Exch 2007 Storage Group / Mailbox Permissions
I just completed a migration to Exchange 2007 SP2 from Exchange 2003 SP2 for our entire organization. I recognized right off the bat that by default I didn't have permission to open user mailboxes like I had in 2003. It hasn't been a big problem until now, as I didn't have time to figure out what was wrong; I would just grant myself rights on a per-mailbox basis. I finally had a minute to breathe and was able to research the problem further. Here is what I get when I look at a random mailbox with:

Get-MailboxPermission -Identity "user name"

AccessRights                                                  Deny   InheritanceType  User                                          Identity
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]  FALSE  All              NT AUTHORITY\SELF                             full path to user account
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]  FALSE  All              DOMAIN\user1                                  full path to user account
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]  FALSE  All              DOMAIN\user2                                  full path to user account
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]  FALSE  All              DOMAIN\PROEXCH09B$                            full path to user account
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]  FALSE  All              DOMAIN\PROEXCH09A$                            full path to user account
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]  TRUE   All              DOMAIN\Exchange Servers                       full path to user account
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]  TRUE   All              DOMAIN\Domain Admins                          full path to user account
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]  TRUE   All              DOMAIN\Enterprise Admins                      full path to user account
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]  TRUE   All              DOMAIN\ME                                     full path to user account
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]  TRUE   All              DOMAIN\Exchange Organization Administrators   full path to user account
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]  TRUE   All              DOMAIN\administrator                          full path to user account
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]  FALSE  All              DOMAIN\Exchange Servers                       full path to user account
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]  FALSE  All              DOMAIN\Exchange Domain Servers                full path to user account
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]  FALSE  All              DOMAIN\Exchange Public Folder Administrators  full path to user account
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]  FALSE  All              NT AUTHORITY\NETWORK SERVICE                  full path to user account
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]  FALSE  All              DOMAIN\Exchange Domain Servers                full path to user account
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]  FALSE  All              DOMAIN\Exchange Servers                       full path to user account
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]  FALSE  All              DOMAIN\Exchange View-Only Administrators      full path to user account
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]  FALSE  All              DOMAIN\ME                                     full path to user account
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]  FALSE  All              DOMAIN\Exchange Organization Administrators   full path to user account
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]  FALSE  All              DOMAIN\administrator                          full path to user account
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]  FALSE  All              DOMAIN\Enterprise Admins                      full path to user account
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]  FALSE  All              DOMAIN\Domain Admins                          full path to user account

Notice that for some reason DOMAIN\ME is both denied and allowed, not to mention DAs, EAs, Administrator, etc. When I run Get-ADPermission on any of the mailbox databases it seems to be the same problem, minus user1 and user2. They are only in this example because they are the user's manager and have access to their mailbox. How can I fix this problem? PLEASE HELP.
February 4th, 2010 1:21am

Hi - By default Domain Admins and Enterprise Admins are explicitly denied access to mailboxes. I generally encourage leaving it this way. Create a dedicated Exchange admin or mailbox access account and use it for this purpose.

Active Directory, 4th Edition - www.briandesmond.com/ad4/
February 4th, 2010 5:42am

I understand why it is done this way, and I am for the most part the one that handles everything Exchange-wise, but my curiosity is why the following list was inherently denied:

AccessRights                                                  Deny   InheritanceType  User                                          Identity
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]  TRUE   All              DOMAIN\Exchange Servers                       full path to user account
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]  TRUE   All              DOMAIN\Domain Admins                          full path to user account
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]  TRUE   All              DOMAIN\Enterprise Admins                      full path to user account
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]  TRUE   All              DOMAIN\ME                                     full path to user account
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]  TRUE   All              DOMAIN\Exchange Organization Administrators   full path to user account
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[]  TRUE   All              DOMAIN\administrator                          full path to user account

That TRUE is under the Deny column. Exchange Servers, DAs, EAs, myself, EOAs and the domain Administrator are all inherently blocked. Can you tell me where to find the permissions from which these are being inherited? I have read that ADSI Edit would get me there, but I don't want to be screwing with the permissions in the schema if I don't have to. I would like to remove my inherited DENY permission and any other DENY permissions that shouldn't be there; then we're going to create and use a group with only myself and my boss and give it permissions to all our databases for administration purposes. If possible we want to do this at the "top" so that any and all current/future mailboxes inherit the permissions. Thank you.
February 9th, 2010 8:37pm
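Added example, not code from any of the posters above. The Deny entries that a mailbox or database reports as inherited are set on objects above the database in the Exchange configuration partition, so the place to look is the chain of parent containers, not the schema. This Exchange 2007 Management Shell script walks from one database up to the organization object and lists every Deny ACE on each object, flagging the ones set directly there (SetHere = True); those are the sources the mailboxes and databases below inherit from. The $DatabaseId value is a placeholder for your own "Server\StorageGroup\Database", and the script assumes no container name contains a comma.

```powershell
# Added example: locate the objects that carry the explicit Deny ACEs which
# mailboxes and mailbox databases inherit. Run in the Exchange 2007 Management
# Shell; written to work on PowerShell 1.0 (no -split / -join operators).
$DatabaseId = "PROEXCH09A\First Storage Group\Mailbox Database"   # placeholder

# Start from the database's distinguished name in the configuration partition.
$dn = (Get-MailboxDatabase -Identity $DatabaseId).DistinguishedName

# Collect the DN of the database and of every ancestor up to and including the
# organization object (its parent is "CN=Microsoft Exchange,CN=Services,...").
$chain = @()
while ($dn -ne $null -and -not $dn.StartsWith("CN=Microsoft Exchange,CN=Services")) {
    $chain += $dn
    $dn = $dn.Substring($dn.IndexOf(",") + 1)   # drop the leading RDN to get the parent
}

# For each object in the chain, show only Deny ACEs. SetHere = True means the
# ACE is defined on that object; False means it was itself inherited from above.
foreach ($objDn in $chain) {
    Get-ADPermission -Identity $objDn |
        Where-Object { $_.Deny } |
        Select-Object `
            @{Name="Object";         Expression={ $objDn.Substring(0, $objDn.IndexOf(",")) }}, `
            @{Name="User";           Expression={ $_.User }}, `
            @{Name="AccessRights";   Expression={ $_.AccessRights }}, `
            @{Name="ExtendedRights"; Expression={ $_.ExtendedRights }}, `
            @{Name="SetHere";        Expression={ -not $_.IsInherited }}
}
```

Read the output from the bottom of the chain (the organization object) upward: a trustee such as Domain Admins that shows SetHere = True on the organization with Receive-As in ExtendedRights is the origin of the inherited Deny you see on every database and mailbox. Reviewing it this way is read-only; it does not change any ACL.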

Hi, run the below-mentioned command in the shell so that the trusted user gets the Full Access permission:

get-mailbox | Add-MailboxPermission -User "Trusted User" -AccessRights FullAccess
February 9th, 2010 9:10pm

But this will just apply the permissions to current mailboxes; it won't be set at the location from which new mailboxes will inherit their permissions. Every couple of days, as new mailboxes are created, I would have to run the command again. I want to set the permission at the highest possible level so it is inherited by everything under it.
February 9th, 2010 10:15pm
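Added example, not code from any of the posters above. Granting the right on the mailbox database rather than on each mailbox is what makes it inherited by mailboxes created later. This Exchange 2007 Management Shell script grants a dedicated administration group Receive-As on every mailbox database, then checks the grant on the database and confirms that a sample mailbox now shows the group as an inherited entry. "DOMAIN\Mailbox Admins" and "user name" are placeholders. The group should contain only the intended administrators and must not be nested in Domain Admins or Enterprise Admins, which carry the default Deny entries discussed earlier in the thread.

```powershell
# Added example: give a dedicated group mailbox access at database level so the
# right is inherited by current and future mailboxes. Run in the Exchange 2007
# Management Shell; works on PowerShell 1.0.
$AdminGroup = "DOMAIN\Mailbox Admins"   # placeholder; a small, dedicated group

# 1. Grant Receive-As on every mailbox database. Receive-As is the extended
#    right that permits opening mailboxes in that database; Send-As is separate
#    and is deliberately not granted here.
Get-MailboxDatabase | Add-ADPermission -User $AdminGroup -ExtendedRights Receive-As

# 2. Verify the database-level entry: it must exist, be an Allow (Deny = False),
#    and be set directly on the database (IsInherited = False).
Get-MailboxDatabase | ForEach-Object {
    Get-ADPermission -Identity $_.Identity -User $AdminGroup |
        Where-Object { [string]::Join(",", @($_.ExtendedRights)) -match "Receive-As" } |
        Select-Object Identity, User, Deny, IsInherited
}

# 3. On any mailbox in those databases the group should now be reported as an
#    inherited entry, so no per-mailbox Add-MailboxPermission is needed for
#    mailboxes created later.
Get-MailboxPermission -Identity "user name" -User $AdminGroup |
    Select-Object User, AccessRights, Deny, IsInherited
```

If step 3 shows no entry for the group, or an inherited Deny for one of its members, the account is also matched by one of the default Deny entries (for example through Domain Admins membership), which is exactly the case the dedicated-account advice above is meant to avoid. Keep the group's membership small and review it periodically, since every member can open every mailbox in those databases.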

