| Have your Exchange server installed, maintained or upgraded by Amset IT Solutions. Exchange 2000, 2003, 2003 SBS, 2007 More Information (UK only) |
Broadband - Exchange
Login Scripts - Net Admin
Outlook - Windows Mobile
Windows
Exchange and a
Dynamic IP Address
Global Mailbox Folder
Permissions from Server
Internal Email Address
for External People
Options when a Staff Member
Leaves
Prerequisites for Exchange
System Tools
Switching From POP3
to SMTP Delivery
| ||||||||||||
Author: Simon Butler, Exchange MVP, MCSE
Last Page Review: 02/05/2007
Sometimes it is necessary to make changes to a wide number of mailboxes, or grant an account access to the entire mailbox store. However with Exchange 200x administrators are explicitly denied access, so granting access via one of the administration type groups doesn't always work.
You may also have concerns over auditing of the access to ensure that the access isn't abused.
Therefore it is a good idea to have a special account that has its permissions locked down that is used for mass mailbox access.
Typical uses of an account of this type include:
- Application or service (Blackberry for example)
- EXMERGE
- Mass mailbox manipulation (using set perm / admodify - details)
The account should be created with just the permissions it needs so that the deny permission on high level accounts doesn't cause a problem.
This is NOT a service account, or a way to grant yourself access to all mailboxes. An Exchange administrator does not require access to all mailboxes by default to do their job.
Account Creation
- Create the account in the usual way, using ADUC on the Exchange server. Be sure to set up the account with a strong password and a mailbox.
- Do not add the user to any groups. This will ensure that there are no problems with inherited deny permissions.
This includes (but not limited to) Administrators and Domain Admins. The account should only be a member of Domain Users. - Open Exchange System Manager. At the top of the tree, right click and choose Delegate Control. Run through the wizard and grant the account Exchange View Only permission.
- Download and use admodify.net to grant the "Full Mailbox Access" permission. Do not grant any other permission to the account.
Workstation Setup
If you are doing an import/export for data using exmerge, then you need to setup a workstation. This makes it easier to run exmerge than trying to deal with permissions on the server itself.
- Add the special account created above account to the local administrator group - not domain admin or any group on the domain.
- Install Exchange Management Tools (requirements listed here) and Outlook.
- Configure Outlook to use the account.
- Download exmerge from Microsoft.com and extract the contents of the zip file in to C:\Program Files\Exchsrvr\bin
You should now be able to run exmerge correctly from this workstation without any permission errors.
If you have forgotten a stage and haven't set the permissions correctly, remember that Exchange will cache permissions, so do not expect a change in permission to take effect immediately. The best practise is to presume that you have NOT got the permission and check before attempting the task. Then if you need to change the permission it will be available immediately because Exchange hasn't read the invalid permissions and cached them.
02/05/2007
Back to the Top
Contact Us - Advertise on amset.info
Exchange Index - Home Page
Broadband - Exchange - Login Scripts - Network Admin - Outlook - Windows Mobile - Windows
© Amset IT Solutions Ltd. 1998 - 2008. All rights reserved. Reproduction of any content on this web site is prohibited without express written consent. Use of this web site is subject to our terms and conditions. All trademarks and registered trademarks are property of their respective owners. This site is not endorsed or recommended by any company or organisation mentioned on this site. This site is to provide guidance only and as such we cannot be held responsible for any consequences of following the advice given.