ncomper asked:

Exchange 2010 permissions set at DB level

Hi All

We have a migration taking place by a 3rd party who are going to use a migration.admin account to remotely migrate emails onto their hosted platform.

When they tried to do the migration it failed due to permissions issues, so they asked us to set full access permissions on the mailbox database. I have tested this on a DB below:

get-mailboxdatabase "TestDB1" | Add-ADPermission -user "migration.admin" -accessrights GenericAll

I have checked using the below command and see the migration.admin account in the list:

get-adpermission "TestDB1" | ft -auto

My question is: if I look at the properties of an AD account that is in this mailbox store, I do not see the migration.admin account listed.

If I run the below command on a mailbox that is in that store, I also do not see the migration.admin account listed:

get-adpermission "TestUser1" | ft -auto

Is this correct behavior, or does this mean that the permission I set on the database level is not filtering down to the mailboxes?

Thanks
Tags: Exchange, Windows Server 2008, Active Directory

Mohammed Khawaja

This is correct as these permissions are applied on the mailbox object only.  Both users do not need identical ACLs (i.e. you want to give full access to mailbox but not to all shares, group memberships, etc.).
ASKER
ncomper

Hi

Thanks for the feedback. Basically I need to achieve the same result as right-clicking on a mailbox and running the Manage Full Access command, but I need to do this on the database level so all mailboxes get it.

Are the commands I specified correct? I have run the above commands but then have looked at the mailbox permissions and they are not there.

So I ran get-mailboxpermission "TestUser1" | ft -auto

The migration account does not show up.

I have a 2nd test mailbox in this database. I right-clicked on the mailbox, ran the Manage Full Access wizard and added my migration account that way; when I then run the below, my migration account shows up. However, I don't want to do it manually at the mailbox level.

get-mailboxpermission "TestUser2" | ft -auto

Thanks
ASKER CERTIFIED SOLUTION
Simon Butler (Sembee)

ASKER
ncomper

Hi Simon

Can I ask what the difference is? I just found that online somewhere.

Thanks
ASKER
ncomper

Hi Simon

I have run that command and then restarted the Information Store. I then tested one of the mailboxes that are in that store, but my migration.admin account still does not show up.

Any ideas where I'm going wrong? Thanks

[PS] C:\Windows\system32>Get-MailboxDatabase "TestDB1"| Add-ADPermission -User "migration.admin" -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin
WARNING: The appropriate access control entry is already present on the object "CN=TestDB1,CN=Databases,CN=Exchange
Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=test2k8,DC=local" for account "TEST2K8\migration.admin".
WARNING: The appropriate access control entry is already present on the object "CN=TestDB1,CN=Databases,CN=Exchange
Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=test2k8,DC=local" for account "TEST2K8\migration.admin".

Identity             User                 Deny  Inherited
--------             ----                 ----  ---------
TestDB1              TEST2K8\migration... False False
TestDB1              TEST2K8\migration... False False


[PS] C:\Windows\system32>get-mailboxpermission "nicktest10" | ft -auto

Identity                       User              AccessRights                 IsInherited Deny
--------                       ----              ------------                 ----------- ----
test2k8.local/Users/nicktest10 NT AUTHORITY\SELF {FullAccess, ReadPermission} False       False


[PS] C:\Windows\system32>get-mailboxpermission "nicktest10" | ft -auto

Identity                       User              AccessRights                 IsInherited Deny
--------                       ----              ------------                 ----------- ----
test2k8.local/Users/nicktest10 NT AUTHORITY\SELF {FullAccess, ReadPermission} False       False


[PS] C:\Windows\system32>


Simon Butler (Sembee)

I haven't used GenericAll ever. People get confused with AD permissions, for example thinking that Full Control gives access to the mailbox (it doesn't), "Read" allows read only access to the mailbox (it doesn't).

Don't forget that after making the change it may not work immediately because of the way Exchange caches permissions.

Simon.
Simon Butler (Sembee)

I wouldn't expect the account to show up in the permissions because it is granting the permissions in a different way.
If you want the permission to show in those commands then you need to grant the account Full Mailbox Access, which cannot be done at the database level.

Simon.
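As an added example (not from the thread and not Sembee's answer), the following Exchange 2010 Management Shell snippet puts the two views side by side: the explicit ACEs on the database object that carry the Receive-As and ms-Exch-Store-Admin extended rights, and the mailbox-level ACEs that Get-MailboxPermission reports. It assumes the thread's "migration.admin" account and "TestDB1" database names; $Account, $Database and $StoreRights are variables introduced here. It reads AD directly, so it does not reflect the Information Store's permission cache mentioned above.

```powershell
# Added example, not code from the thread. Run in the Exchange 2010 Management Shell.
# Assumed names: the thread's "migration.admin" account and "TestDB1" database.
$Account     = "migration.admin"
$Database    = "TestDB1"
$StoreRights = @("Receive-As", "ms-Exch-Store-Admin")

# 1. Database-level view: explicit (non-inherited, non-deny) ACEs on the database
#    object that carry a store-level extended right. A grant made with
#    Add-ADPermission -ExtendedRights on the database lands here.
$dbAces = Get-MailboxDatabase -Identity $Database | Get-ADPermission |
    Where-Object {
        -not $_.Deny -and -not $_.IsInherited -and $_.ExtendedRights -and
        (@($_.ExtendedRights | ForEach-Object { $_.ToString() } |
            Where-Object { $StoreRights -contains $_ }).Count -gt 0)
    }

$dbAces |
    Select-Object @{Name = "Database"; Expression = { $Database }},
                  User,
                  @{Name = "ExtendedRights"; Expression = {
                      ($_.ExtendedRights | ForEach-Object { $_.ToString() }) -join ", " }} |
    Format-Table -AutoSize

# 2. Mailbox-level view: Get-MailboxPermission only reports ACEs on the mailbox
#    objects themselves, so a database-level Receive-As grant does not appear here.
#    Only mailboxes where the account was given Full Access directly are listed.
Get-Mailbox -Database $Database -ResultSize Unlimited |
    Get-MailboxPermission -User $Account |
    Format-Table Identity, User, AccessRights, IsInherited -AutoSize

# 3. Any other principal holding store-level rights on this database is worth a
#    review; an unwanted entry can be removed with Remove-ADPermission.
$unexpected = $dbAces | Where-Object { $_.User.ToString() -notlike "*\$Account" }
if ($unexpected) {
    Write-Warning "Other principals hold store-level rights on ${Database}:"
    $unexpected | Format-Table User, ExtendedRights -AutoSize
}
```

The first table is the one to check after running the Add-ADPermission command from the thread: the migration account should appear there with both extended rights, while the second table stays empty for mailboxes that were never given Full Access individually. That is the expected result, not a sign the grant failed.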
ASKER
ncomper

Ok thanks

I suppose realistically it doesn't really matter whether it shows up or not; as long as the migration account has full access to all the mailboxes in the datastore, that will satisfy the company that is doing the migration.

I'll try it on our prod servers now.

Thanks for the help
ASKER
ncomper

Spot on as always

Thanks