The ms-Exch-Store-Admin permission

In last week's blog post, Exchange 2010 Gotcha  - #1, I use the Add-AdPermission PowerShell cmdlet to add a set of permissions to each mailbox database. One of those permissions was the ms-Exch-Store-Admin permission.

If you've ever installed any BlackBerry software before, or ever installed Cisco's Unity line of products before, you've seen this permission mentioned. This permission was introduced in Exchange 2000 and provides the capability of "administering an information store". That's a pretty non-specific permission, but that's really all the available Microsoft documentation says about it. See, for example, here.

It's worthwhile to note that, by itself, this permission does little. But when combined with the View-Only Organization Management permission (for example) and the Send-As permission, it allows a grantee the capability of doing a Send-As for any user within an information store for which they have that right - without knowing the password of the user who owns the mailbox. When combined with the Modify Permission permission, it allows the grantee to change Full Control assignments for a given mailbox, etc. When combined with the Server Administrator permission, it allows the grantee the capability of mounting and dismounting databases, moving mailboxes, etc.

That is, the ms-Exch-Store-Admin permission has some pretty hefty powers and should not be granted lightly.

Unfortunately, there is no available public documentation that fully defines this permission and/or what capabilities it may allow. Suffice it to say that you should carefully consider whether granting this permission is an appropriate choice for any arbitrary user account or group. The answer is "probably not".

Thanks to Ross Smith, IV and Bill Long for answering a question of mine that led to this post.

Until next time...

If there are things you would like to see written about, please let me know.

Published Wednesday, April 07, 2010 2:12 PM by michael
Filed under: ,

Comments

Friday, April 09, 2010 8:01 AM by Active Directory News 4/9/2010 - The Experts Community

# Active Directory News 4/9/2010 - The Experts Community

Pingback from  Active Directory News 4/9/2010 - The Experts Community