Microsoft Exchange Server Page Last Reviewed: 15/02/2009
Exchange Server Compatibility Information

Exchange Server Version    Applies
5.5                        No
2000                       Yes
2003                       Yes
2007                       Yes
Mailbox Management and Access Account
Author: Simon Butler, Exchange MVP, MCSE

Sometimes it is necessary to make changes to a large number of mailboxes, or to grant an account access to every mailbox in the store. However, in Exchange 2000 and 2003 the built-in administrative groups (Domain Admins, Enterprise Admins and the groups created by the Delegate Control wizard) carry an explicit Deny on the Receive As and Send As rights at the organisation level, and an explicit Deny always wins over an Allow. Granting access by adding an account to one of the administration groups therefore does not work reliably.
You may also want the access to be auditable, so that you can show it is not being abused: a single, clearly named account that does nothing else is much easier to track in the logs than an administrator's everyday account.
It is therefore a good idea to have a dedicated account, with its permissions locked down to exactly what it needs, that is used only for mass mailbox access.
Typical uses of an account of this type include:
- An application or service that needs to open many mailboxes (BlackBerry Enterprise Server, for example)
- ExMerge (Exchange 2000/2003) or Import-Mailbox (Exchange 2007)
- Mass mailbox manipulation (using setperm or ADModify)
The account should be created with just the permissions it needs, and kept out of every administrative group, so that the inherited Deny on the high-level groups never applies to it.
This is NOT a general-purpose service account, and it is not a way to grant yourself access to all mailboxes. An Exchange administrator does not need access to the contents of every mailbox to do their job, and should not have it by default.
Account Creation
- Create the account in the usual way, using Active Directory Users and Computers on the Exchange server (Exchange 2000/2003) or the Exchange Management Console (Exchange 2007). Give the account a strong password and a mailbox.
- Do not add the account to any groups. This ensures that no Deny permission is inherited from a group. That includes (but is not limited to) Administrators, Domain Admins and Enterprise Admins. The account should be a member of Domain Users only.
- In Exchange 2000/2003, open Exchange System Manager, right click the organisation at the top of the tree and choose Delegate Control. Run through the wizard and grant the account the Exchange View Only Administrator role.
In Exchange 2007, open the Exchange Management Console and expand Organization Configuration. Right click Organization Configuration, choose Add Exchange Administrator, and run through the wizard to grant the account the Exchange View-Only Administrator role.
- Download ADModify.NET and use it to grant the account the "Full Mailbox Access" right on the mailboxes. Do not grant the account any other permission.
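The Exchange 2007 version of the procedure above can be done entirely from the Exchange Management Shell. The script below is an added example and is not part of the original page; the account name MbxAccess, the domain example.local, the organisational unit and the database path are assumptions that must be changed to match your organisation. It creates the account with a mailbox, refuses to continue if the account has been put in any group, delegates the View-Only Administrator role, grants Full Access on every existing mailbox and then checks that the grant is visible on each one.

```powershell
# Added example (not from the original page): create the mailbox access account
# on Exchange 2007 from the Exchange Management Shell.
# Assumed names: account 'MbxAccess', domain 'example.local',
# OU 'example.local/Service Mailboxes', database 'SRV1\First Storage Group\Mailbox Database'.

$acct = 'MbxAccess'
$upn  = "$acct@example.local"
$ou   = 'example.local/Service Mailboxes'
$db   = 'SRV1\First Storage Group\Mailbox Database'

# Strong password, read as a SecureString so it does not end up in the shell history.
$password = Read-Host -Prompt "Password for $acct" -AsSecureString

# 1. Create the AD user and its mailbox in one step.
New-Mailbox -Name $acct -Alias $acct -UserPrincipalName $upn `
    -OrganizationalUnit $ou -Database $db -Password $password `
    -ResetPasswordOnNextLogon $false | Out-Null

# 2. Confirm the account is in no group other than its primary group.
#    memberOf never lists the primary group (Domain Users), so empty is the goal.
$dn     = (Get-User -Identity $acct).DistinguishedName
$groups = @(([ADSI]"LDAP://$dn").memberOf)
if ($groups.Count -gt 0) {
    throw "$acct is a member of: " + [string]::Join('; ', $groups) + " - remove it from these groups first"
}

# 3. Exchange View-Only Administrator, the same role the EMC wizard assigns.
Add-ExchangeAdministrator -Identity $acct -Role ViewOnlyAdmin | Out-Null

# 4. Full Access on every existing mailbox except its own, and nothing else.
Get-Mailbox -ResultSize Unlimited | Where-Object { $_.Alias -ne $acct } |
    Add-MailboxPermission -User $acct -AccessRights FullAccess -InheritanceType All | Out-Null

# 5. Verify: each mailbox should show an Allow entry carrying FullAccess for the
#    account and no Deny entry (a Deny inherited from a group beats the Allow).
$missing = @()
Get-Mailbox -ResultSize Unlimited | Where-Object { $_.Alias -ne $acct } | ForEach-Object {
    $aces  = @(Get-MailboxPermission -Identity $_.Identity -User $acct)
    $allow = @($aces | Where-Object { -not $_.Deny -and "$($_.AccessRights)" -match 'FullAccess' })
    $deny  = @($aces | Where-Object { $_.Deny })
    if ($allow.Count -eq 0 -or $deny.Count -gt 0) { $missing += $_.Alias }
}
if ($missing.Count -gt 0) {
    "Full Access NOT effective on: " + [string]::Join(', ', $missing)
} else {
    "Full Access confirmed on all mailboxes for $acct"
}
```

Step 4 only covers mailboxes that exist when the script runs; mailboxes created later will not carry the grant, so either re-run that step after creating mailboxes or accept that the account will need a further grant each time. The check in step 5 is the part worth keeping: it is exactly the "check before attempting the task" that the permission cache makes necessary.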
Workstation Setup
If you are importing or exporting data with ExMerge or Import-Mailbox, set up a dedicated workstation for the job. Running ExMerge from a workstation is much easier than working around the permissions on the server itself.
- Add the special account created above to the workstation's local Administrators group. Do not add it to Domain Admins or to any other group in the domain.
- Install the Exchange Management Tools (see the Exchange 2003 and Exchange 2007 prerequisites pages) and Outlook.
- Configure Outlook with a profile for the account.
- For Exchange 2003, download ExMerge from Microsoft.com and extract the contents of the zip file into C:\Program Files\Exchsrvr\bin.
For Exchange 2007, the Exchange Management Shell provides the Import-Mailbox cmdlet (Exchange 2007 SP1 or later); it needs the 32-bit management tools and Outlook installed on the workstation it runs from.
You should now be able to run ExMerge or Import-Mailbox from this workstation without permission errors.
If you have missed a stage and the permissions are not set correctly, remember that Exchange caches permissions, so do not expect a change to take effect immediately. The best practise is to presume that you have NOT got the permission and to check before attempting the task. If the check shows a permission is missing, correct it and it will be available straight away, because the store has not yet looked up the wrong permissions and cached them. If an attempt has already failed, the only way to make a correction take effect immediately is to restart the System Attendant service on the mailbox server, which restarts the Information Store (and so takes every mailbox on the server offline) as well.
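The "check before attempting the task" advice above, applied to an Exchange 2007 import, as an added example that is not part of the original page. The access account MbxAccess, the target mailbox jsmith and the PST path are assumptions. The script refuses to touch the mailbox until an Allow entry carrying FullAccess, and no Deny entry, is visible for the account; if the right is missing it is granted first, and the System Attendant restart is left as a comment for the case where an earlier attempt has already failed and been cached.

```powershell
# Added example (not from the original page): pre-flight permission check before
# Import-Mailbox on Exchange 2007 SP1. Run from the Exchange Management Shell on
# the workstation, logged on as the access account.
# Assumed names: access account 'MbxAccess', mailbox 'jsmith', PST 'C:\PST\jsmith.pst'.

$acct   = 'MbxAccess'
$target = 'jsmith'
$pst    = 'C:\PST\jsmith.pst'

function Test-FullAccess([string]$Mailbox, [string]$User) {
    # True only when an Allow entry with FullAccess exists for the user and there is
    # no Deny entry for the same user: a Deny inherited from Domain Admins or an
    # Exchange administrator group overrides the Allow, so both conditions matter.
    $aces  = @(Get-MailboxPermission -Identity $Mailbox -User $User)
    $allow = @($aces | Where-Object { -not $_.Deny -and "$($_.AccessRights)" -match 'FullAccess' })
    $deny  = @($aces | Where-Object { $_.Deny })
    return ($allow.Count -gt 0 -and $deny.Count -eq 0)
}

if (-not (Test-FullAccess $target $acct)) {
    # Grant the right now, before anything has tried to open the mailbox and
    # caused the store to cache the old ACL.
    Add-MailboxPermission -Identity $target -User $acct `
        -AccessRights FullAccess -InheritanceType All | Out-Null

    # If a previous import attempt has ALREADY failed against this mailbox, the store
    # has cached the old permissions. On the mailbox server, in a maintenance window:
    #     Restart-Service -Name MSExchangeSA -Force
    # -Force restarts the dependent Information Store service as well.

    if (-not (Test-FullAccess $target $acct)) {
        throw "Full Access on $target is still not effective for $acct; check for a Deny entry inherited from a group"
    }
}

# Permission confirmed: run the import without the interactive confirmation prompt.
Import-Mailbox -Identity $target -PSTFolderPath $pst -Confirm:$false
```

Test-FullAccess is the reusable part: wrap any ExMerge-style bulk job in it (one call per mailbox) and the job stops at the first mailbox the account cannot open, rather than half-way through with a cached failure that needs a store restart to clear.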