Applies to: Exchange Server 2007
Topic Last Modified: 2007-06-11

Use the Add-ADPermission cmdlet to add permissions to an Active Directory directory service object.

Syntax


`Add-ADPermission -Identity <ADRawEntryIdParameter> -User <SecurityPrincipalIdParameter> [-AccessRights <ActiveDirectoryRights[]>] [-ChildObjectTypes <ADSchemaObjectIdParameter[]>] [-Deny <SwitchParameter>] [-DomainController <Fqdn>] [-ExtendedRights <ExtendedRightIdParameter[]>] [-InheritanceType <None \| All \| Descendents \| SelfAndChildren \| Children>] [-InheritedObjectType <ADSchemaObjectIdParameter>] [-Properties <ADSchemaObjectIdParameter[]>]`

Add-ADPermission -Identity <ADRawEntryIdParameter>
-User <SecurityPrincipalIdParameter> [-AccessRights
<ActiveDirectoryRights[]>] [-ChildObjectTypes
<ADSchemaObjectIdParameter[]>] [-Deny
<SwitchParameter>] [-DomainController <Fqdn>]
[-ExtendedRights <ExtendedRightIdParameter[]>]
[-InheritanceType <None | All | Descendents | SelfAndChildren |
Children>] [-InheritedObjectType
<ADSchemaObjectIdParameter>] [-Properties
<ADSchemaObjectIdParameter[]>]


`Add-ADPermission -Identity <ADRawEntryIdParameter> -Owner <SecurityPrincipalIdParameter> [-DomainController <Fqdn>]`


`Add-ADPermission [-Identity <ADRawEntryIdParameter>] -Instance <ADAcePresentationObject> [-AccessRights <ActiveDirectoryRights[]>] [-ChildObjectTypes <ADSchemaObjectIdParameter[]>] [-Deny <SwitchParameter>] [-DomainController <Fqdn>] [-ExtendedRights <ExtendedRightIdParameter[]>] [-InheritanceType <None \| All \| Descendents \| SelfAndChildren \| Children>] [-InheritedObjectType <ADSchemaObjectIdParameter>] [-Properties <ADSchemaObjectIdParameter[]>] [-User <SecurityPrincipalIdParameter>]`

Add-ADPermission [-Identity
<ADRawEntryIdParameter>] -Instance
<ADAcePresentationObject> [-AccessRights
<ActiveDirectoryRights[]>] [-ChildObjectTypes
<ADSchemaObjectIdParameter[]>] [-Deny
<SwitchParameter>] [-DomainController <Fqdn>]
[-ExtendedRights <ExtendedRightIdParameter[]>]
[-InheritanceType <None | All | Descendents | SelfAndChildren |
Children>] [-InheritedObjectType
<ADSchemaObjectIdParameter>] [-Properties
<ADSchemaObjectIdParameter[]>] [-User
<SecurityPrincipalIdParameter>]

Parameters

Parameter

Required

Type

Description

Identity

Required

Microsoft.Exchange.Configuration.Tasks.ADRawEntryIdParameter

The Identity parameter specifies the identity of the object that is getting permissions added.

Note:
The Identity parameter requires the full name of the user in quotation marks.

Instance

Required

Microsoft.Exchange.Management.RecipientTasks.ADAcePresentationObject

The Instance parameter enables you to pass an entire object to the command to be processed. It is mainly used in scripts where an entire object must be passed to the command.

Owner

Required

Microsoft.Exchange.Configuration.Tasks.SecurityPrincipalIdParameter

The Owner parameter specifies the owner of the Active Directory object.

User

Required

Microsoft.Exchange.Configuration.Tasks.SecurityPrincipalIdParameter

The User parameter specifies the user mailbox that the permissions are being granted to on the other mailbox.

AccessRights

Optional

System.DirectoryServices.ActiveDirectoryRights[]

The AccessRights parameter specifies the rights needed to perform the operation. Valid values include:

CreateChild
DeleteChild
ListChildren
Self
ReadProperty
WriteProperty
DeleteTree
ListObject
ExtendedRight
Delete
ReadControl
GenericExecute
GenericWrite
GenericRead
WriteDacl
WriteOwner
GenericAll
Synchronize
AccessSystemSecurity

ChildObjectTypes

Optional

Microsoft.Exchange.Configuration.Tasks.ADSchemaObjectIdParameter[]

The ChildObjectTypes parameter specifies what type of object the permission is with.

Deny

Optional

System.Management.Automation.SwitchParameter

The Deny parameter denies permissions to the user on the Active Directory object.

DomainController

Optional

Microsoft.Exchange.Data.Fqdn

To specify the fully qualified domain name (FQDN) of the domain controller that retrieves data from Active Directory, include the DomainController parameter in the command.

ExtendedRights

Optional

Microsoft.Exchange.Configuration.Tasks.ExtendedRightIdParameter[]

The ExtendedRights parameter specifies the extended rights needed to perform the operation. Valid values include:

Send-As
Receive-As
View Information Store status

InheritanceType

Optional

System.DirectoryServices.ActiveDirectorySecurityInheritance

The InheritanceType parameter specifies whether permissions are inherited.

InheritedObjectType

Optional

Microsoft.Exchange.Configuration.Tasks.ADSchemaObjectIdParameter

The InheritedObjectType parameter specifies what kind of object inherits this ACE.

Properties

Optional

Microsoft.Exchange.Configuration.Tasks.ADSchemaObjectIdParameter[]

The Properties parameter specifies what properties the object contains.

Detailed Description

The Add-ADPermission cmdlet grants permissions to an Active Directory object, for example, modifying an access control entry (ACE) on a server object.

To run the Add-ADPermission cmdlet, the account you use must be delegated the following:

Exchange Recipient Administrator role
Account Operator role for the applicable Active Directory containers

For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.

For more information about extended rights, see Permissions.

Input Types

Return Types

Errors

Error	Description

Exceptions

Exceptions	Description

Example

This example will grant send as permissions for Ted Bremer to Ellen Adam's mailbox.

Note:
The Identity parameter requires the full name of the user in quotation marks.

	Copy Code
Add-ADPermission -Identity "Ellen Adams" -User TedBrem -AccessRights extendedright -ExtendedRights "send as"