How to set Full MB permissions globally in Ex2007
I need to know how to grant full access permissions to a service account. The permissions need to be global, static, and inherited by every new mailbox we create. We've got a service account that runs an internal application and it makes no sense to run a cmdlet every time we create a new mailbox. I'm confused because when I check the Full Access permission on the Ex2007 accounts via the EMC it lists this service account as having Full Access. This is what I have been running every time we create a new mailbox:

Get-Mailbox username | Add-MailboxPermission -User servicename -AccessRights FullAccess

The app's purpose is to set the OOF for users from a web interface (don't ask...). Without running that cmdlet, the app doesn't have permissions to set the OOF on the account. After I run that, the account has access. What am I missing? What can I do to set this on all existing/new Ex2007 mailboxes? Thanks!
October 14th, 2008 12:15am

Hello Jay, this should help you to give permission on all mailboxes of a server, including future mailboxes... FAQ: Access on All the Mailboxes of a Server - Exchange 2007 http://exchangeshare.wordpress.com/2008/09/05/faq-access-on-all-the-mailboxes-of-a-server-exchange-2007/
October 14th, 2008 1:58am

Amit, thanks, but that doesn't appear to be the fix. I ran this:

Get-MailboxDatabase -Server myServerName | Add-ADPermission -User serviceAccount -ExtendedRights Receive-As

I was told the appropriate ACE is already present on the object. Any other ideas?
October 14th, 2008 4:03pm

Well, this is the common method to give full mailbox access to a service account. How to Allow Mailbox Access http://technet.microsoft.com/en-us/library/aa996343(EXCHG.80).aspx But it looks like you are opening the mailbox through web services/interface and it is similar to giving permission to access a mailbox through OWA. Actually, OWA requires the Full Access permission on all the mailboxes explicitly and you need to run the below command to give it every time you create a new mailbox. Reference for OWA: How to Enable Explicit Logons in Outlook Web Access http://technet.microsoft.com/en-us/library/aa998830(EXCHG.80).aspx

Get-Mailbox username | Add-MailboxPermission -User servicename -AccessRights FullAccess

Alternatively, you can schedule a script to run every night on your Exchange server which executes this command and gives FullAccess on all newly created mailboxes explicitly, so you don't have to take care of it every time. Sample script:

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin
Get-Mailbox -Server "ServerName" | Add-MailboxPermission -User servicename -AccessRights FullAccess

Regarding how to schedule a script, point 3 in the below article can be referred to. Exchange 2007 & Display Name Format http://exchangeshare.wordpress.com/2008/08/17/exchange-2007-display-name-format/ Note: This article is for another issue, but the method of scheduling a script can be referred from it.
October 14th, 2008 4:24pm
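An idempotent version of the nightly job suggested above, written as an added example (not Amit's script or Microsoft's code): it grants FullAccess only where the service account has no explicit allow ACE yet, and logs each grant so the spread of a mailbox-wide credential stays auditable. It assumes the Exchange 2007 Management Shell snap-in and uses placeholder values for the service account, server and log path.

```powershell
# Added example: nightly FullAccess grant that skips mailboxes already done.
# Assumes Exchange 2007 Management Shell; $ServiceAccount/$Server/$LogFile are placeholders.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin -ErrorAction SilentlyContinue

$ServiceAccount = "CONTOSO\svc-oof"            # placeholder service account
$Server         = "ServerName"                 # placeholder mailbox server
$LogFile        = "C:\Scripts\OofFullAccess.log"

# True when the account already holds an explicit (non-inherited, non-deny) FullAccess ACE.
function Test-ExplicitFullAccess {
    param($Identity, $User)
    $ace = Get-MailboxPermission -Identity $Identity -User $User -ErrorAction SilentlyContinue |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                       ([string]$_.AccessRights -match "FullAccess") }
    return ($ace -ne $null)
}

# Only user mailboxes; system/resource mailboxes are left alone.
$missing = Get-Mailbox -Server $Server -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    Where-Object { -not (Test-ExplicitFullAccess $_.Identity $ServiceAccount) }

foreach ($mbx in $missing) {
    Add-MailboxPermission -Identity $mbx.Identity -User $ServiceAccount `
        -AccessRights FullAccess | Out-Null
    # One line per grant: who got what, where, and when, for later review.
    "$(Get-Date -Format s) granted FullAccess to $ServiceAccount on $($mbx.Alias)" |
        Out-File -FilePath $LogFile -Append
}

"$(Get-Date -Format s) run complete, $(@($missing).Count) mailbox(es) updated" |
    Out-File -FilePath $LogFile -Append
```

Because the check runs before each grant, re-running the job is safe and the log shows only real changes, which is what you want to review when a mailbox-wide service account is involved.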

Yep, this is using EWS. Thank you for the responses, Amit. I appreciate what you've done to point me in the right direction. Now for some commentary directed at Microsoft. I'll be honest, this is not a "solution". How is a large environment supposed to deal with this? Writing a script that needs to run every night isn't acceptable in my mind. There should be some way to make this happen without the need for running a script constantly. For a small environment this will work. For an organization that could have hundreds of new accounts created every day, this is absurd. Amit, please understand I am not in any way directing those comments at you. Hopefully you can use some of your MVP influence to talk to those at MS and have some hotfix happen or an addition for Ex2007 SP2. I'm highly disappointed.
October 14th, 2008 4:46pm

Hi, I understood the situation and your point too. I think we are on two different tracks: I explained from the admin perspective and I guess you need an answer from a programmer's perspective. I am not a developer, but this should help you to configure what you want. Configuring Exchange Impersonation (Exchange Web Services) http://msdn.microsoft.com/en-us/library/bb204095.aspx For more description or information on how to access a mailbox or what permissions are needed to access OOF through EWS, I would suggest you post your query in the Development forum. You may also speak with your application owner / developer about it; they might have some standard way to configure permissions to access through EWS. TechNet Forums Exchange Server Development. I hope you get some permanent solution soon.
October 14th, 2008 5:07pm

Wow, now that is what I am looking for! You're the man, Amit. Ok, so I read the link and here is one thing I am confused on: ms-Exch-EPI-Impersonation. "The ms-Exch-EPI-Impersonation permission gives the caller the ability to submit an impersonation call through the Client Access server. This does not mean that the caller has permission to access any particular account. Permission to impersonate on a server is set on the security descriptor of the Server object in Active Directory. The calling account cannot be a member of any administrator group. This permission is explicitly denied to those groups." What administrator groups are they talking about? Exchange admin? Local server admin? Any idea? If you can answer that, excellent. If not, I'll post it in the Dev forums. Amit, thank you again.
October 14th, 2008 5:25pm

Those should be Exchange and Active Directory Administrator groups. Local server admin group is OK. Calling account is your service account. My Pleasure...
October 14th, 2008 5:39pm
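To tie the impersonation thread together, here is an added example (not from the thread or the linked MSDN article) that first checks the caveat from the reply above, that the calling account must not sit in an Exchange or Active Directory administrator group, and then grants the two impersonation rights with the scope kept to one mailbox database rather than every database. It assumes the Exchange 2007 Management Shell; the account, CAS server, database and the list of group names are placeholders to adjust for your forest.

```powershell
# Added example: EWS impersonation for the OOF service account, least-privilege scope.
# Assumes Exchange 2007 Management Shell; all values below are placeholders.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin -ErrorAction SilentlyContinue

$ServiceAccount = "CONTOSO\svc-oof"                              # plain user, not an admin
$CasServer      = "CAS01"                                        # Client Access server
$Database       = "MBX01\First Storage Group\Mailbox Database"   # scope of impersonation

# Admin groups whose members are denied impersonation (extend to match your forest).
$DeniedGroups = @("Domain Admins", "Enterprise Admins",
                  "Exchange Organization Administrators",
                  "Exchange Recipient Administrators",
                  "Exchange Server Administrators")

# Direct membership check via the memberOf attribute (nested groups are not expanded here).
function Test-AdminMember {
    param([string]$SamAccountName, [string[]]$Groups)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher("(sAMAccountName=$SamAccountName)")
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Account $SamAccountName not found in AD" }
    $memberOf = @($result.Properties["memberof"])
    foreach ($g in $Groups) {
        if ($memberOf -match ("^CN=" + [regex]::Escape($g) + ",")) { return $true }
    }
    return $false
}

$sam = $ServiceAccount.Split("\")[-1]
if (Test-AdminMember $sam $DeniedGroups) {
    throw "$ServiceAccount is in an administrator group; EWS impersonation would be denied."
}

# 1. Right to submit impersonation calls through this CAS server object.
Add-ADPermission -Identity (Get-ExchangeServer -Identity $CasServer).DistinguishedName `
    -User $ServiceAccount -ExtendedRights ms-Exch-EPI-Impersonation

# 2. Which mailboxes may be impersonated: one database, not the whole organization.
Add-ADPermission -Identity (Get-MailboxDatabase -Identity $Database).DistinguishedName `
    -User $ServiceAccount -ExtendedRights ms-Exch-EPI-May-Impersonate

# Verify what was actually written before the application is pointed at it.
Get-ADPermission -Identity (Get-ExchangeServer -Identity $CasServer).DistinguishedName -User $ServiceAccount |
    Where-Object { $_.ExtendedRights -match "ms-Exch-EPI" } |
    Format-Table User, ExtendedRights, Deny -AutoSize
```

Unlike the nightly FullAccess job, this grant is inherited by new mailboxes created in the scoped database, so nothing needs to run per mailbox.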
