Exchange 2013 mailbox permissions

Posted on 2013-05-15
1 Endorsement
Last Modified: 2013-05-17
I have a brand new Exchange 2013 installation and trying to undertsand the concept of mailbox permissions a bit more.

My original goal was to have the Administrator user be able to have full access to all other user's mailboxes by default. This led to a rabbit hold of learning about Mailbox Permissions.

So when I run "Get-MailboxPermission -Identity jdoe", I get a table listing all of the permissions for that user. Example:

Identity             User                 AccessRights                                                IsInherited Deny
--------             ----                 ------------                                                ----------- ----
abcd.local/jdoe     NT AUTHORITY\SELF    {FullAccess, ReadPermission}                                False       False
abcd.local/jdoe     ABCD\marybrown       {FullAccess}                                                False       False
abcd.local/jdoe     ABCD\administrator   {FullAccess}                                                True        True
abcd.local/jdoe     ABCD\Domain Admins   {FullAccess}                                                True        True
abcd.local/jdoe     ABCD\Enterprise A... {FullAccess}                                                True        True
abcd.local/jdoe     ABCD\Organization... {FullAccess}                                                True        True
abcd.local/jdoe     NT AUTHORITY\SYSTEM  {FullAccess}                                                True        False
abcd.local/jdoe     NT AUTHORITY\NETW... {ReadPermission}                                            True        False
abcd.local/jdoe     ABCD\administrator   {FullAccess, DeleteItem, ReadPermission, ChangePermissio... True        False
abcd.local/jdoe     ABCD\Domain Admins   {FullAccess, DeleteItem, ReadPermission, ChangePermissio... True        False
abcd.local/jdoe     ABCD\Enterprise A... {FullAccess, DeleteItem, ReadPermission, ChangePermissio... True        False
abcd.local/jdoe     ABCD\Organization... {FullAccess, DeleteItem, ReadPermission, ChangePermissio... True        False
abcd.local/jdoe     ABCD\Public Folde... {ReadPermission}                                            True        False
abcd.local/jdoe     ABCD\Delegated Setup {ReadPermission}                                            True        False
abcd.local/jdoe     ABCD\Exchange Ser... {FullAccess, ReadPermission}                                True        False
abcd.local/jdoe     ABCD\Exchange Tru... {FullAccess, DeleteItem, ReadPermission, ChangePermissio... True        False

Open in new window

Notice how in the table above, the second line shows that the user "marybrown" has been granted full access to "jdoe"'s mailbox? That's me granting full access rights to the marybrown user via Mailbox Delegation in EAC. The "IsInherited" column is set to FALSE because it's a permission for that specific mailbox.

Now I also see a handful of permissions where the DENY column is set to "true" - These columns are explicitly DENYING the Administrator, Domain Admins, Enterprise Admins etc. from acessing the mailbox. These columns have the "IsInherited" column set to TRUE.

I guess my question is:

1) Where did those "deny" permissions come from? What are they being inherited FROM? The database / organization? Where can I go to look at those permissions?

2) Can I turn some of those deny permissions off? I'd really like the "Administrator" user to be able to access everyone's mailbox

3) Can I add an inherited permission somehow? I'd really like to be able to create a Security Group which grants access to ALL mailboxes by having the permission be inherited by all mailboxes
Question by:Frosty555
  • 3
  • 2
LVL 63

Accepted Solution

Simon Butler (Sembee) earned 500 total points
ID: 39171261
Don't use Administrator for access to all mailboxes. That is against best practises.
The best practise, which Exchange will enforce unless you undo a lot of settings, is that accounts in the protected groups (Administrator, Domain Admins Power Users etc) cannot have permissions to other mailboxes. Those will be get an inherited deny.

If you require an account to have access to all mailboxes (Which I personally don't think anyone needs other than a BES Admin account) then use a regular account that is not a member of the above groups and has permissions in Exchange.

You should be operating a split permissions model - where you personal account is a regular user and you have a seperate Domain Admin model.

You can add a group to the permissions structure, again I would use a specific group for the task that isn't a member of anything else.

Get-MailboxDatabase | Add-ADPermission -User "Group-Name" -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin

Receive As will give you permissions to open the mailbox content.

Don't try to undo the inherited permissions, as that will cause you nothing but problems.

LVL 31

Author Comment

ID: 39173500
I ran into this forum post just as you posted as well:

The post above pretty clearly explains part (1) if what I was asking.

But it's clear you are suggesting that I *NOT* do exactly what is described in this article.... and for good reason I suppose. So there's my answer to part (2).

And the command you gave me sounds like the answer to (3) so I'll give that a try. I just have to realize that a Domain Admin or the Administrator account cannot be used for the purpose of opening other people's mailboxes.

The main reason for needing to do this right now is because we're in the middle of a migration from Google Apps, and after I finish importing all their mail from the old account I need to be able to go into their mailboxes and make sure everything came over properly, tweak if necessary etc.
LVL 31

Author Comment

ID: 39173518
Okay so I created a group, called "Full Mailbox Access", added my regular unprivileged account to that group, and ran the command you gave me. The results were:

User                : MYCOMPANY\Full Mailbox Access
Identity            : Mailbox Database 12341234
Deny                : False
AccessRights        : {ExtendedRight}
IsInherited         : False
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All

User                : MYCOMPANY\Full Mailbox Access
Identity            : Mailbox Database 12341234
Deny                : False
AccessRights        : {ExtendedRight}
IsInherited         : False
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All

.... but still no joy. If I login as my regular account to OWA, and then try to go to "Open Another Mailbox", I get a "MapiExceptionLogonFailed: Unable to open message store." error. This is the same error I get when I don't have sufficient access to a mailbox. If I were to go add myself to the "Full Access" list for that mailbox in ECP->Recipients->mailbox delegation->Full Access, I can access it just fine.

If I run the Get-MailboxPermission on one of my mailboxes, I don't see the "Full Mailbox Access" in the list.

Is there maybe somewhere else we need to add the permission to?
LVL 31

Author Comment

ID: 39173534
Nevermind, I just needed to restart the "Microsoft Exchange Information Store" service, the changes hadn't taken affect right away.

This was a helpful article, in particular, the "Using EMS method 2" section, and the big red disclaimer at the bottom that said to restart the Microsoft Exchange Information Store service
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39174506
I am a little behind on my posts...
Exchange caches permissions. Therefore it can take two hours before a change is effective. Therefore it is best if you presume you don't have any permissions, check/change and then attempt access.

Restarting the information store flushes the cache - although with the disruption.


Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process describes the steps required to Import and Export data from and to .pst files using Exchange 2010. We can use these steps to export data from a user to a .pst file, import data back to the same or a different user, or even import data t…
Read this checklist to learn more about the 15 things you should never include in an email signature.
In this Micro Tutorial viewers will learn how they can get their files copied out from their unbootable system without need to use recovery services. As an example non-bootable Windows 2012R2 installation is used which has boot problems.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

943 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

5 Experts available now in Live!

Get 1:1 Help Now