Assigning Full Access to Service Accounts for On-Premise Exchange Servers

Applies to: Exchange 2007 or later, User Mailbox and Journal Mailbox

This procedure assigns full access to service accounts.

Disclaimer: This procedure is performed using the Microsoft ADSI Edit snap-in. The snap-in is subject to change without notice. Consult the Microsoft documentation before you perform this procedure.

Before You Begin

The service account must be a member of:

  • The Local Administrator Group on the proxy servers.

    If the agent is installed on an off-host proxy computer, the service account must be in the Local Administrator Group on the proxy computer.

  • The Organization Management group (Exchange 2010 or later) or the Exchange Organization Administrators group (Exchange 2007).


  1. From the ADSIEDIT snap-in, connect to the domain controller.
  2. In Connection Settings, click Select a well known Naming Context and select Configuration from the list.
  3. Expand Services > Microsoft Exchange.
  4. Right-click the appropriate organization name, and then click Properties.

    The Properties dialog box appears.

  5. Click the Security tab.
  6. Under Permissions, verify that all the permissions for the Organization Management group (Exchange 2010 or later) or the Organization Administrators group (Exchange 2007) are set to Allow.

    Tip: Selecting the Allow for Full Control check box selects Allow for all the permissions. The Deny check box for all permissions must be cleared.

  7. Click OK, and then wait for replication.
  8. To grant Receive As permissions to the service account, open Exchange PowerShell, and then type the following cmdlet:

    Get-MailboxDatabase | Add-ADPermission -user "<service account>" -ExtendedRights Receive-As

    You must include the Receive As permissions to protect archive mailboxes.

    Note: Run the Get-MailboxDatabase cmdlet each time you add a new database.

  9. Repeat this procedure for each service account for every Exchange server that you want to protect.