Exchange 2007 Admin needs rights to all mailboxes
Hi, I am about to start the move to Exchange 2007. I have two administrators who need access to all mailboxes in the organization. In 2003 I was able to set rights on the mailbox store level. I can't see how to do this in 2007. I moved a few mailboxes to 2007 and the rights did not follow. Thanks in advance.
June 7th, 2007 4:09pm

You lost mailbox permissions when you did the move-mailbox cmdlet? That is not expected behaviour. Try using a get-mailbox | set-ACL for individual mailbox rights that were lost. Otherwise check your move mailbox procedure against MS best practices, as you should not be losing permissions.
June 7th, 2007 10:20pm

Thanks for the reply. I just used the move mailbox cmd from the gui. What do I need to do to have this set automatically for new mailboxes? Is there a way to set permissions on the store level?
June 8th, 2007 5:25am

You used the EMC, not the 2003 console, right? Try this command in PowerShell: help set-mailboxdatabase. I think that's the cmdlet that'll give you the database level perms.
June 8th, 2007 7:05pm

Thanks. I still haven't gotten the right syntax to get this going. I found this http://technet.microsoft.com/en-us/library/aa996343.aspx but can't seem to find how to give full access on the mailbox store level.
June 12th, 2007 5:34pm

FYI, I see this on TechNet: "In the Exchange Management Shell, use the following command to allow access to all mailboxes on a given mailbox store:"

Add-ADPermission -Identity "mailbox database" -User "serviceaccount" -ExtendedRights Receive-As

This doesn't grant full access, however. I may be going crazy, but I can't seem to find how to do this. I saw a post on Usenet where someone had the same problem and went into ADSI Edit and changed the permissions there, but I am wary to do that.
June 12th, 2007 8:58pm

Add-ADPermission -Identity "mailbox database" -User "serviceaccount" .... Can this be performed with a 'security group' instead of a 'user' account? I have a need for around 3 users in the organisation to have FullAccess and Send-As capabilities for all mailboxes across the 3 Storage Groups I have.

Once the first line above can be provisioned at the mailbox storage database for a security group, I can then add the permissions required to be appended to the above first line, essentially looking similar to this: -AccessRights "FullAccess" "Send-As" -ExtendedRights "Receive-As" -InheritanceType ALL. This needs to be on each storage group database so that these same permissions are maintained when new users are created. Ideally something similar to this:

Add-ADPermission -Identity "mailbox database" -Group "securitygroup" ....

(Even though I know '-group' is not a valid parameter.) Thus the ideal cmdlet would be similar to this, even though it is not permitted syntax for the 'Add-ADPermission' cmdlet:

Add-ADPermission -Identity "mailbox database" -Group "securitygroup" -AccessRights "FullAccess" "Send-As" -ExtendedRights "Receive-As" -InheritanceType ALL

So like others here I have been reading the Exchange blogs, TechNet, newsgroups and cannot find a way to perform this task as was available at a 'storage database' level in Exchange 2003. Having checked the TechNet documentation that is listed above, including the following, I am no further down this path than anyone else.

http://technet.microsoft.com/en-us/library/aa996343.aspx "EXC 2007 -> Operations -> Configuring Permissions -> How to allow Mailbox Access"
http://technet.microsoft.com/en-us/library/bb124403.aspx "EXC2007 -> Tech Ref -> Global CMDlets -> Add-ADPermissions"

Regards, Stephen Edgar, TechNet Plus Subscriber
June 20th, 2007 4:19pm

.... In 2003 this was also not possible..... You cannot assign full mailbox access at the database level. Full mailbox access is a MAPI right and is set and stored on the mailbox and the Exchange security descriptor attribute on the user object. These are NOT AD permissions. Add-ADPermission does therefore not contain a 'full access' right and cannot be used to allow this kind of access to a database.

You guys are referring to 'Administer Information Store' rights and 'Send-as', 'Receive-as' rights, which are extended rights and set on the AD objects. These can - the same way you did in Exchange 2003 - still be set using the Add-ADPermission cmdlet using the distinguishedName or GUID of the object (in case of the store or server you can also use the store/server name).

Add-ADPermission -Identity "Mailbox Store" -User "domain\user" -ExtendedRights Send-As, Receive-As, ms-Exch-Store-Admin

Add-ADPermission is a raw editing tool which you can use to set any type of right on any type of object in AD, just as you would using ADSI Edit. To add groups you can use the same syntax and use 'domain\groupname' | GroupGUID | DN as the value for the -User parameter:

Add-ADPermission -Identity "Mailbox Store" -User "domain\groupname" -ExtendedRights Send-As, Receive-As, ms-Exch-Store-Admin

Cheers, Mark
June 22nd, 2007 3:09pm
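Putting Mark's database-level grant together with the per-mailbox FullAccess step, as an added example for the Exchange Management Shell (not code from the thread or from Microsoft's documentation). The group name is a placeholder, and the ms-Exch-Store-Admin right is used exactly as Mark posted it.

```powershell
# Added example (not from the thread). Assumes an Exchange 2007 Management Shell
# session; "DOMAIN\MailboxAdmins" is a placeholder security group.
$Group = "DOMAIN\MailboxAdmins"

# 1. Database-level extended rights. These are AD permissions on the mailbox
#    database object, so they cover mailboxes created in the database later.
#    Run with -WhatIf first to review the scope of the grant.
foreach ($db in Get-MailboxDatabase) {
    Add-ADPermission -Identity $db.DistinguishedName -User $Group `
        -ExtendedRights "Send-As", "Receive-As", "ms-Exch-Store-Admin"
}

# 2. FullAccess is a per-mailbox (MAPI) right, as Mark explains, so it cannot be
#    set on the database. Grant it mailbox by mailbox and re-run this step for
#    mailboxes created afterwards.
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Add-MailboxPermission -Identity $mbx.Identity -User $Group `
        -AccessRights FullAccess -InheritanceType All
}

# 3. Audit what the group now holds on each database. Explicit (non-inherited)
#    entries are the ones this script created; anything wider than intended can
#    be reversed with Remove-ADPermission using the same parameters.
Get-MailboxDatabase | ForEach-Object {
    Get-ADPermission -Identity $_.DistinguishedName -User $Group |
        Where-Object { -not $_.IsInherited } |
        Select-Object Identity, User, ExtendedRights, AccessRights
}
```

Because step 2 only reaches mailboxes that exist at run time, schedule it or fold it into the mailbox-provisioning procedure if the group must keep FullAccess to every new mailbox.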

Thanks for your reply Mark, much appreciated. That does make sense now when you mention that it was a MAPI permission and not an AD permission, which puts things into perspective. Surprisingly though, I used the exact same command you have mentioned to make the changes per user at this stage; I will now create a group and then add the group and remove the users for a 'cleaner' solution.

I came across the 'ms-Exch-Store-Admin' right whilst diagnosing a BlackBerry Server issue with EXC2007, which lists the same cmdlet you posted above. The 'ms-Exch-Store-Admin' right is not mentioned in the Add-ADPermission article on TechNet in the context of Exchange 2007 permissions. A much greater detailed set of Exchange permissions including 'ms-Exch-Store-Admin' is listed in the EXC2003 section, though these permissions are modified using ADSIEDIT rather than any reference to these ExtendedRights permissions being included in the PowerShell cmdlet references for Exchange 2007, and in general I have tried to keep away from ADSIEDIT unless an absolute necessity. There is also a vague reference to the 'ms-Exch-Store-Admin' right in the Exchange 2007 article on 'Split Permissions Model Reference Article', making it a little obscure, to say the least, to find this information on TechNet. So the Exchange 2007 information on TechNet needs some updating IMHO.

Regards, Stephen Edgar

Update: Even a Google search for 'ms-Exch-Store-Admin' is lacking in results from MSFT, many more for BlackBerry Server.
June 24th, 2007 3:31am

I had the same problem and found a solution. We needed a group to be able to do this, not just one user, so this is what we did:

Open adsiedit.msc and expand (I have left out the CNs) configuration > configuration > services > microsoft exchange > exchorgname > administrative groups > exchange administrative group > servers > nameofclusteredserver (if clustered). Go to properties of the last object, then the security tab. Add a group or user. Assign READ, WRITE AND ADMINISTER INFORMATION STORE. Click on the advanced button and edit the two user or group permissions so the setting is 'Apply onto: This object and all child objects'. Done! This user or group can now use the add-mailboxpermission command! This user/group is also a member of the Exchange Recipient Administrators.
April 30th, 2008 8:08pm

I had the same problem and used CrazyHorse's fix. It works! You rock, CrazyHorse!
June 20th, 2008 7:34pm
