Microsoft Exchange Server 2013 : Mailbox management - Setting mailbox permissions (part 2) - Managing Full Access permission

9/5/2014 4:27:47 AM

Managing Full Access permission

Assigning Send As permission for a mailbox enables a user to impersonate someone else, but apart from being able to create and send messages, the Send As permission does not grant any further access to mailbox contents. You need Full Access permission to open a mailbox and peruse its contents. To assign Full Access to a mailbox, select the mailbox to which you want to assign permission and edit its properties. Open the Mailbox Delegation section (Figure 3) and scroll to the bottom part of the screen, where you can choose the accounts or groups that need the permission. Notice that the Exchange Servers and Exchange Trusted Subsystem groups are already included in the list of users and groups. This is to allow Exchange access to the discovery mailbox so that it can store search results in it.

A screen shot showing how EAC allows Full Access to be assigned to a mailbox through the Mailbox Delegation properties. In this case, a user has been assigned access to another user’s mailbox.

Figure 3. Assigning Full Access permission for a mailbox

You can add the names of individual users or the names of security groups, whichever is the more convenient way to assign permissions to mailboxes that need to be shared. You cannot assign permissions to normal distribution groups or dynamic distribution groups because these groups do not possess a Windows security principal. After you’ve entered the full set of users and groups to receive Full Access, click Save.

Behind the scenes: When EAC assigns permissions

Behind the scenes, the Add-MailboxPermission cmdlet makes the assignment. This cmdlet requires you to pass the name of the mailbox to which you want to assign Full Access. You can use any of the valid identifiers for this purpose. When EAC assigns permissions, it uses the fully distinguished name of the mailbox. The advantage of using a distinguished name is that you can be absolutely certain that you are working with the correct mailbox, which is always important when you deal with permissions. The disadvantage is that you have to be very careful about typing a distinguished name because it can be quite verbose or complicated. (For instance, the distinguished name for the default discovery mailbox is pretty long.)

One obvious example of when users need this facility is when they perform eDiscovery searches. Because Exchange places the output from these searches in discovery mailboxes (selected individually for each search), the investigators have to open them to review the results. Before the investigators can open the discovery mailbox, an administrator has to assign them Full Access permission to the discovery mailbox. Exchange assigns the necessary permission for the default discovery mailbox by allowing anyone who is a member of the Discovery Management RBAC group to open the mailbox.

If you set up additional discovery mailboxes, it’s likely that you will give them names that are a little less obscure than the default one Exchange creates and should therefore be easier to enter. In this example, assign Full Access permission for a new discovery mailbox to the members of the Discovery Management group with this command:

Add-MailboxPermission -Identity 'CN=Legal Action Discovery Mailbox' -User 'Discovery Management' -AccessRights 'FullAccess'

When you assign permissions to multiple mailboxes or groups, you have to use multiple Add-MailboxPermission commands. After all the permissions are assigned, you can check the permissions on the mailbox as follows. This output shows what you expect. The Discovery Management group is in the list of permissions, and you can see that an account called LegalTeam has been assigned access also. A user who receives Full Access permission can then open the mailbox with Outlook Web App.

Get-Mailbox -Identity 'Legal Action Discovery Mailbox' | Get-MailboxPermission | ? {$_.AccessRights -Like "FullAccess"} |
    Sort-Object Deny | Format-Table User, AccessRights, Deny, IsInherited -AutoSize

User                            AccessRights Deny  IsInherited
----                            ------------ ----  -----------
CONTOSO\Exchange Servers        {FullAccess} False True
CONTOSO\Discovery Management    {FullAccess} False False
CONTOSO\LegalTeam               {FullAccess} False False
CONTOSO\Enterprise Admins       {FullAccess} True  True
CONTOSO\Domain Admins           {FullAccess} True  True
CONTOSO\Organization Management {FullAccess} True  True
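
The Deny and IsInherited columns in this output decide who can really open the mailbox: a row with Deny set to True blocks access, and only the explicit (not inherited) allow rows were put there by an administrator. The following is an added example, not part of the original text, that classifies each row so that unexpected explicit grants stand out. The function name Get-FullAccessReview, the status labels, and the list of expected principals are assumptions; the sample rows are constructed from the output above so that the code runs without an Exchange server.

```powershell
# Added example: classify Get-MailboxPermission rows for a Full Access review.
# Principals you expect to hold Full Access on a discovery mailbox (assumption; adjust as needed).
$ExpectedPrincipals = 'Exchange Servers', 'Exchange Trusted Subsystem', 'Discovery Management'

function Get-FullAccessReview {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Entry,
        [string[]] $Expected = $ExpectedPrincipals
    )
    process {
        # AccessRights is a collection; compare as strings so live and sample objects behave alike.
        $rights = @($Entry.AccessRights | ForEach-Object { "$_" })
        if ($rights -notcontains 'FullAccess') { return }

        # Drop the DOMAIN\ prefix before comparing with the expected names.
        $name = ("$($Entry.User)" -split '\\')[-1]

        if ($Entry.Deny)                   { $status = 'Denied' }
        elseif ($Entry.IsInherited)        { $status = 'Allowed (inherited)' }
        elseif ($Expected -contains $name) { $status = 'Allowed (expected)' }
        else                               { $status = 'Allowed (review)' }

        [pscustomobject]@{ User = "$($Entry.User)"; Status = $status }
    }
}

# Constructed sample rows that mirror the output shown above.
$sample = @(
    [pscustomobject]@{ User = 'CONTOSO\Exchange Servers';        AccessRights = @('FullAccess'); Deny = $false; IsInherited = $true  }
    [pscustomobject]@{ User = 'CONTOSO\Discovery Management';    AccessRights = @('FullAccess'); Deny = $false; IsInherited = $false }
    [pscustomobject]@{ User = 'CONTOSO\LegalTeam';               AccessRights = @('FullAccess'); Deny = $false; IsInherited = $false }
    [pscustomobject]@{ User = 'CONTOSO\Enterprise Admins';       AccessRights = @('FullAccess'); Deny = $true;  IsInherited = $true  }
    [pscustomobject]@{ User = 'CONTOSO\Domain Admins';           AccessRights = @('FullAccess'); Deny = $true;  IsInherited = $true  }
    [pscustomobject]@{ User = 'CONTOSO\Organization Management'; AccessRights = @('FullAccess'); Deny = $true;  IsInherited = $true  }
)

$sample | Get-FullAccessReview | Sort-Object Status | Format-Table -AutoSize

# Against a live mailbox, in the Exchange Management Shell:
# Get-Mailbox -Identity 'Legal Action Discovery Mailbox' | Get-MailboxPermission | Get-FullAccessReview
```

Rows reported as "Allowed (review)" are explicit grants to principals outside the expected list, such as the LegalTeam account here, and are the ones to confirm with the mailbox owner.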

Apart from the need to open and access content in discovery mailboxes, Full Access permission is commonly required in other scenarios such as when several users share a functional mailbox. For example, if you want to allow a group of users to open a mailbox belonging to a help desk so that they can see the problems and other issues reported to the help desk, you need to assign Full Access permission for the help desk mailbox to each user who needs access. Granting access to a group rather than individual user accounts makes this process a lot easier to manage.

What does Full Access really mean?

Full Access permission allows users to access all the content in a mailbox, including the ability to create and save draft messages or add other content to the mailbox. However, Full Access permission does not allow the holder to assume the identity of the mailbox and use it to send messages. If it did, someone could access a shared mailbox and use his permissions to send insulting or otherwise inappropriate messages that could not be traced back to an individual. The term “Full Access” often creates an expectation that you can do everything with a mailbox that its owner can, but the reality is that you need to hold the Send As permission to send messages by using the mailbox’s identity.

Remember that the Information Store caches permissions for mailboxes to improve performance. This means that it could take up to an hour before a permission change to allow Full Access or Send As for a mailbox becomes effective. Unfortunately, there are only two ways around this problem. You can restart the Information Store service to force it to reload its cache, or you can reduce the interval the Store uses to reload its cache. The first solution forces all clients to disconnect and isn’t good to do during the working day; the second imposes an extra performance penalty on the server when it reloads the cache. Although some experienced administrators have reported good results when they reduced the logon cache interval to between 15 and 20 minutes, neither option is particularly attractive. The best idea might be to wait for Exchange to take its own good time to discover the amended permissions before attempting to use them—or, if possible, update permissions at a time such as midnight, when the delay enforced by caching won’t affect users.
