Wednesday, September 19, 2007

Granting Mailbox Security Management Permissions

I needed to enable the Help Desk to be able to modify permissions on mailboxes. I put the help desk security group in the Exchange Recipient Administrators group. That gives them the ability to modify Exchange attributes but would not allow them to modify permissions on a mailbox. The next available role was “Exchange Organization Administrator” but I couldn’t give them full access to Exchange. I opened a case with Microsoft and we came up with the following PowerShell command:

Get-MailboxDatabase | Add-ADPermission -user "domain\group" -accessrights writeproperty -extendedrights "administer information store" -inheritancetype all

That gives them the necessary rights so that they can modify permissions on mailboxes. Any time a new database is created we will have to run the command against it to give the Help Desk the necessary permissions.
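
Because the grant has to be repeated for every new database, the following added example (not part of the original post or of Microsoft's guidance) checks each mailbox database for the group's explicit "Administer information store" entry and applies the command above only where it is missing. It assumes the Exchange Management Shell, keeps the post's "domain\group" placeholder, and assumes Get-ADPermission reports the right either by its display name or as ms-Exch-Store-Admin.

```powershell
# Added example: run in the Exchange Management Shell.
# $Group is the same placeholder used in the post; replace it with the Help Desk group.
$Group = 'domain\group'

foreach ($db in Get-MailboxDatabase) {
    # Explicit (non-inherited) allow entries the group already holds on this database
    $existing = Get-ADPermission -Identity $db.DistinguishedName -User $Group |
        Where-Object { -not $_.Deny -and -not $_.IsInherited }

    # Assumption: the extended right is shown either by its display name or by
    # its directory name, ms-Exch-Store-Admin.
    $hasStoreAdmin = $false
    foreach ($ace in $existing) {
        foreach ($right in $ace.ExtendedRights) {
            if ("$right" -match '^(ms-Exch-Store-Admin|Administer information store)$') {
                $hasStoreAdmin = $true
            }
        }
    }

    if ($hasStoreAdmin) {
        Write-Host "OK       $($db.Identity)"
    }
    else {
        Write-Host "MISSING  $($db.Identity) - adding permission"
        # Same grant as the one-line command in the post, scoped to this database
        Add-ADPermission -Identity $db.DistinguishedName -User $Group `
            -AccessRights WriteProperty `
            -ExtendedRights 'Administer information store' `
            -InheritanceType All
    }
}
```

The same loop with the Add-ADPermission call removed serves as a periodic audit of which databases carry this delegation.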
