I am trying to grant the Domain Admins group full access to all mailboxes in Exchange 2010, including new ones created after this is implemented. Doing some reading, I came up with the following PowerShell command:
Get-MailboxDatabase | Add-ADPermission -User "Domain Admins" -AccessRights ExtendedRight -ExtendedRights Receive-As,Send-As
This didn't work, however. How can I do this?
Thanks!
The easiest way to accomplish this is to remove the explicit Deny permissions for Send As and Receive As which are assigned to the Domain Admins and Enterprise Admins groups on the main Exchange Organization object in AD, and subsequently get inherited everywhere. These permissions are there exactly to block administrators from accessing mailbox contents, which otherwise they could access freely.
You can modify the permissions for the Organization object using AD Sites and Services (just make sure to show the Services node).
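The same change done from the Exchange 2010 Management Shell instead of the AD Sites and Services GUI, as an added example (this is not the answerer's own code). It lists the explicit Deny entries before touching them, removes only those, and re-checks afterwards. It assumes Get-OrganizationConfig exposes the organization's DistinguishedName and that the groups carry their default English names; if they are localized, adjust the -match pattern.

```powershell
# Added example: strip the explicit Deny ACEs for Send-As / Receive-As that
# Domain Admins and Enterprise Admins carry on the Exchange Organization object.
# Run in the Exchange 2010 Management Shell as an account that can edit the
# configuration partition (e.g. a member of Organization Management).

# Assumption: the organization object exposes its DN here.
$orgDN = (Get-OrganizationConfig).DistinguishedName

# Find only explicit (non-inherited) Deny entries for the two admin groups
# that cover Send-As and/or Receive-As. Inherited entries are left alone.
$denies = Get-ADPermission -Identity $orgDN | Where-Object {
    $_.Deny -and
    -not $_.IsInherited -and
    ($_.User -match 'Domain Admins|Enterprise Admins') -and
    ($_.ExtendedRights -match 'Send-As|Receive-As')
}

# Review before changing anything.
$denies | Format-Table User, Deny, IsInherited, ExtendedRights -AutoSize

# Remove exactly those Deny ACEs; the -Deny switch makes sure a matching
# Allow entry (if any) is not removed by mistake.
foreach ($ace in $denies) {
    $rights = $ace.ExtendedRights | ForEach-Object { $_.ToString() }
    Remove-ADPermission -Identity $orgDN -User $ace.User `
        -AccessRights ExtendedRight -ExtendedRights $rights `
        -Deny -Confirm:$false
}

# Verify: this should now return nothing for either group.
Get-ADPermission -Identity $orgDN | Where-Object {
    $_.Deny -and -not $_.IsInherited -and
    ($_.User -match 'Domain Admins|Enterprise Admins')
}
```

Because the ACEs are inherited downward from the Organization object, removing them there takes effect for existing databases and mailboxes and for anything created later; nothing has to be re-run per mailbox. It also means every member of those groups can read any mailbox from then on, which is exactly the protection the Deny entries existed to provide.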
I've continued to use this link ever since our Exchange 2010 deployment: http://msundis.wordpress.com/2011/06/21/manage-full-access-permissions-on-mailboxes-in-exchange-2010/
Specifically:
Create PS scripts for them and set them as scheduled nightly (or whatever) tasks and it will handle any new mailboxes too.
The whole explicit deny for enterprise admins and domain admins in Exchange causes all kinds of issues like this.
The only way I've found is to:
I'm hopeful someone's got a better way though, since that's not quite ideal. Having permissions inherit down to mailboxes from the mailstore or database level sure would be nice...
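A scheduled-task script of the kind this answer and the linked post describe, written as an added example (it is not the linked post's code). It grants Full Access on every mailbox that does not already have an explicit, non-deny Full Access entry for the group, so it is safe to re-run nightly and picks up mailboxes created since the last run. The group name, log path and task name are assumed values.

```powershell
# Added example: nightly "grant Full Access on every mailbox" task for Exchange 2010.
# Save as e.g. C:\Scripts\Grant-FullAccess.ps1 (path is an assumption) and register with:
#   schtasks /create /sc daily /st 02:00 /tn "Exchange Grant FullAccess" /ru "DOMAIN\svc-exchange" ^
#     /tr "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Grant-FullAccess.ps1"
param(
    [string]$Group   = "Domain Admins",                      # group from the question
    [string]$LogPath = "C:\Scripts\Grant-FullAccess.log"     # assumed log location
)

# A scheduled task does not start inside the Exchange Management Shell, so load the snap-in.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $LogPath
}

$granted = 0
$failed  = 0

foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Skip mailboxes that already carry an explicit Allow FullAccess entry for the group,
    # so the script is idempotent and the log only shows real changes.
    $existing = Get-MailboxPermission -Identity $mbx.Identity -User $Group -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Deny -and -not $_.IsInherited -and ("$($_.AccessRights)" -match 'FullAccess') }
    if ($existing) { continue }

    try {
        Add-MailboxPermission -Identity $mbx.Identity -User $Group `
            -AccessRights FullAccess -InheritanceType All -ErrorAction Stop | Out-Null
        Write-Log "granted FullAccess on $($mbx.PrimarySmtpAddress) to $Group"
        $granted++
    }
    catch {
        Write-Log "FAILED on $($mbx.PrimarySmtpAddress): $($_.Exception.Message)"
        $failed++
    }
}

Write-Log "run complete: $granted new grant(s), $failed failure(s)"
```

The idempotency check matters for two reasons: a bare Add-MailboxPermission against every mailbox every night makes the log useless for spotting unexpected new mailboxes, and a failure on one mailbox would otherwise not be distinguishable from the routine churn. The window between a mailbox being created and the next run is the gap this approach cannot close.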
You need the Scripting Agent! This executes a PowerShell script every time a mailbox is created.
We use it to assign the mailbox cleanup policy and set the user's language and time zone so they are not prompted when logging in to OWA. Here's our script:
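The answer's own script is not shown on the page, so the following is an added example of what a Scripting Agent configuration for this question looks like: it grants the group Full Access on each newly created or enabled mailbox and, as the answer describes, sets a retention policy, language and time zone. The PowerShell wrapper writes ScriptingAgentConfig.xml and enables the agent. The group name, policy name, language and time zone are placeholder values, and the %ExchangeInstallPath% environment variable is assumed to be set (it is on Exchange 2010 servers).

```powershell
# Added example, not the answer's script: deploy a Scripting Agent config that runs
# after New-Mailbox / Enable-Mailbox. Run in the Exchange 2010 Management Shell.
# The XML must be present on EVERY Exchange server once the agent is enabled;
# a server with the agent on but no (or malformed) config fails all cmdlets.

$Group           = "Domain Admins"                   # from the question
$RetentionPolicy = "Default Cleanup Policy"          # placeholder policy name
$Language        = "en-US"                           # placeholder
$TimeZone        = "Eastern Standard Time"           # placeholder

$agentDir = Join-Path $env:ExchangeInstallPath "Bin\CmdletExtensionAgents"
$cfgPath  = Join-Path $agentDir "ScriptingAgentConfig.xml"

# Values like $Group are expanded now; backtick-escaped variables ($succeeded,
# $provisioningHandler, $id) are left for the agent to evaluate at run time.
$config = @"
<?xml version="1.0" encoding="utf-8" ?>
<Configuration version="1">
  <Feature Name="NewMailboxDefaults" Cmdlets="New-Mailbox,Enable-Mailbox">
    <ApiCall Name="OnComplete">
      if (`$succeeded) {
        # New-Mailbox names the user with -Name; Enable-Mailbox with -Identity.
        `$id = `$provisioningHandler.UserSpecifiedParameters["Name"]
        if (-not `$id) { `$id = `$provisioningHandler.UserSpecifiedParameters["Identity"] }
        if (`$id) {
          Add-MailboxPermission -Identity `$id -User "$Group" -AccessRights FullAccess -InheritanceType All
          Set-Mailbox -Identity `$id -RetentionPolicy "$RetentionPolicy"
          Set-MailboxRegionalConfiguration -Identity `$id -Language $Language -TimeZone "$TimeZone"
        }
      }
    </ApiCall>
  </Feature>
</Configuration>
"@

# Refuse to deploy anything that is not well-formed XML: a broken config breaks every cmdlet.
try { [xml]$config | Out-Null } catch { throw "ScriptingAgentConfig.xml would be malformed: $_" }

Set-Content -Path $cfgPath -Value $config -Encoding UTF8

# Turn the agent on (it is disabled by default). Do this only after the file is on every server.
Enable-CmdletExtensionAgent "Scripting Agent"
Get-CmdletExtensionAgent "Scripting Agent" | Format-List Name, Enabled, Priority
```

Copy the XML to the same folder on every Exchange server before enabling the agent, and remember that the OnComplete block runs in the context of whoever ran New-Mailbox, so that account needs rights to assign mailbox permissions as well as to create the mailbox. If Enable-Mailbox is driven from the pipeline rather than with an explicit -Identity, UserSpecifiedParameters["Identity"] may be empty and the block above skips that mailbox.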