Can’t grant "full access" or "send as" permissions to an object by using Remote PowerShell in Office 365 dedicated/ITAR

Symptoms

When you try to grant "full access" or "send as" permissions to an object by using Remote PowerShell in Office 365 dedicated/ITAR, the operation is unsuccessful. The "full access" and "send as" permissions do not list the correct mailbox permissions.

Cause

The Office 365 dedicated/ITAR Exchange environment is a dedicated Microsoft Exchange environment (also known as a resource forest). In this configuration, the enabled user from the customer source forest is associated with a mailbox that's attached to a disabled user in the managed forest. If the security object from the customer source forest is not granted permissions explicitly, the permissions do not work as expected.

Resolution

When you grant permissions by using Remote PowerShell in the Office 365 dedicated/ITAR managed environment, you should use the Domain\SamAccountName format to specify the enabled user to be granted the permissions. For example:

Add-MailboxPermission kirk -AccessRights fullaccess -User  DomainName \ UserName 
This command will grant the enabled user from the customer source forest the appropriate permissions.

If the user exists in a managed environment, you can typically identify his or her Domain\SamAccountName information by looking at the LinkedMasterAccount field that's displayed when you run the Get-Mailbox cmdlet. For example:

Get-Mailbox  UserName | ft LinkedMasterAccount
LinkedMasterAccount : DomainName \ UserName

Note Tools such as Customer Management Portal (CMP) and Exchange Admin Center (EAC) automatically grant permissions for an enabled user object that's linked to a managed object.
プロパティ

文書番号:2958853 - 最終更新日: 2016/03/10 - リビジョン: 1

フィードバック