Providing administrator(s) full mailbox access to all mailboxes (database) not working

I'm setting up a new Exchange 2013 org.  Everything is pretty fresh, only a few mailboxes have been added for testing.

I've added this permission, to provide full access to all the mailboxes in the database:

Get-MailboxDatabase -Identity "Mailbox Database" | Add-ADPermission -User netadmin -AccessRights GenericAll -ExtendedRights Receive-As, Send-As
I've verified the permission in ADSI Edit.

I have verified the permission in the recipient's mailbox delegation properties. 

However, while logged into OWA using the admin account, if I try to open another user's mailbox from OWA, I just get a sad face that says "Something went wrong :( " .

Any ideas? I've tried resetting the owa virtual directory...reset IIS, rebooted several times, no luck.

Thanks

February 22nd, 2013 6:36pm

I noticed this in the URL bar:
/owa/auth/errorfe.aspx?httpCode=500
February 22nd, 2013 6:56pm

When you say mailbox delegation properties, that's in the EAC, under user properties? Like in the EMC of E2K10, where you could right-click on the mailbox and check both "Full" and "Send As" permissions?

Just wondering, because there are permissions that can be assigned to delegates in Outlook too (there's a tab about delegation).

February 22nd, 2013 10:25pm

Hi

Is that ok when you set to single mailbox?

If ok, please try

Get-Mailbox -Database "Mailbox Database" | Add-ADPermission -User netadmin -AccessRights GenericAll -ExtendedRights Receive-As, Send-As

Cheers

February 25th, 2013 8:05am


This is the cmd that I run every so often when I want access to an account, this will add the permission to all mailboxes

I have a Security Group in AD called "ExchangeViewAll", which my user is a member of.

get-mailbox | Add-MailboxPermission -User Exchangeviewall -AccessRights FullAccess -InheritanceType All

I also got the /owa/auth/errorfe.aspx?httpCode=500, but after a few minutes (most likely when AD replicated the permissions), I was able to access the accounts without issue

  • Edited by Brenny87 Thursday, March 14, 2013 1:57 AM
March 14th, 2013 1:56am

Brenny, are you running this in Exchange 2013?  I also tried doing it with a group, pretty much exactly as above, called it ExchangeAdmins.  I see the permission showing up for each recipient in EAC.  Outlook permission doesn't work, can't expand a user, and opening in OWA I get the same result "Something went wrong :( " .
March 20th, 2013 8:35pm

Don't forget, by default, Domain Admins have 'deny' access from 'Send As'. You can change this in ADSIedit. Not sure if these Exchange admins are also Domain Admins in your setup.

April 2nd, 2013 2:06am

I'm having the same problem - has anyone found a solution?

Mike - that's interesting, I hadn't noticed Domain and Enterprise Admins have deny permissions set.  It would seem that the deny permissions do not take precedence over allow permission on Exchange 2010 - we have domain admin accounts that have been granted the send and receive as permissions - and the permissions work.

Maybe Exchange 2013 is enforcing permission properly?

  • Edited by DJL Wednesday, May 08, 2013 5:39 PM
May 8th, 2013 3:34pm

I'm having the same problem as well.

I have run both

Get-MailboxDatabase -identity "mailbox Database 1686610167" | Add-ADPermission -user kirk -AccessRights GenericAll
Get-MailboxDatabase -identity "mailbox Database 1686610167" | Add-ADPermission -user kirk -ExtendedRights Receive-As, Send-As

 I can get to some mail boxes but not most of them.

I have tried to add rights in EAC as well and that does not seem to change my ability to open a mail box.

May 8th, 2013 7:35pm

Just to add...

I've tried adding an account that isn't affected by Deny permissions (i.e. the user isn't a member of Domain or Enterprise Admins etc).  The account can access mailboxes on Exchange 2010 but it still can't access mailboxes on Exchange 2013.

May 11th, 2013 2:07pm

Does removing the "Deny" on those fix the problem?
March 5th, 2014 2:30pm

Subscribed. I need an answer to this too, was working flawlessly in Exchange 2007, but since migrating to 2013.

I have the same issue and tried the steps above as well, no go!  HR and CIO need access to everyone's MBX.

April 3rd, 2014 8:14pm

Somebody resolve the problem?



  • Edited by Step_BLR Saturday, April 05, 2014 2:21 PM
April 5th, 2014 2:21pm

I just add the permissions directly to the mailboxes these days:

Get-Mailbox -ResultSize unlimited -Database "dbname" | Add-MailboxPermission -AccessRights FullAccess -User "Group or Username"


It can take a while for the permission to get re-evaluated
  • Edited by DJL Sunday, April 06, 2014 11:15 AM
April 6th, 2014 11:13am

...BUMP....

I am having the same issue with Full Access permissions in Exchange 2013. When assigned to the database they do not work. When assigned directly to a mailbox they do work.

This all worked fine in Exchange 2010.

October 15th, 2014 1:03pm

It works fine for me in Exchange 2013.

I suspect the problem might be for you (and others in this topic) that the account you are working with is a member of a group (e.g. Organization Management) that has an explicit Deny entry set at the Exchange Org level and is inherited by all child objects.  If this is the case what happens down at the mailbox level is, I believe, that there will be both a Deny ACE (inherited from Exchange Org) and the Allow ACE (inherited from the database level).  An inherited Deny ACE will beat an inherited Allow ACE.  In this scenario the only way to assign the Full Access would be to set it explicitly on the mailbox, as this would override the inherited Deny ACE.

April 28th, 2015 4:51pm
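
Added example (not part of any post in this thread): one way to check for the situation described in the post above, by listing the Allow and Deny ACEs that apply to an admin principal on a mailbox and on its database, with their inheritance flag. It assumes the Exchange Management Shell; the mailbox name "testuser" is a placeholder, and the principals are the account and groups named in the thread.

```powershell
# Added example; run in the Exchange Management Shell.
# $Mailbox is a placeholder; $Principals are names mentioned in the thread.
$Mailbox    = 'testuser'
$Principals = 'netadmin', 'Domain Admins', 'Enterprise Admins', 'Organization Management'
$pattern    = ($Principals | ForEach-Object { [regex]::Escape($_) }) -join '|'

# 1. ACEs on the mailbox itself: explicit and inherited, Allow and Deny.
$mbxAces = Get-MailboxPermission -Identity $Mailbox |
    Where-Object { [string]$_.User -match $pattern }
$mbxAces | Sort-Object IsInherited, Deny |
    Format-Table User, AccessRights, Deny, IsInherited -AutoSize

# 2. ACEs on the hosting database object in AD, which is where the
#    Get-MailboxDatabase | Add-ADPermission commands in the thread write.
$db = (Get-Mailbox -Identity $Mailbox).Database
Get-MailboxDatabase -Identity $db | Get-ADPermission |
    Where-Object { [string]$_.User -match $pattern } |
    Format-Table User, AccessRights, ExtendedRights, Deny, IsInherited -AutoSize

# 3. Summary for FullAccess on the mailbox: is there an inherited Deny,
#    and is there an explicit (non-inherited) Allow set on the mailbox?
$full = $mbxAces | Where-Object { ($_.AccessRights -join ',') -match 'FullAccess' }
$inheritedDeny = @($full | Where-Object { $_.Deny -and $_.IsInherited })
$explicitAllow = @($full | Where-Object { -not $_.Deny -and -not $_.IsInherited })

[pscustomobject]@{
    Mailbox            = $Mailbox
    InheritedDenyCount = $inheritedDeny.Count
    ExplicitAllowCount = $explicitAllow.Count
}
```

The same listing is useful as an audit of who holds blanket mailbox access: any non-inherited FullAccess Allow entry in step 1 is a per-mailbox grant that should map to a known, approved account or group.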

Tony,

I understand and agree with what you have said. I can't remove myself from Domain Admins which has the Deny ACE and at the same time I don't want to have to add permissions to each individual mailbox when it is created (which is what I am doing in the interim).

I guess the long term solution I am looking for is removing the Deny ACE for Domain Admins....but is that safe? Anyone tried it?

April 28th, 2015 4:59pm

This topic is archived. No further replies will be accepted.
