
5/12/2010 3:30:57 PM

Add2Exchange Enterprise 365/Add2Outlook installation with reduced/modified permissions

For Add2Exchange Enterprise 2016 and O365, see the granular scripts below.

Many people want to "granularly" add permissions rather than run the Preinstaller, which gives the A2E service account permissions to the stores.  This may be necessary as part of HIPAA compliance.  Which permissions can you modify and "ratchet down"?

First of all, the Add2Exchange Service account is a powerful account, and its login and password should be highly guarded because of its permissions, whether or not you reduce them.  Even if the account is restricted in this way, the power it retains must still be protected.  In fact, much of this power is required for it to do the job it does, and there are some things we can't get around.

Why does the Add2Exchange Service account need to be part of the Built-in Administrators group?  It does not if you are using Outlook as the communication protocol.  It may not need to be if you grant separately the permissions you would otherwise gain by adding it to the group.  The Add2Exchange Service account is normally part of the local Administrators group of the machine it is installed on (to install software and run services) and, if using Outlook as the communication protocol, does not have to be part of the local Administrators group of any Exchange server it connects to or replicates to.  This is normally handled by being part of the Administrators group, but not the Domain Admins group.  This can be modified by granularly allowing the A2E Service account to log on to the replication server and to start and stop a service (interact with the operating system).  This is not necessary on the Exchange server(s) if using Outlook, but it is if using CDO.  TIP: Be careful assigning these kinds of permissions, because once they are specified, the default permissions no longer apply.  Be sure to add the other Administrator accounts and service accounts that enjoy these permissions "by default".

The second requirement is that you create a security group and add the service account to that group (Exchange 2003).  In Exchange 2007 and 2010, we use the Preinstaller command shell scripts, but again, this isn't necessary if using Outlook.  In the manual, we suggest adding the security group at the top of the store so it is easy to add other relationships, but you don't have to.  In 2007 and 2010, the script adds it to the top of the public folder and mailbox stores, but you can add it to individual mailboxes and public folders instead of to the entire store for administrative permissions.  For Exchange 2016 and Office 365, use Outlook.  In all environments, you must give the Service account Owner and Folder Contact on any public folders.

For granular access to users' mailboxes, connect to your domain with PowerShell.


To grant just default Calendar access, use the scripts below and change the service account name zadd2exchange to whatever service account you use to sync.  For Contact sync, replace Calendar with Contacts.  If a subfolder needs to be created, Add2Exchange will do it automatically if given Owner on the parent folder.


# Collect the mailboxes to open up. Note: without -ResultSize Unlimited, Get-Mailbox returns only the first 1000.
$mb = Get-Mailbox

# FolderVisible on the mailbox root lets the service account see the folder tree without reading items.
foreach ($m in $mb) { Add-MailboxFolderPermission -Identity $m.Identity -User zadd2exchange@Domain.com -AccessRights FolderVisible }

# Owner on the default Calendar only (use ":\Contacts" for Contact sync). Identity form is address:\Folder.
$fl2 = ":\Calendar"

foreach ($m in $mb) { Add-MailboxFolderPermission -Identity ([string]::Concat($m.PrimarySmtpAddress, $fl2)) -User zadd2exchange@Domain.com -AccessRights Owner }


Individual scripts


# One mailbox at a time: FolderVisible on the root, Owner on the default Calendar.
Add-MailboxFolderPermission -Identity user1@Domain.com -User zadd2exchange@Domain.com -AccessRights FolderVisible

Add-MailboxFolderPermission -Identity user1@Domain.com:\Calendar -User zadd2exchange@Domain.com -AccessRights Owner
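The bulk and individual scripts above fail on a rerun with an "already exists" error and give no record of what the service account ended up holding. The following script, added here as an example and not the Add2Exchange vendor's own code, does the same two grants (FolderVisible on the root, Owner on one default folder) for every user mailbox, but first checks the existing entry so a rerun is idempotent and a weaker existing grant is raised rather than duplicated, supports a dry run, and prints a per-mailbox report you can keep as a least-privilege audit trail. It assumes an open Exchange Management Shell or Exchange Online session; the service account address zadd2exchange@Domain.com comes from the post, and the $DryRun switch and Ensure-FolderRight function are this example's own names.

```powershell
# Added example, not the vendor's script. Grants the sync service account
# FolderVisible on each mailbox root and Owner on one default folder (Calendar
# or Contacts), skipping entries that already match, correcting ones that do
# not, and reporting the outcome per mailbox.
param(
    # Service account from the post; change to the account that runs the sync.
    [string]$ServiceAccount = 'zadd2exchange@Domain.com',
    # Default folder to open up: 'Calendar' or 'Contacts'. Non-English mailboxes
    # use localized default-folder names, so override this where needed.
    [string]$FolderName = 'Calendar',
    # Dry run: pass -WhatIf through to the Exchange cmdlets, change nothing.
    [switch]$DryRun
)

function Ensure-FolderRight {
    param([string]$Identity, [string]$User, [string]$Right)
    # Look up the existing entry first so a rerun does not fail with
    # "already exists" and a weaker existing grant gets raised, not duplicated.
    $existing = Get-MailboxFolderPermission -Identity $Identity -User $User -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-MailboxFolderPermission -Identity $Identity -User $User -AccessRights $Right -WhatIf:$DryRun | Out-Null
        return 'added'
    }
    $current = ($existing.AccessRights -join ',')
    if ($current -eq $Right) { return 'unchanged' }
    Set-MailboxFolderPermission -Identity $Identity -User $User -AccessRights $Right -WhatIf:$DryRun | Out-Null
    return "changed from $current"
}

# -ResultSize Unlimited matters: the default returns only the first 1000 mailboxes.
# Restricting to UserMailbox keeps shared/room/system mailboxes out of scope.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

$report = foreach ($m in $mailboxes) {
    $smtp = $m.PrimarySmtpAddress.ToString()
    try {
        # Root: visibility only. Folder: Owner, so Add2Exchange can create its subfolder.
        $rootResult   = Ensure-FolderRight -Identity $smtp -User $ServiceAccount -Right 'FolderVisible'
        $folderResult = Ensure-FolderRight -Identity "${smtp}:\$FolderName" -User $ServiceAccount -Right 'Owner'
        [pscustomobject]@{ Mailbox = $smtp; Root = $rootResult; Folder = $folderResult }
    } catch {
        # A mailbox without the named folder (or a permission error) is reported, not fatal.
        [pscustomobject]@{ Mailbox = $smtp; Root = 'error'; Folder = $_.Exception.Message }
    }
}

$report | Format-Table -AutoSize
```

Run it once with -DryRun to see which mailboxes would change, then again without it; the report doubles as a record of exactly which folders the service account can now reach, which is what a HIPAA reviewer will ask for. Running it again later with -DryRun is a cheap check that nobody has widened the grant since.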


As always, if advanced help is needed, we can handle this kind of granular permissions work as a "Level 5" Premier Support engagement, which is 4 hours that never expire until you use them.
