Exchange 2013 mailbox permissions

Posted on 2013-05-15
1 Endorsement
Last Modified: 2013-05-17
I have a brand new Exchange 2013 installation and am trying to understand the concept of mailbox permissions a bit more.

My original goal was to have the Administrator user be able to have full access to all other users' mailboxes by default. This led to a rabbit hole of learning about Mailbox Permissions.

So when I run "Get-MailboxPermission -Identity jdoe", I get a table listing all of the permissions for that user. Example:

Identity             User                 AccessRights                                                IsInherited Deny
--------             ----                 ------------                                                ----------- ----
abcd.local/jdoe     NT AUTHORITY\SELF    {FullAccess, ReadPermission}                                False       False
abcd.local/jdoe     ABCD\marybrown       {FullAccess}                                                False       False
abcd.local/jdoe     ABCD\administrator   {FullAccess}                                                True        True
abcd.local/jdoe     ABCD\Domain Admins   {FullAccess}                                                True        True
abcd.local/jdoe     ABCD\Enterprise A... {FullAccess}                                                True        True
abcd.local/jdoe     ABCD\Organization... {FullAccess}                                                True        True
abcd.local/jdoe     NT AUTHORITY\SYSTEM  {FullAccess}                                                True        False
abcd.local/jdoe     NT AUTHORITY\NETW... {ReadPermission}                                            True        False
abcd.local/jdoe     ABCD\administrator   {FullAccess, DeleteItem, ReadPermission, ChangePermissio... True        False
abcd.local/jdoe     ABCD\Domain Admins   {FullAccess, DeleteItem, ReadPermission, ChangePermissio... True        False
abcd.local/jdoe     ABCD\Enterprise A... {FullAccess, DeleteItem, ReadPermission, ChangePermissio... True        False
abcd.local/jdoe     ABCD\Organization... {FullAccess, DeleteItem, ReadPermission, ChangePermissio... True        False
abcd.local/jdoe     ABCD\Public Folde... {ReadPermission}                                            True        False
abcd.local/jdoe     ABCD\Delegated Setup {ReadPermission}                                            True        False
abcd.local/jdoe     ABCD\Exchange Ser... {FullAccess, ReadPermission}                                True        False
abcd.local/jdoe     ABCD\Exchange Tru... {FullAccess, DeleteItem, ReadPermission, ChangePermissio... True        False


Notice how in the table above, the second line shows that the user "marybrown" has been granted full access to "jdoe"'s mailbox? That's me granting full access rights to the marybrown user via Mailbox Delegation in EAC. The "IsInherited" column is set to FALSE because it's a permission for that specific mailbox.

Now I also see a handful of permissions where the DENY column is set to "true" - these columns are explicitly DENYING the Administrator, Domain Admins, Enterprise Admins etc. from accessing the mailbox. These columns have the "IsInherited" column set to TRUE.

I guess my question is:

1) Where did those "deny" permissions come from? What are they being inherited FROM? The database / organization? Where can I go to look at those permissions?

2) Can I turn some of those deny permissions off? I'd really like the "Administrator" user to be able to access everyone's mailbox.

3) Can I add an inherited permission somehow? I'd really like to be able to create a Security Group which grants access to ALL mailboxes by having the permission be inherited by all mailboxes.
Question by: Frosty555
LVL 63

Accepted Solution

Simon Butler (Sembee) earned 500 total points
ID: 39171261
Don't use Administrator for access to all mailboxes. That is against best practices.
The best practice, which Exchange will enforce unless you undo a lot of settings, is that accounts in the protected groups (Administrator, Domain Admins, Power Users etc.) cannot have permissions to other mailboxes. Those will get an inherited deny.

If you require an account to have access to all mailboxes (Which I personally don't think anyone needs other than a BES Admin account) then use a regular account that is not a member of the above groups and has permissions in Exchange.

You should be operating a split permissions model - where your personal account is a regular user and you have a separate Domain Admin account.

You can add a group to the permissions structure, again I would use a specific group for the task that isn't a member of anything else.

Get-MailboxDatabase | Add-ADPermission -User "Group-Name" -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin

Receive As will give you permissions to open the mailbox content.

Don't try to undo the inherited permissions, as that will cause you nothing but problems.
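An audit companion to the Add-ADPermission command above, added here as an example and not part of the thread or of Exchange's own tooling: it lists every explicit Receive-As grant on each mailbox database (the entries that give a principal access to all mailboxes in that database), flags any holder that is not the dedicated group, and then lists explicit per-mailbox FullAccess delegations. It runs in the Exchange Management Shell; the group name "Full Mailbox Access" is taken from this thread and is a placeholder for your own.

```powershell
# Added example: audit who can open mailboxes, at database and mailbox level.
# Run in the Exchange Management Shell. Group name is a placeholder.
$GroupName = "Full Mailbox Access"

# 1. Explicit (non-inherited, non-deny) Receive-As grants on every database.
#    Any principal listed here can open every mailbox in that database.
$dbGrants = Get-MailboxDatabase |
    Get-ADPermission |
    Where-Object {
        ($_.ExtendedRights -like "*Receive-As*") -and
        -not $_.IsInherited -and
        -not $_.Deny
    } |
    Select-Object Identity, User, ExtendedRights

"Database-level Receive-As grants:"
$dbGrants | Format-Table -AutoSize

# 2. Anything other than the dedicated group holding Receive-As is worth a look,
#    since that principal has silent read access to all mail in the database.
$unexpected = $dbGrants | Where-Object { $_.User -notlike "*\$GroupName" }
if ($unexpected) {
    Write-Warning "Receive-As held by a principal other than ${GroupName}:"
    $unexpected | Format-Table -AutoSize
}

# 3. Explicit FullAccess delegations on individual mailboxes (the entries set via
#    EAC -> Recipients -> mailbox delegation), excluding the owner's own SELF entry.
"Per-mailbox explicit FullAccess delegations:"
Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object {
        ($_.AccessRights -like "*FullAccess*") -and
        -not $_.IsInherited -and
        -not $_.Deny -and
        ($_.User -notlike "NT AUTHORITY\SELF")
    } |
    Select-Object Identity, User, AccessRights |
    Format-Table -AutoSize
```

Because Exchange caches permissions (see the later comment in this thread), a grant or removal made moments ago may not yet be reflected in actual mailbox access even though it already appears in this output.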

LVL 31

Author Comment

ID: 39173500
I ran into this forum post just as you posted as well:

The post above pretty clearly explains part (1) of what I was asking.

But it's clear you are suggesting that I *NOT* do exactly what is described in this article.... and for good reason I suppose. So there's my answer to part (2).

And the command you gave me sounds like the answer to (3) so I'll give that a try. I just have to realize that a Domain Admin or the Administrator account cannot be used for the purpose of opening other people's mailboxes.

The main reason for needing to do this right now is because we're in the middle of a migration from Google Apps, and after I finish importing all their mail from the old account I need to be able to go into their mailboxes and make sure everything came over properly, tweak if necessary etc.
LVL 31

Author Comment

ID: 39173518
Okay so I created a group, called "Full Mailbox Access", added my regular unprivileged account to that group, and ran the command you gave me. The results were:

User                : MYCOMPANY\Full Mailbox Access
Identity            : Mailbox Database 12341234
Deny                : False
AccessRights        : {ExtendedRight}
IsInherited         : False
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All

User                : MYCOMPANY\Full Mailbox Access
Identity            : Mailbox Database 12341234
Deny                : False
AccessRights        : {ExtendedRight}
IsInherited         : False
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All

.... but still no joy. If I log in as my regular account to OWA, and then try to go to "Open Another Mailbox", I get a "MapiExceptionLogonFailed: Unable to open message store." error. This is the same error I get when I don't have sufficient access to a mailbox. If I were to go add myself to the "Full Access" list for that mailbox in ECP->Recipients->mailbox delegation->Full Access, I can access it just fine.

If I run the Get-MailboxPermission on one of my mailboxes, I don't see the "Full Mailbox Access" in the list.

Is there maybe somewhere else we need to add the permission to?
LVL 31

Author Comment

ID: 39173534
Never mind, I just needed to restart the "Microsoft Exchange Information Store" service; the changes hadn't taken effect right away.

This was a helpful article, in particular the "Using EMS method 2" section, and the big red disclaimer at the bottom that said to restart the Microsoft Exchange Information Store service.
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39174506
I am a little behind on my posts...
Exchange caches permissions. Therefore it can take two hours before a change is effective. Therefore it is best if you presume you don't have any permissions, check/change and then attempt access.

Restarting the information store flushes the cache - although with the disruption.
