Add-MailboxPermission for Exchange 2010 SP1 /hosting - Give Full Access to Mailbox to Another User

If I remember correctly, when /hosting came out you could use Add-MailboxPermission as the domain administrator. It seems that with a later rollup [correct me if I'm wrong] you can no longer use this command, because it returns errors such as:

 The operation on mailbox "host.local/Microsoft Exchange Hosted Organizations/****/user01" failed because it's out of the current user's write scope. The object 'host.local/Microsoft Exchange Hosted Organizations/****/user01' must be within the read scope before and after it's modified. Can't perform the save operation.

    + CategoryInfo          : NotSpecified: (host.local/Micr...S/checkrequests:ADObjectId) [Add-MailboxPermission], TaskInvalidOperationException
    + FullyQualifiedErrorId :7F410251,Microsoft.Exchange.Management.RecipientTasks.AddMailboxPermission

To fix this issue, you must run PowerShell as the organization administrator instead of the domain administrator.

Below is how you can accomplish this using remote PowerShell:

  • Launch the Exchange Management Shell / PowerShell
  • Run:

$c = Get-Credential

$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<server>/powershell -Credential $c

Import-PSSession $session -AllowClobber

Get-Mailbox user01@domain.com | Add-MailboxPermission -AccessRights FullAccess -User <user>

Basically, what we are doing is running PowerShell as the organization administrator. When you do this, you will notice that you only have access to mailboxes in that organization, so you will not be able to grant a user in another organization rights to a different organization's mailbox.

If you know a better way to do this please share! (or just move to Exchange 2010 SP2 lol)

Hi, I am using Ex2010 SP2/hosting. I found it is not working for me. Do I have to grant org admin to use powershell first??

Thanks!

I have an Exchange 2010 SP1 /hosting server. When trying to execute the command to change user permissions under PowerShell I keep getting a username and password error. Could you provide an example of what to enter when prompted for credentials? I believe the username is the administrator@domain.com?? Thanks for any help with this. I really need to get this working.

The problem with this is that it is possible that the Exchange administrator does not know the password for the tenant administrator.

We have worked around it with this:

New-Mailbox -Organization "tenant #1" -Name "temp tenant administrator" -alias "temptenantadmin" -userprincipalname "temptenantadmin@domain.local" -Password (convertto-securestring "UserPassword123!!" -asplaintext -force) -Confirm:$false

New-ManagementRoleAssignment -organization "tenant #1" -name "mail recipients-temp tenant administrator" -role "mail recipients" -user "temptenantadmin" -RecipientOrganizationalUnitScope "hex.hosting/Microsoft Exchange Hosted Organizations/tenant #1"

then your script:

$c_pass = convertto-securestring "UserPassword123!!" -asplaintext -force
$c = new-object -typename System.Management.Automation.PSCredential -argumentlist "temptenantadmin@domain.local",$c_pass

$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://server.domain.local/powershell -Credential $c
Import-PSSession $session -AllowClobber
Add-MailboxPermission -identity "mailbox" -AccessRights "FullAccess" -User "Username"

After all permissions are set you can remove the temporary mailbox:
Remove-mailbox -identity "tenant #1\temptenantadmin"

If you need to set permissions on an entire hosted organization you can use the cmdlet above, but instead of using Get-Mailbox user01@domain.com | Add-MailboxPermission -AccessRights FullAccess -User you would use the following:

Get-Mailbox -OrganizationalUnit "domain.local/Microsoft Exchange Hosted Organizations/HostedOrganizaitonOU" -ResultSize Unlimited| Add-MailboxPermission -User 'user@hostedorganizaton.com' -AccessRights 'FullAccess'
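
The temporary tenant administrator workaround from the comments above, as an added example that is not code from the original post or its commenters: it generates a one-time random password instead of embedding one in the script, imports the tenant-scoped cmdlets under a prefix so they stay separate from the local shell's cmdlets, and removes the temporary account in a finally block. The delegate address and the Tenant prefix are assumptions; the other names are the ones used in that comment.

```powershell
# Added example. Run from the Exchange Management Shell as the hosting (domain) administrator.
# Names come from the comment above; $delegate and the "Tenant" prefix are hypothetical.
$ErrorActionPreference = 'Stop'
$tenant   = 'tenant #1'
$tenantOu = 'hex.hosting/Microsoft Exchange Hosted Organizations/tenant #1'
$tempUpn  = 'temptenantadmin@domain.local'
$mailbox  = 'user01@domain.com'     # mailbox being delegated
$delegate = 'user02@domain.com'     # hypothetical user receiving FullAccess

# One-time random password, so no reusable secret is left in the script or its history.
Add-Type -AssemblyName System.Web
$plain  = [System.Web.Security.Membership]::GeneratePassword(24, 6)
$secure = ConvertTo-SecureString $plain -AsPlainText -Force
$plain  = $null
$cred   = New-Object System.Management.Automation.PSCredential($tempUpn, $secure)

$session = $null
try {
    # Temporary account limited to the "mail recipients" role inside the tenant's OU.
    New-Mailbox -Organization $tenant -Name 'temp tenant administrator' `
        -Alias 'temptenantadmin' -UserPrincipalName $tempUpn `
        -Password $secure -Confirm:$false | Out-Null
    New-ManagementRoleAssignment -Organization $tenant `
        -Name 'mail recipients-temp tenant administrator' -Role 'mail recipients' `
        -User 'temptenantadmin' -RecipientOrganizationalUnitScope $tenantOu | Out-Null

    # Tenant-scoped remote session; -Prefix avoids clobbering the local cmdlets.
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri 'http://server.domain.local/powershell' -Credential $cred
    Import-PSSession $session -Prefix Tenant `
        -CommandName Add-MailboxPermission, Get-MailboxPermission | Out-Null

    Add-TenantMailboxPermission -Identity $mailbox -User $delegate `
        -AccessRights FullAccess | Out-Null

    # Read the grant back so the change is confirmed before the account is removed.
    Get-TenantMailboxPermission -Identity $mailbox -User $delegate |
        Format-Table Identity, User, AccessRights, IsInherited -AutoSize
}
finally {
    # Always tear down the session and the temporary administrator, even on failure.
    if ($session) { Remove-PSSession $session }
    Remove-Mailbox -Identity "$tenant\temptenantadmin" -Confirm:$false
}
```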
