TheGeezer2010
asked on
Exchange 2010 SP1 Grant Full Access to all current and future mailboxes on a mailboxdatabase to a domain account
Have used the following PS command which is supposed to grant permissions to both current and any future users - checking ADSIEdit, it does give the permissions on the mailboxdatabase object, but NOT to any of the mailboxes on the database either current or future.
get-mailboxdatabase <db_name> | add-adpermission -user <user_account> -accessrights genericall
Can anyone advise if this SHOULD work, and if so, why it is not working please.
I have also tried a similar command :-
get-mailboxdatabase <db_name> | add-mailboxpermission -user <user_account> -accessrights genericall
OR
get-mailboxdatabase <db_name> | add-adpermission -user <user_account> -accessrights fullaccess - inheritancetype all
Neither of these are accepted commands (suspect PS does not allow output of get-mailboxdatabase to be piped to the add-mailboxpermission cmdlet).
If not, can someone suggest how to do this using ADUC/ADSIEDit - I can set the Send-As permission by adding it into the Root permissions, but which permissions constitute Mailbox-Full Access ?
Thanks again
>> Neither of these are accepted commands can you give me the error ???
ASKER
Please bear in mind that when using the Add-ADPermission the first part (get-mailboxdatabase <Database_Name>) works fine and is correctly piped into the following cmdlet - the command completes successfully.
Genericall :-
Cannot process argument transformation on parameter 'AccessRights'. Cannot conv
ert value "genericall" to type "Microsoft.Exchange.Management.RecipientTasks.Ma
ilboxRights[]". Error: "Cannot convert value "genericall" to type "Microsoft.Ex
change.Management.RecipientTasks.MailboxRights" due to invalid enumeration valu
es. Specify one of the following enumeration values and try again. The possible
enumeration values are "FullAccess, SendAs, ExternalAccount, DeleteItem, ReadP
ermission, ChangePermission, ChangeOwner"."
+ CategoryInfo : InvalidData: (:) [Add-MailboxPermission], Parame
terBindin...mationException
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,Add-Mailbox
Permission
FullAccess (either with/without -inheritancetype all) :-
<Database_Name> wasn't found. Please make sure you've typed it correctly.
+ CategoryInfo : NotSpecified: (0:Int32) [Add-MailboxPermission],
ManagementObjectNotFoundException
+ FullyQualifiedErrorId : 3A923970,Microsoft.Exchange.Management.Recipient
Tasks.AddMailboxPermission
both the below should work if not please give me the error of either
get-mailboxdatabase <db_name> | add-ADpermission -user <user_account> -accessrights genericall
get-mailboxdatabase <db_name> | add-adpermission -user <user_account> -accessrights fullaccess -inheritancetype all
ASKER
Hi Akhater and thank you for your assistance
The first of these commands was the one I initially tried and, although the command completes successfully and I can see that the mailboxdatabase object shows the correct added permission in AD, the sub-objects (mailboxes) do not.
The second of these commands does not complete with the following error :-
Cannot process argument transformation on parameter 'AccessRights'. Cannot conv
ert value "fullaccess" to type "System.DirectoryServices.ActiveDirectoryRights[
]". Error: "Cannot convert value "fullaccess" to type "System.DirectoryServices
.ActiveDirectoryRights" due to invalid enumeration values. Specify one of the f
ollowing enumeration values and try again. The possible enumeration values are
"CreateChild, DeleteChild, ListChildren, Self, ReadProperty, WriteProperty, Del
eteTree, ListObject, ExtendedRight, Delete, ReadControl, GenericExecute, Generi
cWrite, GenericRead, WriteDacl, WriteOwner, GenericAll, Synchronize, AccessSyst
emSecurity"."
+ CategoryInfo : InvalidData: (:) [Add-ADPermission], ParameterBi
ndin...mationException
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,Add-ADPermi
ssion
Hope this is useful for you to continue your troubleshooting !
well actually it is my bad :) the second one should be add-mailboxpermission however it will not work with get-mailboxdatabase
just to make sure of something after you have run the first command successfully if you create a new mailbox will the access right be effective ?
ASKER
I will test again today but definitely was not the case yesterday. Will test again and let you know.
kindly note that these kinds of changes need recycling of the information store and the system attendant services
ASKER
Are you absolutely sure of that as this is production environment and cannot just do that easily ?
I am aware of it being a production environment. permissions changes can take up to 4 hours to be effective if the services are not recycled. but they will eventually kick in
ASKER
The solutions provided do not work unfortunately, but I have managed to figure this one out. The following command works like a charm :-
Get-mailboxdatabase <database_name> | get-mailbox | add-mailboxpermission -user <Account_to_give_full_access_to> -accessrights fullaccess
Thank you for your suggestions Akhater but on this occasion I cannot award the points as I worked this out myself.
It is not a question of points. Your command will work only for current mailboxes and not for new ones, and that is exactly why I asked you if the command I gave you will work for newly created users. I would have given you that one.
ASKER
Hi Akhater
You are right - this does only work with current mailboxes. The problem is that the two commands you provided did not even work for current mailboxes - which of these commands should work with both current and future mailboxes ?
I was not trying to be funny about the points, this is the way it was explained to me that this works !
SOLUTION
This solution is only available to members.
ASKER
Hi Akhater
The first of these needs to be the command I gave as you cannot pipe the results of get-mailboxdatabase directly into the add-mailboxpermission command, you need to pipe it firstly into get-mailbox command, then into get-mailboxpermission.
I will try the other command when I get back Monday.
the first command is get-mailbox not get-mailboxdatabase it should work just fine. In any case it will give the same result as the one you gave me
ASKER
Have fully tested the commands - giving fullaccess mailbox permissions on all current mailboxes is not a problem. The problem is in giving this fullaccess to future mailboxes. I have tried the following command which again, works for current but NOT future mailboxes :-
get-mailboxdatabase <DB_Name> | get-mailbox | add-mailboxpermission -user <Account_to_give_access_to> -accessrights fullaccess -inheritancetype all
I have also tried this command which is supposed to work for all FUTURE mailboxes but tests show this does not seem to work (either create profile for the mailbox or add as an additional mailbox gives - unable to expand folder) :-
get-mailboxdatabase <DB_Name> | get-mailbox | add-adpermission -user <Account_to_give_access_to> -accessrights genericall
Surely there MUST be a way of achieving this which actually works ? It looks as if the mailboxpermission accessrights are NOT inherited by new mailboxes even when applied to the mailboxstore ?
ASKER
Anyone have any more suggestions - maybe someone has managed to get this working ?
ASKER
Reviewing this again - Akhater are you prepared to continue working with this ? Have you successfully managed this ?
The issue is exactly this :-
Need to run a Powershell command which assigns mailboxpermission fullaccess for an account to all current (the command works for all current) and future (does not work for future) mailboxes on a particular Database/Server/OU/Organization. The test of success will be this :-
1. Create a new account
2. Open Outlook with the administrative account profile.
3. Add the target mailbox as additional mailbox
4. Open the additional mailbox and view contents
I will look again at suggestions thus far, but the genericall does NOT work for this - cannot open the additional mailbox folder. I have also increased points to 350 as this seems to accurately reflect the difficulty of this.
I suspect that this may require permissions on a particular object (through ADSIEdit) BUT the problem is in working out whether there are equivalent permissions in AD to those of mailboxpermissions, or WHERE and HOW the mailboxpermissions can be assigned. Note that mailboxpermissions and ADPermissions are two very separate and distinct entities.
Thanks to anyone who is prepared to assist.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
Only 50% of question answered - found out remainder myself
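Added example, not part of the original thread and not from either poster: the visible posts only confirm that the per-mailbox add-mailboxpermission pipeline works for mailboxes that already exist, so this sketch re-checks a database and grants FullAccess only where it is missing, returning one report row per mailbox so the standing grant can be audited. The function name Sync-DatabaseFullAccess and its parameters are hypothetical, and running it on a schedule to pick up new mailboxes is an assumption, not the hidden accepted solution.

```powershell
# Added example for the Exchange Management Shell (Exchange 2010, PowerShell 2.0).
# Sync-DatabaseFullAccess is a hypothetical helper name, not an Exchange cmdlet.
function Sync-DatabaseFullAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Database,  # mailbox database name
        [Parameter(Mandatory = $true)][string]$Trustee    # account receiving FullAccess
    )

    foreach ($mbx in Get-Mailbox -Database $Database -ResultSize Unlimited) {
        # Any Allow entry for the trustee that includes FullAccess counts as present,
        # whether it is set on the mailbox itself or inherited.
        $existing = Get-MailboxPermission -Identity $mbx.Identity -User $Trustee |
            Where-Object { -not $_.Deny -and ($_.AccessRights -match 'FullAccess') }

        if ($existing) {
            $state = 'Present'
        }
        elseif ($PSCmdlet.ShouldProcess("$($mbx.Identity)", "Grant FullAccess to $Trustee")) {
            # Same grant the thread applies per mailbox; only reached when missing.
            Add-MailboxPermission -Identity $mbx.Identity -User $Trustee `
                -AccessRights FullAccess -InheritanceType All | Out-Null
            $state = 'Added'
        }
        else {
            # -WhatIf (or a declined -Confirm) leaves the mailbox untouched.
            $state = 'Missing'
        }

        # One row per mailbox, suitable for Export-Csv or change review.
        New-Object PSObject -Property @{
            Mailbox = $mbx.PrimarySmtpAddress
            Trustee = $Trustee
            State   = $state
        }
    }
}

# Report only, no changes made; replace the placeholders with real values.
Sync-DatabaseFullAccess -Database '<db_name>' -Trustee '<user_account>' -WhatIf
```

Dropping -WhatIf applies the missing grants; rows with State "Added" are the mailboxes created since the last run.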