Grant full access and send as permissions on a group of mailboxes
I need some help accommodating a set of mailbox permissions on a group of mailboxes.
A little background:
I've got 2 different groups of mailboxes, Group D and group U.
All of the group D mailboxes are in OU example.com - company - department A.
All of the group U mailboxes are in OU example.com - company - department B, and each group U mailbox is also a member of a mail-enabled security group.
I need every user / mailbox in group U to have full access and send as permission on all of the group D mailboxes.
The mailboxes in group D and group U are fairly fluid. They get created, disabled, and replaced fairly regularly.
I don't want to have to have an Exchange Organization Administrator be responsible for granting full and send-as permissions to each group U member on each group D mailbox as these mailboxes come and go. I'd rather have these permissions inherited from an OU level or possibly a mailbox database level. If that's not possible, my next best option would be to grant my Exchange Recipient Administrators the rights they need to change send-as and full mailbox permissions on only one OU or mailbox database so that they can manage these permissions.
So my question is, can I grant full access and send-as permissions to a mail-enabled security group on all mailbox objects in an OU or mailbox database? Alternatively, could I grant the permissions necessary to set full access and send as permissions to a group of jr. administrators on all mailboxes on a single mailbox database? If so, what would the commands for doing so look like?
June 24th, 2010 7:30pm
Hello Utegrad,
Unfortunately I can only answer half your question, although you may be able to answer the other half on your own with the below command. This will grant full access to the username you specify:
Get-MailboxDatabase | Add-ADPermission -user username -AccessRights GenericAll
As for setting the Send as permissions, I have never tried it but I am guessing it is a modification of the above...
Hope this helps...
June 24th, 2010 9:36pm
Hi,
By using the Exchange shell, we are unable to query the mailboxes from a Distribution Group, so I recommend you use the following method to do this task:
1. Create an organizational unit (OU), GroupU, and move all the GroupU users to this OU.
2. Create an OU, name it GroupD, and move all the GroupD users to this OU.
3. Open Notepad and copy the following script. Then save the file as xx.ps1.
--------------------------
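# Every user in the GroupU OU gets rights on every mailbox in the GroupD OU.
$AllUsers = Get-User -OrganizationalUnit GroupU
foreach ($user in $AllUsers) {
    $mailboxes = Get-Mailbox -OrganizationalUnit GroupD
    # Full Access is a mailbox permission.
    $mailboxes | Add-MailboxPermission -User $user.Identity -AccessRights FullAccess
    # Send As is an Active Directory extended right, set with Add-ADPermission.
    $mailboxes | Add-ADPermission -User $user.Identity -ExtendedRights "Send As"
}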
---------------------------------
4. Open the Exchange shell and run the xx.ps1 file.
June 25th, 2010 11:57am
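An added example, not code from any poster in this thread: a re-runnable variant that grants both rights to the mail-enabled security group itself rather than to each member, and reports what it changed. The group name is a placeholder (the thread does not name it), `GroupD` is the OU name from the script above, and the Exchange Management Shell is assumed.

```powershell
# Added example, not code from this thread. Run in the Exchange Management Shell.
# Assumptions: $Group is a placeholder for the mail-enabled security group;
# 'GroupD' is the OU name used in the script above.
$Group = 'EXAMPLE\GroupU-Placeholder'
$OU    = 'GroupD'

$report = foreach ($mbx in Get-Mailbox -OrganizationalUnit $OU -ResultSize Unlimited) {
    $added = @()

    # Full Access: look for an existing explicit allow entry for the group.
    $full = Get-MailboxPermission -Identity $mbx.Identity -User $Group |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                       ($_.AccessRights -like '*FullAccess*') }
    if (-not $full) {
        Add-MailboxPermission -Identity $mbx.Identity -User $Group `
            -AccessRights FullAccess | Out-Null
        $added += 'FullAccess'
    }

    # Send As: an Active Directory extended right on the mailbox's user object.
    $sendAs = Get-ADPermission -Identity $mbx.Identity -User $Group |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -like 'Send*As') }
    if (-not $sendAs) {
        Add-ADPermission -Identity $mbx.Identity -User $Group `
            -ExtendedRights 'Send As' | Out-Null
        $added += 'SendAs'
    }

    # One row per mailbox so each run leaves a record of what changed.
    $row = '' | Select-Object Mailbox, Added
    $row.Mailbox = $mbx.Name
    $row.Added   = [string]::Join(', ', $added)
    $row
}

# Show only the mailboxes that were modified in this run.
$report | Where-Object { $_.Added } | Format-Table Mailbox, Added -AutoSize
```

Because the rights are held by the group, changes to group U membership need no further permission edits; only newly created group D mailboxes are touched on later runs.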
Let me see if I can simplify and ask this question better.
Can I grant a group permissions to manage send as and full access permissions for mailboxes on one mailbox database only and leave that group's view only and recipient administrator permissions as-is on the other mailbox databases on the server?
I could be mistaken about this, but I think I could grant them the manage information store rights on an Exchange 2003 mailbox database and it would accomplish this? I'm not sure how I would do something similar in my Exchange 2007 environment.
July 2nd, 2010 8:50pm
You can't do that. The closest would be the Split Permissions model (http://technet.microsoft.com/en-us/library/bb232100%28EXCHG.80%29.aspx) but that only allows you to modify permissions at the OU or Domain Level and not restrict it down to full access or sendas. For what you want, you'll have to go to Exchange 2010 (and you'll have to wait for SP1 as well) and take advantage of the RBAC Model where you can customize roles and add them to a role group which you assign that group of users to and scope it down. Exchange 2010 SP1 allows you to scope it down to the database level which isn't available in RTM which is why I stated earlier you'll have to wait till SP1.
MVP | MCSE:M | MCITP: Enterprise Messaging Administrator | MCTS: OCS + Voice Specialization
http://www.shudnow.net
July 3rd, 2010 12:03am