Monday, April 15, 2013

Delegate Permissions to Change Permissions on Mailboxes - Exchange 2007

I am currently in the process of a delegation project for one of my customers running Exchange Server 2007.  My customer requires that all service desk staff members have the ability to manage Exchange recipients but can make no other changes within Exchange.  Part of the Recipient Management requires the service desk staff must have the ability to:
  • Manage Full Access Permission
  • Manage Send As Permission
By default the Exchange 2007 Exchange Recipient Administrators group does not provide the ability to manage permissions on mailboxes however this can easily be granted.

To grant Exchange Recipient Administrators the ability to change permissions on mailboxes they must have the ExtendedRights "ms-Exch-Store-Admin" in Active Directory on the Configuration Partition.  This can be granted using the following powershell command:

Add-ADPermission -Identity "CN=Exchange Org,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local" -User "domain\Exchange Recipient Administrators" -ExtendedRights ms-Exch-Store-Admin -InheritanceType All
Ensure you change the Exchange Org to reflect your Exchange org and the domain\ to reflect your domain's NetBIOS name.

If the permissions are not set right you will get an error similar to:


Failed to commit the change on object "a757e5a9-64e0-49cb-ac90-acda685c7f1c" because access is denied.

MapiExceptionNoAccess: Unable to set mailbox SecurityDescriptor. (hr=0x80070005, ec=-2147024891)

Exchange Management Shell command attempted:
Add-MailboxPermission -Identity 'CN=Domain User,OU=People,DC=domain,DC=local' -User 'DOMAIN\' -AccessRights 'FullAccess'

Elapsed Time: 00:00:00

Failed to commit the change on object because access is denied.

Hope this post has been helpful.

No comments:

Post a Comment