Unable to Grant Domain Local Groups Full Access Permission to a Exchange 2010 Mailbox using the GUI

John Doe is a user in your Active Directory environment (Windows Server 2008 R2 Forest Function Level) with a mailbox on the email server (Exchange Server 2010 with SP2):

You want to grant a domain local group named “Test Group” the full access permission to John Doe’s mailbox:

You attempt to grant this permission by selecting “Manage Full Access Permission” from the Exchange 2010 Management Console:

When you click add and search for the group, it doesn’t appear:

PowerShell to the Rescue! The only way I’ve figured out how to accomplish this (work-around for this issue) is to use the  “Exchange Management Shell” (PowerShell). In this scenario, use the following PowerShell script:

Even though the syntax uses the parameter name “-User”, you can specify a group name.

The full access permission for John Doe’s mailbox is now assigned to the “Test Group”:



  1. Alex Johnson

    Mike, do you accept guest blog posts?

    • Mike F Robbins

      Possibly, although I wouldn’t be able to provide any sort of monetary value for your blog article. If you’re still interested, connect to me on LinkedIn so I can verify you’re a technology professional and we’ll discuss further.

  2. WMY

    Hi Mike,

    first thanks for the work around , still dont understand why Microsoft didnt change it , because your are able to select domain local security groups when grant send-as permissions.
    But i got a small other issue with exchange 2010, i am using the domain local security group to set grant permissions to a shared mailbox. for a unknow reason the attribute msExchDelegateListLink of the shared mailbox does not get filled in. so users who are member of that group does not get the shared mailbox automatically in their outlook 2010. if i add the permissions per user the attribute get filledin within a few minutes and trhe users sees the shared mailbox in their outlook after 3 min.

    any help is greatley appriciated

  3. Kaptain Kirk

    After a while we came across a message board thread for Exchange 2007 that involved an ADSIEdit which worked for us on an Exchange 2010 system:

    1. Open ADSIEdit and browse to the group object

    2. Open the group object and find the attribute msExchRecipientDisplayType

    3. Open the attribute and clear the value

    You should then notice that the deny icon has disappeared. Those who are operating in cached mode in Outlook may need to update and download the offline address book


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: