Delegating the Ability to Assign Full Access Permissions on Mailboxes in Exchange 2007

We had assigned the Helpdesk security group some basic AD delegations and the Recipient Administrator rights in Exchange (which grants very basic rights and some broad rights depending on what other permissions are assigned).

However, this did not let the helpdesk grant Full Access permissions on individual mailboxes (though Send As was OK via basic AD permissions).

When trying to grant Full Access rights, our helpdesk was getting an error similar to:

Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:00

DOMAIN\USER
Failed

Error:
Failed to commit the change on object “XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX” because access is denied.

MapiExceptionNoAccess: Unable to set mailbox SecurityDescriptor. (hr=0x80070005, ec=-2147024891)

Exchange Management Shell command attempted:
Add-MailboxPermission -Identity ‘CN=FOO[…]DC=LOCAL’ -User ‘DOMAIN\USER’ -AccessRights ‘FullAccess’

Elapsed Time: 00:00:00

The key lies in the somewhat undocumented ms-Exch-Store-Admin right.

e.g.
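One way to grant that right from the Exchange Management Shell, written as an added example and not taken from the original post. It assumes the group is named DOMAIN\Helpdesk and that the right is granted per mailbox database (the database name filter is a placeholder) rather than higher up in the Exchange organization.

```powershell
# Added example for the Exchange 2007 Management Shell; not from the original post.
# Assumptions: group name and database filter below are placeholders.
$group = 'DOMAIN\Helpdesk'
$right = 'ms-Exch-Store-Admin'

# Scope the grant to the databases the helpdesk actually supports,
# instead of granting it once at a container every database inherits from.
$databases = Get-MailboxDatabase |
    Where-Object { $_.Name -like 'Mailbox Database*' }

foreach ($db in $databases) {
    $dn = $db.DistinguishedName

    # Look for an explicit (non-inherited) allow entry that already
    # carries the right, so repeated runs do not stack duplicate ACEs.
    $existing = Get-ADPermission -Identity $dn -User $group |
        Where-Object {
            -not $_.IsInherited -and
            -not $_.Deny -and
            ($_.ExtendedRights -like $right)
        }

    if ($existing) {
        Write-Host "Already granted on $($db.Name)"
        continue
    }

    Add-ADPermission -Identity $dn -User $group -ExtendedRights $right
}

# Review the result: every entry the group holds on each database,
# including inherited ones and any Deny entries that would override the grant.
foreach ($db in $databases) {
    Get-ADPermission -Identity $db.DistinguishedName -User $group |
        Select-Object Identity, User, Deny, IsInherited, ExtendedRights
}
```

Run it as an account that can modify permissions on the database objects. Keeping the grant at database level limits which mailboxes the helpdesk can change the security descriptor on.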

 
