Hello I have a security group called "Help desk". I need to assign full access to the group on all mailboxes on a databse so that they can open the mailboxes using OWA. I used this command which works. Get-Mailbox -ResultSize Unlimited -Database "DatabaseName" | Add-mailboxpermission –user "Help desk" –AccessRights FullAccess However, I need them to have access to any newly created mailbox on that database and not only the ones that were present at the time of issuing the command. How can we set this once for all for that group? We don't want to run this for any new mailboxes. We still have exchange 2007 SP2 Thanks

You have to run this for new mailboxes. you can assign the permissions when you create the mailbox. new-mailbox | add-permission

But we don't want to run anything for new mailboxes. We want this to be inherited to any new mailbox created on that database.

http://technet.microsoft.com/en-us/library/aa996343.aspx See the section "Use the Shell to grant Receive As permission for a mailbox database "

Do we need a combination of fullaccess and receive-as or just receive-as? All we need for these users is to be able to open the mailbox using OWA.

Recieve As is the mininum required to open a mailbox, however OWA requires explicit full mailbox access to open: http://technet.microsoft.com/en-us/library/aa998830(EXCHG.80).aspx

That won't work for OWA and hence my question.

That won't work for OWA and hence my question. Yep, caught that OWA requirement at the last minute. Your only other option is to create a scheduled task that grants full access or assign when you create the mailbox.

No problem. As I thought, the only way is to grant full access for the entire DB and then somehow query the newly created MBX and do it again. I just need to confirm that's pretty much it and there is no way around.

Well, there kinda is. You can access web parts : http://technet.microsoft.com/en-us/library/bb232199(EXCHG.80).aspx But you would still need permissions to specfic folders and not at the store level.

It's mainly for our help desk to check mobile devices status so we don't really care about folder permissions.

Hi, Run this cmdlet to grant FullAccess permission on database level(all the mailbox include newly creating) Add-ADPermission -Identity "Mailbox Database" -User "User-Account" -ExtendedRights Receive-AsPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

jason, This is what I am getting with your command: You do not have permission to open this mailbox. For access or for more information, contact technical support for your organization.

Hi, The user account type should be User instead of Security group. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.