Permissions Required for Search-Mailbox and DeleteContent

Recent versions of Exchange provide advanced functionality through the “Exchange Management Shell” (EMS) which is a special instance of Windows Powershell with added commands for Microsoft Exchange. This article is specific to Exchange 2013, but some of the principles may apply to other recent releases.

Microsoft has added special Role-Based Access Controls (RBAC) to management capabilities within Exchange. These controls restrict access to commands that might be an abuse of power or harmful when used improperly. These controls can be confusing because much of the functionality requires additional roles to be assigned for access. Out-of-box the default Organization Management group does not have full access to all management capabilities – this is by design to preserve the integrity of user data and the system configuration.

One important function that you might need is the ability to search for specific messages with the option to delete those if required by your organization policy compliance team. These capabilities are provided by the Search-Mailbox with the optional -DeleteContent parameter. Two permissions (roles) are required within Exchange for this functionality.

  • The “Search-Mailbox” cmdlet is only available to users with the Exchange role “Mailbox Search”. By default this role is granted to all users of the Active Directory group “Discovery Management”
  • The “-DeleteContent” for Search-Mailbox is only available to users with the Exchange role “Mailbox Import Export”. There is no default group granted this role. You can assign it to individuals, or create a new Active Directory group for the role with a name like “MailboxImportExport”. Because of the risk to data, I recommend against assigning this role to any of the default Exchange Role-Groups. It is best to keep the users assigned to this role to a minimum.

Here are some sample Exchange Management Shell commands to view neccesary role assignments and grant these roles if needed.

# View users with access to the Search-Management cmdlet via the Discovery Management group
Get-ADGroupMember "Discovery Management"
# Add a user to the Discovery Management group, USE A REAL USERNAME!
Add-ADGroupMember "Discovery Management" "USERNAME"
# View users assigned the Mailbox Import Export role
Get-ManagementRoleAssignment -Role "Mailbox Import Export" -Delegating $false
# Assign the Mailbox Import Export role to a user, USE A REAL USERNAME!
New-ManagementRoleAssignment –Role "Mailbox Import Export" –User "USERNAME"

The new role assignments will NOT be active UNTIL the user logs off and then logs back on to the Exchange Server. These role memberships seem to be determined and cached for each login session – a clean logout and login will force a fresh load of user role membership. If changes have been made in a remote site, you may need to wait for your Active Directory replication interval to complete before the role memberships will be available to user sessions on the Exchange Servers within your site.

Note: In Exchange 2013, the “Organization Management” group is assigned the “Mailbox Import Export” role for Delegating ONLY. This means that members of the Organization Management group do not have access to use the -DeleteContent parameter but they can assign this role to users or groups as needed. The following Microsoft articles provide some more details on assigning the Mailbox Import Export role.

This post was inspired in part by “Exporting and Importing Mailboxes with Exchange Server 2010” (Markus Klein, Thanks to Markus for the excellent article.


About notesbytom

Keeping technology notes on to free up my mind to solve new problems rather than figuring out the same ones repeatedly :-).
This entry was posted in System Administration and tagged , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s