check to see if domain admins have receive as permission

Posted on 2012-04-10
Last Modified: 2012-05-12
Hi all,

I am trying to find out if domain admins have the receive-as permission by running the following command:
get-mailboxdatabase |get-adpermission -user "domain admins"

I get the following error:
There are multiple users/groups matching the identity domain admins".  plase specify a unique value.

Am I doing something incorrectly?

I have an Exchange 2007 SP3
Question by:annayeg
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
LVL 37

Expert Comment

by:Neil Russell
ID: 37830036
Your trying to get the ad permissions on a group, you can NOT do that. Only one user at a time as it explains.

You can use something like....

Get-Mailbox -Server “ESS-Exch702¿ - database "DBName" | Get-ADPermission | where { ($_.ExtendedRights -like “*Send-As*”) -and ($_.IsInherited -eq $false) -and -not ($_.User -like “NT AUTHORITY\SELF”) } | ft -wrap

Author Comment

ID: 37830266
When I run the get-adpermission on a user, my domain admins have genericALL rights on all the users.  Is it in adpermission that you allow or deny mailboxpermissions?

Sorry, I am all over the map.   Basically, I am trying to find out what kind of permissions do domain admins have so I can remove the full mailbox permsisions.   So far, I am seeing Accessrights GenericAll.  If I remove the Accessright GenericAll would that remove their permissions from accessing all the mailboxes?


Author Comment

ID: 37856968
i am trying to test it with one mailbox but I still get the "there are multiple users/groups matching the identity "domain admins.  Please specify a unique value"

get-mailbox -identity  latrain |remove-adpermission  -user "domain admins" -accessrights genericall

Any suggestion how I can accomplish this?

Accepted Solution

annayeg earned 0 total points
ID: 37939548
get-mailbox - database "servername\databasename" |add-mailboxpermission -user "distinguished name of the domain admins" -denyu -accessrights -fullaccess

This did the trick.

Author Closing Comment

ID: 37960029
This solved my problem.

Featured Post

Backup Solution for AWS

Read about how CloudBerry Backup fully integrates your backups with Amazon S3 and Amazon Glacier to provide military-grade encryption and dramatically cut storage costs on any platform.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
A list of top three free exchange EDB viewers that helps the user to extract a mailbox from an unmounted .edb file and get a clear preview of all emails & other items with just a single click on mailboxes.
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question