Add-ADPermission (Section not completed)

Who can run this be default?
Exchange Recipient Administrator role Account Operator role for the applicable Active Directory containers

What are the valid permission that can be applied?
(http://technet.microsoft.com/en-us/library/bb124403.aspx)
CreateChild –DeleteChild–ListChildren–Self–ReadProperty–WriteProperty DeleteTree–ListObject–ExtendedRight–Delete–ReadControl–GenericExecute GenericWrite–GenericRead–WriteDacl–WriteOwner–GenericAll–Synchronize AccessSystemSecurity AD-

ADPermssions also has some extended rights that can be associated with it Send-As Receive-As View Information Store status

Lets start with the number 1 item everyone typcially uses, delegating the rights to Send As another user. This can be used with items like Black Berry or to delegate rights to a shared mailbox.

Extended Rights:

Scenario 1: Send AS

Lets view the current permission on the account
- Get-ADPermission User1 fl user,accessrights

1. Delegate Sends AS

2. Open Outlook – attempt send as user from Outlook

We can see the message is delivered and shows that it was sent from user1

After granting Send AS permission we are still unable to open a users mailbox, with add-mailboxpermission we can only apply permissions to an individual mailbox however what if we need to deploy rights to a single database or storage group?

*Note to all to all users we can pipe the command

example get-mailbox add-mailboxpermission**

Granting Recieve As is similar to granting fullaccess to a mailbox, however with Exchange 2007 if you wish to open a users mailbox in OWA you will need to grant fullaccess with add-mailboxpermission as well.

Scenario 2: Recieve AS
http://technet.microsoft.com/en-us/library/aa996343.aspx
http://msexchangeteam.com/archive/2006/01/25/418099.aspx

1. Lets grant recieve as permission

Lets validate our permission, but this time we will use adsiedit.msc. Since these are AD permssion we can view them with adsiedit.

**note you have to load the support tools to install adsiedit.msc**

Scenario 3: View Information Store
Why reinvent the wheel if I dont have too http://www.windowsitpro.com/Article/ArticleID/49432/49432.html

http://technet.microsoft.com/en-us/library/aa996343.aspx

Add-mailboxpermission vs Add-adpermission

Lets start by taking a look at the Add-MailboxPermission, as this cmdlet states it is used to apply permission at the mailbox level.

Who can run this command?
By default only members of the Exchange Organization Admin role

What permissions can be assigned?

This parameter specifies the rights needed to perform the operation. Valid values include:
FullAccess –SendAs–ExternalAccount–DeleteItem–ReadPermission–ChangePermission – ChangeOwner
(http://technet.microsoft.com/en-us/library/bb124097.aspx)

Some of these permissions names have change from 2003 to 2007

http://technet.microsoft.com/en-us/library/a7de9bbd-54b5-45b7-8421-b32dad648654.aspx

Exchange 2003 _________Exchange 2007
Delete mailbox storage ——- DeleteItem
Read permissions ———–= ReadPermission
Change permissions ——–= ChangePermission
Take ownership ————–= ChangeOwner
Full mailbox access ———-= FullAccess
Associated external account= external account

****From this article you will find that the SendAs permission does not work at this level and must be applied with the add-ADPermission ***

What can I do with each permission?
FullAccess -These permissions are similar mbx owner with exception of SendAs and a few other rights.

SendAs — does not work at this level

ExternalAccount- will allow a user to associate an external account to this mailbox, this is typically used when working with resource forests.

DeleteItem- allows a user to delete a mailbox which they have been delegated this right.

ReadPermission- by deafult everyone has this permission which allows users to view the permissions on a mailbox

ChangePermission- allows a user to change (add/remove) permission on a mailbox

ChangeOwner- allows a user to change the owner of the mailbox.

Lets work our way through the permissions and see what we can do:

Example1 :
User2 has been granted readpermission to user1′s mailbox

*Note- By default Everyone has ReadPermission**

Test:
1. Open EMS
2. Get-mailboxpermissions user1 fl
We see the output returned

2. Lets attempt to change/add a permission

add-mailboxpermission user1 -user user2 -accessright fullaccess

We recieve an error- we can see that readpermission allows a user to view the current permission on a mailbox
Example 2 Send AS:
We have removed the read permission from above (remove-mailboxpermission user1 -user user2 -accessright readpermission)

Lets delegate Send As permission to User2
Add-MailboxPermission user1 -User user2 -AccessRights sendas

Now lets logon with Outlook and see what we can do?
Test1:
Open users mailbox Outlook
Failed
Test2:
Open users mailbox in OW A
failed
Test3:
Send As user1 in Outlook
Recieve Error Message

Test4:
Sends AS user1 in OWA
not method in OWA -would have to open users mbx which fails

** As stated before the SendAs permission no longer works at this level **

Now we will remove the Send As permission and see what fullaccess does

Example 3: FuallAccess

Add-MailboxPermission user1 -Usr user2 -AccessRights fullaccess
Now lets logon with Outlook and see what we can do?
Test1: Open users mailbox Outlook
Successful
Test2: Open users mailbox in OWA
Successful
Test3: Send As user1 in Outlook Recieve
Error Message
Test4: Open user1 mbx- attempt send
Open Sucessful
Send from mbx Fails
Test5: Open user1 mbx in OWA and delete messages
Successful

Example 4: DeleteItem
add-mailboxpermission user1 -user user2 -accessrights deleteitem

Test2: Delete User1 mbx

Example 5: ChangePermission
add-mailboxpermission user1 -user user2 -accessrights changepermission

Test 1: Attempt to change permission on mailbox

Example 6:ChangeOwner
add-mailboxpermission user1 -user user2 -accessrights changeowner

Test 1: Attempt to change mbx owner