Assigning Full Access to Service Accounts for On-Premises Exchange Servers
Applies to: Exchange 2007 or later, Journal Mailbox
This procedure assigns full access to service accounts.
Disclaimer: This procedure is performed using the Microsoft ADSI Edit snap-in. The snap-in is subject to change without notice. Consult the Microsoft documentation before you perform this procedure.
Before You Begin
- The service account must be a member of:
  - The Local Administrator Group on the access node servers.
  - The Organization Management group (Exchange 2010 or later) or the Exchange Organization Administrators group (Exchange 2007).
- The service account must have local logon rights. Make sure that the local logon rights are not overridden by any group policies.
- From the ADSIEDIT snap-in, connect to the domain controller.
- In Connection Settings, click Select a well known Naming Context and select Configuration from the list.
- Expand Services > Microsoft Exchange.
- Right-click the appropriate organization name, and then click Properties.
The Properties dialog box appears.
- Click the Security tab.
- Under Permissions, verify that all the permissions for the Organization Management group (Exchange 2010 or later) or the Organization Administrators group (Exchange 2007) are set to Allow.
Tip: Selecting the Allow check box for Full Control selects Allow for all the permissions. The Deny check box must be cleared for every permission.
- Click OK, and then wait for replication.
- To grant Receive As permissions to the service account, open Exchange Management Shell (Exchange PowerShell), and then type the following cmdlet:
Get-MailboxDatabase | Add-ADPermission -user "<service account>" -ExtendedRights Receive-As
You must include the Receive As permissions to protect archive mailboxes.
- Repeat this procedure for each service account for every Exchange server that you want to protect.
- If archive jobs are failing for the existing service account, you must remove the service account from the Organization Management group and then run the script against the service account.
- If the above solution does not work, you must create a new service account and run the script against the new service account without adding it to the Organization Management group.
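The following script is an added example, not part of the original procedure: it audits whether a service account holds Receive-As on every mailbox database and reports any Deny entries (which the steps above require to be cleared), optionally granting the right with the same cmdlet the procedure uses. It assumes the Exchange Management Shell is loaded; the account value and the -Grant switch are placeholders chosen for this example.

```powershell
# Added example (not the original page's script): audit Receive-As for one service
# account across all mailbox databases and flag Deny entries. Run in the
# Exchange Management Shell. $ServiceAccount and -Grant are this example's own names.
param(
    [Parameter(Mandatory = $true)]
    [string]$ServiceAccount,      # placeholder, e.g. "CONTOSO\svc-exchange-backup"
    [switch]$Grant                # read-only audit unless explicitly asked to grant
)

$report = foreach ($db in Get-MailboxDatabase) {
    # Every ACE on this database object that names the service account
    $aces = @($db | Get-ADPermission -User $ServiceAccount -ErrorAction SilentlyContinue)

    # ExtendedRights holds objects, so compare by their string form
    $allowReceiveAs = @($aces | Where-Object {
        -not $_.Deny -and (@($_.ExtendedRights | ForEach-Object { "$_" }) -contains 'Receive-As')
    })
    # Any Deny ACE on the account breaks the procedure's requirement
    $denyEntries = @($aces | Where-Object { $_.Deny })

    $granted = $false
    if ($Grant -and $allowReceiveAs.Count -eq 0) {
        # Same cmdlet as the procedure, scoped to the one database that lacks the right
        $db | Add-ADPermission -User $ServiceAccount -ExtendedRights 'Receive-As' | Out-Null
        $granted = $true
    }

    [pscustomobject]@{
        Database    = $db.Name
        ReceiveAs   = ($allowReceiveAs.Count -gt 0 -or $granted)
        DenyEntries = $denyEntries.Count   # must be 0
    }
}

$report | Format-Table -AutoSize

# Non-zero exit code lets a scheduled protection job fail fast on a misconfigured account
if ($report | Where-Object { -not $_.ReceiveAs -or $_.DenyEntries -gt 0 }) { exit 1 }
```

Run it without -Grant first to see which databases are missing the right or carry Deny entries; after a grant, allow for Active Directory replication before re-running the audit.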
What to Do Next
Last modified: 6/19/2020 3:10:37 AM