  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 640

Insufficient Permissions?

Environment is single Exch 5.5 server on Win2k member server in a win2k domain.

I am unable to change anything under my address book views. Any change gives the error: DS_E_INSUFFICIENT_ACCESS_RIGHTS.

If I check the properties of the address book view container I have the following permissions:

Inherited:
domain\service account = service account admin
domain\domain admins = permissions admin

Defined:
domain\domain users = search

I am logging on locally using the service account. The service account belongs to both the local & domain admin groups. I have complete access over all other objects in the directory.  

Any ideas what I could be missing? Any other way to change the settings?






0
Asked:
Storewebmaster1
2 Solutions
 
GUEEN Commented:
Do you belong to the 'Exchange Administrator' group?  You have to be a member of that group to get full perms.
0
 
GUEEN Commented:
That would be above and beyond being an administrator or domain administrator - you also have to be an Exchange administrator.
0
 
Storewebmaster1 Author Commented:
Both the domain administrator and exchange service account are members of the Exchange administrators group and still the same.  I have access to all other objects in the exchange administrator except the address book views.  I can view the settings for the address book views, but cannot change anything.
0

 
GUEEN Commented:
What service pack level? If you have SP4 then try this:

1. Backup Dir.edb

2. Stop exchange directory service. (We strongly recommend making offline backup of )

3. Rename DSAMain.exe file to DSAMain.old, and then paste DSAMain.exe file from Service Pack 3 into the same folder as the renamed DSAMain.

4. Restart exchange directory service.

5. Open Exchange Administrator and open top-level Address Book View and add service account. Give service account administrative permissions.

6. Stop exchange directory service again.

7. Delete SP3 version of DSAMain.exe, and then rename SP4 version of DSAMain.old back to DSAMain.exe

8. Restart MS Exchange services.

0
 
Storewebmaster1 Author Commented:
We are running SP4. I will try this at my first opportunity. We have only one Exchange server, so I need to get a chance outside of normal business hours to take the server offline.

As a temporary workaround to allow users to access the full GAL, I was able to give everyone search permissions on the site container. Not the most secure thing, but it works for now.
0
 
xanthras Commented:
I am having the same problem. The solution presented above did not change anything for me. Are there any other options?

I am running Exchange 5.5 SP4 on Winnt 4 SP6.
0
 
GUEEN Commented:
Are you able to login with the site service account or do you get the same errors with the SSA?
0
 
xanthras Commented:
I can log in with the service account.
I can change some things in Ex Admin but certain things I get this error on. Such as permission changes on some items, and changing the primary NT account for a mailbox. This server was inherited, I am not sure what they have done to it.

I have built an identical server just for testing purposes that I restored from backup on a test domain (the test domain is the same as the production domain, it was created with a BDC we took offline).

I am up to try anything on my test server. It is showing the same issues as the production server.
0
 
xanthras Commented:
I got it working. Looks like a previous Administrator changed the perms to admin. Rights for the service account need to be the following:

Have Full rights (Service Account Administrator rights) on the organization, site, and configuration objects in the Exchange Server directory database on each server.

I logged on as a Permissions Admin and made my changes.
0
 
jboub Commented:
Please note that SP4 for Exchange 5.5 changes the heuristic bit which affects the permission settings on the site, which affects the address book.
See article Q282184. Need to log into Exchange Admin as the Exchange account with /r for raw mode: exchsrvr\bin\admin.exe /r.
Once in, go to the address book and select raw properties. From there select "ALL" for attrib types, then select heuristic. Place a 1 in as the value.

Seems that the SP4 reversed the value.

Good luck
Jon Boub
0
