Add-mailboxpermission vs Add-AdPermission Part 1
Recently I have seen an increase in questions related to setting permissions with Exchange 2007, so I decided to write this blog about the two commands that are used to assign permissions.
Add-MailboxPermission vs Add-ADPermission
Let's start by taking a look at Add-MailboxPermission. As the cmdlet name states, it is used to apply permissions at the mailbox level.
Who can run this command?
By default, only members of the Exchange Organization Administrator role.
What permissions can be assigned?
This parameter specifies the rights needed to perform the operation. Valid values include:
FullAccess, SendAs, ExternalAccount, DeleteItem, ReadPermission, ChangePermission, ChangeOwner
(http://technet.microsoft.com/en-us/library/bb124097.aspx)
Some of these permission names have changed from 2003 to 2007:
http://technet.microsoft.com/en-us/library/a7de9bbd-54b5-45b7-8421-b32dad648654.aspx
Exchange 2003                  Exchange 2007
Delete mailbox storage         DeleteItem
Read permissions               ReadPermission
Change permissions             ChangePermission
Take ownership                 ChangeOwner
Full mailbox access            FullAccess
Associated external account    ExternalAccount
*** From this article you will find that the SendAs permission does not work at this level and must be applied with Add-ADPermission. ***
What can I do with each permission?
FullAccess - these permissions are similar to those of the mailbox owner, with the exception of SendAs and a few other rights.
SendAs - does not work at this level.
ExternalAccount - allows a user to associate an external account with this mailbox; this is typically used when working with resource forests.
DeleteItem - allows a user to delete a mailbox on which they have been delegated this right.
ReadPermission - by default Everyone has this permission, which allows users to view the permissions on a mailbox.
ChangePermission - allows a user to change (add/remove) permissions on a mailbox.
ChangeOwner - allows a user to change the owner of the mailbox.
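Here is an added example (my own helper, not from the original post) that wraps the point above: one function that takes any of the rights in the list and uses Add-MailboxPermission for the mailbox-level rights, but routes SendAs to Add-ADPermission, since SendAs only takes effect as an AD extended right. It assumes you are running inside the Exchange 2007 Management Shell and that the mailbox and delegate names resolve; the function name Grant-MailboxDelegation and its parameters are my own.

```powershell
# Added example, not from the original post. Assumes the Exchange 2007 Management Shell
# and that $Mailbox and $Delegate resolve (e.g. 'user1' and 'user2').
function Grant-MailboxDelegation {
    param(
        [string] $Mailbox,    # mailbox being delegated, e.g. 'user1'
        [string] $Delegate,   # who receives the right, e.g. 'user2' or 'DOMAIN\user2'
        [string] $Right       # one of the Add-MailboxPermission AccessRights values
    )

    # The seven values Add-MailboxPermission accepts (from the TechNet list above)
    $validRights = 'FullAccess', 'SendAs', 'ExternalAccount', 'DeleteItem',
                   'ReadPermission', 'ChangePermission', 'ChangeOwner'
    if (-not $Mailbox -or -not $Delegate) { throw 'Mailbox and Delegate are required' }
    if ($validRights -notcontains $Right) {
        throw "Unknown right '$Right'; expected one of: $validRights"
    }

    if ($Right -eq 'SendAs') {
        # Add-MailboxPermission accepts SendAs but it has no effect at the mailbox level;
        # Send As is an AD extended right on the user object, so grant it with Add-ADPermission.
        Add-ADPermission -Identity $Mailbox -User $Delegate -ExtendedRights 'Send As' | Out-Null
        # Verify: explicit (non-inherited) Send As entries for the delegate
        Get-ADPermission -Identity $Mailbox -User $Delegate |
            Where-Object { -not $_.IsInherited -and "$($_.ExtendedRights)" -like '*Send-As*' }
    }
    else {
        Add-MailboxPermission -Identity $Mailbox -User $Delegate -AccessRights $Right | Out-Null
        # Verify: explicit entries for the delegate, which should now include $Right
        Get-MailboxPermission -Identity $Mailbox -User $Delegate |
            Where-Object { -not $_.IsInherited }
    }
}

# Usage (the first call lands on the mailbox, the second in AD):
# Grant-MailboxDelegation -Mailbox user1 -Delegate user2 -Right FullAccess
# Grant-MailboxDelegation -Mailbox user1 -Delegate user2 -Right SendAs
```

Each branch ends by reading the permission back, so you can see straight away whether the grant actually landed rather than finding out later when Outlook refuses the send.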
Let's work our way through the permissions and see what we can do:
Example 1:
User2 has been granted ReadPermission to user1's mailbox.
*Note - by default Everyone has ReadPermission*

Test:
1. Open EMS
2. Get-MailboxPermission user1 | fl
We see the output returned.
3. Let's attempt to change/add a permission:
Add-MailboxPermission user1 -User user2 -AccessRights FullAccess
We receive an error; we can see that ReadPermission only allows a user to view the current permissions on a mailbox.
Example 2: Send As
We have removed the read permission from above (Remove-MailboxPermission user1 -User user2 -AccessRights ReadPermission).
Let's delegate Send As permission to User2:
Add-MailboxPermission user1 -User user2 -AccessRights SendAs
Now let's log on with Outlook and see what we can do.
Test 1: Open user1's mailbox in Outlook
Failed
Test 2: Open user1's mailbox in OWA
Failed
Test 3: Send As user1 in Outlook
Receive error message

Test 4: Send As user1 in OWA
There is no method for this in OWA; you would have to open the user's mailbox, which fails.
** As stated before, the SendAs permission no longer works at this level. **
Now we will remove the Send As permission and see what FullAccess does.
Example 3: FullAccess
Add-MailboxPermission user1 -User user2 -AccessRights FullAccess
Now let's log on with Outlook and see what we can do.
Test 1: Open user1's mailbox in Outlook
Successful
Test 2: Open user1's mailbox in OWA
Successful
Test 3: Send As user1 in Outlook
Receive error message
Test 4: Open user1's mailbox and attempt to send
Open successful
Send from mailbox fails
Test 5: Open user1's mailbox in OWA and delete messages
Successful
Example 4: DeleteItem
Add-MailboxPermission user1 -User user2 -AccessRights DeleteItem
Test 1: Delete user1's mailbox
Example 5: ChangePermission
Add-MailboxPermission user1 -User user2 -AccessRights ChangePermission
Test 1: Attempt to change permissions on the mailbox
Example 6: ChangeOwner
Add-MailboxPermission user1 -User user2 -AccessRights ChangeOwner
Test 1: Attempt to change the mailbox owner
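To close out the examples, here is an added script (mine, not from the original post) that reports who has been explicitly delegated rights on a mailbox. It pulls the mailbox-level rights from Get-MailboxPermission and the Send As extended right from Get-ADPermission, and drops inherited entries and the mailbox's own SELF entry so only real delegations stand out. It assumes the Exchange 2007 Management Shell; the function name Get-MailboxDelegationReport and the IgnorePrincipals parameter are my own.

```powershell
# Added example, not from the original post. Assumes the Exchange 2007 Management Shell.
# Emits one object per explicit delegation on $Mailbox, from both places a right can live.
function Get-MailboxDelegationReport {
    param(
        [string]   $Mailbox,                                   # e.g. 'user1'
        [string[]] $IgnorePrincipals = @('NT AUTHORITY\SELF')  # principals not worth reporting
    )
    if (-not $Mailbox) { throw 'Mailbox is required' }

    # 1. Mailbox-level rights (what Add-MailboxPermission sets). Inherited entries come
    #    from the database and admin groups; dropping them leaves only explicit delegations.
    Get-MailboxPermission -Identity $Mailbox |
        Where-Object { -not $_.IsInherited -and
                       ($IgnorePrincipals -notcontains $_.User.ToString()) } |
        Select-Object @{ Name = 'Mailbox'; Expression = { $Mailbox } },
                      @{ Name = 'User';    Expression = { $_.User.ToString() } },
                      @{ Name = 'Scope';   Expression = { 'Mailbox' } },
                      @{ Name = 'Right';   Expression = { [string]::Join(', ', $_.AccessRights) } },
                      Deny

    # 2. Send As (what Add-ADPermission sets). It is an AD extended right on the user
    #    object, so Get-MailboxPermission never shows it even when it is in effect.
    Get-ADPermission -Identity $Mailbox |
        Where-Object { -not $_.IsInherited -and
                       "$($_.ExtendedRights)" -like '*Send-As*' -and
                       ($IgnorePrincipals -notcontains $_.User.ToString()) } |
        Select-Object @{ Name = 'Mailbox'; Expression = { $Mailbox } },
                      @{ Name = 'User';    Expression = { $_.User.ToString() } },
                      @{ Name = 'Scope';   Expression = { 'AD' } },
                      @{ Name = 'Right';   Expression = { 'Send-As' } },
                      Deny
}

# Usage: Get-MailboxDelegationReport -Mailbox user1 | Format-Table -AutoSize
# To sweep every mailbox on a server:
# Get-Mailbox -Server servername | ForEach-Object { Get-MailboxDelegationReport -Mailbox $_.Identity }
```

A row with Deny set to True means the right is explicitly blocked for that principal; that is worth checking before concluding a FullAccess grant "does not work", since a deny on an admin group wins over an allow on the individual.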


May 14th, 2008 at 12:20 pm
And if anyone cares, ’send-as’ is issued as an ExtendedRight with the Add-ADPermission cmdlet.
May 14th, 2008 at 4:06 pm
That is correct and part 2 goes over the Add-AdPerms
May 29th, 2008 at 8:14 am
Can you help with FullAccess on a Storage group? There are a few areas I’ve looked at using the Get-MailboxDatabase cmdlet, but the “-Identity” piece/parameter isn’t working for me. One caveat is that my databases (I have 4 storage grps) are on different drives (e.g. G:\ and F:\) so obviously my syntax is wrong somewhere in the path. This is what I tried:
Get-MailboxDatabase -Identity “Servername\G:\Storage Group\DBName.edb” | Add-ADPermission -User Me.User -AccessRights GenericAll
Thanks a bunch!
May 29th, 2008 at 9:02 am
Shane,
First question what is your goal that you are attempting?
Second, you don't need the drive path in the syntax; it should be
get-mailboxdatabase Servername\dbname
If you are on the server you don't even need the servername.
Use get-mailboxdatabase to get your name to validate, and if you have any spaces add quotes: get-mailboxdatabase "edb 1"
June 5th, 2008 at 3:08 pm
Shane,
You stated that by default only members of the Exchange Organization Admin Role could run Add-MailboxPermission.
Is there a way to modify the permissions to allow Exchange Recipient Administrators to use this command?
We are currently in a multidomain environment where the domain administrators are also exchange admins for users in their domain and have the Exchange Recipient Administrator Role assigned. The goal is to have the domain admins to have full access to manage mailboxes only in their respective domains.
Thanks
June 5th, 2008 at 6:47 pm
Let me double-check, but I believe as long as you delegate the change permission to a user they will be able to run the command and modify the perms.
June 12th, 2008 at 10:18 am
Thanks Shane,
Can you delegate the change permission to a security group as well?
Thanks
John
August 5th, 2008 at 7:05 am
Hi,
Thanks for the lead. Since the exchange administrator is also a domain administrator, he was specifically denied. We also are multi domain (politically).
this solved it
Get-MailboxDatabase | Add-ADPermission -User domain\user -AccessRights ExtendedRight -ExtendedRights "Send As"
And the same for “Receive As”
March 2nd, 2009 at 8:57 am
What if I want to allow a user just to view emails on another user’s mailbox? -fullaccess allows a user to add the mailbox in Outlook and delete emails if they want to. I would like the same but just with read or viewing rights
March 10th, 2009 at 7:11 pm
> John R
> I would like the same but just with read or viewing rights
I’ve been searching for a “read-only” access to a shared mailbox for quite a while. Most threads are generally ending like this one – with a question on how to deny users the right to delete – and then no answer…
I simply can’t believe there’s no way to achieve this, and yet, didn’t find a solution either.
Any help out there?
May 30th, 2009 at 6:06 am
I used the cmdlet get-mailbox | Add-MailboxPermission -Identity {$_.Name} -AccessRights FullAccess -User “testuser”
And it worked fine giving me permission to all mailboxes.
But now when i am trying to remove these permissions using:
get-mailbox | Remove-MailboxPermission -Identity {$_.Name} -AccessRights FullAccess -User “testuser”
It does not work. I am still able to open other users' mailboxes and I still see my SID in the EMC under "Manage Full Access Permission".
Running Exchange Server 2007 and I am in all the required admin groups - Exchange Recipient, Exchange Organization, DNS admins, Domain Administrators, etc.
Can someone help me out here? Thanks
June 10th, 2009 at 1:26 pm
Hey very nice blog!! Man .. Beautiful .. Amazing .. I will bookmark your blog and take the feeds also…
July 9th, 2009 at 8:43 am
I have a NT 4.0 domain with users that have mailboxes in an AD domain hosting exchange 2007. ADMT has migrated and disabled the accounts, primary accounts for exchange 2007 mailboxes, from the NT 4.0 domain.( These accounts will be used in future , post migration).
I migrated from exchange 5.5 – Exchange 2003 – Exchange 2007. All the mailboxes migrated are set as linked mailboxes and work just fine. any NEW mailboxes are set as user mailboxes however I need to change them to linked however :
I have tried to create a linked mailbox via the shell and GUI tools but cannot. The GUI Exchange Management Console does not show the trusted NT 4.0 domain, and I cannot therefore select a user account for the linked mailbox. The add-mailbox shell command requires an AD domain controller (-linkeddomaincontroller).
Does Exchange 2007 not support trusted NT 4.0 domains?
July 15th, 2009 at 10:10 pm
Wow NT 4 still out there huh