Assigning Full Access to Service Accounts for On-Premises Exchange Servers
Applies to: Exchange 2007 and more recent versions (User Mailbox)
This procedure assigns full access to service accounts by using the Microsoft ADSI Edit snap-in. The snap-in is subject to change without notice. Consult the Microsoft documentation before you perform this procedure.
Before You Begin
- The service account must be a member of:
  - The local Administrators group on the access node servers.
  - The Organization Management role group (Exchange 2010 or later) or the Exchange Organization Administrators group (Exchange 2007).
- The service account must have the right to log on locally. Make sure that this right is not overridden by a Group Policy Object applied to the server.
- The service account must have a mailbox.
- For public folders, the service account must have Owner permission on the root of the public folder hierarchy, so that the permission applies to all public folders.
- For public folder backup and restore, the service account must also have application impersonation and View-Only permissions.
- From the ADSIEDIT snap-in, connect to the domain controller.
- In Connection Settings, click Select a well known Naming Context and select Configuration from the list.
- Expand Services > Microsoft Exchange.
- Right-click the appropriate organization name, and then click Properties.
The Properties dialog box appears.
- Click the Security tab.
- Under Permissions, verify that all the permissions for the Organization Management role group (Exchange 2010 or later) or the Exchange Organization Administrators group (Exchange 2007) are set to Allow.
Tip: Selecting the Allow check box for Full Control selects Allow for all the permissions. The Deny check box must be cleared for every permission, because a Deny entry overrides an Allow entry.
- Click OK, and then wait for replication.
- To grant the Receive-As extended right on every mailbox database to the service account, open the Exchange Management Shell and run the following command:
Get-MailboxDatabase | Add-ADPermission -User "<service account>" -ExtendedRights Receive-As
The Receive-As right is required to protect archive mailboxes.
- Repeat this procedure for each service account for every Exchange server that you want to protect.
- If archive jobs fail for the existing service account, remove the account from the Organization Management role group and then run the Add-ADPermission command above against it again. Members of Organization Management carry an explicit Deny entry for Receive-As on mailbox databases, and that Deny overrides the Allow that the command grants.
- If the jobs still fail, create a new service account, run the Add-ADPermission command above against the new account, and do not add it to the Organization Management role group.
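The following script is an added example, not part of the original page or of the vendor's own tooling. It checks the prerequisites from Before You Begin, inspects the Exchange organization container that the ADSI Edit steps above edit by hand, grants Receive-As on every mailbox database, and then reads the database ACLs back to detect the failure mode described in the last two steps: a Deny entry for Receive-As that reaches the service account through Organization Management membership. The account name CONTOSO\svc-exbackup is an assumption; run the script from the Exchange Management Shell on Exchange 2010 or later (Get-RoleGroupMember does not exist on Exchange 2007).

```powershell
# Added example (not the page's own code). Assumed account name; replace it.
param(
    [string]$ServiceAccount = "CONTOSO\svc-exbackup",
    [switch]$Grant   # only modify ACLs when explicitly asked to
)

$sam = $ServiceAccount.Split('\')[-1]

# --- Prerequisites from "Before You Begin" ---------------------------------
$user = Get-User -Identity $sam -ErrorAction Stop
if (-not (Get-Mailbox -Identity $sam -ErrorAction SilentlyContinue)) {
    Write-Warning "$ServiceAccount has no mailbox; the procedure requires one."
}

# Organization Management membership (compared by DN so naming differences do not matter)
$orgMgmtDns = Get-RoleGroupMember -Identity "Organization Management" |
    ForEach-Object { $_.DistinguishedName }
$inOrgMgmt = $orgMgmtDns -contains $user.DistinguishedName
Write-Host ("Member of Organization Management: {0}" -f $inOrgMgmt)

# --- The ADSI Edit step, read back with Get-ADPermission --------------------
# Services > Microsoft Exchange > <organization> is the OrganizationConfig object.
$orgDn = (Get-OrganizationConfig).DistinguishedName
$orgDenies = Get-ADPermission -Identity $orgDn |
    Where-Object { $_.Deny -and "$($_.User)" -like "*\Organization Management" }
if ($orgDenies) {
    Write-Warning "Deny entries for Organization Management exist on $orgDn :"
    $orgDenies | Format-Table User, AccessRights, ExtendedRights -AutoSize
} else {
    Write-Host "No Deny entries for Organization Management on the organization object."
}

# --- Grant Receive-As on every mailbox database (same command as the procedure) ---
if ($Grant) {
    Get-MailboxDatabase |
        Add-ADPermission -User $ServiceAccount -ExtendedRights Receive-As |
        Out-Null
}

# --- Verify the effective result per database ------------------------------
function Test-ReceiveAs {
    param([string]$DatabaseDn, [string]$Sam, [bool]$IsOrgMgmtMember)

    $aces = Get-ADPermission -Identity $DatabaseDn | Where-Object {
        ($_.ExtendedRights | ForEach-Object { "$_" }) -contains "Receive-As"
    }
    $allowForAccount = $aces | Where-Object {
        -not $_.Deny -and "$($_.User)" -like "*\$Sam"
    }
    # A Deny granted to a group the account belongs to wins over a direct Allow.
    $denyViaOrgMgmt = $IsOrgMgmtMember -and ($aces | Where-Object {
        $_.Deny -and "$($_.User)" -like "*\Organization Management"
    })

    [pscustomobject]@{
        Database        = $DatabaseDn.Split(',')[0].Substring(3)
        AllowReceiveAs  = [bool]$allowForAccount
        DenyViaOrgMgmt  = [bool]$denyViaOrgMgmt
        Effective       = ([bool]$allowForAccount -and -not $denyViaOrgMgmt)
    }
}

$report = Get-MailboxDatabase | ForEach-Object {
    Test-ReceiveAs -DatabaseDn $_.DistinguishedName -Sam $sam -IsOrgMgmtMember $inOrgMgmt
}
$report | Format-Table -AutoSize

if ($report | Where-Object { -not $_.Effective }) {
    Write-Warning ("Receive-As is not effective for {0} on at least one database. " +
                   "If DenyViaOrgMgmt is True, remove the account from Organization " +
                   "Management (or use a new account) and rerun with -Grant.") -f $ServiceAccount
}
```

Run it first without -Grant to see the current state, then with -Grant to apply the same Add-ADPermission command the procedure uses. The Effective column is the check worth keeping: a direct Allow for the account with DenyViaOrgMgmt set to True is exactly the condition under which archive jobs fail even though the grant command succeeded.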
What to Do Next
Last modified: 12/1/2020 4:24:44 PM