Applies to: Exchange 2007 or later, Journal Mailbox
This procedure assigns full access to service accounts.
Note
Disclaimer: This procedure is performed using the Microsoft ADSI Edit snap-in. The snap-in is subject to change without notice. Consult the Microsoft documentation before you perform this procedure.
Before You Begin
- The service account must be a member of:
  - The local Administrators group on the access node servers.
  - The Organization Management group (Exchange 2010 or later) or the Exchange Organization Administrators group (Exchange 2007).
- The service account must have local logon rights. Make sure that the local logon rights are not overridden by any group policies.
Procedure
- From the ADSI Edit snap-in, connect to the domain controller.
- In Connection Settings, click Select a well known Naming Context and select Configuration from the list.
- Expand Services > Microsoft Exchange.
- Right-click the appropriate organization name, and then click Properties.
  The Properties dialog box appears.
- Click the Security tab.
- Under Permissions, verify that all the permissions for the Organization Management group (Exchange 2010 or later) or the Organization Administrators group (Exchange 2007) are set to Allow.
  Tip
  Selecting the Allow check box for Full Control selects Allow for all the permissions. The Deny check box must be cleared for every permission, because a Deny entry overrides a matching Allow.
- Click OK, and then wait for Active Directory replication to complete.
- To grant the Receive As permission to the service account, open the Exchange Management Shell (Exchange PowerShell), and then run the following cmdlet:
  Get-MailboxDatabase | Add-ADPermission -User "<service account>" -ExtendedRights Receive-As
  You must include the Receive As permission to protect archive mailboxes.
- Repeat this procedure for each service account on every Exchange server that you want to protect.
Note
- If mailbox backup jobs are failing because of recent Microsoft security patching, see Description of the security update for Microsoft Exchange Server 2019 and 2016: February 11, 2020.
- If archive jobs are failing for the existing service account, you must remove the service account from the Organization Management group and then run the script below against the service account.
- If that does not resolve the failures, you must create a new service account and run the script below against the new account without adding it to the Organization Management group. Copy the script into Notepad, save it as a .ps1 file (for example, FileName.ps1), and then run it from the Exchange Management Shell, for example: .\FileName.ps1 -ServiceAccount "ServiceAccountMailboxName".
param(
    # Name of the service account (mailbox name, alias, or DOMAIN\user) to grant rights to.
    [Parameter(Mandatory = $true)]
    [string] $ServiceAccount
)
# The rights are added to the Exchange organization object with -InheritanceType All,
# so they flow down to every mailbox database without touching the databases directly.
$orgnDetails = Get-OrganizationConfig
$distgName   = $orgnDetails.DistinguishedName
# Each call adds one extended right; -ErrorAction Continue keeps the script running
# if a right is already present so the remaining rights are still applied.
Add-ADPermission -Identity $distgName -User $ServiceAccount -AccessRights ReadProperty, GenericExecute -ExtendedRights "Receive-As" -InheritanceType All -ErrorAction Continue
Add-ADPermission -Identity $distgName -User $ServiceAccount -AccessRights ReadProperty, GenericExecute -ExtendedRights "View Information Store Status" -InheritanceType All -ErrorAction Continue
Add-ADPermission -Identity $distgName -User $ServiceAccount -AccessRights ReadProperty, GenericExecute -ExtendedRights "ms-Exch-Store-Create-Named-Properties" -InheritanceType All -ErrorAction Continue
Add-ADPermission -Identity $distgName -User $ServiceAccount -AccessRights ReadProperty, GenericExecute -ExtendedRights "ms-Exch-Store-Admin" -InheritanceType All -ErrorAction Continue
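The following verification script is an added example and is not part of the original procedure or of the product's own scripts. It audits what the Receive As step and the script above are supposed to leave behind: the four extended rights on the organization object, the absence of Deny entries, and an effective Receive-As right on every mailbox database. It assumes it runs inside the Exchange Management Shell, that the account is passed as DOMAIN\sAMAccountName (the form Get-ADPermission reports in its User column), and the script name Test-ServiceAccountRights.ps1 is hypothetical.

```powershell
# Added verification example; not part of the original procedure.
# Assumptions: runs inside the Exchange Management Shell; -ServiceAccount is given as
# DOMAIN\sAMAccountName. Usage: .\Test-ServiceAccountRights.ps1 -ServiceAccount "CONTOSO\svc-exchbackup"
param(
    [Parameter(Mandatory = $true)]
    [string] $ServiceAccount
)

# Extended rights the procedure grants on the Exchange organization object.
$requiredOrgRights = @(
    "Receive-As",
    "View Information Store Status",
    "ms-Exch-Store-Create-Named-Properties",
    "ms-Exch-Store-Admin"
)

# Flatten the ACEs on one object into the extended-right names that are allowed and
# the names that are explicitly denied. A Deny ACE overrides any matching Allow ACE,
# which is why the Tip in the procedure insists that every Deny box is cleared.
function Get-ExtendedRightSets {
    param([string] $Identity, [string] $User)
    $allow = @(); $deny = @()
    foreach ($ace in Get-ADPermission -Identity $Identity -User $User) {
        $names = @($ace.ExtendedRights | ForEach-Object { "$_" })
        if ($ace.Deny) { $deny += $names } else { $allow += $names }
    }
    [pscustomobject]@{
        Allow = $allow | Sort-Object -Unique
        Deny  = $deny  | Sort-Object -Unique
    }
}

# 1. Organization object: every required right must be allowed and none denied.
$orgDn   = (Get-OrganizationConfig).DistinguishedName
$orgSets = Get-ExtendedRightSets -Identity $orgDn -User $ServiceAccount
$missing = $requiredOrgRights | Where-Object { $orgSets.Allow -notcontains $_ -or $orgSets.Deny -contains $_ }

if ($missing) {
    Write-Warning ("Organization object is missing or denies: " + ($missing -join ", "))
} else {
    Write-Host "Organization object: all required extended rights are allowed."
}

# 2. Mailbox databases: Receive-As must be effective on each one, either granted
#    directly (the Get-MailboxDatabase | Add-ADPermission step) or inherited from
#    the organization object (the script with -InheritanceType All).
$dbReport = foreach ($db in Get-MailboxDatabase) {
    $sets = Get-ExtendedRightSets -Identity $db.DistinguishedName -User $ServiceAccount
    [pscustomobject]@{
        Database  = $db.Name
        ReceiveAs = ($sets.Allow -contains "Receive-As") -and ($sets.Deny -notcontains "Receive-As")
        DenyAces  = ($sets.Deny -join ", ")
    }
}
$dbReport | Format-Table -AutoSize

# A database without an effective Receive-As right is where archive and backup jobs fail.
$dbReport | Where-Object { -not $_.ReceiveAs } |
    ForEach-Object { Write-Warning "Receive-As is not effective on database '$($_.Database)'." }
```

Run it after replication has completed, because a right added on the organization object is not visible on the databases until the change has replicated to the domain controller the shell is talking to. Inherited ACEs are included deliberately: Get-ADPermission returns them with Inherited set to True, and they are what makes the organization-level script sufficient on its own.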