Assigning Permissions to Online Service Accounts
Applies to: Exchange 2007 or later, User Mailbox
This procedure assigns full access to service accounts.
Disclaimer: This procedure is performed using the Microsoft ADSI Edit snap-in. The snap-in is subject to change without notice. Consult the Microsoft documentation before you perform this procedure.
Before You Begin
- The service account must be a member of:
  - The Local Administrator Group on the access node servers.
  - The Organization Management group (Exchange 2010 or later) or the Exchange Organization Administrators group (Exchange 2007).
- The service account must have local logon rights. Make sure that the local logon rights are not overridden by any group policies.
- The service account must have a mailbox.
- For public folders, the service account should have owner permission at the root level (all public folders).
- For public folder backup and restore, the service account must have impersonation and view-only permissions.
- From the ADSI Edit snap-in, connect to the domain controller.
- In Connection Settings, click Select a well known Naming Context and select Configuration from the list.
- Expand Services > Microsoft Exchange.
- Right-click the appropriate organization name, and then click Properties.
The Properties dialog box appears.
- Click the Security tab.
- Under Permissions, verify that all the permissions for the Organization Management group (Exchange 2010 or later) or the Organization Administrators group (Exchange 2007) are set to Allow.
Tip: Selecting the Allow for Full Control check box selects Allow for all the permissions. The Deny check box for all permissions must be cleared.
- Click OK, and then wait for replication.
- To grant Receive As permissions to the service account, open Exchange Management Shell (Exchange PowerShell), and then type the following cmdlet:
Get-MailboxDatabase | Add-ADPermission -user "<service account>" -ExtendedRights Receive-As
You must include the Receive As permissions to protect archive mailboxes.
- Repeat this procedure for each service account for every Exchange server that you want to protect.
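A check to run after the Receive-As grant has replicated, given as an added example that is not part of the original procedure or the vendor's own code: it confirms the grant on every mailbox database, flags Deny entries, and lists other accounts that hold the same right so they can be reviewed. The account name `CONTOSO\svc-exchbackup` is a hypothetical placeholder, and the script assumes Exchange Management Shell on PowerShell 2.0 or later.

```powershell
# Added example. Run in Exchange Management Shell.
$ServiceAccount = 'CONTOSO\svc-exchbackup'   # hypothetical; replace with your service account

$report = foreach ($db in Get-MailboxDatabase) {
    # Every ACE on this database object that carries the Receive-As extended right
    $aces = @(Get-ADPermission -Identity $db.DistinguishedName |
        Where-Object { $_.ExtendedRights -like 'Receive-As' })

    # ACEs that name the service account, split into Allow and Deny
    $mine  = @($aces | Where-Object { [string]$_.User -eq $ServiceAccount })
    $allow = @($mine | Where-Object { -not $_.Deny })
    $deny  = @($mine | Where-Object { $_.Deny })

    # Other principals with a directly assigned Allow: candidates for access review
    $others = @($aces | Where-Object {
        ([string]$_.User -ne $ServiceAccount) -and (-not $_.Deny) -and (-not $_.IsInherited)
    } | ForEach-Object { [string]$_.User } | Sort-Object -Unique)

    New-Object PSObject -Property @{
        Database     = $db.Name
        Granted      = ($allow.Count -gt 0)
        DenyPresent  = ($deny.Count -gt 0)    # a Deny entry can block the Allow
        OtherHolders = ($others -join '; ')
    }
}

# Full picture, one row per mailbox database
$report | Select-Object Database, Granted, DenyPresent, OtherHolders | Format-Table -AutoSize

# Databases where the grant is missing or a Deny entry is present
$report | Where-Object { (-not $_.Granted) -or $_.DenyPresent } |
    Select-Object Database, Granted, DenyPresent
```

Receive-As on a mailbox database lets the holder open every mailbox in that database, so the OtherHolders column is worth reviewing each time this procedure is repeated.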
What to Do Next
Last modified: 12/1/2020 4:26:35 PM