Joel Stidley's Blog

Discuss general Microsoft news, focusing on Exchange and PowerShell.

Giving service account access to all mailboxes on an Exchange 2007 server

If you need to give a service account access to all mailboxes on a specific Exchange 2007 server, run the following command from the Exchange Management Shell:

Get-MailboxServer <servername> | Add-ADPermission -User <service account> -AccessRights GenericRead, GenericWrite -ExtendedRights Send-As, Receive-As, ms-Exch-Store-Admin

This grants the permissions that third-party mobility products such as BlackBerry Enterprise Server need in order to access mailboxes on Exchange 2007. Not all versions of BES work against Exchange 2007, but the newer versions (BES 4.1 SP2 and later) worked fine in my testing; RIM will not fully support Exchange 2007 until BES 4.1 SP2. On a new install you still need to install the Exchange 2003 SP2 management tools on the BES server. Note that Exchange 2000 through 2007 do not use a traditional service account to run their own services; they run under the Local System account of each Exchange server, so the account you grant here is only the one the third-party product logs on with.

Be aware of what the grant means: Receive-As at the server scope is full access to every mailbox on that server, including mailboxes created later, and Send-As lets the account send mail as any of those users. Treat the service account as highly privileged (dedicated account, strong password, no interactive logon), verify the resulting ACEs after the grant, and remove the permission with Remove-ADPermission when the product is decommissioned.
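As an added example (not part of the original post), the following Exchange Management Shell script performs the grant above, reads back the ACEs the service account now holds on the server object so you can confirm that all three rights are present and that no explicit Deny overrides them, and keeps the matching revoke ready. The server name EX01 and the account CONTOSO\svc-bes are placeholders.

```powershell
# Added example, not from the original post. Exchange 2007 Management Shell.
# EX01 and CONTOSO\svc-bes are placeholder names; replace them with your own.
$server = "EX01"
$svc    = "CONTOSO\svc-bes"

# 1. Grant. The ACE is written on the server object in the configuration
#    partition; everything beneath it (storage groups, databases) inherits it.
Get-MailboxServer $server |
    Add-ADPermission -User $svc `
        -AccessRights GenericRead, GenericWrite `
        -ExtendedRights Send-As, Receive-As, ms-Exch-Store-Admin

# 2. Read back what the account actually holds on the server object.
#    Deny = True means an explicit Deny ACE that wins over any Allow.
$aces = Get-MailboxServer $server | Get-ADPermission -User $svc
$aces | Format-Table Identity, User, Deny, IsInherited, AccessRights, ExtendedRights -AutoSize

# 3. Collect the extended rights from the Allow ACEs only and check each one.
$granted = @($aces |
    Where-Object { -not $_.Deny } |
    ForEach-Object { $_.ExtendedRights } |
    Where-Object { $_ } |
    ForEach-Object { "$_" })

foreach ($right in "Send-As", "Receive-As", "ms-Exch-Store-Admin") {
    if ($granted -contains $right) {
        Write-Host "OK       $right granted to $svc on $server"
    } else {
        Write-Warning "MISSING  $right for $svc on $server (check for a Deny ACE)"
    }
}

# 4. Revoke with the same rights at the same scope when the product is retired.
#    Left commented out so the script does not undo step 1 when run as-is.
# Get-MailboxServer $server |
#     Remove-ADPermission -User $svc `
#         -AccessRights GenericRead, GenericWrite `
#         -ExtendedRights Send-As, Receive-As, ms-Exch-Store-Admin -Confirm:$false
```

Run the verification step again after any change to the server object's ACL; an explicit Deny added later, for example by a group policy or by another administrator, silently breaks mailbox access for the product even though the Allow ACE is still there.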

Comments

 

john said:

Thanks for the info, however this does not give the <service account> user the required permissions to create top level public folders. Any idea how to do that?

January 4, 2007 9:32 AM
 

Joel Stidley said:

In order to allow an email-enabled account to be able to create a root folder you can run this:

Add-PublicFolderClientPermission -Identity "\" -User <service account> -AccessRights CreateItems

January 4, 2007 2:29 PM
 

john said:

Thanks! However, on my 32-bit test version of 2007 it refuses to do that with a "Failed to commit the change on object "\" because Access is denied." message.

January 4, 2007 5:42 PM
 

Joel Stidley said:

That command will work below the root, try this at the root:

Add-PublicFolderAdministrativePermission -Identity "\" -User <service account> -AccessRights AllExtendedRights

January 5, 2007 12:28 AM
 

john said:

Thanks again, but that command does not change the status quo.

It finishes fine and grants the permission to the service account, but the service account cannot create a new top-level public folder unless it is made a member of the Exchange Organization Administrators group in AD.

I see the same behavior with the event sink that I am trying to install on this e2k7.

The event sink script triggers OK on the OnSave event of the service account's Outlook calendar and passes the URL over to the sink handler (COM+), but when that tries to open a record to that user item it is also Access Denied. However, running the sink handler in debug mode, logged on as the service account, works OK.

January 5, 2007 2:44 AM
 

Joel Stidley said:

I got this from a contact at Microsoft:

Add-ADPermission -Identity "<DN of the PF hierarchy>" -User <service account> -ExtendedRights ms-Exch-Create-Top-Level-Public-Folder -AccessRights ReadProperty,GenericExecute

This can also be done using ADSI Edit.

The DN would be something like: CN=Public Folders,CN=Folder Hierarchies,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=YourExchangeOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=YourDomain,DC=com

January 5, 2007 10:05 AM
 

john said:

That's interesting! (can't say it's an improvement over 2003 though)

anyway

To find the PF DN there must be a smart way available which we can pipe into the command.

searching..

January 5, 2007 10:16 AM
 

john said:

It accepts this command:

Get-PublicFolderDatabase | Add-ADPermission -User <service account> -ExtendedRights ms-Exch-Create-Top-Level-Public-Folder -AccessRights ReadProperty,GenericExecute

Tested that in the shell and it gives back that the service account has those 3 permissions (without deny) on the database.

But sadly enough, the service account STILL can't create top-level public folders in Outlook when I remove it from the Exchange Organization Administrators group.

So it is obviously not replicating the permissions down to the PF tree. (I restarted the Information Store.)

sadly enough

January 5, 2007 10:30 AM
 

fantom said:

The command works great, but how do I apply it to all new users without running it again? Thanks.

Get-MailboxServer <servername> | Add-ADPermission -User <service account> -AccessRights GenericRead, GenericWrite -ExtendedRights Send-As, Receive-As, ms-Exch-Store-Admin

August 7, 2008 4:01 AM
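The question above is answered by how the grant is stored: the ACE sits on the mailbox server object in the configuration partition and is inherited by every mailbox database beneath it, so mailboxes created later on that server are covered without re-running the command. As an added example (not part of the original post or thread), the following Exchange Management Shell script checks that inheritance per database, which is also the place to look when one database unexpectedly refuses the service account. EX01 and CONTOSO\svc-bes are placeholders.

```powershell
# Added example, not from the original post. Exchange 2007 Management Shell.
# EX01 and CONTOSO\svc-bes are placeholder names; replace them with your own.
$server = "EX01"
$svc    = "CONTOSO\svc-bes"

# Summarise what the service account holds on one mailbox database object.
# Written with "" | Select-Object so it also runs on PowerShell 1.0, which
# the Exchange 2007 shell was built on.
function Test-ServiceAccountOnDatabase($db, $svc) {
    # Allow ACEs only; an explicit Deny on the database would override them.
    $aces   = @($db | Get-ADPermission -User $svc | Where-Object { -not $_.Deny })
    $rights = @($aces |
        ForEach-Object { $_.ExtendedRights } |
        Where-Object { $_ } |
        ForEach-Object { "$_" })

    $row = "" | Select-Object Database, Inherited, ReceiveAs, SendAs, StoreAdmin
    $row.Database   = $db.Name
    # True when at least one ACE came down from the server object, i.e. the
    # server-level grant reached this database.
    $row.Inherited  = [bool]($aces | Where-Object { $_.IsInherited })
    $row.ReceiveAs  = $rights -contains "Receive-As"
    $row.SendAs     = $rights -contains "Send-As"
    $row.StoreAdmin = $rights -contains "ms-Exch-Store-Admin"
    $row
}

# One row per mailbox database on the server, including databases added
# after the original grant; they inherit the ACE like the existing ones.
Get-MailboxDatabase -Server $server |
    ForEach-Object { Test-ServiceAccountOnDatabase $_ $svc } |
    Format-Table Database, Inherited, ReceiveAs, SendAs, StoreAdmin -AutoSize
```

A database that shows ReceiveAs = False while the others show True has either had inheritance blocked on its object or carries an explicit Deny for the account; fix it on that object rather than falling back to per-mailbox grants.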
© 2003-2008 NamedPipes Consulting. All other company and product names are property of their owners.