Assigning Full Access to Service Accounts for On-Premise Exchange Servers
Applies to: Exchange 2007 or later, User Mailbox and Journal Mailbox
This procedure assigns full access to service accounts.
Disclaimer: This procedure is performed using the Microsoft ADSI Edit snap-in. The snap-in is subject to change without notice. Consult the Microsoft documentation before you perform this procedure.
Before You Begin
The service account must be a member of:
- The Local Administrator Group on the proxy servers.
If the agent is installed on an off-host proxy computer, the service account must be in the Local Administrator Group on the proxy computer.
- The Organization Management group (Exchange 2010 or later) or the Exchange Organization Administrators group (Exchange 2007).
- From the ADSIEDIT snap-in, connect to the domain controller.
- In Connection Settings, click Select a well known Naming Context and select Configuration from the list.
- Expand Services > Microsoft Exchange.
- Right-click the appropriate organization name, and then click Properties.
The Properties dialog box appears.
- Click the Security tab.
- Under Permissions, verify that all the permissions for the Organization Management group (Exchange 2010 or later) or the Organization Administrators group (Exchange 2007) are set to Allow.
Tip: Selecting the Allow for Full Control check box selects Allow for all the permissions. The Deny check box for all permissions must be cleared.
- Click OK, and then wait for replication.
- To grant Receive As permissions to the service account, open Exchange PowerShell, and then type the following cmdlet:
Get-MailboxDatabase | Add-ADPermission -user "<service account>" -ExtendedRights Receive-As
You must include the Receive As permissions to protect archive mailboxes.
Note: Run the Get-MailboxDatabase cmdlet each time you add a new database.
- Repeat this procedure for each service account for every Exchange server that you want to protect.