http://exchangeexchange.com/blogs/joel.stidley/archive/2006/12/10/giving-service-account-access-to-all-mailboxes-on-exchange-2007-server.aspxIf you need to give a service account access to all mailboxes on a specific Exchange 2007 server you can run the following command: Get-mailboxserver &lt;servername&gt; | add-adpermission –user &lt;service account&gt; -accessrights GenericRead, GenericWriteenCommunityServer 2008.5 SP2 (Build: 40407.4157)http://exchangeexchange.com/blogs/joel.stidley/archive/2006/12/10/giving-service-account-access-to-all-mailboxes-on-exchange-2007-server.aspx#1276Fri, 16 Jan 2009 04:28:16 GMT44d5531b-108b-4aea-a889-7316a6b4a5fa:1276Joel Stidley<p>You will need to run it again. You could setup a Scheduled Task to run the script periodically rather than having to do it manually.</p> <div style="clear:both;"></div><img src="http://exchangeexchange.com/aggbug.aspx?PostID=1276" width="1" height="1">http://exchangeexchange.com/blogs/joel.stidley/archive/2006/12/10/giving-service-account-access-to-all-mailboxes-on-exchange-2007-server.aspx#1206Thu, 07 Aug 2008 09:01:20 GMT44d5531b-108b-4aea-a889-7316a6b4a5fa:1206fantom<p>The command works great but how do I apply it to all new users without running it again ? &nbsp;- Thanks</p> <p>Get-mailboxserver &lt;servername&gt; | add-adpermission –user &lt;service account&gt; -accessrights GenericRead, GenericWrite -extendedrights Send-As, Receive-As, ms-Exch-Store-Admin</p> <div style="clear:both;"></div><img src="http://exchangeexchange.com/aggbug.aspx?PostID=1206" width="1" height="1">http://exchangeexchange.com/blogs/joel.stidley/archive/2006/12/10/giving-service-account-access-to-all-mailboxes-on-exchange-2007-server.aspx#1205Thu, 07 Aug 2008 08:58:08 GMT44d5531b-108b-4aea-a889-7316a6b4a5fa:1205fantom<p>The command below works great but how do I have the permmision applied to all new users without running it again ?</p> <p>Thanks.</p> <p>Get-mailboxserver &lt;servername&gt; | add-adpermission –user &lt;service account&gt; -accessrights GenericRead, GenericWrite -extendedrights Send-As, Receive-As, ms-Exch-Store-Admin</p> <div style="clear:both;"></div><img src="http://exchangeexchange.com/aggbug.aspx?PostID=1205" width="1" height="1">http://exchangeexchange.com/blogs/joel.stidley/archive/2006/12/10/giving-service-account-access-to-all-mailboxes-on-exchange-2007-server.aspx#574Fri, 05 Jan 2007 16:30:27 GMT44d5531b-108b-4aea-a889-7316a6b4a5fa:574john<p>It accepts this command:</p> <p>get-publicfolderdatabase | add-adpermission -user &lt;service account&gt; -ExtendedRights ms-exch-create-top-level-public-folder -AccessRights ReadProperty,GenericExecute</p> <p>Tested that in the shell and it gives back that the service account has</p> <p>those 3 permissions (without deny) on the database.</p> <p>but sadly enough.. the serviceaccount STILL can't create top level public folders in outlook when I remove him from the {exchange organization admins} group.</p> <p>So it is obviously not replicating the permissions down to the PF tree. &nbsp;(I restarted the information store)</p> <p>sadly enough</p> <div style="clear:both;"></div><img src="http://exchangeexchange.com/aggbug.aspx?PostID=574" width="1" height="1">http://exchangeexchange.com/blogs/joel.stidley/archive/2006/12/10/giving-service-account-access-to-all-mailboxes-on-exchange-2007-server.aspx#573Fri, 05 Jan 2007 16:16:39 GMT44d5531b-108b-4aea-a889-7316a6b4a5fa:573john<p>That's interesting! (can't say it's an improvement over 2003 though)</p> <p>anyway</p> <p>To find the PF DN there must me a smart way available which we can pipe into the command. </p> <p>searching..</p> <div style="clear:both;"></div><img src="http://exchangeexchange.com/aggbug.aspx?PostID=573" width="1" height="1">http://exchangeexchange.com/blogs/joel.stidley/archive/2006/12/10/giving-service-account-access-to-all-mailboxes-on-exchange-2007-server.aspx#572Fri, 05 Jan 2007 16:05:03 GMT44d5531b-108b-4aea-a889-7316a6b4a5fa:572Joel Stidley<P>I got this from a contact at Microsoft:</P> <P>add-adpermission –id &lt;DN of the PF hierarcy&gt; -user &lt;service account&gt; -ExtendedRights ms-exch-create-top-level-public-folder -AccessRights ReadProperty,GenericExecute.</P> <P>This can also be done using ADSI Edit.</P> <P>The DN would be something like: CN=Public Folders,CN=Folder Hierarchies,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=YourExchangeOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=YourDomain,DC=com</P><div style="clear:both;"></div><img src="http://exchangeexchange.com/aggbug.aspx?PostID=572" width="1" height="1">http://exchangeexchange.com/blogs/joel.stidley/archive/2006/12/10/giving-service-account-access-to-all-mailboxes-on-exchange-2007-server.aspx#571Fri, 05 Jan 2007 08:44:19 GMT44d5531b-108b-4aea-a889-7316a6b4a5fa:571john<p>Thanks again, but that command does not change the status quo.</p> <p>It finishes fine and grants the permission to the service account but the service account can not create a new top level public folder unless he is made member of the exchange organization administrators group in the AD.</p> <p>I see the same behavior with the event sink that I am trying to install on this e2k7.</p> <p>The eventsink script triggers ok on the onsave event of the service account's outlook calendar and passes the url over to the sink handler (com+) but when that tries to open a record to that user item it's also Access Denied. However, running the sink handler in debug mode, logged on as the service account works ok.</p> <div style="clear:both;"></div><img src="http://exchangeexchange.com/aggbug.aspx?PostID=571" width="1" height="1">http://exchangeexchange.com/blogs/joel.stidley/archive/2006/12/10/giving-service-account-access-to-all-mailboxes-on-exchange-2007-server.aspx#570Fri, 05 Jan 2007 06:28:40 GMT44d5531b-108b-4aea-a889-7316a6b4a5fa:570Joel Stidley<p>That command will work below the root, try this at the root:</p> <p>Add-PublicFolderAdministrativePermission</p> <p> \ -user &lt;service account&gt; -AccessRights AllExtendedRights</p> <div style="clear:both;"></div><img src="http://exchangeexchange.com/aggbug.aspx?PostID=570" width="1" height="1">http://exchangeexchange.com/blogs/joel.stidley/archive/2006/12/10/giving-service-account-access-to-all-mailboxes-on-exchange-2007-server.aspx#569Thu, 04 Jan 2007 23:42:47 GMT44d5531b-108b-4aea-a889-7316a6b4a5fa:569john<p>Thanks! however on my 32 bits test version of 2007 it refuses to do that with a { Failed to commit the change on object &quot;\&quot; because Access is denied. } message.</p> <div style="clear:both;"></div><img src="http://exchangeexchange.com/aggbug.aspx?PostID=569" width="1" height="1">http://exchangeexchange.com/blogs/joel.stidley/archive/2006/12/10/giving-service-account-access-to-all-mailboxes-on-exchange-2007-server.aspx#566Thu, 04 Jan 2007 20:29:49 GMT44d5531b-108b-4aea-a889-7316a6b4a5fa:566Joel Stidley<p>In order to allow an email enabled account to be able to create a root folder you can run this:</p> <p>Add-PublicFolderClientPermission -Identity &quot;\&quot; -User &lt;service account&gt; -AccessRights CreateItems</p> <div style="clear:both;"></div><img src="http://exchangeexchange.com/aggbug.aspx?PostID=566" width="1" height="1">http://exchangeexchange.com/blogs/joel.stidley/archive/2006/12/10/giving-service-account-access-to-all-mailboxes-on-exchange-2007-server.aspx#563Thu, 04 Jan 2007 15:32:55 GMT44d5531b-108b-4aea-a889-7316a6b4a5fa:563john<p>Thanks for the info, however this does not give the &lt;service account&gt; user the required permissions to create top level public folders. Any idea how to do that?</p> <div style="clear:both;"></div><img src="http://exchangeexchange.com/aggbug.aspx?PostID=563" width="1" height="1">