Exchange mailbox rights permissions

I’m trying to amend the Exchange mailbox rights permissions for a system account (EAS Admin).
The system account needs to have Full mailbox access, but a “deny” Full mailbox Access has been inherited from the parent object.


Exchange 2007

LCDawit Asked:
Dunedan79 Commented:
This is actually easier for all mailboxes.

Open the Exchange Management Shell (the DOS-prompt-looking interface). Run the following script:

Get-Mailbox -ResultSize Unlimited | Add-MailboxPermission -User YourServiceAccount -AccessRights FullAccess
 
Dunedan79 Commented:
Which version of Exchange are you running?
 
Amit (IT Architect) Commented:
Check if the account is part of the groups below:

Administrators, Domain Users, Domain Admins

Remove other groups.

Run the command from EMS

Get-MailboxDatabase | Add-ADPermission -user <EASADMIN> -AccessRights GenericAll

Secondly, account should not be disabled in AD and not hidden from GAL.
 
Dunedan79 Commented:
Bah, I didn't see the comment in your original post.

You can easily set Send-As or Full permission from the Exchange Management Console.

Recipient Configuration - Mailbox in the left pane. Click on the account you want to work with in the center pane. Manage Send-As or Full permissions will be an option on the bottom of the right pane.
 
LCDawit (Author) Commented:
@amitkulshrestha:
I ran Get-MailboxDatabase | Add-ADPermission -user EASADMIN -AccessRights GenericAll
but I got a warning (see below) for all 12 storage groups:
WARNING: Appropriate ACE is already present on object......

The account was a member of Domain Admins, so I have taken that out.
 
Amit (IT Architect) Commented:
This is a warning, which means that the permissions were already brought over from old.

Test whether you are able to access it or not.

I would suggest you create a new user and follow the instructions in the article below:
http://technet.microsoft.com/en-us/library/aa996343(EXCHG.80).aspx
 
LCDawit (Author) Commented:
The full mailbox access is there but the "Deny" overrides it. What I probably need is to go to the parent object and remove the Deny "Full mailbox" access permission.
 
Dunedan79 Commented:
Actually an explicit Grant overrides an inherited Deny. You shouldn't have to remove anything inherited from above.
 
LCDawit (Author) Commented:
@Dunedan79:
Thank you for your comment. My problem is how to apply the explicit permission on the parent object. I understand that I will need to apply these permissions on the object itself (the Mailbox Object).
The scenario is this:
A few months ago we upgraded to Exchange 2007 and are still in the co-existence phase, where both Exchange servers are operational.
Prior to the upgrade, "EASAdmin" (system account for Mail Archive) had Full Access to all mailboxes, but after the upgrade a “deny” Full mailbox Access has been inherited from the parent object.
 
Dunedan79 Commented:
If this is a mailbox on a 2007 Exchange server, it is easy from the Exchange Management Console (the GUI, not the DOS prompt). I described how to set full permission in one of the above comments.
 
LCDawit (Author) Commented:
Not only on a single mailbox but on all mailboxes.
 
LCDawit (Author) Commented:
@Dunedan79
Thanks for your help.

I have tried something similar, but it won't take the "deny" Full mailbox access permission. The deny permission is inherited from the parent object, so whatever I do in the mailbox won't remove the "deny".
 
Dunedan79 Commented:
No, it will not, but a specified allow takes precedence over an inherited deny.
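Added example, not part of the thread and not written by any participant: a read-only Exchange Management Shell script that reports, for every mailbox, whether the account's FullAccess entries are allow or deny and explicit or inherited, so the result of the commands discussed above can be checked. `EASADMIN` is the account name from the thread; the report path and variable names are assumptions.

```powershell
# Added example (read-only): classify FullAccess entries for one account on
# every mailbox. Run in the Exchange Management Shell. Changes no permissions.
$Account    = 'EASADMIN'                    # account name used in the thread
$ReportPath = '.\EASADMIN-FullAccess.csv'   # assumed output path

# One row per permission entry that names the account and includes FullAccess.
# Mailboxes with no such entry at all do not appear in the report.
$aces = @(Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission -User $Account |
    Where-Object { $_.AccessRights -like '*FullAccess*' } |
    Select-Object @{ Name = 'Mailbox'; Expression = { $_.Identity.ToString() } },
        @{ Name = 'Kind'; Expression = {
            if     ($_.Deny -eq $true -and $_.IsInherited -eq $true) { 'InheritedDeny' }
            elseif ($_.Deny -eq $true)                                { 'ExplicitDeny' }
            elseif ($_.IsInherited -eq $true)                         { 'InheritedAllow' }
            else                                                      { 'ExplicitAllow' }
        } })

# Keep the full listing as a record of what the account can reach.
$aces | Export-Csv -Path $ReportPath -NoTypeInformation

# Per-mailbox summary: the distinct kinds of entry present for the account.
$summary = $aces | Group-Object Mailbox | ForEach-Object {
    $kinds = @($_.Group | ForEach-Object { $_.Kind } | Sort-Object -Unique)
    $_ | Select-Object @{ Name = 'Mailbox'; Expression = { $_.Name } },
        @{ Name = 'Kinds'; Expression = { [string]::Join(', ', $kinds) } }
}

# Mailboxes where a deny entry exists, with the other entries beside it.
$summary | Where-Object { $_.Kinds -like '*Deny*' } | Format-Table -AutoSize
```

Because the account ends up with access to every mailbox, the CSV is also worth keeping as a baseline to compare against later runs.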
Question has a verified solution.
