Exchange 2007 - Help needed! - Full access permission

[eddycarp]

Hi, I am wondering if anyone knows the answer to this?!

Basically we have Exchange 2007 running with 2500+ users set up in it,

If you go into the EMC and right click on a user, you can set a full access permission, so that the administrator can also open the mailbox via OWA.

Obviously having 2500+ users means doing it manually would take ages!

Does anyone know how to set it over the entire site and set it in a way that new accounts would have it set by default.

Thanks in advance.

[BGM]

use powershell

this may help: http://exchangepedia.com/blog/2007/06/how-...box-access.html

i don't really know much about powershell, but there is literally LOADS of stuff on google, so knock yourself out :D

good luck

[MMaster23]

Also consider giving those kinds of premissions to a special admin-access-group.

Then add proper admins to that group.

Please also consider futher security risks by opening up 2500 boxes to admins.

Enforce auditting to be sure.

[Aldur82]

Have a read over this page, as it appears certain exchange 2007 groups already have full access permissions anyway...you just need to be a member of the right group.

http://www.msexchange.org/articles_tutoria...oles-part1.html

[Brian M. Veteran]

Moved here.

[eddycarp]

Hi, thanks for all of the replies, at the moment I have only been able to find a powershell command that will grant a full access permission on a single mailbox - rather than over the entire lot.

We (as in the administrators - there are 3 of us) are already in the exchange administrators group, but this refuses to allow us to open any of the mailboxes.

Any further ideas would be appreciated!

Thanks again!

[BGM]

Hi, thanks for all of the replies, at the moment I have only been able to find a powershell command that will grant a full access permission on a single mailbox - rather than over the entire lot.

you could perhaps get a list of users (using powershell?) and then using a macro/textpad/excel create a list of commands to execute, see attached..

however, there must be a way to loop through all the users? (perhaps use this idea as a last resort)

Edited October 5, 2008 by BGM

[EcPercy]

I would create a service account and do the following: (do not give this account domain or enterprise admins)

get-mailboxserver <mail_server_name> | add-exchangeadministrator <service_account_name> ?role ViewOnlyAdmin

get-mailboxserver <mail_server_name> | add-adpermission ?user <service_account_name> ?accessrights ExtendedRight ?extendedrights Send-As, Receive-As, ms-Exch-Store-Admin

If you give this service account domain admin it will set a deny on the send-as and receive-as which will override the permissions you set with the cmdlets above.

To look at the mailbox you can login to owa with the service account and then click on the account name and you will get the option to connect to another mailbox.

If the first command doesn't work completely use this one:

get-mailboxserver <mail_server_name> | add-adpermission ?user <service_account_name> ?accessrights genericall ?extendedrights Send-As, Receive-As, ms-Exch-Store-Admin

P.S. Don't be upset if this doesn't work perfectly. I left the company I was at after I setup Exchange 2007 w/ UM, but those commands were the ones I used to setup the EXMerge account and the BESAdmin account when I installed the BES. It should get you pretty close to what you are asking.

Edited October 7, 2008 by EcPercy

[eddycarp]

Thanks done the trick!

Perfect

Thanks for your help!