Security settings overwritten by AD
Posted on 2006-10-31
I have an issue which I have seen before but I just can't figure out how to fix it.
SBS2003 SP1 Exchange SP2 with IMF configured. Multiple email domains configured in Recipient Policy, e.g. abc.com, def.com and ghi.com. SMTP delivery, A and MX records all configured on hosting company site and ISP delivering mail fine.
User John had a logon account fully configured in AD with the primary SMTP mail address of abc.com
Two more accounts were created, john1 and john2 that had the respective def.com and ghi.com email address allocated to them.
In the security tab of john1 and john2, the original login account john was given full rights and within Outlook 2003 SP2 the FROM line was being used fine to send emails from abc.com, def.com and ghi.com.
When John received emails they all went to his one Inbox and we could see which email account the external user had sent them through to: either as john, john1 or john2.
Up until a week ago the following configurations were in place and working beautifully.
CHANGE RESULTING in NON multi domain email SENDING ability
Installed Exchange SP2 and further released hotfixes. Configured IMF that now traps about 100Mb worth of SPAM weekly on all three domains - abc, def, ghi.
The security settings defined in the accounts john1 and john2 have disappeared and seem to have reverted back to an AD standard which includes a completely different user!
And so now John cannot send emails from any of the multi domains other than the primary one configured for his original logon account. He can continue to receive all emails from all domains but when he replies and attempts to use the FROM field it results in an NDR unless he uses his primary SMTP.
WORK DONE TO RESOLVE
I have given john full control on accounts john1 and john2 but it doesn't stay. After an hour my settings disappear and revert back to the standard.
Instead of applying Full Control, I have attempted to go into Advanced and just give Send as Permissions but this doesn't stay.
In john1 and john2 account when I go to the Security tab - Advanced - Effective Permissions and type in John, the effective permissions confirms that John does not have Full Control or Send As permissions.
I have seen this behaviour before and I believe a change is done in adsiedit.msc to ensure that the security settings stay in place but I am not sure. I once saw a Microsoft guy fix it in dsadmin through the command prompt but have no idea of the syntax. I may be wrong on the solution.
Help on this would be very much appreciated. I don't post many questions but on this one I'm stumped and my client is suffering as he cannot send emails from the other domains.
There are 5 users on site so I have the standard CAL that comes with SBS2003. I didn't suffer any CAL issues when I created the extra accounts john1 and john2 for mail delivery as no one was actually logging in with those identities, although as a side question it would be nice to know whether I have 'device' or 'user' CALs installed.
500 pointer - for urgency and effective fix.