ncomper
asked on
Exchange 2010 permissions set at DB level
Hi All
We have a migration taking place by a 3rd party who are going to use a migration.admin account to remotely migrate emails onto their hosted platform.
When they tried to do the migration it failed due to permissions issues, so they asked us to set full access permissions on the mailbox database. I have tested this on a DB below:
Get-MailboxDatabase "TestDB1" | Add-ADPermission -User "migration.admin" -AccessRights GenericAll
I have checked using the below command and see the migration.admin account in the list:
Get-ADPermission "TestDB1" | ft -auto
My question is, if I look on the properties of an AD account that is in this mailbox store I do not see the migration.admin account listed.
If I run the below command on a mailbox that is in that store I also do not see the migration.admin account listed:
Get-ADPermission "TestUser1" | ft -auto
Is this correct behavior, or does this mean that the permission I set on the database level is not filtering down to the mailboxes?
Thanks
This is correct as these permissions are applied on the mailbox object only. Both users do not need identical ACLs (i.e. you want to give full access to mailbox but not to all shares, group memberships, etc.).
ASKER
Hi
Thanks for the feedback. Basically I need to achieve the same result as right-clicking on a mailbox and running the Manage Full Access command, but I need to do this at the database level so all mailboxes get it.
Are the commands I specified correct? I have run the above commands but then have looked at the mailbox permissions and they are not there.
So I ran Get-MailboxPermission "TestUser1" | ft -auto
The migration account does not show up.
I have a 2nd test mailbox in this database; I right-clicked on the mailbox and ran the Manage Full Access wizard and added my migration account that way. When I then run the below my migration account shows up, however I don't want to do it manually at the mailbox level.
Get-MailboxPermission "TestUser2" | ft -auto
Thanks
ASKER CERTIFIED SOLUTION
ASKER
Hi Simon
Can I ask what the difference is? I just found that online somewhere.
Thanks
ASKER
Hi Simon
I have run that command and then restarted the Information Store. I then tested one of the mailboxes that are in that store, but my migration.admin account still does not show up.
Any ideas where I'm going wrong? Thanks
[PS] C:\Windows\system32>Get-MailboxDatabase "TestDB1"| Add-ADPermission -User "migration.admin" -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin
WARNING: The appropriate access control entry is already present on the object "CN=TestDB1,CN=Databases,CN=Exchange
Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=test2k8,DC=local" for account "TEST2K8\migration.admin".
WARNING: The appropriate access control entry is already present on the object "CN=TestDB1,CN=Databases,CN=Exchange
Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=test2k8,DC=local" for account "TEST2K8\migration.admin".
Identity User Deny Inherited
-------- ---- ---- ---------
TestDB1 TEST2K8\migration... False False
TestDB1 TEST2K8\migration... False False
[PS] C:\Windows\system32>get-mailboxpermission "nicktest10" | ft -auto
Identity User AccessRights IsInherited Deny
-------- ---- ------------ ----------- ----
test2k8.local/Users/nicktest10 NT AUTHORITY\SELF {FullAccess, ReadPermission} False False
[PS] C:\Windows\system32>get-mailboxpermission "nicktest10" | ft -auto
Identity User AccessRights IsInherited Deny
-------- ---- ------------ ----------- ----
test2k8.local/Users/nicktest10 NT AUTHORITY\SELF {FullAccess, ReadPermission} False False
[PS] C:\Windows\system32>
I haven't ever used GenericAll. People get confused with AD permissions, for example thinking that Full Control gives access to the mailbox (it doesn't), or that "Read" allows read-only access to the mailbox (it doesn't).
Don't forget that after making the change it may not work immediately because of the way Exchange caches permissions.
Simon.
I wouldn't expect the account to show up in the permissions because it is granting the permissions in a different way.
If you want the permission to show in those commands then you need to grant the account Full Mailbox Access, which cannot be done at the database level.
Simon.
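As an added example (not from anyone in this thread), the following Exchange Management Shell function audits a mailbox database the way the discussion above suggests: it lists which accounts hold the store-wide Receive-As or ms-Exch-Store-Admin extended rights on the database, then checks each mailbox in that database for an explicit FullAccess grant to the same accounts, so the two different kinds of grant are visible side by side for review. The database name "TestDB1" is taken from the thread; the function name and report columns are my own.

```powershell
# Added example: report store-wide access on a database versus explicit
# mailbox-level FullAccess, using only stock Exchange 2010 cmdlets.
# Function name and output columns are assumptions, not Exchange's own.
function Get-DatabaseStoreAccess {
    param(
        [Parameter(Mandatory = $true)][string]$Database
    )

    # Allow ACEs on the database object that carry either extended right.
    # An account holding these can open every mailbox in the store, which is
    # exactly why they are worth listing explicitly.
    $dbAces = Get-MailboxDatabase $Database |
        Get-ADPermission |
        Where-Object {
            -not $_.Deny -and
            $_.ExtendedRights -and
            (($_.ExtendedRights -join ',') -match 'Receive-As|ms-Exch-Store-Admin')
        }

    # Distinct DOMAIN\account strings granted at the database level.
    $storeAccounts = $dbAces | ForEach-Object { $_.User.ToString() } | Sort-Object -Unique

    # For each mailbox in the database, record whether the same account also
    # has an explicit (non-inherited) FullAccess entry on the mailbox itself.
    # In the thread's scenario this column stays False: the database ACE is a
    # separate grant and Get-MailboxPermission never shows it.
    foreach ($mbx in Get-Mailbox -Database $Database -ResultSize Unlimited) {
        $explicitFull = Get-MailboxPermission $mbx.Identity |
            Where-Object {
                -not $_.IsInherited -and ("$($_.AccessRights)" -match 'FullAccess')
            } |
            ForEach-Object { $_.User.ToString() }

        foreach ($acct in $storeAccounts) {
            New-Object PSObject -Property @{
                Mailbox             = $mbx.Alias
                Account             = $acct
                DatabaseStoreAccess = $true
                ExplicitFullAccess  = [bool]($explicitFull -contains $acct)
            }
        }
    }
}

# Usage: one row per (mailbox, store-level account) pair in TestDB1.
Get-DatabaseStoreAccess -Database 'TestDB1' |
    Format-Table Mailbox, Account, DatabaseStoreAccess, ExplicitFullAccess -AutoSize
```

Running the report periodically, and reviewing any account that appears in it, is a simple way to keep track of who can read every mailbox in a database long after a migration is over.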
ASKER
Ok thanks
I suppose realistically it doesn't really matter whether it shows up or not; as long as the migration account has full access to all the mailboxes in the datastore, that will satisfy the company that are doing the migration.
I'll try it on our prod servers now.
Thanks for the help
ASKER
Spot on as always
Thanks