Full mailbox Access set at OU Level?

  • Full mailbox Access set at OU Level?

    I have an OU specifically for resource/shared mailboxes, I have delegated control for our Servicedesk to create accounts within this OU, this works fine.

    My problem is as part of creating the resource account a security group is created which is added to the mailbox to provide full mailbox access.

    The Servicedesk has permissions to create the security group but they don't have permissions to assign the security group full mailbox permissions on the resource account.

    We are in the process of transitioning to Exchange 2007 as well, all these mailboxes are currently on Exchange 2003.

    I have had some success in using the Add-MailboxPermission PowerShell command and granting the change permissions and full access, but this is only on a per-mailbox basis. I know I could pipe the command and gather all the mailboxes from the OU, which would mean running the command on a schedule.

    The downside is if a new resource account was to be created, the Servicedesk could create the account and security group, populate the members of the group and then pass the call over to me to add the security group to the full mailbox permission. It would be a lot easier if I could grant the Servicedesk complete control of the current resource accounts and mailbox permissions in this OU.

    I only want them to have complete control of the shared mailboxes in that OU and not every employee's mailbox.

    Another benefit of the Servicedesk having full mailbox access is they can open the mailbox and set the Auto reply (something which is required on every resource account).

    I would like to know if anyone has a solution to the above problem I have, or what they do in their organisation in terms of who creates the shared mailboxes and how they achieve it.

    Any advice welcome.

  • #2
    Re: Full mailbox Access set at OU Level?

    IMHO the easiest solution for your problem would be to group the shared mailboxes in their own OU and give the servicedesk full access to this OU and all objects within.


    • #3
      Re: Full mailbox Access set at OU Level?

      Thanks for the reply,

      The Servicedesk have complete full control, but the Exchange Permissions can't be set in that method.


      • #4
        Re: Full mailbox Access set at OU Level?

        Which permissions are assigned in Exchange to the servicedesk?


        • #5
          Re: Full mailbox Access set at OU Level?

          I have just checked and they were only Exchange Read only administrators.

          Instead of messing with their permissions I have created a test user, delegated control (via ESM) and given the user Exchange Full Administrator permissions. I have also on the test OU given the test account Full Control and set the permissions to flow to child objects.

          I have also given the account Exchange Recipient Administrator permissions.


          Thanks for your help

          I can now successfully amend the permissions for every mailbox-enabled user with the test account, which is good. However, is it possible to restrict it just to an OU?
          Last edited by Pdog; 11th January 2010, 20:04.
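
The scheduled, per-OU approach mentioned in the first post, sketched as an added example that is not part of the original thread: it grants a delegate group the two rights only on mailboxes in one OU and skips mailboxes that already have them, so the Servicedesk needs no organisation-wide Exchange role. The OU path, the group name and the function name `Grant-OuMailboxRights` are placeholders.

```powershell
# Added example for the Exchange Management Shell (Exchange 2007).
# Placeholder values, not taken from the thread:
$ResourceOU   = 'example.local/Resource Mailboxes'    # OU holding the shared mailboxes
$DelegateName = 'EXAMPLE\Servicedesk-MailboxAdmins'   # group the Servicedesk belongs to
$Rights       = 'FullAccess', 'ChangePermission'

function Grant-OuMailboxRights {
    param(
        [string]$OrganizationalUnit,
        [string]$User,
        [string[]]$AccessRights,
        [switch]$Apply   # without -Apply the function only reports what it would change
    )

    foreach ($mbx in Get-Mailbox -OrganizationalUnit $OrganizationalUnit -ResultSize Unlimited) {
        # Explicit allow entries the delegate already holds on this mailbox.
        # Inherited or deny entries are not counted as "already granted".
        $held = @(Get-MailboxPermission -Identity $mbx.Identity -User $User |
            Where-Object { -not $_.IsInherited -and -not $_.Deny } |
            ForEach-Object { $_.AccessRights } |
            ForEach-Object { $_.ToString().Split(',') } |
            ForEach-Object { $_.Trim() })

        $missing = @($AccessRights | Where-Object { $held -notcontains $_ })
        if ($missing.Count -eq 0) { continue }   # nothing to do for this mailbox

        if ($Apply) {
            Add-MailboxPermission -Identity $mbx.Identity -User $User `
                -AccessRights $missing -InheritanceType All | Out-Null
            Write-Output "Granted $($missing -join ', ') on '$($mbx.Name)' to $User"
        }
        else {
            Write-Output "Would grant $($missing -join ', ') on '$($mbx.Name)' to $User"
        }
    }
}

# Report first; add -Apply once the list matches the resource OU and nothing else.
Grant-OuMailboxRights -OrganizationalUnit $ResourceOU -User $DelegateName -AccessRights $Rights
```

The account that runs this on a schedule is the only one that needs Exchange rights to change mailbox permissions; the output lines give a record of which mailboxes were changed on each run.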