Applies to: Exchange Server 2007
Topic Last Modified: 2007-06-11

Use the Add-ADPermission cmdlet to add permissions to an Active Directory directory service object.

Syntax

Add-ADPermission -Identity <ADRawEntryIdParameter> -User <SecurityPrincipalIdParameter> [-AccessRights <ActiveDirectoryRights[]>] [-ChildObjectTypes <ADSchemaObjectIdParameter[]>] [-Deny <SwitchParameter>] [-DomainController <Fqdn>] [-ExtendedRights <ExtendedRightIdParameter[]>] [-InheritanceType <None | All | Descendents | SelfAndChildren | Children>] [-InheritedObjectType <ADSchemaObjectIdParameter>] [-Properties <ADSchemaObjectIdParameter[]>]
Add-ADPermission -Identity <ADRawEntryIdParameter> -Owner <SecurityPrincipalIdParameter> [-DomainController <Fqdn>]
Add-ADPermission [-Identity <ADRawEntryIdParameter>] -Instance <ADAcePresentationObject> [-AccessRights <ActiveDirectoryRights[]>] [-ChildObjectTypes <ADSchemaObjectIdParameter[]>] [-Deny <SwitchParameter>] [-DomainController <Fqdn>] [-ExtendedRights <ExtendedRightIdParameter[]>] [-InheritanceType <None | All | Descendents | SelfAndChildren | Children>] [-InheritedObjectType <ADSchemaObjectIdParameter>] [-Properties <ADSchemaObjectIdParameter[]>] [-User <SecurityPrincipalIdParameter>]

Parameters

Parameter Required Type Description

Identity

Required

Microsoft.Exchange.Configuration.Tasks.ADRawEntryIdParameter

The Identity parameter specifies the identity of the object that is getting permissions added.

Note:
The Identity parameter requires the full name of the user in quotation marks.

Instance

Required

Microsoft.Exchange.Management.RecipientTasks.ADAcePresentationObject

The Instance parameter enables you to pass an entire object to the command to be processed. It is mainly used in scripts where an entire object must be passed to the command.

Owner

Required

Microsoft.Exchange.Configuration.Tasks.SecurityPrincipalIdParameter

The Owner parameter specifies the owner of the Active Directory object.

User

Required

Microsoft.Exchange.Configuration.Tasks.SecurityPrincipalIdParameter

The User parameter specifies the user mailbox that the permissions are being granted to on the other mailbox.

AccessRights

Optional

System.DirectoryServices.ActiveDirectoryRights[]

The AccessRights parameter specifies the rights needed to perform the operation. Valid values include:

  • CreateChild

  • DeleteChild

  • ListChildren

  • Self

  • ReadProperty

  • WriteProperty

  • DeleteTree

  • ListObject

  • ExtendedRight

  • Delete

  • ReadControl

  • GenericExecute

  • GenericWrite

  • GenericRead

  • WriteDacl

  • WriteOwner

  • GenericAll

  • Synchronize

  • AccessSystemSecurity

ChildObjectTypes

Optional

Microsoft.Exchange.Configuration.Tasks.ADSchemaObjectIdParameter[]

The ChildObjectTypes parameter specifies what type of object the permission is with.

Deny

Optional

System.Management.Automation.SwitchParameter

The Deny parameter denies permissions to the user on the Active Directory object.

DomainController

Optional

Microsoft.Exchange.Data.Fqdn

To specify the fully qualified domain name (FQDN) of the domain controller that retrieves data from Active Directory, include the DomainController parameter in the command.

ExtendedRights

Optional

Microsoft.Exchange.Configuration.Tasks.ExtendedRightIdParameter[]

The ExtendedRights parameter specifies the extended rights needed to perform the operation. Valid values include:

  • Send-As

  • Receive-As

  • View Information Store status

InheritanceType

Optional

System.DirectoryServices.ActiveDirectorySecurityInheritance

The InheritanceType parameter specifies whether permissions are inherited.

InheritedObjectType

Optional

Microsoft.Exchange.Configuration.Tasks.ADSchemaObjectIdParameter

The InheritedObjectType parameter specifies what kind of object inherits this ACE.

Properties

Optional

Microsoft.Exchange.Configuration.Tasks.ADSchemaObjectIdParameter[]

The Properties parameter specifies what properties the object contains.

Detailed Description

The Add-ADPermission cmdlet grants permissions to an Active Directory object, for example, modifying an access control entry (ACE) on a server object.

To run the Add-ADPermission cmdlet, the account you use must be delegated the following:

  • Exchange Recipient Administrator role

  • Account Operator role for the applicable Active Directory containers

For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.

For more information about extended rights, see Permissions.

Input Types

Return Types

Errors

Error Description

Exceptions

Exceptions Description

Example

This example will grant send as permissions for Ted Bremer to Ellen Adam's mailbox.

Note:
The Identity parameter requires the full name of the user in quotation marks.
Copy Code
Add-ADPermission -Identity "Ellen Adams" -User TedBrem -AccessRights extendedright -ExtendedRights "send as"