Ontrack (formerly Kroll) PowerControls Mailbox Permissions
What is causing rights issues copying mailboxes in PowerControls?
All versions of PowerControls for Exchange.
Symptoms / Description
Unable to live-connect to a mailbox, and/or a MAPI_E_FAILONEPROVIDER error. When the "Connect to all mailboxes on a server" option is used, PowerControls reports "Connection to Mailbox <mailbox name> Failed". Mailboxes show a red circle with a white line in the interface.
Option 1 (recommended): Create a user with the correct permissions to write to mailboxes.
- Log in to your Exchange server using an Exchange Administrator account.
- Open a command prompt.
- Run WHOAMI to verify which account you are logged in as.
- Run this in Exchange PowerShell:
Get-Mailbox | Add-MailboxPermission -User "account-returned-by-WHOAMI" -AccessRights fullaccess -InheritanceType all -Automapping $false
(Replace "account-returned-by-WHOAMI" with the actual account name, omitting quotation marks.)
Note: Adding permissions at the group level isn't enough; permissions must be granted directly to the user account using this process. For any new users added in Exchange, permissions should be granted by following these instructions.
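Because the grant has to be repeated for mailboxes created later, it helps to apply it only where it is missing and to review what the account can open. The script below is an added example, not part of the original article or of Ontrack's tooling; the account name and function names are hypothetical, and it assumes it is run in the Exchange Management Shell.

```powershell
# Added example. Replace the placeholder with the account returned by WHOAMI.
$RecoveryAccount = 'DOMAIN\recovery-account'   # hypothetical placeholder

function Test-DirectFullAccess {
    param($Mailbox, [string]$User)
    # Look for an allow entry naming this user that is set on the mailbox itself.
    # Inherited and deny entries are ignored (a choice made for this example).
    $entries = Get-MailboxPermission -Identity $Mailbox.Identity -User $User -ErrorAction SilentlyContinue
    [bool]($entries | Where-Object {
        -not $_.IsInherited -and -not $_.Deny -and ("$($_.AccessRights)" -match 'FullAccess')
    })
}

function Grant-MissingFullAccess {
    param([string]$User)
    $all = @(Get-Mailbox -ResultSize Unlimited)
    $missing = @($all | Where-Object { -not (Test-DirectFullAccess -Mailbox $_ -User $User) })
    Write-Host ("{0} of {1} mailboxes have no direct FullAccess entry for {2}" -f $missing.Count, $all.Count, $User)
    foreach ($mbx in $missing) {
        # Same grant as the one-line command above, applied per mailbox.
        Add-MailboxPermission -Identity $mbx.Identity -User $User -AccessRights FullAccess `
            -InheritanceType All -AutoMapping $false | Out-Null
    }
}

function Get-FullAccessReport {
    param([string]$User)
    # List every mailbox the account can currently open, for review or change records.
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { Test-DirectFullAccess -Mailbox $_ -User $User } |
        Select-Object Name, PrimarySmtpAddress
}

function Revoke-FullAccess {
    param([string]$User)
    # Removes the direct grant again, for example once recovery work is finished.
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { Test-DirectFullAccess -Mailbox $_ -User $User } |
        ForEach-Object {
            Remove-MailboxPermission -Identity $_.Identity -User $User -AccessRights FullAccess `
                -InheritanceType All -Confirm:$false
        }
}

Grant-MissingFullAccess -User $RecoveryAccount
Get-FullAccessReport -User $RecoveryAccount | Format-Table -AutoSize
# Revoke-FullAccess -User $RecoveryAccount   # run separately when access is no longer needed
```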
Option 2: Export the needed data to a PST file and provide it to the end user or load it via their logged-in session.
If you are unable to create the required user permissions for a new user as described in Option 1, simply use Ontrack for Exchange to export the needed recovery data to PST format. Provide this PST to the end user with instructions to mount it, or directly assist the user in mounting it through their logged-in session.
Option 3: Assign the domain admin read/write permissions to other users' mailboxes in Exchange.
It is possible inside Exchange to manually enable permissions for other users to access mailboxes explicitly, though be advised that doing so may be considered a severe security and/or privacy violation in most environments. Use this option with caution: it effectively grants an admin the ability to access another user's inbox, bypassing the security protections normally in place, potentially with limited or no auditing, and it could be a violation of security or privacy laws in your nation.
Because of the nature of these commands, if you are unable to use Option 1 or 2 above, contact Unitrends Support, who will discuss the nature of these commands with you. However, Unitrends Support will not provide direct assistance in running them or perform these modifications in your Exchange environment, and recommends against this option.
To write to a mailbox, Ontrack requires Outlook MAPI connectivity to compatible versions of Exchange and requires write permissions to the user mailbox. Although it is commonly assumed that Domain Admins have this right, they are in fact explicitly denied it on all mailboxes other than their own.