Remove permissions from 1000 mailboxes
I have taken over admin of an existing Exchange infrastructure and transferred this to a new domain structure. I now need to go through every mailbox and remove all permissions from anyone in the old domain and then apply permissions for the new domain.

For each mailbox there is the following setup:

    domain1\user1 <some permissions>
    domain1\user2 <some permissions>
    domain1\user3 <some permissions>

I need them to be:

    domain2\exchange admins <full access>

I guess this can be accomplished with remove-adpermission and add-adpermission, but I just can't seem to work out the correct syntax.

Sorry if this should have been in a PowerShell forum; I don't know if a mod can cross-post it there.
August 20th, 2009 2:34am

To remove the existing permissions:

    Get-Mailbox | Remove-ADPermission -User domain1\user1
    Get-Mailbox | Remove-ADPermission -User domain1\user2
    Get-Mailbox | Remove-ADPermission -User domain1\user3

This would remove all full access granted to these accounts from all mailboxes; they will still have access to their own mailboxes, as the NT AUTHORITY\SELF entry will still be there.

The next part requires additional info: what are you trying to do? Is this a service account that needs full access to all the mailboxes? Are you just trying to grant full access to all of the Exchange admins? Adding all of the Exchange admins isn't really necessary if they have Exchange Org Admin rights, you can grant the full access ____ needed, or do you want that as a standard practice? If you want that as standard practice, I would set the rights on the store or database; that way, when you create a new mailbox, those permissions are inherited rather than you having to re-add the Exchange admins to each new mailbox.

To grant per mailbox, try:

    Get-Mailbox | Add-MailboxPermission -User "domain2\exchange admin" -AccessRights FullAccess

To grant based on the database, you could do a:

    Get-MailboxDatabase | Add-ADPermission -User "domain2\exchange admin" -ExtendedRights Send-As, Receive-As

or

    Get-MailboxServer | Add-ADPermission -User "domain2\exchange admin" -ExtendedRights Send-As, Receive-As

Another way would be through adsiedit, which may be easier, as I believe only this route will allow you to set full access to a security group.

1 On Exchange Server 2007 with Mailbox Role installed, run adsiedit.msc to configure the permissions for the Exchange Admin account in Active Directory; adsiedit.msc is included in Windows support tools.
2 Expand the tree as follows: Configuration[your domain]/CN=Configuration,[your domain]/CN=Services/CN=Microsoft Exchange/CN=[your Exchange organization]/CN=Administrative Groups/CN=Exchange Administrative Group(FYDIBOHF23SPDLT)/CN=Servers.
3 For each server object representing an Exchange Server 2007 with Mailbox Role installed, do the following:
  - Right-click the object and select Properties.
  - Click the Security tab.
  - Add the Exchange Admin account and grant this account Full Control.
  - Click Apply.
  - Click Advanced.
  - For the permission entry for the Exchange Admin account, select the permission entry and click Edit....
  - Change Apply onto to This object and all child objects.
  - Click OK.
  - Click OK to close the Advanced Security Settings window.
  - Click OK and close the Properties window.
August 20th, 2009 3:20am
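
As an added example (not code from any poster in this thread), here is one way to script the cleanup asked about above with the mailbox-permission cmdlets: it finds the explicit entries held by old-domain accounts, saves them to a CSV for review and rollback, then removes them and grants the new principal. It assumes the Exchange Management Shell is loaded; `DOMAIN1`, `DOMAIN2\Exchange Admins` and the CSV path are placeholders, and `-WhatIf` is left on so nothing changes until it is removed.

```powershell
# Added example, not from the thread. Placeholders: DOMAIN1,
# 'DOMAIN2\Exchange Admins', and the audit file path.
$oldDomain = 'DOMAIN1'
$newAdmins = 'DOMAIN2\Exchange Admins'
$auditFile = '.\old-domain-mailbox-aces.csv'

# Get-Mailbox returns at most 1000 results by default, so with about
# 1000 mailboxes ask for all of them explicitly.
$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Collect explicit (non-inherited) allow entries held by old-domain
#    principals. Inherited entries come from the database or server
#    object and cannot be removed per mailbox.
$stale = foreach ($mbx in $mailboxes) {
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object {
            -not $_.IsInherited -and
            -not $_.Deny -and
            "$($_.User)" -like "$oldDomain\*"
        }
}

# 2. Record what is about to be removed, for review and rollback.
$stale |
    Select-Object @{ n = 'Mailbox';      e = { "$($_.Identity)" } },
                  @{ n = 'User';         e = { "$($_.User)" } },
                  @{ n = 'AccessRights'; e = { $_.AccessRights -join ',' } } |
    Export-Csv -Path $auditFile -NoTypeInformation

# 3. Remove exactly the rights that were found. Drop -WhatIf after
#    checking the CSV and the dry-run output.
foreach ($ace in $stale) {
    Remove-MailboxPermission -Identity $ace.Identity `
        -User "$($ace.User)" `
        -AccessRights $ace.AccessRights `
        -Confirm:$false -WhatIf
}

# 4. Grant the new-domain principal full access on every mailbox.
foreach ($mbx in $mailboxes) {
    Add-MailboxPermission -Identity $mbx.Identity `
        -User $newAdmins `
        -AccessRights FullAccess -WhatIf
}
```

Entries that still show up afterwards with `IsInherited` set to true are granted higher up (database or server), which is where they have to be removed.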

Hi,

If you can get all the users whose permissions need to be changed into a CSV file. This is how it would look like. UserAccessrights xyzAdmin123ReadAccess. So the command should look something like this:

    Import-Csv "Filename.csv" | ForEach-Object { Add/Remove-ADPermission -Identity $_.User -AccessRights $_.AccessRights }

Hope this helps.

Thanks
Shiv
August 20th, 2009 4:33pm
