Exchange 2010 permissions set at DB level

Hi All

We have a migration taking place by a 3rd party who are going to use a migration.admin account to remotely migrate emails onto their hosted platform.

When they tried to do the migration it failed due to permissions issues, so they asked us to set full access permissions on the mailbox database. I have tested this on a DB below:

get-mailboxdatabase "TestDB1" | Add-ADPermission -user "migration.admin" -accessrights GenericAll

I have checked using the below command and see the migration.admin account in the list:

get-adpermission "TestDB1" | ft -auto

My question is: if I look at the properties of an AD account that is in this mailbox store, I do not see the migration.admin account listed.

If I run the below command on a mailbox that is in that store, I also do not see the migration.admin account listed:

get-adpermission "TestUser1" | ft -auto

Is this correct behavior, or does this mean that the permission I set on the database level is not filtering down to the mailboxes?

Thanks
ncomper asked:

Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
This is correct as these permissions are applied on the mailbox object only.  Both users do not need identical ACLs (i.e. you want to give full access to mailbox but not to all shares, group memberships, etc.).
0
ncomper (Author) commented:
Hi

Thanks for the feedback. Basically I need to achieve the same result as right-clicking on a mailbox and running the Manage Full Access command, but I need to do this at the database level so all mailboxes get it.

Are the commands I specified correct? I have run the above commands but then have looked at the mailbox permissions and they are not there.

So I ran get-mailboxpermission "TestUser1" | ft -auto

and the migration account does not show up.

I have a 2nd test mailbox in this database. I right-clicked on the mailbox, ran the Manage Full Access wizard and added my migration account that way. When I then run the below, my migration account shows up; however, I don't want to do it manually at the mailbox level.

get-mailboxpermission "TestUser2"  | ft -auto

Thanks
0
Simon Butler (Sembee), Consultant, commented:
The permission you have set isn't what I would have done if asked to provide access.
This is the command I would have used:

Get-MailboxDatabase | Add-ADPermission -User "Account" -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin

Where account is the name of the account they are using.

Receive As gives full mailbox access.

Simon.
0
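The following Exchange Management Shell script is an added example, not code from the thread or from Simon. It takes the Receive-As / ms-Exch-Store-Admin grant Simon describes and adds the two checks a practitioner would want afterwards: it confirms that the access control entry sits on the database object (which is where Get-ADPermission finds it), and it confirms that the mailbox-level ACLs are untouched (which is why Get-MailboxPermission never lists the account). It assumes the database name "TestDB1" and the account "migration.admin" from the question, an Exchange 2010 Management Shell session, and the property names IsInherited, ExtendedRights and User on the objects returned by Get-ADPermission and Get-MailboxPermission.

```powershell
# Added example (not from the thread). Assumes Exchange 2010 Management Shell.
# Database and account names are taken from the question; change them as needed.
$Database = "TestDB1"
$Account  = "migration.admin"

# 1. Grant store-level access the way Simon recommends: Receive-As gives the account
#    full mailbox access to every mailbox in the database without touching mailbox ACLs.
Get-MailboxDatabase $Database |
    Add-ADPermission -User $Account -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin

# 2. Check the grant where it actually lives: on the database object in AD.
#    Filter to explicit (non-inherited) entries for this account so the report is short.
Get-ADPermission -Identity $Database |
    Where-Object { $_.User -like "*\$Account" -and -not $_.IsInherited } |
    Select-Object Identity, User, AccessRights, ExtendedRights, Deny |
    Format-Table -AutoSize

# 3. Check the mailboxes in the database: this grant does not create per-mailbox ACEs,
#    so the account is not expected to appear here. Anything that does appear was added
#    another way (for example the Manage Full Access wizard on an individual mailbox).
Get-Mailbox -Database $Database -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object { $_.User -like "*\$Account" } |
    Select-Object Identity, User, AccessRights, IsInherited |
    Format-Table -AutoSize

# 4. Least privilege: once the migration is finished, remove the store-level grant again.
#    (Left commented out so the script can be run as a pure grant-and-verify pass.)
# Get-MailboxDatabase $Database |
#     Remove-ADPermission -User $Account -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin -Confirm:$false
```

Run step 2 a second time after a store restart (or after waiting out the permission cache Simon mentions) if you want to confirm the entry survived; step 3 is the one that explains the author's confusion, since an empty result there is the normal outcome of granting access at the database level.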


ncomper (Author) commented:
Hi Simon

Can I ask what the difference is? I just found that online somewhere.

Thanks
0
ncomper (Author) commented:
Hi Simon

I have run that command and then restarted the information store. I then tested one of the mailboxes that are in that store, but my migration.admin account still does not show up.

Any ideas where I'm going wrong? Thanks

[PS] C:\Windows\system32>Get-MailboxDatabase "TestDB1"| Add-ADPermission -User "migration.admin" -AccessRights ExtendedR
ight -ExtendedRights Receive-As, ms-Exch-Store-Admin
WARNING: The appropriate access control entry is already present on the object "CN=TestDB1,CN=Databases,CN=Exchange
Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=test2k8,DC=local" for account "TEST2K8\migration.admin".
WARNING: The appropriate access control entry is already present on the object "CN=TestDB1,CN=Databases,CN=Exchange
Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=test2k8,DC=local" for account "TEST2K8\migration.admin".

Identity             User                 Deny  Inherited
--------             ----                 ----  ---------
TestDB1              TEST2K8\migration... False False
TestDB1              TEST2K8\migration... False False


[PS] C:\Windows\system32>get-mailboxpermission "nicktest10" | ft -auto

Identity                       User              AccessRights                 IsInherited Deny
--------                       ----              ------------                 ----------- ----
test2k8.local/Users/nicktest10 NT AUTHORITY\SELF {FullAccess, ReadPermission} False       False


[PS] C:\Windows\system32>get-mailboxpermission "nicktest10" | ft -auto

Identity                       User              AccessRights                 IsInherited Deny
--------                       ----              ------------                 ----------- ----
test2k8.local/Users/nicktest10 NT AUTHORITY\SELF {FullAccess, ReadPermission} False       False


[PS] C:\Windows\system32>


0
Simon Butler (Sembee), Consultant, commented:
I haven't used GenericAll ever. People get confused with AD permissions, for example thinking that Full Control gives access to the mailbox (it doesn't), "Read" allows read only access to the mailbox (it doesn't).

Don't forget that after making the change it may not work immediately because of the way Exchange caches permissions.

Simon.
0
Simon Butler (Sembee), Consultant, commented:
I wouldn't expect the account to show up in the permissions because it is granting the permissions in a different way.
If you want the permission to show in those commands then you need to grant the account Full Mailbox Access, which cannot be done at the database level.

Simon.
0
ncomper (Author) commented:
Ok thanks

I suppose realistically it doesn't really matter whether it shows up or not; as long as the migration account has full access to all the mailboxes in the datastore, that will satisfy the company that is doing the migration.

I'll try it on our prod servers now.

Thanks for the help
0
ncomper (Author) commented:
Spot on as always

Thanks
0