Quest agents keep failing with errors, and the log indicates that the account used does not have sufficient permissions to log on to the mailbox. What is the best way to set the permissions correctly?
The best approach when configuring the service account would be:
1. In Active Directory, remove the account from all groups, especially from Domain Admins and from Enterprise Admins, as these groups are denied the Send As / Receive As rights by default.
2. Use ADSI Edit or the Exchange System Manager GUI and add permissions for the service account explicitly.
The Quick Start Guide for EMW and QMM has the following instructions:
Access to Exchange 2000/2003 Mailboxes
The Exchange Migration Wizard administrative account should have the Full Mailbox Access right in the Exchange 2003 organization, including the Send As and Receive As permissions. Note that by default you are not allowed to modify security on the organization object, and the Security tab is not displayed. To force the display of the Security tab on the organization, you must modify the Registry as described below.
Incorrect changes to the registry cannot be undone and may cause serious problems with the operating system. We recommend that only advanced users modify the registry. If you do not want to modify the Registry, you can grant the account access to every single server of the target organization.
To grant the account the required permissions on the target organization, do the following:
1. Click Run on the Start Menu and type regedit to start Registry Editor.
2. Locate the following registry key on the local machine: HKEY_CURRENT_USER\Software\Microsoft\Exchange\ExAdmin.
3. On the Edit menu, click Add Value, and then add the following registry value:
Value Name: ShowSecurityPage
Data Type: REG_DWORD
Value: 1
4. Quit Registry Editor. This change takes effect immediately; you do not need to restart Exchange System Manager if it is running. This change only affects the currently logged on user.
5. In Exchange 2003 System Manager, right-click the organization and click Properties.
6. On the Security tab, click Add and add the administrative account (in our case, EMW).
7. Give the account the Full Control right on the organization, including the Send As and the Receive As rights.
Access to Exchange 2007 Mailboxes
The EMW / QMM administrative account should have the Full Mailbox Access permission in the Exchange 2007 organization, including the Send As and Receive As permissions.
To grant the account the required permissions for the target organization, do the following:
1. From the Start menu, select Run... and in the Run dialog type ADSIEdit.msc. Click OK.
ADSIEdit utility is a part of the Windows 2000/2003 Support Tools. To install the Support Tools run the Support\Tools\Suptools.msi file located on the Windows 2000/2003 CD.
2. In the ADSIEdit snap-in, browse to the DC=<...>, CN=Configuration, CN=Services, CN=Microsoft Exchange, CN=<Exchange Organization Name>, CN=Administrative Groups container.
3. For the (FYDIBOHF23SPDLT) administrative group, complete the following steps:
-Open the CN=Exchange Administrative Group (FYDIBOHF23SPDLT), CN=Servers container.
-For each Exchange server in this container involved in migration, complete the following steps:
   -Right-click the server object and select Properties.
   -In the Properties dialog, switch to the Security tab.
   -In the Security tab, click Advanced.
   -In the Advanced Security Settings dialog, click Add...
   -In the Select User, Computer or Group dialog, select the administrative account and click OK.
   -In the Permissions Entry for... dialog, make sure This object and all child objects option is selected in the Apply to: list-box.
   -Allow Full Control permission for the administrative account including Send As and Receive As permissions.
   -Close the dialogs by clicking OK.
The following PowerShell commands will properly permission all mailboxes and message stores.
Get-Mailbox | Add-MailboxPermission -User <DOMAIN\name> -AccessRights FullAccess -InheritanceType All
Get-MailboxDatabase | Add-ADPermission -User <DOMAIN\name> -AccessRights GenericAll -ExtendedRights Send-As,Receive-As
Should you wish to change only a specific mailbox:
Get-Mailbox -Identity <mailbox> | Add-MailboxPermission -User <DOMAIN\name> -AccessRights FullAccess -InheritanceType All
Or a specific mail store:
Get-MailboxDatabase <database name> | Add-ADPermission -User <DOMAIN\name> -AccessRights GenericAll -ExtendedRights Send-As,Receive-As
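To confirm that the grants above took effect and that no deny entry overrides them, the following check can be run in the Exchange Management Shell. It is an added example, not part of the Quest guide; DOMAIN\name is a placeholder for the service account, and the script only reads permissions.

```powershell
# Added example for the Exchange Management Shell (Exchange 2007).
# 'DOMAIN\name' is a placeholder for the migration service account.
$Account = 'DOMAIN\name'
$Rights  = 'Send-As', 'Receive-As'

foreach ($db in (Get-MailboxDatabase)) {
    $aces = @(Get-ADPermission -Identity $db.DistinguishedName)

    # Deny ACEs on these rights override any allow. The default denies for
    # Domain Admins and Enterprise Admins show up here, which is why the
    # account must not be a member of those groups.
    $aces | Where-Object { $_.Deny } | ForEach-Object {
        $ace = $_
        foreach ($r in $Rights) {
            if ($ace.ExtendedRights -like $r) {
                Write-Warning "$($db.Identity): DENY $r for $($ace.User)"
            }
        }
    }

    # Confirm the allow ACE the Add-ADPermission command should have created.
    foreach ($r in $Rights) {
        $ok = $aces | Where-Object {
            -not $_.Deny -and "$($_.User)" -eq $Account -and
            ($_.ExtendedRights -like $r)
        }
        if (-not $ok) { Write-Warning "$($db.Identity): no allow ACE for $r" }
    }
}

# Mailbox level. Get-Mailbox returns at most 1000 mailboxes unless
# -ResultSize Unlimited is given, so pass it when checking coverage.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx  = $_
    $full = Get-MailboxPermission -Identity $mbx.Identity -User $Account |
        Where-Object { -not $_.Deny -and ($_.AccessRights -like 'FullAccess') }
    if (-not $full) { Write-Warning "$($mbx.Identity): no FullAccess for $Account" }
}
```

DENY warnings that name a group matter only if the service account is a member of that group; "no allow ACE" and "no FullAccess" warnings mean the corresponding grant is missing for that database or mailbox.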
For Exchange 2007, you can also use this procedure:
1. From the Start menu, select Run... and in the Run dialog type ADSIEdit.msc. Click OK.
ADSIEdit utility is a part of the Windows 2000/2003 Support Tools. To install the Support Tools run the Support\Tools\Suptools.msi file located on the Windows 2000/2003 CD.
2. In the ADSIEdit snap-in, browse to the CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<...>,DC=<...> container.
-Right-click the server object and select Properties.
-In the Properties dialog, switch to the Security tab.
-In the Security tab, click Advanced.
-In the Advanced Security Settings dialog, click Add...
-In the Select User, Computer or Group dialog, select the administrative account and click OK.
-In the Permissions Entry for... dialog, make sure This object and all child objects option is selected in the Apply onto: list-box.
-Allow Full Control permission for the administrative account.
-Close the dialogs by clicking OK.