Add-mailboxpermission vs Add-adpermission

Lets start by taking a look at the Add-MailboxPermission, as this cmdlet states it is used to apply permission at the mailbox level.

Who can run this command?
By default only members of the Exchange Organization Admin role

What permissions can be assigned?

This parameter specifies the rights needed to perform the operation. Valid values include:
FullAccess –SendAs–ExternalAccount–DeleteItem–ReadPermission–ChangePermission – ChangeOwner
(http://technet.microsoft.com/en-us/library/bb124097.aspx)

Some of these permissions names have change from 2003 to 2007

http://technet.microsoft.com/en-us/library/a7de9bbd-54b5-45b7-8421-b32dad648654.aspx

Exchange 2003 _________Exchange 2007
Delete mailbox storage ——- DeleteItem
Read permissions ———–= ReadPermission
Change permissions ——–= ChangePermission
Take ownership ————–= ChangeOwner
Full mailbox access ———-= FullAccess
Associated external account= external account

****From this article you will find that the SendAs permission does not work at this level and must be applied with the add-ADPermission ***

What can I do with each permission?
FullAccess -These permissions are similar mbx owner with exception of SendAs and a few other rights.

SendAs — does not work at this level

ExternalAccount- will allow a user to associate an external account to this mailbox, this is typically used when working with resource forests.

DeleteItem- allows a user to delete a mailbox which they have been delegated this right.

ReadPermission- by deafult everyone has this permission which allows users to view the permissions on a mailbox

ChangePermission- allows a user to change (add/remove) permission on a mailbox

ChangeOwner- allows a user to change the owner of the mailbox.

Lets work our way through the permissions and see what we can do:

Example1 :
User2 has been granted readpermission to user1′s mailbox

*Note- By default Everyone has ReadPermission**

Test:
1. Open EMS
2. Get-mailboxpermissions user1 fl
We see the output returned

2. Lets attempt to change/add a permission

add-mailboxpermission user1 -user user2 -accessright fullaccess

We recieve an error- we can see that readpermission allows a user to view the current permission on a mailbox
Example 2 Send AS:
We have removed the read permission from above (remove-mailboxpermission user1 -user user2 -accessright readpermission)

Lets delegate Send As permission to User2
Add-MailboxPermission user1 -User user2 -AccessRights sendas

Now lets logon with Outlook and see what we can do?
Test1:
Open users mailbox Outlook
Failed
Test2:
Open users mailbox in OW A
failed
Test3:
Send As user1 in Outlook
Recieve Error Message

Test4:
Sends AS user1 in OWA
not method in OWA -would have to open users mbx which fails

** As stated before the SendAs permission no longer works at this level **

Now we will remove the Send As permission and see what fullaccess does

Example 3: FuallAccess

Add-MailboxPermission user1 -Usr user2 -AccessRights fullaccess
Now lets logon with Outlook and see what we can do?
Test1: Open users mailbox Outlook
Successful
Test2: Open users mailbox in OWA
Successful
Test3: Send As user1 in Outlook Recieve
Error Message
Test4: Open user1 mbx- attempt send
Open Sucessful
Send from mbx Fails
Test5: Open user1 mbx in OWA and delete messages
Successful

Example 4: DeleteItem
add-mailboxpermission user1 -user user2 -accessrights deleteitem

Test2: Delete User1 mbx

Example 5: ChangePermission
add-mailboxpermission user1 -user user2 -accessrights changepermission

Test 1: Attempt to change permission on mailbox

Example 6:ChangeOwner
add-mailboxpermission user1 -user user2 -accessrights changeowner

Test 1: Attempt to change mbx owner