Solved

Exchange 2010 SP1 Grant Full Access to all current and future mailboxes on a mailboxdatabase to a domain account

Posted on 2010-11-11
4,112 Views
Last Modified: 2012-05-10
Have used the following PS command which is supposed to grant permissions to both current and any future users - checking ADSIEdit, it does give the permissions on the mailboxdatabase object, but NOT to any of the mailboxes on the database either current or future.
get-mailboxdatabase <db_name> | add-adpermission -user <user_account> -accessrights genericall

Can anyone advise if this SHOULD work, and if so, why it is not working please.

I have also tried a similar command :-

get-mailboxdatabase <db_name> | add-mailboxpermission -user <user_account> -accessrights genericall
OR
get-mailboxdatabase <db_name> | add-adpermission -user <user_account> -accessrights fullaccess -inheritancetype all

Neither of these is an accepted command (I suspect PS does not allow the output of get-mailboxdatabase to be piped to the add-mailboxpermission cmdlet).

If not, can someone suggest how to do this using ADUC/ADSIEdit - I can set the Send-As permission by adding it into the Root permissions, but which permissions constitute Mailbox Full Access?

Thanks again
Question by:TheGeezer2010
20 Comments
 
LVL 49

Expert Comment

by:Akhater
ID: 34112092
>> Neither of these are accepted commands

Can you give me the error???
 
LVL 11

Author Comment

by:TheGeezer2010
ID: 34112240
Please bear in mind that when using Add-ADPermission the first part (get-mailboxdatabase <Database_Name>) works fine and is correctly piped into the following cmdlet - the command completes successfully.

Genericall :-

Cannot process argument transformation on parameter 'AccessRights'. Cannot convert value "genericall" to type "Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]". Error: "Cannot convert value "genericall" to type "Microsoft.Exchange.Management.RecipientTasks.MailboxRights" due to invalid enumeration values. Specify one of the following enumeration values and try again. The possible enumeration values are "FullAccess, SendAs, ExternalAccount, DeleteItem, ReadPermission, ChangePermission, ChangeOwner"."
    + CategoryInfo          : InvalidData: (:) [Add-MailboxPermission], ParameterBindin...mationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Add-MailboxPermission

FullAccess (either with/without -inheritancetype all) :-

<Database_Name> wasn't found. Please make sure you've typed it correctly.
    + CategoryInfo          : NotSpecified: (0:Int32) [Add-MailboxPermission], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : 3A923970,Microsoft.Exchange.Management.RecipientTasks.AddMailboxPermission
 
LVL 49

Expert Comment

by:Akhater
ID: 34112365
Both of the below should work; if not, please give me the error of either.
get-mailboxdatabase <db_name> | add-ADpermission -user <user_account> -accessrights genericall

get-mailboxdatabase <db_name> | add-adpermission -user <user_account> -accessrights fullaccess -inheritancetype all

 
LVL 11

Author Comment

by:TheGeezer2010
ID: 34112999
Hi Akhater and thank you for your assistance

The first of these commands was the one I initially tried and, although the command completes successfully and I can see that the mailboxdatabase object shows the correct added permission in AD, the sub-objects (mailboxes) do not.
The second of these commands does not complete, with the following error :-

Cannot process argument transformation on parameter 'AccessRights'. Cannot convert value "fullaccess" to type "System.DirectoryServices.ActiveDirectoryRights[]". Error: "Cannot convert value "fullaccess" to type "System.DirectoryServices.ActiveDirectoryRights" due to invalid enumeration values. Specify one of the following enumeration values and try again. The possible enumeration values are "CreateChild, DeleteChild, ListChildren, Self, ReadProperty, WriteProperty, DeleteTree, ListObject, ExtendedRight, Delete, ReadControl, GenericExecute, GenericWrite, GenericRead, WriteDacl, WriteOwner, GenericAll, Synchronize, AccessSystemSecurity"."
    + CategoryInfo          : InvalidData: (:) [Add-ADPermission], ParameterBindin...mationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Add-ADPermission

Hope this is useful for you to continue your troubleshooting!
 
LVL 49

Expert Comment

by:Akhater
ID: 34118286
Well, actually it is my bad :) The second one should be add-mailboxpermission; however, it will not work with get-mailboxdatabase.

Just to make sure of something: after you have run the first command successfully, if you create a new mailbox, will the access right be effective?
 
LVL 11

Author Comment

by:TheGeezer2010
ID: 34118305
I will test again today, but it definitely was not the case yesterday. Will test again and let you know.
 
LVL 49

Expert Comment

by:Akhater
ID: 34118319
Kindly note that these kinds of changes need recycling of the Information Store and the System Attendant services.
 
LVL 11

Author Comment

by:TheGeezer2010
ID: 34118410
Are you absolutely sure of that, as this is a production environment and I cannot just do that easily?
 
LVL 49

Expert Comment

by:Akhater
ID: 34118415
I am aware of it being a production environment. Permission changes can take up to 4 hours to be effective if the services are not recycled, but they will eventually kick in.
 
LVL 11

Author Comment

by:TheGeezer2010
ID: 34121601
The solutions provided do not work unfortunately, but I have managed to figure this one out. The following command works like a charm :-

Get-MailboxDatabase <database_name> | Get-Mailbox | Add-MailboxPermission -User <Account_to_give_full_access_to> -AccessRights FullAccess

Thank you for your suggestions Akhater but on this occasion I cannot award the points as I worked this out myself.

 
LVL 49

Expert Comment

by:Akhater
ID: 34122664
It is not a question of points. Your command will work only for current mailboxes and not for new ones, and that is exactly why I asked you if the command I gave you will work for newly created users; I would have given you that one.
 
LVL 11

Author Comment

by:TheGeezer2010
ID: 34125313
Hi Akhater

You are right - this does only work with current mailboxes. The problem is that the two commands you provided did not even work for current mailboxes - which of these commands should work with both current and future mailboxes?
I was not trying to be funny about the points; this is the way it was explained to me that this works!
 
LVL 49

Assisted Solution

by:Akhater
Akhater earned 175 total points
ID: 34125339
For the current ones

Get-Mailbox -Database <dbname> -ResultSize Unlimited | Add-MailboxPermission -User <Account_to_give_full_access_to> -AccessRights FullAccess

should work.

For the future ones try

get-mailboxdatabase <db_name> | add-ADpermission -user <user_account> -accessrights genericall -inheritancetype all
 
LVL 11

Author Comment

by:TheGeezer2010
ID: 34130668
Hi Akhater

The first of these needs to be the command I gave as you cannot pipe the results of get-mailboxdatabase directly into the add-mailboxpermission command, you need to pipe it firstly into get-mailbox command, then into get-mailboxpermission.

I will try the other command when I get back Monday.
 
LVL 49

Expert Comment

by:Akhater
ID: 34130683
The first command is get-mailbox, not get-mailboxdatabase; it should work just fine. In any case it will give the same result as the one you gave me.
 
LVL 11

Author Comment

by:TheGeezer2010
ID: 34143724
Have fully tested the commands - giving fullaccess mailbox permissions on all current mailboxes is not a problem. The problem is in giving this fullaccess to future mailboxes. I have tried the following command which again, works for current but NOT future mailboxes :-

get-mailboxdatabase <DB_Name> | get-mailbox | add-mailboxpermission -user <Account_to_give_access_to> -accessrights fullaccess -inheritancetype all

I have also tried this command which is supposed to work for all FUTURE mailboxes but tests show this does not seem to work (either create profile for the mailbox or add as an additional mailbox gives - unable to expand folder) :-

get-mailboxdatabase <DB_Name> | get-mailbox | add-adpermission -user <Account_to_give_access_to> -accessrights genericall

Surely there MUST be a way of achieving this which actually works? It looks as if the mailboxpermission accessrights are NOT inherited by new mailboxes even when applied to the mailbox store?
 
LVL 11

Author Comment

by:TheGeezer2010
ID: 34153820
Anyone have any more suggestions - maybe someone has managed to get this working?
 
LVL 11

Author Comment

by:TheGeezer2010
ID: 34162651
Reviewing this again - Akhater are you prepared to continue working with this ? Have you successfully managed this ?
The issue is exactly this :-

Need to run a Powershell command which assigns mailboxpermission fullaccess for an account to all current (the command works for all current) and future (does not work for future) mailboxes on a particular Database/Server/OU/Organization. The test of success will be this :-

1. Create a new account
2. Open Outlook with the administrative account profile.
3. Add the target mailbox as additional mailbox
4. Open the additional mailbox and view contents

I will look again at suggestions thus far, but the genericall does NOT work for this - cannot open the additional mailbox folder. I have also increased points to 350 as this seems to accurately reflect the difficulty of this.
I suspect that this may require permissions on a particular object (through ADSIEdit) BUT the problem is in working out whether there are equivalent permissions in AD to those of mailboxpermissions, or WHERE and HOW the mailboxpermissions can be assigned. Note that mailboxpermissions and ADPermissions are two very separate and distinct entities.
Thanks to anyone who is prepared to assist.
 
LVL 11

Accepted Solution

by:TheGeezer2010 (earned 0 total points)
ID: 34164175
OK, I have discovered the reason why this cannot be applied to all future accounts. The attribute which applies this permission in AD is MsExchDelegateListLink. This attribute is ONLY available at the account level within AD; therefore there seems to be no way (other than programmatically) to populate this attribute. I would like to close this query.
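The thread's conclusion is that Full Access is recorded per mailbox and is not inherited from the database object, so the only way to cover mailboxes created later is to apply the grant again after they exist. The script below is an added example (not code from the thread, from Microsoft, or from either participant) of doing that idempotently in the Exchange 2010 SP1 Management Shell: it enumerates the mailboxes on one database through Get-Mailbox (the pipeline the asker found works, since Get-MailboxDatabase cannot be piped straight into Add-MailboxPermission), grants FullAccess only where the trustee does not already hold an explicit allow entry, and returns a per-mailbox status so the Outlook test described above can be confirmed from the shell. Scheduling it picks up new mailboxes on the next run. The database name, the trustee account and the function names are placeholders I chose.

```powershell
# Added example, not code from the thread. Assumes the Exchange 2010 SP1 Management Shell;
# from plain PowerShell load the snap-in first:
#   Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
# Constructed placeholder values: replace with your database and the account to be granted access.
$DatabaseName = 'DB01'
$Trustee      = 'CONTOSO\svc-mailaudit'

function Test-FullAccessGranted {
    param([string]$MailboxIdentity, [string]$User)
    # True only if the trustee holds an explicit (non-inherited), non-deny FullAccess entry.
    $entries = Get-MailboxPermission -Identity $MailboxIdentity -User $User -ErrorAction SilentlyContinue |
        Where-Object { (-not $_.IsInherited) -and (-not $_.Deny) -and ($_.AccessRights -contains 'FullAccess') }
    return [bool]$entries
}

function Grant-FullAccessOnDatabase {
    param([string]$Database, [string]$User, [switch]$ReportOnly)
    $results = @()
    # -ResultSize Unlimited lifts the default 1000-object cap on large databases.
    foreach ($mbx in (Get-Mailbox -Database $Database -ResultSize Unlimited)) {
        if (Test-FullAccessGranted -MailboxIdentity $mbx.Identity -User $User) {
            $status = 'AlreadyGranted'
        } elseif ($ReportOnly) {
            $status = 'WouldGrant'
        } else {
            # -AutoMapping:$false (SP1 and later) stops Outlook from auto-adding every mailbox
            # to the trustee's profile; the msExchDelegateListLink attribute mentioned in the
            # thread is what Outlook reads for that auto-mapping.
            Add-MailboxPermission -Identity $mbx.Identity -User $User -AccessRights FullAccess `
                -InheritanceType All -AutoMapping:$false | Out-Null
            $status = 'Granted'
        }
        # PowerShell 2.0-compatible object construction (the 2010 shell predates [PSCustomObject]).
        $results += New-Object PSObject -Property @{ Mailbox = $mbx.Alias; Status = $status }
    }
    return $results
}

# Preview first, then apply; re-run (or schedule) to cover mailboxes created since the last run.
Grant-FullAccessOnDatabase -Database $DatabaseName -User $Trustee -ReportOnly | Format-Table -AutoSize
Grant-FullAccessOnDatabase -Database $DatabaseName -User $Trustee | Format-Table -AutoSize
```

Because the check looks only at explicit allow entries, a trustee whose access comes from a Deny entry or from an inherited ACE is reported as not granted and gets an explicit FullAccess entry, which is the state the Outlook "add additional mailbox" test in the thread depends on.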
 
LVL 11

Author Closing Comment

by:TheGeezer2010
ID: 34383955
Only 50% of question answered - found out the remainder myself.