Link to home
Create AccountLog in
Avatar of Frosty555
Frosty555Flag for Canada

asked on

Exchange 2013 mailbox permissions

I have a brand new Exchange 2013 installation and trying to undertsand the concept of mailbox permissions a bit more.

My original goal was to have the Administrator user be able to have full access to all other user's mailboxes by default. This led to a rabbit hold of learning about Mailbox Permissions.

So when I run "Get-MailboxPermission -Identity jdoe", I get a table listing all of the permissions for that user. Example:

Identity             User                 AccessRights                                                IsInherited Deny
--------             ----                 ------------                                                ----------- ----
abcd.local/jdoe     NT AUTHORITY\SELF    {FullAccess, ReadPermission}                                False       False
abcd.local/jdoe     ABCD\marybrown       {FullAccess}                                                False       False
abcd.local/jdoe     ABCD\administrator   {FullAccess}                                                True        True
abcd.local/jdoe     ABCD\Domain Admins   {FullAccess}                                                True        True
abcd.local/jdoe     ABCD\Enterprise A... {FullAccess}                                                True        True
abcd.local/jdoe     ABCD\Organization... {FullAccess}                                                True        True
abcd.local/jdoe     NT AUTHORITY\SYSTEM  {FullAccess}                                                True        False
abcd.local/jdoe     NT AUTHORITY\NETW... {ReadPermission}                                            True        False
abcd.local/jdoe     ABCD\administrator   {FullAccess, DeleteItem, ReadPermission, ChangePermissio... True        False
abcd.local/jdoe     ABCD\Domain Admins   {FullAccess, DeleteItem, ReadPermission, ChangePermissio... True        False
abcd.local/jdoe     ABCD\Enterprise A... {FullAccess, DeleteItem, ReadPermission, ChangePermissio... True        False
abcd.local/jdoe     ABCD\Organization... {FullAccess, DeleteItem, ReadPermission, ChangePermissio... True        False
abcd.local/jdoe     ABCD\Public Folde... {ReadPermission}                                            True        False
abcd.local/jdoe     ABCD\Delegated Setup {ReadPermission}                                            True        False
abcd.local/jdoe     ABCD\Exchange Ser... {FullAccess, ReadPermission}                                True        False
abcd.local/jdoe     ABCD\Exchange Tru... {FullAccess, DeleteItem, ReadPermission, ChangePermissio... True        False

Open in new window

Notice how in the table above, the second line shows that the user "marybrown" has been granted full access to "jdoe"'s mailbox? That's me granting full access rights to the marybrown user via Mailbox Delegation in EAC. The "IsInherited" column is set to FALSE because it's a permission for that specific mailbox.

Now I also see a handful of permissions where the DENY column is set to "true" - These columns are explicitly DENYING the Administrator, Domain Admins, Enterprise Admins etc. from acessing the mailbox. These columns have the "IsInherited" column set to TRUE.

I guess my question is:

1) Where did those "deny" permissions come from? What are they being inherited FROM? The database / organization? Where can I go to look at those permissions?

2) Can I turn some of those deny permissions off? I'd really like the "Administrator" user to be able to access everyone's mailbox

3) Can I add an inherited permission somehow? I'd really like to be able to create a Security Group which grants access to ALL mailboxes by having the permission be inherited by all mailboxes
Avatar of Simon Butler (Sembee)
Simon Butler (Sembee)
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
Avatar of Frosty555


I ran into this forum post just as you posted as well:

The post above pretty clearly explains part (1) if what I was asking.

But it's clear you are suggesting that I *NOT* do exactly what is described in this article.... and for good reason I suppose. So there's my answer to part (2).

And the command you gave me sounds like the answer to (3) so I'll give that a try. I just have to realize that a Domain Admin or the Administrator account cannot be used for the purpose of opening other people's mailboxes.

The main reason for needing to do this right now is because we're in the middle of a migration from Google Apps, and after I finish importing all their mail from the old account I need to be able to go into their mailboxes and make sure everything came over properly, tweak if necessary etc.
Okay so I created a group, called "Full Mailbox Access", added my regular unprivileged account to that group, and ran the command you gave me. The results were:

User                : MYCOMPANY\Full Mailbox Access
Identity            : Mailbox Database 12341234
Deny                : False
AccessRights        : {ExtendedRight}
IsInherited         : False
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All

User                : MYCOMPANY\Full Mailbox Access
Identity            : Mailbox Database 12341234
Deny                : False
AccessRights        : {ExtendedRight}
IsInherited         : False
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All

.... but still no joy. If I login as my regular account to OWA, and then try to go to "Open Another Mailbox", I get a "MapiExceptionLogonFailed: Unable to open message store." error. This is the same error I get when I don't have sufficient access to a mailbox. If I were to go add myself to the "Full Access" list for that mailbox in ECP->Recipients->mailbox delegation->Full Access, I can access it just fine.

If I run the Get-MailboxPermission on one of my mailboxes, I don't see the "Full Mailbox Access" in the list.

Is there maybe somewhere else we need to add the permission to?
Nevermind, I just needed to restart the "Microsoft Exchange Information Store" service, the changes hadn't taken affect right away.

This was a helpful article, in particular, the "Using EMS method 2" section, and the big red disclaimer at the bottom that said to restart the Microsoft Exchange Information Store service
I am a little behind on my posts...
Exchange caches permissions. Therefore it can take two hours before a change is effective. Therefore it is best if you presume you don't have any permissions, check/change and then attempt access.

Restarting the information store flushes the cache - although with the disruption.