I’ll start by saying that ‘Full Mailbox Access to All Mailboxes’ is generally a bad idea. It should be granted on demand, with the appropriate approvals and a paper trail, but there are times when it is needed; for example, a service account for third-party software that has to read or add items in everyone’s mailbox in the company.
In my last post, “End User Management of Distribution Groups in Exchange 2010”, I explained how the new Role Based Access Control (RBAC) works. Although RBAC can be used to configure many things, it won’t give you full access to a mailbox, because that is an Active Directory based permission (an ACL on the mailbox or database object), not an RBAC role assignment.
You can do this manually, per mailbox, using either the Exchange Management Console or the Exchange Management Shell by following the Microsoft TechNet documentation, and it’s fairly easy to extend that to all mailboxes in PowerShell (pipe Get-Mailbox into Add-MailboxPermission), but that won’t cover mailboxes created after the command has been run.
Yes, you could run a daily scheduled task to get around that, but an alternative is granting the permission in AD at the database level. Any existing or newly created mailbox in that database inherits the permission this way.
So, with all that in mind, the Exchange Management Shell command to run against a particular database is:
Get-MailboxDatabase -Identity “[mailbox database name]” | Add-ADPermission -User [username] -AccessRights GenericAll
If you don’t know what your databases are called, just run ‘Get-MailboxDatabase’. If you want to apply the permission to all databases:
Get-MailboxDatabase | Add-ADPermission -User [username] -AccessRights GenericAll
I’d suggest applying this to an AD security group rather than a user (no change to the command apart from typing the group name rather than the user name), because it is then easier to manage the group’s membership than to re-run this command, and removing one member from the group revokes the access in one place. Also, if full access is granted directly to a user rather than a group, Exchange 2010 SP1 and later auto-maps every mailbox that user has full access to into their Outlook session; not ideal if you’ve got hundreds! Groups are never auto-mapped.
One caveat, which the comments below also bring out: GenericAll on the database object is a permission on the AD object for the database, and on its own it does not necessarily let the account open the mailboxes in Outlook or OWA. The right the Exchange store evaluates for mailbox logon is the Receive-As extended right on the database (Add-ADPermission with -ExtendedRights Receive-As), or FullAccess granted on each mailbox with Add-MailboxPermission. Whichever you use, check the result with Get-ADPermission (or Get-MailboxPermission) rather than assuming it worked, and test with an ordinary test account before handing the service account to the vendor.
If you’d like to know more about the Add-ADPermission cmdlet and the possible AccessRights settings, check out the TechNet article for it.
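The database-level procedure above, put together as one script for the Exchange 2010 Management Shell. This is an added example and not code from the original post: it previews the change with -WhatIf, applies the GenericAll permission to a security group on every database, grants the Receive-As extended right as well so the group can actually open mailboxes, lists the resulting ACEs for verification, and shows the matching Remove-ADPermission calls for when the access has to be revoked. The group name CONTOSO\Exchange Mailbox Full Access is an assumed placeholder.

```powershell
# Added example (not from the original post). Run in the Exchange 2010
# Management Shell as an account that can modify AD permissions.
# The group name below is an assumed placeholder; use your own group.
$Group = "CONTOSO\Exchange Mailbox Full Access"

# 1. Preview: -WhatIf reports what each database ACL change WOULD be
#    without writing anything. Read this before running step 2.
Get-MailboxDatabase | Add-ADPermission -User $Group -AccessRights GenericAll -WhatIf

# 2. Apply the AD permission from the post to every mailbox database in the org.
Get-MailboxDatabase | Add-ADPermission -User $Group -AccessRights GenericAll

# 3. GenericAll on the database object alone does not guarantee mailbox logon.
#    The store checks the Receive-As extended right, so grant it explicitly.
Get-MailboxDatabase | Add-ADPermission -User $Group -ExtendedRights Receive-As

# 4. Verify: show the explicit (non-inherited, non-deny) ACEs the group
#    now holds on each database. An empty result means nothing was granted.
Get-MailboxDatabase |
    Get-ADPermission -User $Group |
    Where-Object { -not $_.IsInherited -and -not $_.Deny } |
    Select-Object Identity, User, AccessRights, ExtendedRights, InheritanceType |
    Format-Table -AutoSize

# 5. Revoking later is the mirror image. Keep -WhatIf until the preview is
#    right, then drop it; -Confirm:$false suppresses the per-database prompt.
Get-MailboxDatabase | Remove-ADPermission -User $Group -AccessRights GenericAll -Confirm:$false -WhatIf
Get-MailboxDatabase | Remove-ADPermission -User $Group -ExtendedRights Receive-As -Confirm:$false -WhatIf
```

Because the grants go to a group, day-to-day access is controlled by group membership (a single, auditable change in AD) rather than by re-running the cmdlets, and nothing gets auto-mapped into anyone’s Outlook profile.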
Thank you, thank you, thank you. I know it has been a while since you posted this, but this is exactly the information I needed.
No problem, it’s great to know it’s helped someone; the timeframe doesn’t matter! Thanks for letting me know.
My search-fu is failing me tonight. I need to create a (I guess custom) role that can log into any mailbox in the org via Outlook impersonation and maybe OWA; however, it should be read-only access. Or, at a minimum, it should limit the role to only work within the account but not send any email, and of course not be able to do any admin-level tasks above the mailbox level. So the role could undelete a message, but preferably not grant another user delegate access or share a folder.
Thanks in advance.
I came across a similar issue – the above won’t grant access to a mailbox via Outlook. I wrote this article to cover a way of doing it for newly created mailboxes:
http://blog.enowsoftware.com/solutions-engine/bid/185323/Scripting-Agent-Cmdlet-Extension
But also, this may not cover the exact custom permissions you’re after. You may have to do a combination of both, the linked article to apply certain permissions to allow outlook impersonation with read only access, and then a custom RBAC for the other permissions you need.
Bit messy, might be a nicer way but not that I know of off the top of my head sorry!
Thanks much for this helpful post! I have two questions:
1) Can this command as written be appended with “–AutoMapping $False” to prevent Outlook folder clutter for the reviewing user, or can automapping prevention be applied only with MailboxPermission?
2) Once FullAccess is provided, can I restrict the reviewing user to Read-Only permission without disturbing any existing editing permissions that need to stay in place?
Thanks in advance for any direction.
Hi,
1) If you use a group rather than a user, you don’t need to provide that switch, which is the way I’d recommend doing it for easy add/remove of permissions.
2) You want to give full access via this method, then selectively remove that permission on a selected mailbox, or all mailboxes? If it’s all, I’d have a second group set up with just the read-only at the database level. If there’s just one mailbox that you want to treat differently then I don’t actually know – you’d have to test this (easily done by creating another database and having a single user in there, then change the settings).
Let me know how you go!
Hi, so to be clear: if I do the Get-MailboxDatabase | Add-ADPermission -user [username] -AccessRights GenericAll for an AD group, it will apply to new mailboxes as well?
Hi Michael, yes, it applies to any mailbox, existing or created after the fact, that exists in that database. It won’t allow login access though.
OK, my need is to prepare a client for migration to o365. They need an account with full access to all mail dbs. I don’t want to give them a domain admin account….
I want to thank you for your response and willingness to share…
Hi,
Thank you for posting such a helpful post. I am having a problem, if you can help. As per my understanding, when a new user is created in that specific database where I have assigned full access permission as per the above command, that service account should automatically be added in the user’s “Manage Full Access Permission”, right? But I am unable to see the service account there; only “NT Authority\Self” exists there.
Any idea?
Adam,
I tried the command Get-MailboxDatabase | Add-ADPermission -user [username] -AccessRights GenericAll, but the specific user still does not have full access permission to the newly created mailbox. We have 3rd party software that requires a specific user (not a group) to have full permission to all mailboxes in order for their Outlook plugin to work. We have Exchange 2010 with SP3 and Update Rollup 13. Thanks
I had an identical problem. Although this gives access to the mailbox, login access doesn’t seem to work this way.
I wrote a solution here: http://blog.enowsoftware.com/solutions-engine/bid/185323/Scripting-Agent-Cmdlet-Extension
For a one-off, try this command from that post:
Add-Mailboxpermission -identity XYZ -User “Exchange Mailbox Full Access” -AccessRights FullAccess -InheritanceType All
For an ongoing solution, read that post as it’ll tell you how to apply that to all newly created mailboxes. That was the only way I could work out how to do it.
Please let me know if it works for you :)
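The per-mailbox route the reply above points to, written out as a script that can be run today and re-run from a scheduled task to pick up mailboxes created later. This is an added example, not code from the post or the linked article: it walks every mailbox, skips the ones that already hold an explicit FullAccess entry for the grantee, and grants FullAccess without auto-mapping to the rest. The group name CONTOSO\Exchange Mailbox Full Access is an assumed placeholder; for a vendor that insists on a named user, put the user there instead and the -AutoMapping $false still keeps the mailboxes out of that user’s Outlook profile.

```powershell
# Added example (not from the post or the linked article). Exchange 2010 SP1
# or later (for -AutoMapping). The grantee below is an assumed placeholder.
$Grantee = "CONTOSO\Exchange Mailbox Full Access"

$granted = 0
$skipped = 0

Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_

    # Does the grantee already hold an explicit, non-deny FullAccess ACE?
    # AccessRights can be a combined value, so match on its text.
    $already = Get-MailboxPermission -Identity $mbx.Identity -User $Grantee -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.Deny -and -not $_.IsInherited -and
            (($_.AccessRights -join ",") -match "FullAccess")
        }

    if ($already) {
        $skipped++
    }
    else {
        # -InheritanceType All covers the folders; -AutoMapping $false stops the
        # mailbox being added to the grantee's Outlook profile automatically.
        Add-MailboxPermission -Identity $mbx.Identity -User $Grantee `
            -AccessRights FullAccess -InheritanceType All -AutoMapping $false | Out-Null
        Write-Host "Granted FullAccess on $($mbx.Alias)"
        $granted++
    }
}

Write-Host "Done: $granted granted, $skipped already had access."

# Revoking from every mailbox later is the mirror image (remove -WhatIf to run it):
Get-Mailbox -ResultSize Unlimited |
    Remove-MailboxPermission -User $Grantee -AccessRights FullAccess -InheritanceType All -Confirm:$false -WhatIf
```

Because the script checks before it grants, it is safe to schedule daily; each run only touches mailboxes that do not yet have the entry, and the summary line gives a quick audit of what changed.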
Thanks for the article, great read. What I want to do is the opposite: I have a group that has full access to everyone’s mailbox. Business rules have changed and I need that group REMOVED from everyone’s mailbox. Can I use your PowerShell command? Instead of Add-ADPermission, would it be Remove-ADPermission?
Hey Mick – should be, and if you’re not sure, add -WhatIf at the end of your command. It should give you some idea what it WOULD do if you ran the command, rather than actually doing it :)