Grant Full Access to All Mailboxes in Exchange 2010

Categories: Microsoft Exchange, Tips, Unified Messaging, Windows Server


Here’s a little time-saving tip for working with mailboxes in Exchange 2010.  Normally if you need full access to another user’s mailbox in Exchange 2007/2010 you would highlight their mailbox in the Exchange Management Console and the choose “Manage Full Access…” from the action pane.  You would have to do this individually for each mailbox that you wanted to manage full access permissions for.


Here’s an easier way to grant full access to a user for every mailbox in a mailbox database.  Just edit the bracketed fields below and paste the cmdlet in the Exchange Command Shell:

Get-MailboxDatabase -identity “[mailbox database name]” | Add-ADPermission -user [username] -AccessRights GenericAll

Voila!  You now have full access to all mailboxes in the selected database.  This even applies to new accounts created after you run the cmdlet.

  • Hello,
    We moved our CFO mailbox from exchange 2003 to exchange 2010 and his secy had full permission for the mailbox. Now, after the move though she is being shown as having full access but it is not working and through EMC, when I try to manage her permission, i am getting the error
    “Some controls are not valid. changes in the user/group list are required or remove permissions.”
    Any thoughts

  • I occasionally run into issues like these, in which the user account in question may have previously been a member of a protected group on the domain, which in effect disables security permission inheritance on the account. After the upgrade, the account has not inherited the new Exchange 2007/2010 permissions. My suggestion would be to check both your CFO's and their secy's accounts and ensure that they are configured to inherit permissions in ADUC.

    For more info, check this out:

  • Does not work for me..
    Opening mailboxes with outlook works, but if i try to open the mbx via another tool (in this case: single mailbox recovery) the access is denied.

    Any suggestions?

  • Can you tell me where to find the Mailbox Database Name? thank you

  • get-mailboxdatabase will show you any availible mailboxdatabase

  • To remove the SSL requirement from the default site for exchange 2010 OWA,

    when we try to access http://local host, Got error http error 403.4 – Forbidden.

    Go to So we create a custom error Default web Site then Error Pages then Click on Add.

    Status Code: 403.4 and select Respond with a 302 Redirect

    When you try to access through http, you got error 403.4 and redirected to your Https site.

  • That will work too, and that is exactly how I configure the redirection for Exchange 2003. With Server 2008, the redirection is much simpler to configure and works faster.

  • How would I remove these permissions? I ran the above command, but now need to remove myself from everyones mailbox… Would I just run the above command with Remove-ADPermission instead?

  • How would I remove these permissions? I ran the above command, but now need to remove myself from everyones mailbox… Would I just run the above command with Remove-ADPermission instead?

  • Hiii,
    I faced a problem after i ran the script. It showed a dialog box displaying a message that The SSL Webserver is blocking the connection to the mail-box. Please try again. What should i do? Thanks in advance.

  • I don’t think this works anymore.  I set it, but I can’t open mailboxes even though I have full access.  Does this still work for anyone?

  • This one should do the trick:

    Get-MailboxDatabase | Add-ADPermission -user
    “USER/GROUP” -ExtendedRights Receive-as, ms-Exch-Store-Admin -InheritanceType All

    If you still don’t get access, remove any permissions you’ve set before. If you set too many permissions your access will be denied.

    Be sure that the account you are going to open has no AdminSDHolder attribute set. (AdminCount >1). If it’s set inherited permissions won’t be applied.

  • This command partially works for me. After running the command for my user account, I can open any mailbox in that store from Outlook by File>Open>Other Users Folder. But what I am unable to do is create and open a new outlook profile of another user while I’m logged on. To be clear, the profile is created but when I try to launch it, I get prompted for credentials so I type my creds and they are rejected.

  • I just tried this on a new Exchange 2010 SP1 installation and it worked perfectly:

    1. create a new user group, e.g. “Exchange Database Administrators”
    2. grant mailbox access:

    Get-MailboxDatabase | Add-ADPermission -user
    “Exchange Database Administrators” -ExtendedRights Send-As,
    Receive-as, ms-Exch-Store-Admin -InheritanceType All

    3. add user to the group
    4. open any users mailbox via OWA, Outlook File>Open>Other Users Folder or by creating a new primary outlook profile, just as you like.

  • Do you have an explanation for exactly what Full Access gives someone?  I read that id doesn’t give them Send As, but can they add/delete/move items?

  • Matt, were you able to remove these permissions? And if yes, how did you do this?