Unable to log on to OWA; Add-Mailboxpermissions vs. Add-ADPermissions
If I use Add-ADPermission to grant a security principal the Send-As and Receive-As extended rights on a mailbox database, this results in an inherited FullMailboxAccess permission on each mailbox in that database. For example:

    Add-ADPermission server1\SG01\MailboxDB01 -user masterchief -Extendedright Send-As,Receive-As

Results in this:

    Get-MailboxPermission <any mailbox in MailboxDB01> -user masterchief

    User                 AccessRights   IsInherited   Deny
    ----                 ------------   -----------   ----
    domain\masterchief   {FullAccess}   True          False

This used to be enough to achieve service account permission to all mailboxes in Exchange 200x. In those products you had full access to the mailbox using any protocol/method. If I try to open a mailbox using the account with the extended rights in Outlook 2007, I can open any mailbox and do whatever I want inside that mailbox. However, if I try to open the mailbox using Outlook Web Access (OWA), I get an error saying I do not have the correct permissions to access that particular mailbox.

To be able to access the mailbox from OWA I have to do this, in addition to the aforementioned Add-ADPermission command:

    Get-Mailbox -Database server1\SG01\MailboxDB01 | Add-MailboxPermission -user masterchief -AccessRights FullAccess

This, in turn, results in these permissions when queried:

    Get-MailboxPermission <any mailbox in MailboxDB01> -user masterchief

    User                 AccessRights   IsInherited   Deny
    ----                 ------------   -----------   ----
    domain\masterchief   {FullAccess}   False         False
    domain\masterchief   {FullAccess}   True          False

Anyone know why this "double-tap" is necessary? FullAccess should be FullAccess, right? I guess it has something to do with inheritance and that non-inherited ACEs are checked before inherited ones. The question is: what is Exchange checking for?

Morgan
October 15th, 2007 6:44pm
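Added example, not part of the original thread: a read-only audit for the Exchange Management Shell that reports, for every mailbox in a database, whether a principal's FullAccess comes from an inherited (database-level) ACE, an explicit per-mailbox ACE, or both. The database and account names are the sample values from the post above; the FullAccessSource labels are made up for this example.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Read-only: it queries permissions and changes nothing.
# Sample names taken from the post; replace with your own.
$Database  = 'server1\SG01\MailboxDB01'
$Principal = 'masterchief'

Get-Mailbox -Database $Database -ResultSize Unlimited | ForEach-Object {
    $mbx = $_

    # Allow ACEs granting FullAccess to the principal on this mailbox.
    $aces = @(Get-MailboxPermission -Identity $mbx.Identity -User $Principal |
        Where-Object { ($_.AccessRights -match 'FullAccess') -and (-not $_.Deny) })

    $hasExplicit  = @($aces | Where-Object { -not $_.IsInherited }).Count -gt 0
    $hasInherited = @($aces | Where-Object { $_.IsInherited }).Count -gt 0

    # Labels are hypothetical names chosen for this example.
    if ($hasExplicit -and $hasInherited) {
        $source = 'ExplicitAndInherited'   # state after the "double-tap" in the post
    } elseif ($hasInherited) {
        $source = 'InheritedOnly'          # state the post reports as working in
                                           # Outlook 2007 but refused by OWA
    } elseif ($hasExplicit) {
        $source = 'ExplicitOnly'
    } else {
        $source = 'None'
    }

    $mbx | Select-Object Name,
        @{ Name = 'Principal';        Expression = { $Principal } },
        @{ Name = 'FullAccessSource'; Expression = { $source } }
} | Sort-Object FullAccessSource, Name | Format-Table -AutoSize
```

Any row other than None means the account can read that mailbox through at least one client, so the output also serves as an inventory of how far a service account's mailbox access reaches.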

This is actually a known issue. Please check the following KB:

http://support.microsoft.com/kb/940846/en-us

Hope this helps

Frederic
February 13th, 2008 4:35pm

This topic is archived. No further replies will be accepted.
