There are many situations in which permissions to another user’s mailbox should be granted on Exchange Server. Sometimes it is for monitoring purposes, sometimes in order to send emails on behalf of someone else. Full access permissions give the highest level of access to a mailbox, and are necessary, for example, during a migration process. If you want to learn how to set full access permissions on Exchange 2007, Exchange 2010, Exchange 2013, Exchange 2016 or Exchange 2019 – you have come to the right place.
If you want to learn more about how to perform an Exchange server to Office 365 migration using native means, check this article.
In order to set those permissions for an account, you need to use an account which is a part of Organization Management group.
To do that with PowerShell, use this cmdlet:
Get-RoleGroup "Organization Management" | select membersIn case the given account is not a part of Organization Management group, the administrator needs to change that using this cmdlet:
Add-RoleGroupMember "Organization Management" -Member "<account name>"<account name> should stand for the name of the desired user.
The next step is granting full access permissions to mailboxes:
Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox') -and (Alias -ne 'Admin')} | Add-MailboxPermission -User [email protected] -AccessRights fullaccess -InheritanceType all -AutoMapping:$falseThis will grant full access rights to all users for the account “[email protected]”. The last parameter, “‑AutoMapping:$false” is not necessary, but is worth considering. It enables you to turn the Auto-mapping feature off. By default, if you do not include the parameter at all, it is set to $true. If it is not deactivated, admin’s Outlook will try to open all mailboxes in the company. This is rarely desirable and in case there are a lot of mailboxes, performance issues are to be expected. What is more, in many scenarios, users have experienced that removing Auto-mapping later on might prove to be problematic. Remember that if you do not include
Alternative to PowerShell
Similar effect can be acquired by using Exchange Management Console (EMC). This is, however, not recommended, as auto-mapping cannot be switched off using EMC. What is more, in Exchange 2010 and newer versions, Exchange Control Panel (ECP – the descendant of EMC) cannot be used to manage mailbox permissions.
Therefore, it is recommended to use PowerShell throughout the whole process of granting full access to users’ mailboxes. This way, it is easier to avoid unnecessary problems and switches from one administrative tool to another.
Software tip
If you need any help with administration of your Exchange server or Office 365 tenant, check how CodeTwo can help you on this site. For example, we offer a helping hand if you want to migrate mailboxes to more recent version of Exchange server or Office 365 easily, or want to unify email signatures throughout your organization. There are also many useful freeware tools, so be sure to check them, too.
Great script and I’ve used it in the past – however my query is now “post migration” – how do you mass remove that permission from all mailboxes?
Thanks.
Hi Chris,
The easiest way would be to change Add-MailboxPermission to Remove-MailboxPermission, and remove
-automapping $falsewhich should revert the change. After running this script, you can check the state of permissions with the Get-MailboxPermission cmdlet.The Get-RoleGroup and Add-RoleGroupMember have been ran and ran successfully. I’m confused a little bit on the last larger query. Could you not just run the Add-MailboxPermission side by itself? Is the filtering needed at that point? Maybe I’m thinking about it incorrectly.
Hi Adrian,
You could run only the Add-MailboxPermission part, but then, you are missing the crucial piece of info – whose mailboxes are you giving full access to? The first part defines that and pipelines the result to the Add-MailboxPermission cmdlet.
Hello,
Virtually all google results for “how to add full rights” to an O365 account refer to “add-mailboxPermission” as the cmdlet to execute. However, in our instance of O365, while connected via a global admin account, the only cmdlet is “Add-MailboxFolderPremission”. I have to assume I’m doing something wrong because of the complete absence of any related info turning up searching the web for details. Any advice based on this observation?
Hello Terry,
Do you mean that when you run Get-Command, you do not see the Add-MailboxPermission? Have you tried running the script, nonetheless? If yes, what is the error text you get?
Please make sure you have connected to the Office 365 successfully and with no errors (How to start remote PowerShell session to Office 365). You can also run the Get-PSSnapin cmdlet and check whether Microsoft.Exchange.Management.PowerShell.SnapIn is included.
i want to grant a user full access to all conference rooms in a particular location using just one script using powershell, i need help with the script.
You can use the exact same script I have used above, only changing the first part (Get-Mailbox) so that it only lists Conference rooms. You can use the following filter:
get-mailbox -resultsize unlimited -filter {RecipientTypeDetails -eq 'RoomMailbox'}The rest of the script (Add-MailboxPermission) you can leave without any changes.