Assigning service account access in Exchange 2007

Sometimes you actually want one account to have access to all the mailboxes in a database, on the store, or in an organization. In Exchange 5.5, you could just use the service account; in Exchange 2000 and Exchange 2003, you have to resort to various kinds of tomfoolery. In Exchange 2003, the Domain Admins and Enterprise Admins security groups (and the built-in Administrator account) actually have an explicit deny ACE that prevents you from using these accounts to gain service access. What about Exchange 2007?

You can use the Add-ADPermission task to stamp permissions on pretty much any object. For example, you use it on send connectors to let an Edge server and a Hub server communicate, and you use it to allow anonymous access on receive connectors too. If you want to allow one user account to have access to all mailboxes on a store, you can easily do it like this:

Get-MailboxDatabase server1\mdb1 | Add-ADPermission -User yourUser -AccessRights GenericRead, GenericWrite -ExtendedRights Send-As
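
Because a grant like the one above covers every mailbox in the database, it is worth checking afterwards which accounts hold such rights. The following is an added example, not part of the original post: the function name Get-DatabaseWideGrant and the Receive-As filter term are assumptions, and server1\mdb1 and yourUser are the post's placeholders.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# Lists explicit (non-inherited) ACEs on mailbox databases that carry the kind of
# rights granted above, so service-account grants can be reviewed and revoked.

function Get-DatabaseWideGrant {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Database   # output of Get-MailboxDatabase
    )
    process {
        $Database | Get-ADPermission |
            Where-Object {
                # Flatten the multi-valued properties to strings for matching.
                $access   = "$($_.AccessRights)"
                $extended = "$($_.ExtendedRights)"

                # Keep only ACEs stamped directly on the database object,
                # skip built-in NT AUTHORITY principals, and require one of
                # the rights of interest. Receive-As is not in the post; it is
                # included here as a related mailbox-access right (assumption).
                (-not $_.IsInherited) -and
                ($_.User -notlike 'NT AUTHORITY\*') -and
                (($extended -match 'Send-As|Receive-As') -or
                 ($access   -match 'GenericWrite|GenericAll'))
            } |
            Select-Object @{ Name = 'Database'; Expression = { $Database.Identity } },
                          User, Deny, AccessRights, ExtendedRights
    }
}

# Review one database, then every database in the organization.
# The Deny column shows explicit deny ACEs such as those described for
# Domain Admins and Enterprise Admins.
Get-MailboxDatabase server1\mdb1 | Get-DatabaseWideGrant | Format-Table -AutoSize
Get-MailboxDatabase | Get-DatabaseWideGrant |
    Sort-Object User, Database | Format-Table -AutoSize

# Preview revoking the grant from the post once the account no longer needs it.
# Remove -WhatIf to apply the change.
Get-MailboxDatabase server1\mdb1 |
    Remove-ADPermission -User yourUser -AccessRights GenericRead, GenericWrite `
        -ExtendedRights Send-As -WhatIf
```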

