Exchange 2007 - Help needed! - Full access permission

By eddycarp
in Microsoft (Windows)

 Share

Recommended Posts

Apprentice

eddycarp

Posted
Posted

Hi, I am wondering if anyone knows the answer to this?!

Basically we have Exchange 2007 running with 2500+ users set up in it,

If you go into the EMC and right click on a user, you can set a full access permission, so that the administrator can also open the mailbox via OWA.

Obviously having 2500+ users means doing it manually would take ages!

Does anyone know how to set it over the entire site and set it in a way that new accounts would have it set by default.

Thanks in advance.

Experienced

MMaster23

Posted
Posted

Also consider giving those kinds of premissions to a special admin-access-group.

Then add proper admins to that group.

Please also consider futher security risks by opening up 2500 boxes to admins.

Enforce auditting to be sure.

Rising Star

Aldur82

Posted
Posted

Have a read over this page, as it appears certain exchange 2007 groups already have full access permissions anyway...you just need to be a member of the right group.

http://www.msexchange.org/articles_tutoria...oles-part1.html

Apprentice

eddycarp

Posted
  • Author
Posted

Hi, thanks for all of the replies, at the moment I have only been able to find a powershell command that will grant a full access permission on a single mailbox - rather than over the entire lot.

We (as in the administrators - there are 3 of us) are already in the exchange administrators group, but this refuses to allow us to open any of the mailboxes.

Any further ideas would be appreciated!

Thanks again!

Grand Master

BGM

Posted
Posted (edited)
Hi, thanks for all of the replies, at the moment I have only been able to find a powershell command that will grant a full access permission on a single mailbox - rather than over the entire lot.

you could perhaps get a list of users (using powershell?) and then using a macro/textpad/excel create a list of commands to execute, see attached..

however, there must be a way to loop through all the users? (perhaps use this idea as a last resort)

post-24841-1223204238.png

Edited by BGM
Community Regular

EcPercy

Posted
Posted (edited)

I would create a service account and do the following: (do not give this account domain or enterprise admins)

get-mailboxserver <mail_server_name> | add-exchangeadministrator <service_account_name> ?role ViewOnlyAdmin

get-mailboxserver <mail_server_name> | add-adpermission ?user <service_account_name> ?accessrights ExtendedRight ?extendedrights Send-As, Receive-As, ms-Exch-Store-Admin

If you give this service account domain admin it will set a deny on the send-as and receive-as which will override the permissions you set with the cmdlets above.

To look at the mailbox you can login to owa with the service account and then click on the account name and you will get the option to connect to another mailbox.

If the first command doesn't work completely use this one:

get-mailboxserver <mail_server_name> | add-adpermission ?user <service_account_name> ?accessrights genericall ?extendedrights Send-As, Receive-As, ms-Exch-Store-Admin

P.S. Don't be upset if this doesn't work perfectly. I left the company I was at after I setup Exchange 2007 w/ UM, but those commands were the ones I used to setup the EXMerge account and the BESAdmin account when I installed the BES. It should get you pretty close to what you are asking.

Edited by EcPercy
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.