Exchange 2007 beta 2 - How to assign service account access to all mailboxes?
For Exchange 2003 there's an article in the knowledge base: http://support.microsoft.com/default.aspx?scid=kb;en-us;821897
In Exchange 2007 everything is "a little" different and I just started playing with it. Did anybody already figure this out?

I know it is possible to add mailbox permissions with (TechNet example):

    Add-MailboxPermission MyServiceAccount -User Test2 -AccessRights FullAccess -InheritanceType All

but it does not accept an asterisk (*), so this does not work:

    Add-MailboxPermission MyServiceAccount -User * -AccessRights FullAccess -InheritanceType All

Still, if it would work, it would not apply permissions to future users/new mailboxes. I need something to give MyServiceAccount full access at a higher (store) level.
July 26th, 2006 2:05pm

I haven't tested this, but I would think you need to do something like get-mailbox and then pipe the results to the line you used up there using a variable instead of the *. -Mark
July 27th, 2006 7:53pm
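
The following is an added example of the Get-Mailbox pipeline Mark suggests; it is not code from the thread. It stamps an explicit FullAccess entry for a service account on every mailbox currently in one database, skipping mailboxes that already have it so the script can be re-run safely, and runs with -WhatIf so the planned changes can be reviewed before anything is written. The account name 'svc-mailboxreader' and the database 'server1\mdb1' are placeholders.

```powershell
# Added example (not code from the thread): Mark's approach, stamping an
# explicit FullAccess ACE for a service account on every existing mailbox.
# 'svc-mailboxreader' and 'server1\mdb1' are placeholder names.
$ServiceAccount = "svc-mailboxreader"
$Database       = "server1\mdb1"

# Scope to one database. -ResultSize Unlimited matters: the default result
# size is 1000, and a silently truncated list would leave mailboxes unstamped.
$mailboxes = @(Get-Mailbox -Database $Database -ResultSize Unlimited)

$stamped = @()
foreach ($mbx in $mailboxes) {
    # Skip mailboxes that already grant the right (allow entry, not a deny),
    # so re-runs are idempotent and the change record only shows real changes.
    $current = Get-MailboxPermission -Identity $mbx.Identity -User $ServiceAccount `
        -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.Deny -and
            (($_.AccessRights | ForEach-Object { "$_" }) -contains "FullAccess")
        }
    if ($current) { continue }

    # Remove -WhatIf once the planned changes have been reviewed.
    Add-MailboxPermission -Identity $mbx.Identity -User $ServiceAccount `
        -AccessRights FullAccess -InheritanceType All -WhatIf
    $stamped += $mbx.Identity
}

# Summary for the change ticket.
"Stamped $($stamped.Count) of $($mailboxes.Count) mailboxes in $Database"
```

As the question already notes, this only covers mailboxes that exist when the script runs; a mailbox created tomorrow gets nothing until the script is run again, and each run adds another explicit ACE per mailbox that has to be tracked and eventually removed.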

That would work too, but it's directly stamping ACLs on the mailboxes. I believe the solution you're looking for is to do it at once at the MDB level. According to the KB article, what's happening is that the ACLs are being put on the store object. You can do the similar notion in E2007 like this (btw: haven't tested that the store continues to work the same way, but I don't think anything in this area changed in the store):

    Get-MailboxDatabase server1\mdb1 | Get-ADPermission -User someuser

This will show you all the perms for some user on the MDB object. You can omit -User to see everything. Also use Format-Table (ft) to see extended rights and inheritance, as those are not in the default view. To add permissions, it's similar:

    Get-MailboxDatabase server1\mdb1 | Add-ADPermission -User someuser -AccessRights GenericRead, GenericWrite -ExtendedRights Send-As

And so on. I don't have a translation from the rights in the KB article to the choices in the permission cmdlets, but you should be able to use the English display name to assign rights as well (for extended rights). If that doesn't work, the full schema name of the right (for example: ms-exch-view-information-store) will definitely work. Let us know if that does the trick. I haven't tried service accounts myself though.

Thanks,
~vivek
July 27th, 2006 8:07pm
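
The following is an added example built around the store-level cmdlets Vivek describes; it is not code from the thread. It first shows what the account already holds on the database object (with the extended-rights and inheritance columns that the default view hides), then grants GenericRead/GenericWrite plus the Send-As and Receive-As extended rights on the database rather than on any mailbox, and finally lists every principal that holds either extended right on any database, which is the review a security team wants to run on a schedule. 'svc-mailboxreader' and 'server1\mdb1' are placeholder names, and the exclusion of NT AUTHORITY\* principals from the review is an assumption about which built-in entries are uninteresting.

```powershell
# Added example (not code from the thread): grant and review rights on the
# mailbox database (store) object itself. Placeholder names:
# 'svc-mailboxreader', 'server1\mdb1'.
$ServiceAccount = "svc-mailboxreader"
$Database       = "server1\mdb1"

# 1. What does the account hold on the store object today? Extended rights
#    and inheritance are not in the default view, so pick the columns.
Get-MailboxDatabase -Identity $Database |
    Get-ADPermission -User $ServiceAccount |
    Format-Table User, AccessRights, ExtendedRights, IsInherited, Deny -AutoSize

# 2. Grant at the store level. Send-As and Receive-As are the extended rights
#    discussed in the thread; nothing here is stamped on individual mailboxes,
#    so mailboxes created later inherit the same entries.
Get-MailboxDatabase -Identity $Database |
    Add-ADPermission -User $ServiceAccount `
        -AccessRights GenericRead, GenericWrite `
        -ExtendedRights Send-As, Receive-As

# 3. Periodic review: every principal holding Send-As or Receive-As on any
#    database. Excluding NT AUTHORITY\* is an assumption that the built-in
#    entries are not what the review is after; adjust to the environment.
Get-MailboxDatabase |
    Get-ADPermission |
    Where-Object {
        -not $_.Deny -and
        $_.User -notlike "NT AUTHORITY\*" -and
        (($_.ExtendedRights | ForEach-Object { "$_" }) |
            Where-Object { $_ -match "^(Send-As|Receive-As)$" })
    } |
    Select-Object Identity, User, ExtendedRights, IsInherited |
    Sort-Object Identity, User
```

A store-level Receive-As entry is effectively full read access to every mailbox in that database, present and future, so the account that holds it should be treated like any other highly privileged identity: a dedicated account, no interactive logon, and a review that confirms the list from step 3 still matches what was approved.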

If you just replace MyServiceAccount with the mailbox you want to place the permissions on, and use MyServiceAccount behind the -User property, it will work!

    Add-MailboxPermission Mailbox -User MyServiceAccount -AccessRights FullAccess -InheritanceType All

Why is this not configurable using the GUI .. I'm so over DOS based stuff
September 6th, 2006 4:08pm

Thanks Vivek / Mark / CalciumDude. I finally had some time to look at it again. This example works, or at least it works for setting permissions:

    Get-MailboxDatabase server1\mdb1 | Add-ADPermission -User someuser -AccessRights GenericRead, GenericWrite -ExtendedRights Send-As

I now understand how to change the permissions. I added 'Receive-As' and 'Delete' also, but it still does not seem to be sufficient. But now that I start to understand how that shell works, I was able to get a list of permissions on one of the users that has a mailbox in the database. With the Get-MailboxPermission command, the service account has FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner on that user.... all inherited, as one would expect, as the permissions are set at the store level. Still those permissions seem to be insufficient. My application running with the service account identity logs "access denied" when it tries to open an item in the mailbox of the user. Do you have an idea on what permission would be needed?

[EDIT] This is weird.. I just configured an Outlook profile for the service account on a workstation. In Exchange properties, Advanced, I added the mailbox of one of the users in the mailbox database. As an illustration of the fact that it has access, it opens fine. The service account can not only see everything in that mailbox but also add or delete items in the user mailbox. So.. from Outlook it works fine, but when the application on the server tries it with the same identity it gets 'Access denied' ??!. The application on the server is not using Outlook however but CDOEX... very basic stuff:

    Dim objCDO As New CDO.Item
    objCDO.DataSource.Open urlOfTheItem, , adModeRead, adFailIfNotExists

Did they change anything there as well? Does CDOEX need other permissions?

Vivek Sharma - MSFT wrote:
> That would work too, but it's directly stamping ACLs on the mailboxes. I believe the solution you're looking for is to do it at once at the MDB level. According to the KB article, what's happening is that the ACLs are being put on the store object. You can do the similar notion in E2007 like this (btw: haven't tested that the store continues to work the same way, but I don't think anything in this area changed in the store):
>
>     Get-MailboxDatabase server1\mdb1 | Get-ADPermission -User someuser
>
> This will show you all the perms for some user on the MDB object. You can omit -User to see everything. Also use Format-Table (ft) to see extended rights and inheritance, as those are not in the default view. To add permissions, it's similar:
>
>     Get-MailboxDatabase server1\mdb1 | Add-ADPermission -User someuser -AccessRights GenericRead, GenericWrite -ExtendedRights Send-As
>
> And so on. I don't have a translation from the rights in the KB article to the choices in the permission cmdlets, but you should be able to use the English display name to assign rights as well (for extended rights). If that doesn't work, the full schema name of the right (for example: ms-exch-view-information-store) will definitely work. Let us know if that does the trick. I haven't tried service accounts myself though.
>
> Thanks,
> ~vivek
September 27th, 2006 3:46pm
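
The post above checks one user's mailbox with Get-MailboxPermission and finds the store-level rights inherited as expected. The following is an added example, not code from the thread, that runs the same check across every mailbox in the database and reports the two conditions that produce "access denied" on a mailbox even though a grant exists at the store: no inherited FullAccess entry for the account, or an explicit Deny entry, which wins over an inherited allow. 'svc-mailboxreader' and 'server1\mdb1' are placeholder names.

```powershell
# Added example (not code from the thread): per-mailbox verification of what
# a service account actually holds after rights were granted on the store.
# Placeholder names: 'svc-mailboxreader', 'server1\mdb1'.
$ServiceAccount = "svc-mailboxreader"
$Database       = "server1\mdb1"

Get-Mailbox -Database $Database -ResultSize Unlimited | ForEach-Object {
    $mbx  = $_
    $aces = @(Get-MailboxPermission -Identity $mbx.Identity -User $ServiceAccount `
                -ErrorAction SilentlyContinue)

    # Flatten allow and deny entries to plain right names such as "FullAccess".
    $allow = @($aces | Where-Object { -not $_.Deny } |
               ForEach-Object { $_.AccessRights } | ForEach-Object { "$_" })
    $deny  = @($aces | Where-Object { $_.Deny } |
               ForEach-Object { $_.AccessRights } | ForEach-Object { "$_" })
    $inherited = @($aces | Where-Object { $_.IsInherited }).Count -gt 0

    # A Deny entry overrides an inherited allow, so report it first.
    $state = "OK (inherited from store)"
    if ($deny.Count -gt 0) {
        $state = "DENY entry present: " + [string]::Join(", ", $deny)
    }
    elseif ($allow -notcontains "FullAccess") {
        $state = "MISSING FullAccess (allowed: " + [string]::Join(", ", $allow) + ")"
    }
    elseif (-not $inherited) {
        $state = "OK (explicit entry on the mailbox, not inherited)"
    }

    "{0,-30} {1}" -f $mbx.Alias, $state
}
```

Mailboxes that report OK but still fail from the application point away from the mailbox ACL itself, which matches the Outlook-works/CDOEX-fails observation in the post: the same identity, the same mailbox, but a different access path.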

