Add-ADPermissions is not enough to read all mailboxes on Exchange 2010

April 14, 2011 · 0 comments


We have recently upgraded from Exchange 2003 to 2010 and we are still in the midst of the details. At first glance, it would seem that the biggest hurdle is to get a good understanding of the differences and plan your migration. However, we have found that the undocumented details of how to configure a number of features are where you will spend all your time. So here is my first article that may help you get it done with far less pain and aggravation.

Our security policy states that E-mail is the property of the company and we have the right to audit and review all incoming/outgoing messages. It is rarely done, but it has saved us a few times and is just generally a good practice. All companies should have a stated policy that is signed by the users and updated with reminders. That said, let's move on to the issue at hand.

A number of articles indicate that this action can be done by running Add-ADPermission:

After a lot of testing, I found these solutions just do not work. After execution of the commands, I could use ADSIEdit and see that the changes were made and that the mailstore databases correctly inherited the values. The only problem was, it did not work. When I ran "Get-MailboxPermission" on any mailbox, the user did not have permission to read anything. Attempting to use OWA to access the mailbox also failed.

By coincidence, I was also migrating our Blackberry Enterprise Server to connect to Exchange 2010, and their documentation for the BESAdmin user describes a different approach. They suggest the following steps:

  • Get-MailboxDatabase | Add-ADPermission -User "BESAdmin" -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin
  • Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity "CN=<common_name>,DC=<domain_1>,DC=<domain_2>,DC=<domain_3>"
  • If you create a new mailbox database for Microsoft Exchange, repeat step 1 for it

Following these steps actually works!  I replaced BESAdmin with a domain administrator’s account and voila, they had the access they needed.  I also found that I could use the security tab from ADSIEdit to accomplish the same thing, so either way works.  If you use ADSIEdit, just remember to set the values for this object and all descendants.

I think the problem with the earlier articles is that they are setting the permissions on the mailstore objects, but there is no inheritance to the descendant user objects, and consequently they do not accomplish their goal. It might be possible to develop a mechanism that does not require executing Add-ADPermission for each store, by placing it on the "Databases" object in AD, but I didn't have time to experiment as I have a production shop to run. If anyone has a more elegant solution, I would love to hear it.
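The steps above, put together as a script for the Exchange 2010 Management Shell, with a verification pass at the end so you can see whether the rights actually took effect rather than trusting what ADSIEdit shows. This is an added example, not code from the post or from the BES documentation; the account name CONTOSO\mailaudit and the mailbox jdoe are placeholders, and the domain DN is read from RootDSE instead of being typed by hand.

```powershell
# Added example: grant an audit account read access to every mailbox on Exchange 2010
# using the database-level Receive-As approach described above, then verify it.
# Run from the Exchange Management Shell with rights to change Exchange permissions.
# CONTOSO\mailaudit and jdoe are placeholder names (assumptions, not from the post).
param(
    [string]$AuditUser   = 'CONTOSO\mailaudit',
    [string]$TestMailbox = 'jdoe',
    # Send-As is only needed for an agent that must send on behalf of users (BESAdmin);
    # a read-only audit account should not get it, so it is opt-in here.
    [switch]$IncludeSendAs
)

# Step 1: Receive-As (read) and ms-Exch-Store-Admin on every mailbox database.
# This is the step that must be repeated whenever a new database is created.
Get-MailboxDatabase |
    Add-ADPermission -User $AuditUser -AccessRights ExtendedRight `
        -ExtendedRights 'Receive-As', 'ms-Exch-Store-Admin'

# Step 2 (optional): Send-As, inherited down to all descendant User objects in the domain.
if ($IncludeSendAs) {
    # defaultNamingContext is the domain DN, e.g. DC=contoso,DC=com (assumed single domain)
    $domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    Add-ADPermission -Identity $domainDn -User $AuditUser -InheritedObjectType User `
        -InheritanceType Descendents -ExtendedRights 'Send-As'
}

# Verification 1: each database should now carry a non-Deny Receive-As ACE for the account.
# A database reported as $false here is the "looks right in ADSIEdit but does not work" case.
Get-MailboxDatabase | ForEach-Object {
    $ace = Get-ADPermission -Identity $_.DistinguishedName -User $AuditUser |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -like '*Receive-As*') }
    [pscustomobject]@{ Database = $_.Name; HasReceiveAs = [bool]$ace }
}

# Verification 2: the effective rights on one real mailbox, which is what the post
# found empty after the database-only approach.
Get-MailboxPermission -Identity $TestMailbox -User $AuditUser |
    Format-Table User, AccessRights, IsInherited -AutoSize

# Housekeeping: list every principal holding Receive-As on any database, so the
# audit account does not quietly accumulate company over time.
Get-MailboxDatabase | Get-ADPermission |
    Where-Object { -not $_.Deny -and ($_.ExtendedRights -like '*Receive-As*') } |
    Select-Object Identity, User, IsInherited | Sort-Object Identity, User
```

Add -WhatIf to the two Add-ADPermission calls for a dry run before changing a production organization.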


Article by Steve Van Domelen

