Script Repository

Grant full mailbox access to user

February 24, 2021

The script checks whether a specific user has full access to the Exchange mailbox the script is executed on. If the user doesn't have the access, the script adds it.

To grant full access on demand, create a custom command that runs the script on a mailbox. To add the script to your command, use the Run a program or PowerShell script action. To update the permission on a regular basis, create a scheduled task.


  • $fullAccessUserDN - Specifies the Distinguished Name (DN) of the user who should have access to the mailbox.
Edit Remove
$fullAccessUserDN = "CN=John Smith,OU=Users,DC=Domain,DC=com" # TODO: modify me

# Get SID of full access user
$fullAccessUser = $Context.BindToObjectByDN($fullAccessUserDN)
$fullAccessUserSid = New-Object "Softerra.Adaxes.Adsi.Sid" @($fullAccessUser.Get("ObjectSid"), 0)

# Get mailbox parameters
$mailboxParams = $Context.TargetObject.GetMailParameters()

# Get full access trustees
$fullAccess = $mailboxParams.MailboxRights.GetTrusteesGrantedRights(

foreach ($object in $fullAccess)
    $sidString = $object.ObjectSid
    if ([System.String]::IsNullOrEmpty($sidString))
    elseIf ([Softerra.Adaxes.Utils.WellKnownSecurityPrincipalInfo]::IsWellKnown($sidString))
    $sid = New-Object "Softerra.Adaxes.Adsi.Sid" $sidString
    if ($sid -eq $fullAccessUserSid)
        return # The user already has full access

# Grant full access
# Specify trustee
$objReference = New-Object "Softerra.Adaxes.Adsi.AdmObjectReference"
$objReference.ObjectDN = $fullAccessUserDN

# Specify permission
$permission = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxPermission"
$permission.Trustee = $objReference

# Append to existing permissions
$permissionModification = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxRightsModification"
$permissionModification.Operation = "ADS_PROPERTY_APPEND"
$permissionModification.Permission = $permission

# Update mailbox settings
$mailboxRights = $mailboxParams.MailboxRights
$mailboxParams.MailboxRights = $mailboxRights

# Save the changes
$Context.TargetObject.SetMailParameters($mailboxParams, "ADM_SET_EXCHANGE_PARAMS_FLAGS_NONE")
See Also: Check whether specific user account has full access to mailbox

Comments ( 0 )
No results found.
Leave a comment