Manage Full Access Permissions

Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2012-11-12

Use the Manage Full Access Permission wizard to grant Full Access permissions to users or groups for a selected mailbox. You can also use this wizard to remove Full Access permissions from users or groups.

When you grant the Full Access permission to another user for a mailbox, that user becomes able to log on to the mailbox and access its entire contents.

Important:
In Microsoft Exchange Server 2010 Service Pack 1 (SP1), Outlook 2010 and Outlook 2007 clients automatically map to any mailbox to which a user has Full Access permissions. If a user is granted Full Access permissions to another user's mailbox or to a shared mailbox, Autodiscover automatically loads all mailboxes to which the user has full access. If the user has full access to a large number of mailboxes, performance issues may occur when starting Outlook. For example, in some Exchange organizations, administrators have full access to all the mailboxes in the organization. In this case, upon starting, Outlook tries to open all mailboxes in the organization. In Microsoft Exchange Server 2010, users can’t control this behavior and can’t turn it off. In Microsoft Exchange Server 2010 Service Pack 2 (SP2), administrators can turn off the auto-mapping feature. For more information, see the third Exchange Management Shell example in this topic or read Disable Outlook Auto-Mapping with Full Access Mailboxes.

Important:

In Microsoft Exchange Server 2010 Service Pack 1 (SP1), Outlook 2010 and Outlook 2007 clients automatically map to any mailbox to which a user has Full Access permissions. If a user is granted Full Access permissions to another user's mailbox or to a shared mailbox, Autodiscover automatically loads all mailboxes to which the user has full access. If the user has full access to a large number of mailboxes, performance issues may occur when starting Outlook. For example, in some Exchange organizations, administrators have full access to all the mailboxes in the organization. In this case, upon starting, Outlook tries to open all mailboxes in the organization.

In Microsoft Exchange Server 2010, users can’t control this behavior and can’t turn it off. In Microsoft Exchange Server 2010 Service Pack 2 (SP2), administrators can turn off the auto-mapping feature. For more information, see the third Exchange Management Shell example in this topic or read Disable Outlook Auto-Mapping with Full Access Mailboxes.

Granting Full Access permissions doesn't grant the right to send mail as the selected mailbox. To grant Send As permissions, see the following topics:

Looking for other management tasks related to mailbox permissions? Check out Permissions to Manage Mailbox Servers.

What Do You Want to Do?

Use the EMC to manage full access permissions for a mailbox
Use the Shell to manage full access permissions for a mailbox

Use the EMC to manage full access permissions for a mailbox

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Permissions and delegation" entry in the Mailbox Permissions topic.

In the console tree, click Recipient Configuration.
In the result pane, select a recipient. You can manage Full Access permissions for the following recipient types:
- Discovery mailboxes
- User mailboxes
- Resource mailboxes
In the action pane, click Manage Full Access Permission.

On the Manage Full Access Permission page, select the users or groups to which you want to grant the Full Access permission or from which you want to remove the permission. Select one of the following options:

Add Click this button to open the Select User or Group dialog box. Use this dialog box to select the users or groups to which you want to grant the Full Access permission.

Select a user or group, and then click this button to remove the Full Access permission from that user or group.

Important:
By default, every mailbox has the security principal NT AUTHORITY\SELF listed. This security principal represents the mailbox owner. If you revoke the Full Access permission from this security principal, the mailbox owner is no longer able to log on to the mailbox.

On the Completion page, verify whether the command was completed successfully.
- A status of Completed indicates that the wizard completed the task successfully.
- A status of Failed indicates that the task was not completed. If the task fails, review the summary for an explanation, and then click Back to make any configuration changes.
Click Finish close the wizard.

Use the Shell to manage full access permissions for a mailbox

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Permissions and delegation" entry in the Mailbox Permissions topic.

This example grants Raymond Sam Full Access permissions to Terry Adams’ mailbox.

	Copy Code
Add-MailboxPermission -Identity "Terry Adams" -User RaySam -AccessRights Fullaccess -InheritanceType all

This example removes Jim Hance’s Full Access permissions to Ayla Kol's mailbox.

	Copy Code
Remove-MailboxPermission -Identity Ayla -User 'JHance' -AccessRights FullAccess -InheritanceType All

This example grants Mark Steele Full Access permissions to Jeroen Cool’s mailbox and disables the auto-mapping feature.

	Copy Code
Add-MailboxPermission -Identity JeroenC -User 'Mark Steele' -AccessRights FullAccess -InheritanceType All -Automapping $false

For detailed syntax and parameter information, see Add-MailboxPermission.