Exchange 2013 mailbox permissions

I have a brand new Exchange 2013 installation and trying to undertsand the concept of mailbox permissions a bit more.

My original goal was to have the Administrator user be able to have full access to all other user's mailboxes by default. This led to a rabbit hold of learning about Mailbox Permissions.

So when I run "Get-MailboxPermission -Identity jdoe", I get a table listing all of the permissions for that user. Example:

Identity             User                 AccessRights                                                IsInherited Deny
--------             ----                 ------------                                                ----------- ----
abcd.local/jdoe     NT AUTHORITY\SELF    {FullAccess, ReadPermission}                                False       False
abcd.local/jdoe     ABCD\marybrown       {FullAccess}                                                False       False
abcd.local/jdoe     ABCD\administrator   {FullAccess}                                                True        True
abcd.local/jdoe     ABCD\Domain Admins   {FullAccess}                                                True        True
abcd.local/jdoe     ABCD\Enterprise A... {FullAccess}                                                True        True
abcd.local/jdoe     ABCD\Organization... {FullAccess}                                                True        True
abcd.local/jdoe     NT AUTHORITY\SYSTEM  {FullAccess}                                                True        False
abcd.local/jdoe     NT AUTHORITY\NETW... {ReadPermission}                                            True        False
abcd.local/jdoe     ABCD\administrator   {FullAccess, DeleteItem, ReadPermission, ChangePermissio... True        False
abcd.local/jdoe     ABCD\Domain Admins   {FullAccess, DeleteItem, ReadPermission, ChangePermissio... True        False
abcd.local/jdoe     ABCD\Enterprise A... {FullAccess, DeleteItem, ReadPermission, ChangePermissio... True        False
abcd.local/jdoe     ABCD\Organization... {FullAccess, DeleteItem, ReadPermission, ChangePermissio... True        False
abcd.local/jdoe     ABCD\Public Folde... {ReadPermission}                                            True        False
abcd.local/jdoe     ABCD\Delegated Setup {ReadPermission}                                            True        False
abcd.local/jdoe     ABCD\Exchange Ser... {FullAccess, ReadPermission}                                True        False
abcd.local/jdoe     ABCD\Exchange Tru... {FullAccess, DeleteItem, ReadPermission, ChangePermissio... True        False

Open in new window


Notice how in the table above, the second line shows that the user "marybrown" has been granted full access to "jdoe"'s mailbox? That's me granting full access rights to the marybrown user via Mailbox Delegation in EAC. The "IsInherited" column is set to FALSE because it's a permission for that specific mailbox.

Now I also see a handful of permissions where the DENY column is set to "true" - These columns are explicitly DENYING the Administrator, Domain Admins, Enterprise Admins etc. from acessing the mailbox. These columns have the "IsInherited" column set to TRUE.

I guess my question is:

1) Where did those "deny" permissions come from? What are they being inherited FROM? The database / organization? Where can I go to look at those permissions?

2) Can I turn some of those deny permissions off? I'd really like the "Administrator" user to be able to access everyone's mailbox

3) Can I add an inherited permission somehow? I'd really like to be able to create a Security Group which grants access to ALL mailboxes by having the permission be inherited by all mailboxes
LVL 31
Frosty555Asked:
Who is Participating?
 
Simon Butler (Sembee)Connect With a Mentor ConsultantCommented:
Don't use Administrator for access to all mailboxes. That is against best practises.
The best practise, which Exchange will enforce unless you undo a lot of settings, is that accounts in the protected groups (Administrator, Domain Admins Power Users etc) cannot have permissions to other mailboxes. Those will be get an inherited deny.

If you require an account to have access to all mailboxes (Which I personally don't think anyone needs other than a BES Admin account) then use a regular account that is not a member of the above groups and has permissions in Exchange.

You should be operating a split permissions model - where you personal account is a regular user and you have a seperate Domain Admin model.

You can add a group to the permissions structure, again I would use a specific group for the task that isn't a member of anything else.

Get-MailboxDatabase | Add-ADPermission -User "Group-Name" -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin

Receive As will give you permissions to open the mailbox content.

Don't try to undo the inherited permissions, as that will cause you nothing but problems.

Simon.
0
 
Frosty555Author Commented:
I ran into this forum post just as you posted as well:

http://serverfault.com/questions/453940/grant-full-mailbox-access-to-domain-admins-in-exchange-2010-including-all-new-m

The post above pretty clearly explains part (1) if what I was asking.

But it's clear you are suggesting that I *NOT* do exactly what is described in this article.... and for good reason I suppose. So there's my answer to part (2).

And the command you gave me sounds like the answer to (3) so I'll give that a try. I just have to realize that a Domain Admin or the Administrator account cannot be used for the purpose of opening other people's mailboxes.

The main reason for needing to do this right now is because we're in the middle of a migration from Google Apps, and after I finish importing all their mail from the old account I need to be able to go into their mailboxes and make sure everything came over properly, tweak if necessary etc.
0
 
Frosty555Author Commented:
Okay so I created a group, called "Full Mailbox Access", added my regular unprivileged account to that group, and ran the command you gave me. The results were:

User                : MYCOMPANY\Full Mailbox Access
Identity            : Mailbox Database 12341234
Deny                : False
AccessRights        : {ExtendedRight}
IsInherited         : False
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All

User                : MYCOMPANY\Full Mailbox Access
Identity            : Mailbox Database 12341234
Deny                : False
AccessRights        : {ExtendedRight}
IsInherited         : False
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All



.... but still no joy. If I login as my regular account to OWA, and then try to go to "Open Another Mailbox", I get a "MapiExceptionLogonFailed: Unable to open message store." error. This is the same error I get when I don't have sufficient access to a mailbox. If I were to go add myself to the "Full Access" list for that mailbox in ECP->Recipients->mailbox delegation->Full Access, I can access it just fine.

If I run the Get-MailboxPermission on one of my mailboxes, I don't see the "Full Mailbox Access" in the list.

Is there maybe somewhere else we need to add the permission to?
0
 
Frosty555Author Commented:
Nevermind, I just needed to restart the "Microsoft Exchange Information Store" service, the changes hadn't taken affect right away.

This was a helpful article, in particular, the "Using EMS method 2" section, and the big red disclaimer at the bottom that said to restart the Microsoft Exchange Information Store service

http://msundis.wordpress.com/2011/06/21/manage-full-access-permissions-on-mailboxes-in-exchange-2010/
0
 
Simon Butler (Sembee)ConsultantCommented:
I am a little behind on my posts...
Exchange caches permissions. Therefore it can take two hours before a change is effective. Therefore it is best if you presume you don't have any permissions, check/change and then attempt access.

Restarting the information store flushes the cache - although with the disruption.

Simon.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.