Exchange
United States - English
Home
Online
2010
2007
2003
Library
Forums
Partners
EHLO Blog
31 out of 43 rated this helpful - Rate this topic

How to Allow Mailbox Access

Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007

Topic Last Modified: 2010-04-28

This topic explains how to use the Exchange Management Shell to grant the Full Access permission for a mailbox or the Receive As permission for a mailbox database.

When you grant a user the Full Access permission for a mailbox, that user has full access to only the mailbox for which the permissions are applied. With the Full Access permission, the user can open and read the contents of the mailbox. However, the user cannot send from that mailbox without having additional permissions. For information about granting the Send As permission, see How to Grant the Send As Permission for a Mailbox.

When you grant the Receive As permission for a mailbox database to a user, that user can log on to all mailboxes within that database. However, that user cannot send e-mail messages from those mailboxes. Also, if you grant Receive As permission at the storage group level, the specified user can log on to all mailboxes within all databases in the storage group. For example, you may want to grant access to the mailbox database for mobile access or for legal review.

Full Access or Receive As permissions are not granted until the Microsoft Exchange Information Store service caches the permissions and updates the cache. To grant the permissions immediately, stop and then start the Microsoft Exchange Information Store service.

To perform this procedure, the account you use must be delegated the following:

  • Exchange Server Administrator role
  • Administrator rights on the computer

For more information about permissions, delegating roles, and the rights that are required to administer Microsoft Exchange Server 2007, see Permission Considerations.

  1. Start the Exchange Management Console.

  2. In the console tree, click Recipient Configuration.

  3. In the result pane, select the mailbox for which you want to grant the Full Access permission.

  4. In the action pane, under the mailbox name, click Manage Full Access Permission. The Manage Full Access Permission wizard opens.

  5. On the Manage Full Access Permission page, click Add.

  6. In Select User or Group, select the user to which you want to grant the Full Access permission, and then click OK.

  7. Click Manage.

  8. On the Completion page, the Summary states whether the Full Access permission was successfully granted. The summary also displays the Exchange Management Shell command that was used to grant the Full Access permission.

  9. Click Finish.

  • Run the following command to add the Full Access permission directly to the mailbox.

    Copy 
    Add-MailboxPermission "Mailbox" -User "Trusted User" -AccessRights FullAccess

  • Run the following command to add the Receive As permission to the mailbox database.

    Copy 
    Add-ADPermission -Identity "Mailbox Store" -User "Trusted User" -ExtendedRights Receive-As

For detailed syntax and parameter information, see the Add-MailboxPermission and Add-ADPermission reference topics.

  • Run the following command to add the Full Access permission directly to the mailbox.

    Copy 
    Add-MailboxPermission "Mailbox" -User "Trusted User" -AccessRights FullAccess

  • Run the following command to add the Receive As permission to the mailbox database.

    Copy 
    Add-ADPermission -Identity "Mailbox Store" -User "Trusted User" -ExtendedRights Receive-As

For detailed syntax and parameter information, see the Add-MailboxPermission (RTM) and Add-ADPermission (RTM) reference topics.

For more information about granting Microsoft Outlook permissions, see Delegate Access Permissions in Outlook Help.

Did you find this helpful?
(1500 characters remaining)
Community Content Add
Annotations FAQ
Works not as expected
The ace is set on the store, but the defined user (e. g. tester1) cannot open the mailbox. When i was added an other user (e. g. tester2) to the mailbox with the Exchange Management Console with full mailbox access and then remove the user tester2 again then i can access the mailbox. It seems that the task stamps the mailbox with the correct ace and this is not done automatically. (i waited two day´s). Is there a command that inherits the ace´s to the store?


[tfl - 16 04 12] Hi - and thanks for your post. Community content is not the appropriate place for technical support queries. Instead, you should visit the Technet Forums at http://forums.microsoft.com/technet, where such posts are welcomed and where you stand a much better chance of getting your query resolved. Sorry if that's not the answer you wanted to hear.
History
add-mailboxpermission
To add mailbox permission one doesn't need to be orgadmin as mentioned in the article. A server admin can add permissions on the mailboxes on a particular server.
History
Commandlet for does not work as advertised

I agree with Max. I tried the commandlet for granting "Receive As permission for a mailbox database" and it does not work. I am trying to grant full mailbox access to members of the Exch.. Org Admin group. I applied the above comdlet, restarted the Exchange services, even rebooted the Server and still no show. I still cannot access the Mailboxes unless I specifically grant them at the mailbox level. It appears the "Deny" right of the Exchange Org Admin still take precedence on the mailbox. Is there a commandlet you can apply only just once and not have to worry about it when you add new mailboxes?

History
Are permissions for Full Access transient?

Exchange 2007
Are permissions for Full Access transient? Scenerio...Grant userA Full Access to userB. Grant userB Full Access to userC. Will userA have Full Access to userC?

History
This clearly does not work.
I have set perms via the GUI AND Powershell. The perms are set, yet I cannot open the mailbox. Microsoft needs to address this issue. It's comes up regularly in my organization.

Here's the powershell output:

[PS] C:\>Add-MailboxPermission "Some mailbox" -user "testaccount" -Accessrights fullaccess
WARNING: Appropriate ACE is already present on object "CN=some mailbox
,CN=Users,DC=xxx,DC=xxx,DC=org" for account "domain\testaccount".

Identity User AccessRights IsInherited Deny
-------- ---- ------------ ----------- ----
xxx.xxx.org/U... domain\testaccount {FullAccess} False False

History
How do you add perms to a mailbox store?

How do you add permissions to an entire store or storage group so it will include current AND new mailboxes? We have a small IT group and often need to access other users folders in order to perform trouble shooting. I had our Exchange 2003 server set up to allow this, but I can't access the security properties on the new databases via the EMC.

History