?
Solved

Copy exchnage database permissions with ADSIEdit

Posted on 2011-02-21
4
Medium Priority
?
1,046 Views
Last Modified: 2012-05-11
After creating a new mailstore in exchange 2010 I would normally use ADSI Edit to add the permissions for the BES and the backup software account manually.

Is there  a way to copy the permissions from the existing mailstore to the new one with out having to manually open it in adsi-edit?
0
Comment
Question by:BMI-IT
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 58

Expert Comment

by:tigermatt
ID: 34943024
>> Is there  a way to copy the permissions from the existing mailstore to the new one with out having to manually open it in adsi-edit?

No way to "copy" permissions like you describe, but an alternative would be to set the necessary permissions "higher" in the tree - at the organization level - so the BES and backup software can always access any mail store you create.

I also would not recommend you use ADSIEdit for this procedure. Everything can be achieved using the Exchange Management Shell, and that environment is MUCH safer for this purpose.

I would also, as a best practice, use a security group, grant the permissions to the group and then put the BES and backup service user accounts into that group.

I don't know what permissions you want these application service users to have, but here's how to grant them full control at both levels:

At the Mailbox Database level:
Get-MailboxDatabase "DB NAME" | Add-ADPermission -User DOMAIN\MyUserOrGroupName -AccessRights FullControl

Open in new window

At the Organization level:
Get-OrganizationConfig | Add-ADPermission -User DOMAIN\MyUserOrGroupName -AccessRights FullControl

Open in new window

Those examples show how to grant full control - DO NOT give full control if your applications don't need it. If you set the permissions at the organization level, that IS very high in the AD structure, so be sure to document that modification too.

-Matt
0
 

Author Comment

by:BMI-IT
ID: 34943065
Ahh I see,  for the Besadmin account I need to add Send As, Receive As, and Administer Information Store for the new mailstore I created
0
 
LVL 58

Accepted Solution

by:
tigermatt earned 500 total points
ID: 34943210

If you want to grant that at the mailbox store level, the following command will do the trick:

Get-MailboxDatabase "DB NAME" | Add-ADPermission -user DOMAIN\BESAdmin -ExtendedRight Send-As,Receive-As,ms-Exch-Store-Admin

Open in new window


-Matt
0
 

Author Comment

by:BMI-IT
ID: 34943228
That did the trick  thank you :)
0

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In-place Upgrading Dirsync to Azure AD Connect
After hours on line I found a solution which pointed to the inherited Active Directory permissions . You have to give/allow permissions to the "Exchange trusted subsystem" for the user in the Active Directory...
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question