Domain Admins Full Mailbox Access...

  • Domain Admins Full Mailbox Access...

    I have spent several hours and cannot figure out how to add the domain admins group to have full mailbox access. I want them to be able to log in to any mailbox, read the email if necessary and send email. I have used the following commands with my information:

    Add-ADPermission -Identity "First Storage Group" -User "domain admins" -ExtendedRights Receive-As

    Add-ADPermission -Identity "First Storage Group" -User "domain admins" -ExtendedRights Send-As

    I've read that domain admins have an explicit deny which overrides my allow but I cannot for the life of me figure out how to remove the deny. I have tried the following:

    Remove-ADPermission -Identity "First Storage Group" -User "Domain Admins" -ExtendedRights Receive-As -deny

    I am greeted with the message:

    WARNING: An inherited access control entry has been specified: [Rights: ExtendedRight, ControlType: Deny] and was ignored on object "CN=First Storage Group....

    Any help would be greatly appreciated...

  • #2
    Re: Domain Admins Full Mailbox Access...

    I suggest you create a new user account which will be used specifically to provide these services, and do not join that user account to the Domain Admins security group. It can however be a member of the Administrators security group.
    Best wishes,
    PaulH.
    MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



    • #3
      Re: Domain Admins Full Mailbox Access...

      Yea I could do that. But I would really like to know how to remove that deny. Anyone have any ideas?



      • #4
        Re: Domain Admins Full Mailbox Access...

        The short and sweet answer is that it can't and shouldn't be done. Here is a link to an MS article that explains it:

        http://support.microsoft.com/kb/907434

        The recommendation would be to create a user account for this purpose and use the Delegation wizard in ESM to give this user the rights they require to accomplish your goal.



        • #5
          Re: Domain Admins Full Mailbox Access...

          Isn't ESM for Exchange 2003? I am dealing with Exchange 2007.



          • #6
            Re: Domain Admins Full Mailbox Access...

            Regardless, you are going to have the same issue. The recommendation still stands.

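Added example, not part of any post in this thread: one way to follow the recommendation in #2 and #4 on Exchange 2007, by confirming that the Deny entries are inherited and then granting the rights to a dedicated account. The account name `CONTOSO\svc-mailaudit` is a hypothetical placeholder; the storage group name is the one used in the first post.

```powershell
# Run in the Exchange Management Shell (Exchange 2007).
# Assumptions: the storage group name comes from the thread; the account is a
# hypothetical dedicated account that is NOT a member of Domain Admins.
$target  = "First Storage Group"
$account = "CONTOSO\svc-mailaudit"   # placeholder, replace with your own

# 1. List every Deny entry for Receive-As / Send-As and show whether it is
#    inherited. Inherited entries are the ones Remove-ADPermission reports
#    as "ignored" when you try to remove them on this object.
Get-ADPermission -Identity $target |
    Where-Object {
        $_.Deny -and (
            ($_.ExtendedRights -like "Receive-As") -or
            ($_.ExtendedRights -like "Send-As")
        )
    } |
    Format-Table User, Deny, IsInherited, ExtendedRights -AutoSize

# 2. Grant the two rights to the dedicated account instead of Domain Admins.
Add-ADPermission -Identity $target -User $account `
    -ExtendedRights Receive-As, Send-As

# 3. Review what is now set for that account on the object.
#    Expect explicit (IsInherited = False) entries with Deny = False.
Get-ADPermission -Identity $target -User $account |
    Format-Table User, Deny, IsInherited, ExtendedRights -AutoSize
```

Step 3 only lists entries that name the account itself; a Deny that applies through one of the account's group memberships still wins, so keep the account out of any group that appears in the output of step 1.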