A common request of Exchange Server administrators is granting a person access to another mailbox. The Add-MailboxPermission cmdlet lets you grant permissions to a mailbox. There are three parameters to use:

  • Identity – the mailbox you are adding the permissions to
  • User – the user you are granting the permissions to
  • AccessRights – the level of access you are granting

For example, to grant Sarah Jones full access to Alan Reid’s mailbox we would run this command.

[PS] C:\>Add-MailboxPermission -Identity Alan.Reid -User Sarah.Jones -AccessRights FullAccess

To remove the access we would use Remove-MailboxPermission instead.

[PS] C:\>Remove-MailboxPermission -Identity Alan.Reid -User Sarah.Jones -AccessRights FullAccess

Handling Auto-Mapping for Full Access to Mailboxes

When you grant full access to a mailbox you may notice that the mailbox automatically appears in the user’s Outlook, either immediately or after a short wait. This is due to a feature called auto-mapping. In some cases this auto-mapping behaviour is not desirable. To prevent auto-mapping we need to add -AutoMapping:$false to the Add-MailboxPermission command. Because auto-mapping is set at the time the permission is added, it cannot be changed on an existing grant: if access has already been granted you must first remove it, then run Add-MailboxPermission again with auto-mapping disabled.

[PS] C:\>Add-MailboxPermission -Identity Alan.Reid -User Sarah.Jones -AccessRights FullAccess -AutoMapping:$false
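The following script is an added example, not code from the original article. It wraps the steps above into one procedure: check whether Full Access is already present, remove it if so (since -AutoMapping cannot be changed on an existing entry), re-grant with auto-mapping disabled, and then verify. It assumes an Exchange Management Shell session; the mailbox and user names are the article’s placeholders, and the Get-MailboxPermission check is my addition.

```powershell
# Added example (not from the original article): grant Full Access to a mailbox
# with auto-mapping disabled, handling the case where Full Access was already
# granted earlier (which would have left auto-mapping switched on).
# Assumes an Exchange Management Shell session; the names below are placeholders.
param(
    [string]$Mailbox = 'Alan.Reid',
    [string]$User    = 'Sarah.Jones'
)

# Look for an existing, non-inherited Full Access entry for this user.
$existing = Get-MailboxPermission -Identity $Mailbox -User $User -ErrorAction SilentlyContinue |
    Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited }

if ($existing) {
    # -AutoMapping is only applied when the entry is created, so the existing
    # entry has to be removed before it can be re-added without auto-mapping.
    Write-Host "Full Access already present for $User on $Mailbox; removing it first."
    Remove-MailboxPermission -Identity $Mailbox -User $User -AccessRights FullAccess -Confirm:$false
}

Add-MailboxPermission -Identity $Mailbox -User $User -AccessRights FullAccess -AutoMapping:$false

# Verify the result. Note that Get-MailboxPermission reports the access rights
# that were granted but does not show whether auto-mapping is on or off.
Get-MailboxPermission -Identity $Mailbox -User $User |
    Select-Object Identity, User, AccessRights, IsInherited, Deny
```

Run it as a .ps1 from the Exchange Management Shell, passing -Mailbox and -User to override the placeholders. The removal step is what makes the script safe to re-run: without it, a second Add-MailboxPermission on a mailbox that was granted earlier would leave auto-mapping exactly as it was.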

If you only want to grant read-only access to the mailbox refer to this article: How to Grant Read-Only Access to an Exchange Mailbox

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Paul

    Hi Paul,
    wanted to run a question by you,
    we are running a Hybrid exchange where mailboxes coexist on both platforms.
    One of the requirements for the team’s delegations to work is that when you add members to a user’s mailbox, it needs to be marked as a delegate. I have tried the Add-MailboxPermission via PowerShell on a brand new user mailbox, and it works fine. Doing the following on an existing mailbox that is in Exchange 2013 doesn’t work fine, even if the user had editor rights already to the mailbox in question; it still wouldn’t. Any suggestions?
    Thanks
    Regards
    Paul

  2. Kishore sharma

    Hey Paul,

    I have gone through many of the comments, most of them are benefiting from your article. Is it possible to grant a leaver mailbox access to someone? As there are customer replies that need to be provided on behalf of someone who left the organisation?

  3. SANKARASUBRAMAN PARAMESWARAN

    hi,

    when we try to add the user to all the mailboxes as full access it failed with a time out. Please let us know how we can integrate a sleep command

  4. Karst van der Lei

    If I give permissions to a mailbox, the mailbox is visible with or without automapping in Outlook. When I want to send a new e-mail I can choose the from field. The new added mailbox is visible directly in the from field. Can I disable this? I only want to send on behalf. I can choose this with another mailbox field and choose the field here. I want to get rid of the send as field when I choose the from field in Outlook

  5. Tom Fox

    Regarding disabling automapping for a mailbox in Exchange 2010, how can I view which users with Exchange Full Mailbox Access have automapping disabled and which have automapping enabled?

  6. Samir Barsoum

    Question.. Is it possible to grant certain group the ability to manage recipients and create mailboxes without being able to grant full mailbox access? Which role to be assigned in RBAC?

    Thanks,
    Samir

  7. Joel Rightler

    Question.. We use a 3rd party travel agent as many of our users travel for business. We do all of our booking through their website and they have the ability to add/remove travel itineraries using a delegate calendar through EWS.

    We have created an account for this purpose, how can I apply only add/remove calendar permissions to every user in my org, from this account? (I’m sure I made that as clear as mud..)

  8. Kev Hames

    I’m having issues with the full access. For some reason the person we’re giving full access to can only see one folder. Any ideas?

  9. Gustavo Fuchs

    Is there a Powershell script that would allow me to grant one particular user Full access rights to 300 + mailboxes? Do I need to import the list to a .csv file?

    Regards,
    Gus.

  10. rino19ny

    hi. does granting permission on a mailbox work for any type of mailbox? like IMAP?

  11. Fadi

    Dear Paul,
    after migration from Exchange 2007 to 2013
    we are not able to access a room mailbox even though we grant FullAccess permission from PowerShell or ECP

    You don’t have permission to open this mailbox.
    X-ClientId: KGAM – PXRT – UVJE – ZIJVDAG
    X-OWA-Error: SDServerErr;Microsoft.Exchange.Clients.Owa2.Server.Core.OwaExplicitLogonException
    X-OWA-Version: 15.0.1044.25
    X-FEServer: XXX-XXXX
    X-BEServer: XXX-XXXX.XXX.local
    Date: 4/27/2015 12:55:01 PM

    is there any way to fix that please ?

  12. SomoIT

    Hi Paul!
    Great blog! Solved many migration problems by consulting your web.

    One simple question: Is it possible to assign full mailbox access permissions to a security group via EAC? Or is it only possible by powershell?

    Thanks!

  13. Virish Kundoo

    Hello,

    I am doing email hosting for different companies in different databases on Exchange 2013. I would like to assign each company an administrator who can create/delete/modify mailboxes in their specific databases.
    how is this possible?
    It seems that I have to go through ADSIEDIT to achieve same, but I would like to get the specific steps.

    Thanks

  14. Chris

    Hi thanks,

    but I get an Error User or Group “…..” wasn’t found ….

    The Group is a USG, the mailbox is a shared Mailbox

    Bye

  15. Susan

    Hi Paul,
    Is there a script to give certain people full permissions to a department mailbox but they cannot delete anything from the mailbox? They will need to move emails from their mailbox into the department mailbox. They will need to be able to create folders in the department mailbox.

    Thanks
    Susan

  16. Chris

    Hi,

    I have the same issue, I got a shell error using a USG, “user or Group “…….” wasn’t found.
    Please make sure you’ve typed it correctly….”

    Thanks

    1. Paul Cunningham

      What is the command you’re running? I just ran this and it worked. Payroll is the mailbox, Payroll Team Leaders is the Universal Security Group.

      [PS] C:\>Add-MailboxPermission -Identity Payroll -User "Payroll Team Leaders" -AccessRights FullAccess

  17. Hossein

    Dear Paul,
    I mean the mailbox didn’t get added to Outlook. I don’t know what I should do and the security management team is pushing me to fix it soon. I have another question, can I use RBAC in this regard?

  18. Hossein

    Hi Paul,
    would you please explain how I can grant access to the shared mailboxes by domain local security group? Because it can be managed centrally and there is no need to change permissions per mailbox, this is so important.
    thanks in advance

      1. Hossein

        Hi Paul,
        unfortunately nothing happened, and I’m under pressure to fix it because the organization wants to manage the shared mailboxes by group and individual access is not accepted. I’d appreciate your help to implement this request.

  19. Allan Anderson

    Can a colleague be given full access to your mailbox but be restricted to not seeing the ‘Sent Items’?

    Thanks

  20. Trev

    Hi Paul
    We have Exchange 2013 and I am wanting to give an employee with a Shared Mailbox account Full access to another standard email account. The Shared email account does not show when searching for it ( no Shared Mailbox accounts show ).
    Is it possible to do this?
    Thank you.
    Trev

    1. Paul Cunningham

      Employees should not have Shared mailboxes. A Shared mailbox is a special mailbox type associated with a disabled user object. The employees should be logging on with their own accounts. That is the account you should grant the permissions to.

  21. Florian Baumann

    Hey,
    in Exchange 2010 I gave Full Access and rights to “Send on behalf” to a mailbox and it worked fine. The users could access the mailbox and send mails on behalf.

    How do I get this to work with Exchange 2013?

    When I grant Full Access to a mailbox, “send on behalf” doesn’t work. If I just grant “send on behalf” without Full Access it works, but the user cannot access the mailbox, which doesn’t really make sense.
    “Send As” works but it isn’t really an option, since there is no way to see which user was the sender, if multiple users have the right to send, not even in the header of the mail. Or is there a way to see the sender with “Send As”?

    Thanks in advance.
    Florian

    1. Bainrow

      Hello Florian,

      I did the following for us here:

      Add-MailboxPermission -Identity $Mailbox -User $User -AccessRights FullAccess -InheritanceType All -AutoMapping:$false

      Add-RecipientPermission $Mailbox -AccessRights SendAs -Trustee $User -Confirm:$false

      So I set first mailbox permissions and then the SendAs rights through the RecipientPermissions.

      I hope this helps you

      1. Florian Baumann

        Hi Bainrow,

        thanks for the reply, but the Add-RecipientPermission works only for Exchange Online, not on premise Exchange 2013. And the command looks like it grants “Send As” which I don’t want.

        I just found out that “Full Access” plus “Send on behalf” is working just fine in OWA but NOT in Outlook (2010/2013)?!?!? Now I’m really confused..

        1. Nirav Joshi

          Hi Florian,

          Did you get solution for this?

          I am on Microsoft 365 right now and having the same issue.
          Automapping is disabled with full mailbox access and also Send on Behalf given.
          User can access the mailbox from both OWA and Outlook.
          User can send on behalf from OWA but not from Outlook.

          Thanks in advance
          Nirav

          1. Nirav Joshi

            Mailbox is not hidden on GAL.

  22. Derek

    Hi Paul,
    Thanks for this informative post. I’m having trouble implementing it in my Ex2013 env, however. First, am I right to assume this is how you’d grant permissions for OWA access as well? It worked for Ex2007 (I used the same Add-MailboxPermission cmd as you have above). However, in Ex2013, when I’m logged in as the master account and go to “Open another mailbox..”, type in the slave mailbox, I get the “No match was found” error.
    Have you run across this before? Thanks in advance.

  23. Matt Willey

    In case it is necessary, you can find all mailboxes that a user has automapped by the msExchDelegateListBL property.

    If you run a PS command to get a user, select -ExpandProperty msExchDelegateListBL, this will show the distinguished name for every mailbox that will map in Outlook. Then it is easy to remove/re-add permissions with a foreach loop.
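The following script is an added example, not the commenter’s own code. It does what the comment describes: read msExchDelegateListBL for a user to list the mailboxes that are auto-mapped, then remove and re-add Full Access on each with auto-mapping disabled. It assumes the ActiveDirectory module is available alongside an Exchange Management Shell session, that msExchDelegateListBL holds the distinguished names of the auto-mapped mailboxes (as the comment states), and that ‘Sarah.Jones’ is the sAMAccountName of the user; all names are placeholders.

```powershell
# Added example (not the commenter's script): list every mailbox that is
# auto-mapped for a user, then re-grant Full Access with auto-mapping off.
# Assumes the ActiveDirectory module and an Exchange Management Shell session;
# 'Sarah.Jones' is a placeholder sAMAccountName.
Import-Module ActiveDirectory

$User = 'Sarah.Jones'

# msExchDelegateListBL is the back-link attribute populated on the user when
# a Full Access grant was made with auto-mapping enabled.
$autoMapped = Get-ADUser -Identity $User -Properties msExchDelegateListBL |
    Select-Object -ExpandProperty msExchDelegateListBL

if (-not $autoMapped) {
    Write-Host "No auto-mapped mailboxes found for $User."
    return
}

Write-Host "Auto-mapped mailboxes for $User :"
$autoMapped | ForEach-Object { Write-Host "  $_" }

foreach ($mailboxDn in $autoMapped) {
    # Each entry is the distinguished name of a mailbox user object, which
    # Add-/Remove-MailboxPermission accept as -Identity. Auto-mapping is fixed
    # when the entry is created, so the grant has to be removed and re-added.
    Remove-MailboxPermission -Identity $mailboxDn -User $User -AccessRights FullAccess -Confirm:$false
    Add-MailboxPermission    -Identity $mailboxDn -User $User -AccessRights FullAccess -AutoMapping:$false
}
```

Running only the first half (up to the Write-Host loop) answers the earlier question in this thread of how to see which mailboxes a user has auto-mapped, since Get-MailboxPermission itself does not report the auto-mapping state.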

  24. Willis

    Paul,

    This ‘how-to’ is just what I was looking for. Set out to provide myself and all the other domain admins Full Access to all mailboxes, but after reading the discussion and getting your ‘drift’ that it may not be in our best interest to have these rights all the time. When needed, apply and then retract.

    However, do you still feel the same about Resource Mailboxes? Is there a command that would allow me to set full access on all those?

    Thank you,

    Willis

  25. Claudio

    Good morning,

    I don’t know if this falls into this category, but I have 1 account with “full access” to all mailboxes, which is used by my backup software (commvault) to do granular backups and restores.

    All backups work perfectly fine, however if I want to open someone else’s mailbox from OWA or Outlook I am unable:

    Something went wrong
    You don’t have permission to open this mailbox.
    X-ClientId: KGAM – PXRT – UVJE – ZIJVDAG
    X-OWA-Error: SDServerErr;Microsoft.Exchange.Clients.Owa2.Server.Core.OwaExplicitLogonException
    X-OWA-Version: 15.0.1044.25
    X-FEServer: XXX-XXXX
    X-BEServer: XXX-XXXX.XXX.local
    Date: 4/27/2015 12:55:01 PM

    Is there any way to fix this so this specific account can open any and all mailboxes with OWA or Outlook?

    Thank you.

  26. Marcel

    Hi Paul,

    I already tried to find a solution via browsing the web, but unfortunately, I did not find any solution, maybe you can help:

    Current situation:

    We are migrating from Lotus Notes 7.04 to Exchange 2010 with Outlook 2010. User migration already finished.
    Next task is the migration of “TeamMailbox” (Notes Domino) to “SharedMailbox” (Exchange).
    We did already complete more than 90 SM and are now facing the problem that there is an AD group with users who don’t have an Exchange account, because it’s not needed on the local site (warehouse technicians). The mentioned technicians used the Lotus Notes TeamMailbox by group access (no personal Lotus Notes account), and that was working fine, because only the distribution group was a member of that specific team mailbox.
    Now I face the situation that I cannot find these AD users in EMC (Exchange) while trying to assign “full access”.
    No personal Exchange account means no chance to be assigned permissions to any other mailbox, e.g. a SharedMailbox? Or is there any way to grant them access even if they don’t have a personal Exchange account?

    Thanks in advance.

    Regards
    Marcel

  27. Bram van den Berg

    Hello Paul,

    thanks for sharing this info with us.
    I made a pretty nice “management” script for our O365 environment with these commands.

    However it seems I’m running in a small issue here.
    I made a script so my colleagues here can easily manage O365 through powershell without any powershell know how. I’ve made several option but in this case it’s about 2 options, one for adding full access rights to shared mailbox WITH automap

    Code that adds permission looks like this:
    Add-MailboxPermission -Identity $Mailbox -User $User -AccessRights 'FullAccess'

    and one for adding full access rights to shared mailbox WITHOUT automap.

    Code that adds permission looks like this:
    Add-MailboxPermission -Identity $Mailbox -User $User -AccessRights FullAccess -Automapping:$false

    It all seems to be working fine, I’ve added few mailboxes with automap and a few without automap. However now I’m testing on my own account and after I added one mailbox without automap I’m unable to add any with automap. I do get the access rights but automapping is not working anymore for any user that was once given access without automap.

    Is this a known issue??

    I’ve searched everywhere but can’t find any information about this.
    I’ve added the access through the regular O365 management interface, I can add the mailbox…however automapping still doesn’t do a thing.

    It’s strange that everything is working fine until you add rights without automap.

    Thanks for any help in advance.

    Kind regards,

    Bram

  28. Dave

    Paul,

    Another request came up from HR today that management approved. They want the receptionist to have read access to all of our employee’s calendars. I’ve found a couple powershell commands on the Internet. Are you familiar with either of these two? Will one of these grant access to all mailboxes or do you have a better powershell command to use for this situation?

    (Get-Mailbox).identity | foreach {Add-MailboxFolderPermission $_”:calendar” -User UserName -AccessRights reviewer}

    get-mailbox | foreach-object {add-MailboxFolderPermission $_”:Calendar” -User UserName -AccessRights Reviewer}

    1. Paul Cunningham

      Those are both basically the same thing.

      Whether they work or not… they look okay, but the only way to tell for sure is to test them.

      Generally speaking if someone offers you a PowerShell command that you’re not sure about then your first step should be to go read the TechNet pages for the cmdlets, eg Get-Mailbox, Add-MailboxFolderPermission. Look at the parameters so that you understand what they mean, look at the examples they give for different usage scenarios.

      Then you can test. Get-Mailbox will return all mailboxes in your org. So obviously you don’t want to test against all mailboxes. So instead you can narrow the scope of the Get-Mailbox results, such as “Get-Mailbox | the rest of the command”. That will give you a chance to see whether you get the desired outcome against that one mailbox before you run the command to modify all mailboxes.

      Finally there is the -WhatIf, which allows you to test a command for correct syntax before you run it. Note that this does not test the actual outcome, just whether the command you’re running is likely to throw an error or not.

      Hope that helps.
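The script below is an added example, not code from the original thread or its author. It applies the testing approach in the reply above to the calendar-permission change asked about: a dry run with -WhatIf against a single mailbox, a real run against that same mailbox with verification, and only then the org-wide command. It assumes an Exchange Management Shell session; ‘Reception’ and ‘Alan.Reid’ are placeholders, and the use of Set-MailboxFolderPermission for a user who already has an entry (Add-MailboxFolderPermission errors in that case) is my addition, not something the thread states.

```powershell
# Added example (not from the original thread): test a bulk calendar permission
# change against one mailbox before running it org-wide.
# Assumes an Exchange Management Shell session; names are placeholders.
$Delegate = 'Reception'

function Grant-CalendarReviewer {
    param(
        [Parameter(Mandatory)] $Mailbox,   # a Get-Mailbox result object
        [Parameter(Mandatory)] [string]$User,
        [switch]$WhatIf
    )
    # Folder identity is <smtp address>:\Calendar; the SMTP address avoids
    # ambiguity when two mailboxes share a display name.
    $folderId = "$($Mailbox.PrimarySmtpAddress):\Calendar"

    # Add- fails if the user already has an entry on the folder, so update
    # an existing entry with Set- instead.
    $existing = Get-MailboxFolderPermission -Identity $folderId -User $User -ErrorAction SilentlyContinue
    if ($existing) {
        Set-MailboxFolderPermission -Identity $folderId -User $User -AccessRights Reviewer -WhatIf:$WhatIf
    } else {
        Add-MailboxFolderPermission -Identity $folderId -User $User -AccessRights Reviewer -WhatIf:$WhatIf
    }
}

# 1. Dry run against a single mailbox: -WhatIf checks the command parses and
#    reports what would change without changing anything.
Get-Mailbox -Identity 'Alan.Reid' |
    ForEach-Object { Grant-CalendarReviewer -Mailbox $_ -User $Delegate -WhatIf }

# 2. Real run against that one mailbox, then verify the resulting entry.
Get-Mailbox -Identity 'Alan.Reid' |
    ForEach-Object { Grant-CalendarReviewer -Mailbox $_ -User $Delegate }
Get-MailboxFolderPermission -Identity 'Alan.Reid:\Calendar' -User $Delegate

# 3. Only after the single-mailbox result looks right, widen the scope.
#    Left commented out so the script cannot touch every mailbox by accident.
# Get-Mailbox -ResultSize Unlimited |
#     ForEach-Object { Grant-CalendarReviewer -Mailbox $_ -User $Delegate }
```

As the reply notes, -WhatIf tells you whether the command will run, not whether the outcome is what you want; step 2 and its Get-MailboxFolderPermission check are what confirm that.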

  29. Dave

    Paul,

    we would be doing this on a daily basis for multiple employees. Another thing that HR has to do every day is configure email forwarding for every employee that is out; they do this using the Exchange Management Console as well. I wish there was an easier way but this takes up quite a bit of their time. They are part of the Exchange Recipient Administrators group. The only other solution I can think of is having IT do this for HR daily. We tried rules with employee OoF settings but employees change teams regularly and forgot to update their rules, or employees would call in sick and obviously can’t enable their OoF status. It was configured this way years before I worked for this company. If you have a better solution for HR to do both of these functions without giving them some Exchange privileges I’d love to hear them.

    Dave

    1. Paul Cunningham

      Configuring email forwarding doesn’t require them to have full access to the mailbox itself.

      You can make HR folks recipient admins if you like. But giving anyone permanent full access to the entire organization’s mailbox contents is an auditing mess and a security risk.

      Granting access on a case by case basis, only when required for a specific task, and then removing it afterwards, is a trivial administrative effort that leaves a valuable audit trail. It also avoids the auditing and security risks associated with persistent blanket access.

  30. Dave

    How else can I allow HR to have the ability to set out of office messages for our employees? We pride ourselves on customer service and when an employee has to unexpectedly take time off we want to update their out of office message so that our clients know. Any suggestions?

    1. John

      Contact your IT department and ask them to do it? You might need to log it as a support call, depending on how your service desk operates, or you might get someone nice, who will just do it!

  31. Dave

    Paul,

    I would like to grant our HR department full mailbox access to all mailboxes in every database on our Exchange 2013 server. They had the same rights in our Exchange 2007 server. They need this access so they can check email for employees that are suspicious of using work email for too much personal email, but mostly so they can open the employee’s mailbox via OWA and set/update out of office messages. I used to use the following command in 2007, it works in 2013 but when I create a new mailbox, the full mailbox rights are not inherited to the new mailbox for the HR user.

    Get-Mailboxdatabase –identity database>” | add-adpermission –user -accessrights genericall

    Am I missing something?

    Thanks,

    Dave

  32. Gaurav

    Hi Paul,

    Thanks for all the wonderful articles that you share with us 😀

    I’m running into a problem and would appreciate any and all the help that i can get 🙂

    I’m trying to remove ‘Full Access’ permissions of all the previous administrators from our Exchange 2010 mailboxes. After reading multiple articles, I’ve come up with a command which is:

    Get-Mailbox | Remove-MailboxPermission -User XYZ -AccessRights Fullaccess -InheritanceType all

    To test this command, I modified it to remove the permissions from one particular mailbox and the command that I executes was:

    Remove-MailboxPermission -Identity “ABC” -User XYZ -AccessRights Fullaccess -InheritanceType all

    When I executed this command, I received a warning in exchange shell. The warning was:

    WARNING: An inherited access control entry has been specified: [Rights: CreateChild, ControlType: Allow] and was ignored on object “CN=ABC 1,OU=Test Users & Computers,DC=123,DC=456,DC=com”.

    I waited for over 45 minutes for the command to take effect but nothing happened. Can you please tell me what’s missing from my commands?

    Regards,
    Gaurav

  33. T

    Hi, I’ve got access to a shared email at work that a few people access and use… When they reply it comes from that shared email address and not their personal email, but mine comes through with my personal email, making customers come directly to me and doubling my workload. How do I set up Outlook to send it with the shared email like everyone else does?

  34. one

    thanks bro, it’s very helpful

  35. Sun Sopheary

    I know that it is a wrong topic to be asked here. But I don’t know where to post my question for your help. I was wondering why my MS Outlook 2013 could not display “Online archive”? the version of my office is 2013 professional plus and I already enabled archive from exchange 2013 for that mailbox. The archive mailbox is displayed when i use OWA. Please help and thank you in advance.

  36. Tim Kuhnell

    Thanks, Paul. If I want to add the group members individually in one command, how do I do? This does not work:

    [PS] C:\Windows\system32>get-adgroupmember groupname|add-mailboxpermission sharedmbx@dom.com -accessrights fullaccess -confirm:$False

  37. Tim Kuhnell

    Paul,

    Would assigning permissions for a distribution group to a user mailbox make the mailbox show up in the dist-group members’ mailboxes – or must the mailbox be added in Outlook for each member of the group?

    Regards,

    Tim

  38. Michael

    Hi Paul,

    In a multitenant exchange 2013 environment that contains different domain addresses. Some of the user with a specific domain exemple.com needs to disable auto-mapping feature but other domain users don’t need to stop this.
    Can this be done for a specific domain? If yes, what are the Exchange commands for this process?
    Thank you.

    Regards,
    Michael

      1. Michael

        I am trying to disable the auto-mapping on only one domain in a multi-tenant environment.

  39. frederic Roblin

    Hello Mister Cunningham, Thanks a lot for all you do for us !
    I have a question about “full access mailbox rights and automapping”
    I have a mailbox and I gave a user full access rights to it with automapping $false. When this user connects to this mailbox in an OWA session, he can send email (like Send As) without us having given him the right to do that. (AD 2008R2 and Exchange 2013 CU2)
    Have you ever met this case ?
    thank you for your help
    Frederic Roblin

    1. Herydis

      The -AutoMapping:$false parameter does not remove the Full Access permission on the mailbox. Check the mailbox permissions with the cmdlet Get-MailboxPermission | fl .
      If you don’t need the user to have permissions on that mailbox, you have to remove the mailbox permissions.

  40. Calvin

    if i grant access to a user who is no longer with the company, how do i access it on Outlook 2011? I go to add account and delegate, but the user does not show up since they are no longer with the company and account is disabled.

  41. Rocky

    How would I add full access mailbox rights (open, export, import mailboxes) for all mailboxes in a database or the entire organization to a user or group?

    1. Paul Cunningham

      This sort of permanent, blanket permission is a terrible idea from a security and auditing point of view and I don’t recommend doing it.

      Permissions can be set at database level and inherit to all mailboxes in that database.

      Import/export rights are assigned using RBAC.

      1. Zeidan

        Permissions can be set at database level and inherit to all mailboxes in that database.

        How ?
