ncomper
Exchange 2010 permissions set at DB level

Hi All

We have a migration taking place by a 3rd party who are going to use a migration.admin account to remotely migrate emails onto their hosted platform.

When they tried to do the migration it failed due to permissions issues, so they asked us to set full access permissions on the mailbox database. I have tested this on a DB below:

get-mailboxdatabase "TestDB1" | Add-ADPermission -user "migration.admin" -accessrights GenericAll

I have checked using the below command and see the migration.admin account in the list

get-adpermission "TestDB1" | ft -auto

My question is: if I look on the properties of an AD account that is in this mailbox store, I do not see the migration.admin account listed.

If I run the below command on a mailbox that is in that store I also do not see the migration.admin account listed:

get-adpermission "TestUser1" | ft -auto

Is this correct behavior, or does this mean that the permission I set on the database level is not filtering down to the mailboxes?

Thanks
Mohammed Khawaja

This is correct as these permissions are applied on the mailbox object only. Both users do not need identical ACLs (i.e. you want to give full access to the mailbox but not to all shares, group memberships, etc.).
ncomper

ASKER

Hi

Thanks for the feedback. Basically I need to achieve the same result as right-clicking on a mailbox and running the Manage Full Access command, but I need to do this on the database level so all mailboxes get it.

Are the commands I specified correct? I have run the above commands but then looked at the mailbox permissions and they are not there.

So I ran:

get-mailboxpermission "TestUser1"  | ft -auto

The migration account does not show up.

I have a 2nd test mailbox in this database. I right-clicked on the mailbox, ran the Manage Full Access wizard and added my migration account that way. When I then run the below, my migration account shows up; however, I don't want to do it manually at the mailbox level.

get-mailboxpermission "TestUser2"  | ft -auto

Thanks
ASKER CERTIFIED SOLUTION
Simon Butler (Sembee)

ASKER

Hi Simon

Can I ask what the difference is? I just found that online somewhere.

Thanks

ASKER

Hi Simon

I have run that command and then restarted the Information Store. I then tested one of the mailboxes that are in that store, but my migration.admin account still does not show up.

Any ideas where I'm going wrong? Thanks

[PS] C:\Windows\system32>Get-MailboxDatabase "TestDB1"| Add-ADPermission -User "migration.admin" -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin
WARNING: The appropriate access control entry is already present on the object "CN=TestDB1,CN=Databases,CN=Exchange
Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=test2k8,DC=local" for account "TEST2K8\migration.admin".
WARNING: The appropriate access control entry is already present on the object "CN=TestDB1,CN=Databases,CN=Exchange
Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=test2k8,DC=local" for account "TEST2K8\migration.admin".

Identity             User                 Deny  Inherited
--------             ----                 ----  ---------
TestDB1              TEST2K8\migration... False False
TestDB1              TEST2K8\migration... False False


[PS] C:\Windows\system32>get-mailboxpermission "nicktest10" | ft -auto

Identity                       User              AccessRights                 IsInherited Deny
--------                       ----              ------------                 ----------- ----
test2k8.local/Users/nicktest10 NT AUTHORITY\SELF {FullAccess, ReadPermission} False       False


[PS] C:\Windows\system32>get-mailboxpermission "nicktest10" | ft -auto

Identity                       User              AccessRights                 IsInherited Deny
--------                       ----              ------------                 ----------- ----
test2k8.local/Users/nicktest10 NT AUTHORITY\SELF {FullAccess, ReadPermission} False       False


[PS] C:\Windows\system32>


I haven't used GenericAll ever. People get confused with AD permissions, for example thinking that Full Control gives access to the mailbox (it doesn't), "Read" allows read only access to the mailbox (it doesn't).

Don't forget that after making the change it may not work immediately because of the way Exchange caches permissions.

Simon.
I wouldn't expect the account to show up in the permissions because it is granting the permissions in a different way.
If you want the permission to show in those commands then you need to grant the account Full Mailbox Access, which cannot be done at the database level.

Simon.
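A way to verify what Sembee describes, added here as an example and not code from the thread: it audits which accounts hold Receive-As or ms-Exch-Store-Admin on each mailbox database (the grant that actually matters) and contrasts that with Get-MailboxPermission on one mailbox, which only lists explicit Full Mailbox Access ACEs. It assumes the Exchange 2010 Management Shell; "migration.admin" comes from the question and "TestUser1" is a placeholder mailbox name.

```powershell
# Added example (not the poster's or Sembee's code). Assumes the Exchange 2010 Management Shell.
# $Account is taken from the thread; $SampleMailbox is a placeholder name.
param(
    [string]$Account = "migration.admin",
    [string]$SampleMailbox = "TestUser1"
)

# Extended rights that, held on a database object, give access to every mailbox in that database.
$storeRights = @("Receive-As", "ms-Exch-Store-Admin")

function Get-StoreLevelGrants {
    # Returns the allow ACEs on one database that carry any of $storeRights.
    param([string]$Database)
    Get-MailboxDatabase -Identity $Database | Get-ADPermission | Where-Object {
        if ($_.Deny -or -not $_.ExtendedRights) { return $false }
        foreach ($r in $_.ExtendedRights) {
            if ($storeRights -contains "$r") { return $true }
        }
        $false
    } | Select-Object Identity, User, IsInherited,
        @{Name = "ExtendedRights"; Expression = { ($_.ExtendedRights | ForEach-Object { "$_" }) -join "," }}
}

# 1. Database level: this is where the grant from the thread lives, so audit it here.
foreach ($db in Get-MailboxDatabase) {
    $grants = @(Get-StoreLevelGrants -Database $db.Name)
    Write-Host ("Database {0}: {1} store-level grant(s)" -f $db.Name, $grants.Count)
    $grants | Format-Table -AutoSize
    # "*\name" matches the DOMAIN\user form that Get-ADPermission reports.
    if ($grants | Where-Object { $_.User.ToString() -like "*\$Account" }) {
        Write-Host ("  {0} can open every mailbox in {1} via the database ACL" -f $Account, $db.Name) -ForegroundColor Yellow
    }
}

# 2. Mailbox level: Get-MailboxPermission reports explicit mailbox ACEs only, so the
#    database-level grant above is expected to be absent here.
$explicit = @(Get-MailboxPermission -Identity $SampleMailbox |
    Where-Object { -not $_.IsInherited -and $_.User.ToString() -like "*\$Account" })
if ($explicit.Count -eq 0) {
    Write-Host ("No explicit mailbox ACE for {0} on {1}; any access comes from the database level." -f $Account, $SampleMailbox)
} else {
    $explicit | Format-Table User, AccessRights -AutoSize
}
```

Running the audit again after the migration is a quick way to confirm the grant has been removed; the same -User, -AccessRights and -ExtendedRights values passed to Remove-ADPermission revoke it.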

ASKER

Ok thanks

I suppose realistically it doesn't really matter whether it shows up or not, as long as the migration account has full access to all the mailboxes in the datastore then that will satisfy the company that are doing the migration.

I'll try it on our prod servers now.

Thanks for the help

ASKER

Spot on as always

Thanks