Grant full mailbox access to Domain Admins in Exchange 2010, including all new mailboxes?
I am trying to grant the Domain Admins group full access to all mailboxes in Exchange 2010, including new ones created after this is implemented. Doing some reading, I came up with the following PowerShell command:
Get-MailboxDatabase | Add-ADPermission -User "Domain Admins" -AccessRights ExtendedRight -ExtendedRights Receive-As,Send-As
This didn't work, however. How can I do this?
Thanks!
DISCLAIMER: be careful of legal implications of allowing administrators to access mailbox contents.
The easiest way to accomplish this is to remove the explicit Deny permissions for Send As and Receive As which are assigned to the Domain Admins and Enterprise Admins groups on the main Exchange Organization object in AD, and subsequently get inherited everywhere. These permissions are there exactly to block administrators from accessing mailbox contents, which otherwise they could access freely.
You can modify the permissions for the Organization object using AD Sites and Services (just make sure to show the Services node).
I've continued to use this link ever since our Exchange 2010 deployment: http://msundis.wordpress.com/2011/06/21/manage-full-access-permissions-on-mailboxes-in-exchange-2010/
Specifically:
Get-Mailbox | Where { $_.Database -eq "" } | Add-MailboxPermission -User "Domain Admins" -AccessRights Fullaccess -InheritanceType all
And then this one for send as:
Get-Mailbox | Where { $_.Database -eq "" } | Add-AdPermission -User "Domain Admins" -AccessRights extendedright -ExtendedRights "send as"
Create PS scripts for them and set them as scheduled nightly (or whatever) tasks and it will handle any new mailboxes too.
The whole explicit deny for enterprise admins and domain admins in Exchange causes all kinds of issues like this.
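An added example, not part of either answer above: a read-only check that lists the Send-As / Receive-As entries for the group on the Exchange Organization object, and then the FullAccess and Send-As entries it holds on each mailbox, so you can see what is allowed, denied and inherited before and after making a change. It assumes the Exchange Management Shell on Exchange 2010 and the group name from the question; the variable names are illustrative.

```powershell
# Added example: read-only audit, changes nothing.
$group   = "Domain Admins"        # group name taken from the question
$pattern = "*\" + $group          # matches DOMAIN\Domain Admins

# 1. Entries for the group on the Exchange Organization object.
#    Deny = True marks an explicit Deny entry.
$orgDn = (Get-OrganizationConfig).DistinguishedName
Get-ADPermission -Identity $orgDn |
    Where-Object { $_.User.ToString() -like $pattern -and $_.ExtendedRights } |
    Select-Object User, Deny, IsInherited,
        @{ Name = "ExtendedRights"; Expression = { $_.ExtendedRights -join "," } } |
    Format-Table -AutoSize

$mailboxes = Get-Mailbox -ResultSize Unlimited

# 2. FullAccess entries for the group on each mailbox.
#    IsInherited = False marks an entry set directly on the mailbox.
$mailboxes | Get-MailboxPermission |
    Where-Object {
        $_.User.ToString() -like $pattern -and
        ($_.AccessRights -like "*FullAccess*")
    } |
    Select-Object Identity, User, Deny, IsInherited |
    Format-Table -AutoSize

# 3. Send-As entries for the group on each mailbox's AD object.
$mailboxes | Get-ADPermission |
    Where-Object {
        $_.User.ToString() -like $pattern -and
        ($_.ExtendedRights -like "*Send-As*")
    } |
    Select-Object Identity, User, Deny, IsInherited |
    Format-Table -AutoSize
```

Saving the three tables before a change and comparing them afterwards gives a record of exactly which administrative access was added.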