How to assign Full Access Permissions to Multiple Mailboxes in Exchange 2007/2010

Recently I was required to modify several dozen mailboxes in Exchange 2007 to give a user Full Access administrative rights on those mailboxes.

The Exchange Management Console only lets you grant those permissions on one mailbox at a time.  I wanted to find a way to script it to speed the process along and make it more interesting.

The first thing I had to figure out was how to filter out just a certain set of users.  Adding them to a security group was easy enough using DSMOD (previous Blog post), but unfortunately the Exchange Shell doesn’t let you specify a security group when assigning permissions.  It does, however, allow you to specify a Custom Attribute.

In order to set one of the CustomAttribute settings in Active Directory to something unique, I used one of my favorite utilities… ADModify.Net.  Once ADModify.Net is launched, you’ll want to filter your users down by using the following LDAP Query:


(&(objectCategory=person)(memberOf=CN=Group,CN=OU,DC=domain,DC=local))

Once they are filtered out, you can then select all of the users that appear from the query, proceed to the next screen, and go to the Custom tab.  Under the attribute name field, type in extensionAttribute#, replacing the “#” with any number between 1-15 (the Exchange shell exposes extensionAttribute1 as CustomAttribute1, and so on).  Make absolutely sure it is not currently in use.

Under the attribute value field, type in whatever you want in order to find your set of users easily.

Hit Go! and once everything is finished, proceed to the Exchange Management Shell.

Use the following command in the shell to add Full Access to a specific user for all of your users with the Custom Attribute set to the value you specified.  You’ll need to change the labels in bold to fit your environment.


Get-Mailbox -Filter {CustomAttribute1 -eq "VALUE"} | Add-MailboxPermission -User "TrustedUser" -AccessRights FullAccess

Use the following command in the shell to add only Receive As access rights to a specific user for all of your users with the Custom Attribute set to the value you specified.  You’ll need to change the labels in bold to fit your environment.


Get-Mailbox -Filter {CustomAttribute1 -eq "VALUE"} | Add-ADPermission -User "TrustedUser" -ExtendedRights Receive-As

That’s it.  Technically giving a user Full Access will also give the Receive As rights, but I like to be thorough.

Good luck! : )
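A bulk grant like the one above is worth previewing first and reading back afterwards. The script below is an added example, not part of the original post: it reuses the post's "VALUE" and "TrustedUser" placeholders, and the CSV path and variable names are assumptions.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# "VALUE" and "TrustedUser" are the post's placeholders; replace them for your environment.
$attributeValue = "VALUE"
$trustedUser    = "TrustedUser"
$reportPath     = ".\FullAccess-grants.csv"   # hypothetical output file

# Select the same mailboxes the post targets. -ResultSize Unlimited avoids
# silently stopping at the default 1000-result limit.
$mailboxes = @(Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute1 -eq '$attributeValue'")
Write-Host ("{0} mailboxes match CustomAttribute1 = {1}" -f $mailboxes.Count, $attributeValue)

# Preview: -WhatIf lists what would change without changing anything.
$mailboxes | Add-MailboxPermission -User $trustedUser -AccessRights FullAccess -WhatIf

# Apply only after the preview list has been checked by hand.
$answer = Read-Host "Grant Full Access for $trustedUser on these mailboxes? (y/n)"
if ($answer -eq "y") {
    $mailboxes | Add-MailboxPermission -User $trustedUser -AccessRights FullAccess | Out-Null
}

# Verify: read the permissions back and count only explicit (non-inherited)
# allow entries for the trusted user that include FullAccess.
$report = $mailboxes | ForEach-Object {
    $aces = @(Get-MailboxPermission -Identity $_.Identity -User $trustedUser |
        Where-Object {
            (-not $_.IsInherited) -and (-not $_.Deny) -and
            ($_.AccessRights -like "*FullAccess*")
        })
    $_ | Select-Object Name, PrimarySmtpAddress,
        @{ Name = "TrustedUser";        Expression = { $trustedUser } },
        @{ Name = "ExplicitFullAccess"; Expression = { $aces.Count -gt 0 } }
}

# Keep a record of what was granted, and show any mailbox the grant missed.
$report | Export-Csv -Path $reportPath -NoTypeInformation
$report | Where-Object { -not $_.ExplicitFullAccess } |
    Format-Table Name, PrimarySmtpAddress -AutoSize
```

To revoke the access later, pipe the same mailbox set to Remove-MailboxPermission with the same -User and -AccessRights values.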

About Rebecca Harness

Rebecca Harness is a Business Information Security Officer (BISO) for a publicly-traded, global information solutions company. As BISO, she champions security initiatives and recommends strategies to mitigate risk, facilitating innovation and new product development. She’s also responsible for representing the business unit’s security program in client-facing engagements, conferences, and industry forums. Prior to her current role, she was an influential cybersecurity leader for one of the world’s largest transportation providers, known for transforming information security efforts into well-orchestrated programs. There, she developed an innovative methodology for delivering key information security priorities as a service model, leading to quicker adoption enterprise-wide while significantly reducing operational costs. She also led and modernized their global, multi-brand PCI Assessment and other compliance initiatives. In the early 2000s, Rebecca developed one of St. Louis' leading Managed Services Providers from a startup in a spare bedroom into a mature consulting company with 30+ employees and 150+ clients in the Greater St. Louis Area. Rebecca holds many certifications, including ISACA Certified Information Systems Auditor (CISA), ISC2 Certified Information Systems Security Professional (CISSP), and GIAC Security Leadership Certified (GSLC). She’s also a proud alumna of Hastings College and a longtime member of the Society of American Magicians.

One Response to “How to assign Full Access Permissions to Multiple Mailboxes in Exchange 2007/2010”

  1. How would you modify this if you wanted to do it per OU?
