How to Grant Your Administrative Logon Account Temporary Rights to Read All Mailboxes in an Exchange Database


This topic explains how to grant your administrative logon account temporary rights to read all mailboxes in a Microsoft® Exchange Server 2003 database. Before you can insert data back into the original mailboxes, you must override the default administrative permissions denials on the target database.

By default, Microsoft Windows® accounts with administrative access are denied permission to read the content of ordinary Exchange mailboxes. For ExMerge to merge data with the original database, it must be able to open mailboxes in that database. Therefore, ExMerge cannot be used for this purpose by an administrator without first overriding the permissions denials. For more information, see Salvaging Data from the Recovery Storage Group in Exchange Server 2003.


To grant your administrative logon account temporary rights to read all mailboxes in an Exchange database

  1. Create a Windows Security Group, and name it something such as "Exchange Recovery Administrators".

  2. Add the Windows account you are using to run ExMerge to this group. This account should already be an Exchange administrator account and have local administrator permissions on the Exchange server(s) involved in the mailbox merge process.

  3. In Exchange System Manager, locate the target database and open its Properties dialog box. On the Security tab, add the Exchange Recovery Administrators group and grant this group Full Control permissions on the database.

    It may be necessary to wait up to 15 minutes for the permissions granted to take effect. Alternatively, you can reset cached permissions by stopping and restarting all Exchange services, the IIS Admin Service, and the Windows Management services. Because of this latency, you should grant necessary permissions as soon as you know you will need them, not just before you need to use them.


    As of this writing, only Receive As permission is essential for ExMerge to function properly with a database running in an ordinary storage group. You can therefore restrict the Exchange recovery administrators group to this permission rather than Full Control. If granting only Receive As permission does not work, you should then grant Full Control as an initial troubleshooting step.