Giving service account access to all mailboxes on an Exchange 2007 server
Joel Stidley's Blog
If you need to give a service account access to all mailboxes on a specific Exchange 2007 server you can run the following command:

Get-MailboxServer <servername> | Add-ADPermission -User <service account> -AccessRights GenericRead, GenericWrite -ExtendedRights Send-As, Receive-As, ms-Exch-Store-Admin

This grants the permissions that third-party mobility products such as BlackBerry Enterprise Server need against Exchange 2007. Be clear about what it grants: the ACEs are written to the mailbox server's Active Directory object, Receive-As lets the account open any mailbox hosted on that server, Send-As lets it send mail as any of those users, and ms-Exch-Store-Admin is store administrator rights. Treat the account as you would a mailbox administrator: use a dedicated account with a strong password, do not reuse it for other services, and revoke the grant with Remove-ADPermission (same parameters) when it is no longer needed. Not all versions of BES will work against Exchange 2007, but the newer versions (BES 4.1 SP2 and later) seem to work fine in my testing; RIM will not fully support Exchange 2007 until BES 4.1 SP2. You still need to install the Exchange 2003 SP2 tools on the BES server if this is a new install. Note that Exchange 2000 through 2007 do not use a traditional service account to run their services; they run under the Local System account of each Exchange server.
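The following script is an added example and is not code from the original post. It applies the same grant as the one-liner above to one or more mailbox servers, then audits the server object so you can see every trustee that holds Receive-As or ms-Exch-Store-Admin there. The account name, server names and the function name are assumptions for illustration; it expects to run in the Exchange 2007 Management Shell under an Exchange Organization Administrator.

```powershell
# Added example (not from the original post). Run in the Exchange 2007 Management Shell.
# Assumed placeholders: the service account and server names are illustrative only.
$ServiceAccount = 'CONTOSO\svc-bes'
$Servers        = 'EX01', 'EX02'

# Exactly the rights the post's one-liner grants.
$AccessRights   = 'GenericRead', 'GenericWrite'
$ExtendedRights = 'Send-As', 'Receive-As', 'ms-Exch-Store-Admin'

# Returns every explicit (non-inherited) allow ACE on a mailbox server's AD object that
# carries Receive-As or ms-Exch-Store-Admin. Each trustee returned can open any mailbox
# on that server, so the list should be short and every entry should be expected.
# (Hypothetical helper name; not an Exchange cmdlet.)
function Get-MailboxServerFullAccessHolders {
    param([Parameter(Mandatory = $true)][string]$ServerName)

    $server = Get-MailboxServer -Identity $ServerName
    Get-ADPermission -Identity $server.DistinguishedName |
        Where-Object {
            -not $_.Deny -and -not $_.IsInherited -and $_.ExtendedRights -and
            (($_.ExtendedRights | ForEach-Object { "$_" }) -match 'Receive-As|ms-Exch-Store-Admin')
        } |
        Select-Object @{ Name = 'Server'; Expression = { $ServerName } },
                      User, AccessRights, ExtendedRights
}

foreach ($name in $Servers) {
    # Grant on this server's AD object; identical to the post's command for one server.
    Get-MailboxServer -Identity $name |
        Add-ADPermission -User $ServiceAccount `
                         -AccessRights $AccessRights `
                         -ExtendedRights $ExtendedRights | Out-Null

    # Audit the result. Review anything listed here that is not the service account.
    Get-MailboxServerFullAccessHolders -ServerName $name | Format-Table -AutoSize
}

# Revocation: the same parameters on Remove-ADPermission undo the grant.
# Get-MailboxServer -Identity 'EX01' |
#     Remove-ADPermission -User $ServiceAccount -AccessRights $AccessRights `
#                         -ExtendedRights $ExtendedRights -Confirm:$false
```

Run the audit function on its own periodically, without the grant loop, to catch accounts that have accumulated these rights over time; an unexpected trustee with Receive-As on a mailbox server is worth investigating.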


Posted Sun, Dec 10 2006 9:05 PM by Joel Stidley

Comments

john wrote re: Giving service account access to all mailboxes on an Exchange 2007 server
on Thu, Jan 4 2007 9:32 AM

Thanks for the info, however this does not give the <service account> user the required permissions to create top level public folders. Any idea how to do that?

Joel Stidley wrote re: Giving service account access to all mailboxes on an Exchange 2007 server
on Thu, Jan 4 2007 2:29 PM

In order to allow a mail-enabled account to create a root folder you can run this:

Add-PublicFolderClientPermission -Identity "\" -User <service account> -AccessRights CreateItems

john wrote re: Giving service account access to all mailboxes on an Exchange 2007 server
on Thu, Jan 4 2007 5:42 PM

Thanks! However, on my 32-bit test version of 2007 it refuses to do that with a { Failed to commit the change on object "\" because Access is denied. } message.

Joel Stidley wrote re: Giving service account access to all mailboxes on an Exchange 2007 server
on Fri, Jan 5 2007 12:28 AM

That command will work below the root; try this at the root:

Add-PublicFolderAdministrativePermission -Identity "\" -User <service account> -AccessRights AllExtendedRights

john wrote re: Giving service account access to all mailboxes on an Exchange 2007 server
on Fri, Jan 5 2007 2:44 AM

Thanks again, but that command does not change the status quo.

It finishes fine and grants the permission to the service account, but the service account cannot create a new top-level public folder unless it is made a member of the Exchange Organization Administrators group in AD.

I see the same behavior with the event sink that I am trying to install on this e2k7.

The event sink script triggers OK on the OnSave event of the service account's Outlook calendar and passes the URL over to the sink handler (COM+), but when that tries to open a record for that user item it is also Access Denied. However, running the sink handler in debug mode, logged on as the service account, works OK.

Joel Stidley wrote re: Giving service account access to all mailboxes on an Exchange 2007 server
on Fri, Jan 5 2007 10:05 AM

I got this from a contact at Microsoft:

Add-ADPermission -Identity <DN of the PF hierarchy> -User <service account> -ExtendedRights ms-exch-create-top-level-public-folder -AccessRights ReadProperty,GenericExecute

This can also be done using ADSI Edit.

The DN would be something like: CN=Public Folders,CN=Folder Hierarchies,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=YourExchangeOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=YourDomain,DC=com

john wrote re: Giving service account access to all mailboxes on an Exchange 2007 server
on Fri, Jan 5 2007 10:16 AM

That's interesting! (can't say it's an improvement over 2003 though)

anyway

To find the PF DN there must be a smart way available which we can pipe into the command.

searching..

john wrote re: Giving service account access to all mailboxes on an Exchange 2007 server
on Fri, Jan 5 2007 10:30 AM

It accepts this command:

Get-PublicFolderDatabase | Add-ADPermission -User <service account> -ExtendedRights ms-exch-create-top-level-public-folder -AccessRights ReadProperty,GenericExecute

Tested that in the shell and it gives back that the service account has those 3 permissions (without deny) on the database.

But sadly enough, the service account STILL can't create top-level public folders in Outlook when I remove it from the {Exchange Organization Admins} group.

So it is obviously not replicating the permissions down to the PF tree. (I restarted the Information Store.)

sadly enough

fantom wrote re: Giving service account access to all mailboxes on an Exchange 2007 server
on Thu, Aug 7 2008 3:58 AM

The command below works great, but how do I have the permission applied to all new users without running it again?

Thanks.

Get-MailboxServer <servername> | Add-ADPermission -User <service account> -AccessRights GenericRead, GenericWrite -ExtendedRights Send-As, Receive-As, ms-Exch-Store-Admin

Joel Stidley wrote re: Giving service account access to all mailboxes on an Exchange 2007 server
on Thu, Jan 15 2009 10:28 PM

You will need to run it again. You could set up a Scheduled Task to run the script periodically rather than having to do it manually.

© 2003-2009 NamedPipes Consulting. All other company and product names are property of their owners.