Add-Mailbox Permissions VS Add-AdPermission Part 2

Filed in SendAS on Aug.12, 2007

This is the follow up blog

Add-ADPermission (Section not completed)

Who can run this be default?
Exchange Recipient Administrator role Account Operator role for the applicable Active Directory containers

What are the valid permission that can be applied?
(http://technet.microsoft.com/en-us/library/bb124403.aspx)
CreateChild –DeleteChild–ListChildren–Self–ReadProperty–WriteProperty DeleteTree–ListObject–ExtendedRight–Delete–ReadControl–GenericExecute GenericWrite–GenericRead–WriteDacl–WriteOwner–GenericAll–Synchronize AccessSystemSecurity AD-

ADPermssions also has some extended rights that can be associated with it Send-As Receive-As View Information Store status

Lets start with the number 1 item everyone typcially uses, delegating the rights to Send As another user. This can be used with items like Black Berry or to delegate rights to a shared mailbox.

Extended Rights:

Scenario 1: Send AS

Lets view the current permission on the account
- Get-ADPermission User1 fl user,accessrights

1. Delegate Sends AS

2. Open Outlook – attempt send as user from Outlook

We can see the message is delivered and shows that it was sent from user1

After granting Send AS permission we are still unable to open a users mailbox, with add-mailboxpermission we can only apply permissions to an individual mailbox however what if we need to deploy rights to a single database or storage group?

*Note to all to all users we can pipe the command

example get-mailbox add-mailboxpermission**

Granting Recieve As is similar to granting fullaccess to a mailbox, however with Exchange 2007 if you wish to open a users mailbox in OWA you will need to grant fullaccess with add-mailboxpermission as well.

Scenario 2: Recieve AS
http://technet.microsoft.com/en-us/library/aa996343.aspx
http://msexchangeteam.com/archive/2006/01/25/418099.aspx

1. Lets grant recieve as permission

Lets validate our permission, but this time we will use adsiedit.msc. Since these are AD permssion we can view them with adsiedit.

**note you have to load the support tools to install adsiedit.msc**

Scenario 3: View Information Store
Why reinvent the wheel if I dont have too http://www.windowsitpro.com/Article/ArticleID/49432/49432.html

http://technet.microsoft.com/en-us/library/aa996343.aspx

Tags: Add-adpermission, add-mailboxpermission, Exchange 2007 Permissions, recieveas, Send AS, SendAS

Comments (5)

5 Responses to “Add-Mailbox Permissions VS Add-AdPermission Part 2”

Allowishes Says:
June 24th, 2008 at 3:45 pm
Try this…

Add-ADPermission -Identity “Ellen Adams” -User TedBrem -AccessRights extendedright -ExtendedRights “send as”

Works much better…
Anonymous Says:
October 6th, 2008 at 7:32 am
Thank you! Old article but usefull!

All my love for you!
Alexis Says:
May 15th, 2009 at 5:26 pm
Good site, admin.
billy fung Says:
December 16th, 2009 at 12:23 pm
I tried it in exchange 2010. But it does not work.
adsiedit.msc Says:
April 2nd, 2010 at 6:34 am
[...] Configuration-Configuration-Services-Microsoft Exchange-Orgname-Administrative Groups-Exchange …Add-Mailbox Permissions VS Add-AdPermission Part 2Lets validate our permission, but this time we will use adsiedit.msc. … support tools to install [...]

Exchange-Genie

This blog is dedicated to Microsoft Exchange