4

I am trying to grant the Domain Admins group full access to all mailboxes in Exchange 2010, including new ones created after this is implemented. Doing some reading, I came up with the following Powershell command:

Get-MailboxDatabase | Add-ADPermission -User "Domain Admins" -AccessRights ExtendedRight -ExtendedRights Receive-As,Send-As

This didn't work, however. How can I do this?

Thanks!

NaOH
    What is the reason for doing this? Seems there could be some legal or company policy ramifications that need to be verified beforehand. – mdpc Nov 30 '12 at 21:43
  • Want to be able to check users' mailboxes to verify mail delivery and the like. – NaOH Nov 30 '12 at 23:13

4 Answers

4

DISCLAIMER: be careful of legal implications of allowing administrators to access mailbox contents.

The easiest way to accomplish this is to remove the explicit Deny permissions for Send As and Receive As which are assigned to the Domain Admins and Enterprise Admins groups on the main Exchange Organization object in AD, and subsequently get inherited everywhere. These permissions are there exactly to block administrators from accessing mailbox contents, which otherwise they could access freely.

You can modify the permissions for the Organization object using AD Sites and Services (just make sure to show the Services node).

[Screenshot: Exchange Organization]

[Screenshot: Permissions]

Massimo
  • Massimo, I'm not seeing those Deny permissions. I can't tell from your screenshot which specific object you're looking at... It looks like it's immediately under Microsoft Exchange, under Services, but not only do I have more than one object under Microsoft Exchange myself (`Active Directory Connections`) and (`*Our Organization Name*`), but neither of them have a Receive As or Send As permission that can be set for them (in fact, the `*Our Organization Name*` object doesn't even have any other tabs but General). Can you verify where I should be applying these permissions? Thanks! – NaOH Nov 30 '12 at 18:49
  • The right object is "your organization name". – Massimo Dec 01 '12 at 05:16
  • If you can't see its permissions, then maybe something is really *wrong* in your environment... – Massimo Dec 01 '12 at 05:17
  • [This](http://i.imgur.com/Xdtt7.png) is what I'm getting in ADSS when I open Properties for that object. I don't think anything is wrong, though... Email is flowing, no crazy errors in Event Viewer, etc. – NaOH Dec 03 '12 at 17:08
  • Do you have Enterprise Admin rights? – Massimo Dec 03 '12 at 18:23
  • Yes, I do have them. – NaOH Dec 03 '12 at 22:46
2

I've continued to use this link ever since our Exchange 2010 deployment: http://msundis.wordpress.com/2011/06/21/manage-full-access-permissions-on-mailboxes-in-exchange-2010/

Specifically:

Get-Mailbox | Where { $_.Database -eq "" } | Add-MailboxPermission -User "Domain Admins" -AccessRights FullAccess -InheritanceType All

And then this one for send as:

Get-Mailbox | Where { $_.Database -eq "" } | Add-ADPermission -User "Domain Admins" -AccessRights ExtendedRight -ExtendedRights "Send As"

Create PS scripts for them and set them as scheduled nightly (or whatever) tasks and it will handle any new mailboxes too.

The whole explicit deny for enterprise admins and domain admins in Exchange causes all kinds of issues like this.

TheCleaner
  • Is that the most elegant solution out there for this? – ewwhite Dec 03 '14 at 04:10
  • @ewwhite it works...but Massimo's ACL change works as well but is wide sweeping. There's methods in the link for a single script now to handle future mailboxes as well. – TheCleaner Dec 03 '14 at 14:16
0

Only way I've found is to:

  1. Script a loop to apply the permission to all existing mailboxes.
  2. Bake in the domain admin permissions assignment to my new mailbox setup script.

I'm hopeful someone's got a better way though, since that's not quite ideal. Having permissions inherit down to mailboxes from the mailstore or database level sure would be nice...

HopelessN00b
0

You need the Scripting Agent! This executes a PowerShell script every time a mailbox is created.

We use it to assign the mailbox cleanup policy and set the user's language and time zone so they are not prompted when logging in to OWA. Here's our script:

<?xml version="1.0" encoding="utf-8" ?>
<Configuration version="1.0">
 <Feature Name="MailboxProvisioning" Cmdlets="new-mailbox">
  <ApiCall Name="OnComplete">

   if($succeeded)    {
    $newmailbox = $provisioningHandler.UserSpecifiedParameters["Name"]
    set-mailbox -identity $newmailbox -language 'en-US' -RetentionPolicy "Mailbox Cleanup"
    set-mailboxregionalconfiguration -identity $newmailbox -language 'en-US' -timezone 'Eastern Standard Time'
   }
  </ApiCall>
 </Feature>
</Configuration>

longneck
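The nightly-script approach from TheCleaner's answer and the per-mailbox grant that longneck's Scripting Agent would perform both come down to one idempotent grant routine; the script below is an added example, not code from any of the answers. It assumes an Exchange 2010 Management Shell session and a group literally named "Domain Admins"; the same function body can be dropped into a ScriptingAgentConfig.xml OnComplete block for new-mailbox.

```powershell
# Added example: grant the Domain Admins group Full Access and Send As on
# every mailbox, skipping mailboxes that already carry an explicit allow so
# the script is safe to run repeatedly (e.g. as a nightly scheduled task).
# Assumed group name; change to suit.
$Group = "Domain Admins"

function Grant-AdminMailboxAccess {
    param([Parameter(Mandatory = $true)] $Mailbox)

    # Full Access lives on the mailbox ACL. An explicit Allow on the mailbox
    # is evaluated before the Deny inherited from the Exchange Organization
    # object, which is why this works without touching the org ACL.
    $hasFull = Get-MailboxPermission -Identity $Mailbox.Identity -User $Group -ErrorAction SilentlyContinue |
        Where-Object { ($_.AccessRights -contains "FullAccess") -and -not $_.Deny -and -not $_.IsInherited }
    if (-not $hasFull) {
        Add-MailboxPermission -Identity $Mailbox.Identity -User $Group `
            -AccessRights FullAccess -InheritanceType All | Out-Null
    }

    # Send As is an AD extended right on the user object, not a mailbox right.
    $hasSendAs = Get-ADPermission -Identity $Mailbox.DistinguishedName -User $Group -ErrorAction SilentlyContinue |
        Where-Object { ($_.ExtendedRights -like "*Send-As*") -and -not $_.Deny -and -not $_.IsInherited }
    if (-not $hasSendAs) {
        Add-ADPermission -Identity $Mailbox.DistinguishedName -User $Group `
            -AccessRights ExtendedRight -ExtendedRights "Send-As" | Out-Null
    }
}

# -ResultSize Unlimited matters: Get-Mailbox returns only the first 1000
# mailboxes by default, so a plain Get-Mailbox silently skips the rest.
Get-Mailbox -ResultSize Unlimited | ForEach-Object { Grant-AdminMailboxAccess $_ }
```

Because each grant is checked before it is added, re-running the script does not pile up duplicate ACEs, and the Get-MailboxPermission / Get-ADPermission output doubles as an audit of which mailboxes the group can currently open.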