Assigning permissions in Linked Mailbox environment
Running Exchange 2007 and AD 2008. Two forests:

ExchForest: Contains mailboxes
ADForest: Contains AD accounts

The mailboxes in ExchForest are linked to the AD accounts in ADForest. The corresponding AD accounts for those mailboxes in ExchForest are disabled.

I want to assign some permissions on a mailbox to a group of users. This is for an application and we need to assign the permission to AD accounts. Do I need to:

1. Assign the permissions to the users' AD accounts in ADForest
2. Assign the permissions to the users' AD accounts in ExchForest
March 30th, 2011 7:30am

You'll need to add the permissions to the account that the user is connecting to the mailbox with. I'm guessing they are logging in with their normal user account from the ADForest, so that would give you the answer of: Give the permissions to the ADForest account.

Add-MailboxPermission -Identity <mbx alias> -User "Domain\User" -AccessRights FullAccess

Add-MailboxPermission

Jesper Bernle | Blog: http://xchangeserver.wordpress.com
March 30th, 2011 10:15am

Hi,

You can achieve your aim using EMS or EMC. You can read this article:
http://technet.microsoft.com/en-us/library/aa996343(EXCHG.80).aspx

To use the Exchange Management Shell to grant full access permissions for a particular mailbox, run the following command to add the permission directly to the mailbox:

Add-MailboxPermission "Mailbox" -User "Trusted User" -AccessRights FullAccess

To use the Exchange Management Shell to grant receive as permissions for a mailbox database (and thus allow access into all mailboxes within the database), run the following command to add the permission to the mailbox store:

Add-ADPermission -Identity "Mailbox " -User "Trusted User" -ExtendedRights Receive-As

I can't find an official document about the difference. I can offer you the opinion which I trust.

The difference between AD permission and Mailbox permission is where the permission is stored (and, indirectly, on what object you're setting the permission). AD permission cmdlet sets permissions on AD objects. Mailbox permission cmdlet sets permissions on "store mailbox" objects inside the information store. There's a bit of overlap, however, because some of the permissions are AD permissions until the StoreMailbox object is provisioned in the information store, at which point they become read-only in the AD and are managed from the store object at that point forward.

As for extended vs regular rights in AD - the easy way to think of this is that generally the extended rights are the special things that are unique to an object (and are added for that object as part of its schema). So things that are particular to mailbox objects are going to be extended rights, while the common AD permissions for the mailbox object will be regular rights.

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 30th, 2011 11:25pm

Hi,

You can achieve your aim using EMS or EMC. You can read this article:
http://technet.microsoft.com/en-us/library/aa996343(EXCHG.80).aspx

To use the Exchange Management Shell to grant full access permissions for a particular mailbox, run the following command to add the permission directly to the mailbox:

Add-MailboxPermission "Mailbox" -User "Trusted User" -AccessRights FullAccess

To use the Exchange Management Shell to grant receive as permissions for a mailbox, run the following command to add the permission to the mailbox:

Add-ADPermission -Identity "Mailbox " -User "Trusted User" -ExtendedRights Receive-As

I can't find an official document about the difference. I can offer you the opinion which I trust.

The difference between AD permission and Mailbox permission is where the permission is stored (and, indirectly, on what object you're setting the permission). AD permission cmdlet sets permissions on AD objects. Mailbox permission cmdlet sets permissions on "store mailbox" objects inside the information store. There's a bit of overlap, however, because some of the permissions are AD permissions until the StoreMailbox object is provisioned in the information store, at which point they become read-only in the AD and are managed from the store object at that point forward.

As for extended vs regular rights in AD - the easy way to think of this is that generally the extended rights are the special things that are unique to an object (and are added for that object as part of its schema). So things that are particular to mailbox objects are going to be extended rights, while the common AD permissions for the mailbox object will be regular rights.
March 30th, 2011 11:25pm
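
A way to apply and then review the grant discussed in the answers above, as an added example that is not part of any post in this thread. The mailbox alias and the ADFOREST account names are placeholders; the script shows the store-level and AD-level permission views side by side, plus who holds Receive-As on the whole database.

```powershell
# Added example, run from the Exchange Management Shell in ExchForest.
# Placeholder values (assumptions, not from the thread):
$Mailbox  = 'appmbx'
$Trustees = 'ADFOREST\user1', 'ADFOREST\user2'

# 1. Confirm the mailbox is linked and which ADForest account is its master.
$mbx = Get-Mailbox -Identity $Mailbox
$mbx | Format-List Name, RecipientTypeDetails, LinkedMasterAccount

# 2. Grant FullAccess on this one mailbox to each ADForest account.
foreach ($t in $Trustees) {
    Add-MailboxPermission -Identity $Mailbox -User $t -AccessRights FullAccess
}

# 3. Store-level view: explicit (non-inherited) mailbox permissions.
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' } |
    Format-Table User, AccessRights, Deny -AutoSize

# 4. AD-level view: extended rights set directly on the mailbox's AD object.
Get-ADPermission -Identity $mbx.DistinguishedName |
    Where-Object { -not $_.IsInherited -and $_.ExtendedRights } |
    Format-Table User, ExtendedRights, Deny -AutoSize

# 5. Receive-As on the database reaches every mailbox in it, so list who holds it.
Get-ADPermission -Identity $mbx.Database.DistinguishedName |
    Where-Object { $_.ExtendedRights -like 'Receive-As' -and -not $_.Deny } |
    Format-Table User, IsInherited -AutoSize
```

Steps 3 to 5 only read permissions, so they can be rerun on their own to check an existing mailbox without changing anything.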

Hi,

Do you have anything to update on your issue?
April 6th, 2011 6:48am

This topic is archived. No further replies will be accepted.
