <dbname> -resultsize Unlimited | add-mailboxpermission -user <Account_to_give_full_access_to> -accessrights fullaccess

should work

for the future ones try

get-mailboxdatabase <db_name> | add-ADpermission -user <user_account> -accessrights genericall -inheritancetype all
TheGeezer2010Author Commented:
Hi Akhater

The first of these needs to be the command I gave as you cannot pipe the results of get-mailboxdatabase directly into the add-mailboxpermission command, you need to pipe it firstly into get-mailbox command, then into get-mailboxpermission.

I will try the other command when I get back Monday.
The first command is get-mailbox, not get-mailboxdatabase; it should work just fine. In any case it will give the same result as the one you gave me.
TheGeezer2010Author Commented:
Have fully tested the commands - giving fullaccess mailbox permissions on all current mailboxes is not a problem. The problem is in giving this fullaccess to future mailboxes. I have tried the following command which again, works for current but NOT future mailboxes :-

get-mailboxdatabase <DB_Name> | get-mailbox | add-mailboxpermission -user <Account_to_give_access_to> -accessrights fullaccess -inheritancetype all

I have also tried this command which is supposed to work for all FUTURE mailboxes but tests show this does not seem to work (either create profile for the mailbox or add as an additional mailbox gives - unable to expand folder) :-

get-mailboxdatabase <DB_Name> | get-mailbox | add-adpermission -user <Account_to_give_access_to> -accessrights genericall

Surely there MUST be a way of achieving this which actually works ? It looks as if the mailboxpermission accessrights are NOT inherited by new mailboxes even when applied to the mailboxstore ?
TheGeezer2010Author Commented:
Anyone have any more suggestions - maybe someone has managed to get this working ?
TheGeezer2010Author Commented:
Reviewing this again - Akhater are you prepared to continue working with this ? Have you successfully managed this ?
The issue is exactly this :-

Need to run a Powershell command which assigns mailboxpermission fullaccess for an account to all current (the command works for all current) and future (does not work for future) mailboxes on a particular Database/Server/OU/Organization. The test of success will be this :-

1. Create a new account
2. Open Outlook with the administrative account profile.
3. Add the target mailbox as additional mailbox
4. Open the additional mailbox and view contents

I will look again at suggestions thus far, but the genericall does NOT work for this - cannot open the additional mailbox folder. I have also increased points to 350 as this seems to accurately reflect the difficulty of this.
I suspect that this may require permissions on a particular object (through ADSIEdit) BUT the problem is in working out whether there are equivalent permissions in AD to those of mailboxpermissions, or WHERE and HOW the mailboxpermissions can be assigned. Note that mailboxpermissions and ADPermissions are two very separate and distinct entities.
Thanks to anyone who is prepared to assist.
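Since the thread settles on FullAccess not being inherited by newly created mailboxes, the practical approach is a re-runnable script over the current mailboxes of a database. The following is an added example, not posted in the thread; it assumes the Exchange Management Shell is loaded and uses placeholder parameter names ($DatabaseName, $Delegate).

```powershell
# Added example (not from the thread): grant FullAccess to every current mailbox on
# one database, skipping mailboxes where the delegate already holds it explicitly.
# The permission is not inherited by future mailboxes, so this is intended to be
# re-run (for example from a scheduled task) to pick up newly created mailboxes.
# $DatabaseName and $Delegate are assumed placeholder parameters.
param(
    [Parameter(Mandatory = $true)][string]$DatabaseName,
    [Parameter(Mandatory = $true)][string]$Delegate,
    [switch]$WhatIf
)

$granted = 0
$skipped = 0

# -ResultSize Unlimited avoids the default 1000-object cap on large databases.
foreach ($mbx in (Get-Mailbox -Database $DatabaseName -ResultSize Unlimited)) {

    # Look for an explicit (non-inherited, non-deny) FullAccess ACE for the delegate.
    $existing = Get-MailboxPermission -Identity $mbx.Identity -User $Delegate -ErrorAction SilentlyContinue |
        Where-Object { ($_.AccessRights -contains 'FullAccess') -and (-not $_.Deny) -and (-not $_.IsInherited) }

    if ($existing) {
        $skipped++
        continue
    }

    if ($WhatIf) {
        Write-Output "Would grant FullAccess on '$($mbx.Identity)' to '$Delegate'"
    } else {
        Add-MailboxPermission -Identity $mbx.Identity -User $Delegate `
            -AccessRights FullAccess -InheritanceType All | Out-Null
        Write-Output "Granted FullAccess on '$($mbx.Identity)' to '$Delegate'"
    }
    $granted++
}

Write-Output "Done: $granted granted, $skipped already had explicit FullAccess."
```

Run it once with -WhatIf to review the mailbox list before changing anything; the idempotent check keeps repeated scheduled runs from stacking duplicate ACEs.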
TheGeezer2010Author Commented:
Only 50% of question answered - found out remainder myself