Sometimes, admins need access to user mailboxes. This may be for HR to investigate issues, or simply to add an out-of-office reply for a user who forgot to do so themselves. When a mailbox is created, no account other than the user themselves has full access to it. By default, all admin groups have full access with a deny at the organisation level in Active Directory, and so any account that is a member of those groups will be unable to access the mailbox.

The first way you can do this is simply to give user accounts access to the mailboxes. However, it’s best practice to run an admin account model whereby each admin has a regular user account and a separate admin account for tasks that require elevated permissions. For this reason, we wouldn’t recommend granting the permissions to regular user accounts.

The second way you can achieve this is by lifting the deny permissions at the organisation level. Although this would give all admin accounts access to all mailboxes, it lifts the deny on absolutely everything at once. It’s always better to explicitly grant what you want people to have access to, rather than to carve out what you don’t want them to have access to. For this reason, we recommend against this method as well.

The best way to go about giving all admin accounts permissions to all mailboxes is to apply them to each mailbox directly. By applying them directly, the permissions become non-inherited and so they take precedence over the deny permissions that are being inherited from the organisation. In an ideal world, we’d like to be able to apply mailbox permissions on a database level, which would mean that the permissions are inherited for whenever a new mailbox is created. However, since they are inherited the deny permissions will still take priority. Unfortunately, this is the only way to do this cleanly in Exchange 2013 and 2016.

To give specific admin accounts full access to all mailboxes, run the below script, adding your own users into the $admingroup array near the top of the script.

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn

# Admin accounts that should receive FullAccess on every mailbox
$admingroup = "domain\user1","domain\user2","domain\user3"

$mailboxes = Get-Mailbox -ResultSize Unlimited

foreach ($mailbox in $mailboxes) {
    foreach ($admin in $admingroup) {
        # Applied directly to the mailbox, so the grant is non-inherited and wins over the inherited organisation-level deny
        Add-MailboxPermission -Identity $mailbox -User $admin -AccessRights FullAccess -InheritanceType All -AutoMapping $false
    }
}

NOTE: Unfortunately, you are unable to put groups in here.

If you want the admin accounts to be able to send as each mailbox, then you need to add the below code into the foreach.

Add-ADPermission -Identity $mailbox -User $admin -AccessRights ExtendedRight -ExtendedRights "Send As"

Also, if you want the admin accounts to be able to send on behalf of each mailbox, then you need to add the below line of code into the foreach as well.

# Use @{Add=...} so each admin is appended; passing $admin on its own would overwrite the list on every pass of the loop, leaving only the last admin
Set-Mailbox -Identity $mailbox -GrantSendOnBehalfTo @{Add=$admin}

This script can be re-run manually or set on a scheduled task to add the permissions on a regular basis to factor in all new mailboxes.
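For the scheduled-task approach, an idempotent variant is easier to audit: it adds the explicit FullAccess grant only where it is missing and records what changed on each run. This is an added example, not the original script; the admin account names and the CSV path are assumptions to replace with your own.

```powershell
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn -ErrorAction SilentlyContinue

# Hypothetical admin accounts and output path; replace with your own values
$admingroup = 'domain\admin1', 'domain\admin2'
$reportPath = 'C:\Logs\MailboxPermissions.csv'

function Add-MissingFullAccess {
    param(
        [Parameter(Mandatory)] $Mailbox,
        [Parameter(Mandatory)] [string] $Admin
    )
    # Only an explicit (non-inherited) allow counts; the inherited org-level deny
    # shows up for the same user and must be ignored here
    $existing = Get-MailboxPermission -Identity $Mailbox.Identity -User $Admin -ErrorAction SilentlyContinue |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and $_.AccessRights -contains 'FullAccess' }
    if ($existing) { return 'AlreadyPresent' }

    Add-MailboxPermission -Identity $Mailbox.Identity -User $Admin -AccessRights FullAccess `
        -InheritanceType All -AutoMapping $false | Out-Null
    return 'Added'
}

$results = foreach ($mailbox in Get-Mailbox -ResultSize Unlimited) {
    foreach ($admin in $admingroup) {
        try {
            $status = Add-MissingFullAccess -Mailbox $mailbox -Admin $admin
        } catch {
            $status = "Failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Timestamp = Get-Date -Format s
            Mailbox   = $mailbox.PrimarySmtpAddress
            Admin     = $admin
            Status    = $status
        }
    }
}

# Append this run's results so the change history survives between scheduled runs,
# then print a per-status summary so new mailboxes and failures are visible at a glance
$results | Export-Csv -Path $reportPath -NoTypeInformation -Append
$results | Group-Object Status | Select-Object Name, Count
```

Because the function skips mailboxes that already carry the explicit grant, the run only writes to newly created mailboxes and the CSV gives you a record of exactly which admin gained access to which mailbox and when.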

Hope this helps anyone struggling with Exchange permissions!
