Solved

Security settings overwritten by AD

Posted on 2006-10-31
Last Modified: 2008-02-01

Hi
I have an issue which I have seen before but I just can't figure out how to fix it.

BASELINE
SBS2003 SP1 Exchange SP2 with IMF configured. Multiple email domains configured in Recipient Policy, e.g. abc.com, def.com and ghi.com. SMTP delivery, A and MX records all configured on hosting company site and ISP delivering mail fine.
User John had a logon account fully configured in AD with the primary SMTP mail address of abc.com
Two more accounts were created, john1 and john2 that had the respective def.com and ghi.com email address allocated to them.
In the security tab of john1 and john2, the original login account john was given full rights and within Outlook 2003 SP2 the FROM line was being used fine to send emails from abc.com, def.com and ghi.com
When John received emails they all went to his one Inbox and we could see which email account the external user had sent them through to: either as john, john1 or john2
Up until a week ago the following configurations were in place and working beautifully

CHANGE RESULTING in NON multi domain email SENDING ability
Installed Exchange SP2 and further released hotfixes. Configured IMF that now traps about 100Mb worth of SPAM weekly on all three domains - abc, def, ghi.
The security settings defined in the accounts john1 and john2 have disappeared and seem to have reverted back to an AD standard which includes a completely different user!
And so now John cannot send emails from any of the multi domains other than the primary one configured for his original logon account. He can continue to receive all emails from all domains but when he replies and attempts to use the FROM field it results in an NDR unless he uses his primary SMTP

WORK DONE TO RESOLVE
I have given john full control on accounts john1 and john2 but it doesn't stay. After an hour my settings disappear and revert back to the standard.
Instead of applying Full Control, I have attempted to go into Advanced and just give Send as Permissions but this doesn't stay.
In john1 and john2 account when I go to the Security tab - Advanced - Effective Permissions and type in John, the effective permissions confirms that John does not have Full Control or Send As permissions.
I have seen this behaviour before and I believe a change is done in adsiedit.msc to ensure that the security settings stay in place but I am not sure. I once saw a Microsoft guy fix it in dsadmin through the command prompt but have no idea of the syntax. I may be wrong on the solution.

Help on this would be very much appreciated. I don't post many questions but on this one I'm stumped and my client is suffering as he cannot send emails from the other domains.

There are 5 users on site so I have the standard CAL that comes with SBS2003. I didn't suffer any CAL issues when I created the extra accounts john1 and john2 for mail delivery as no one was actually logging in with those identities, although as a side question it would be nice to know whether I have 'device' or 'user' CALs installed.

500 pointer - for urgency and effective fix.

Kind Regards
Robin
Question by:RobKanj
Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 500 total points
ID: 17847216
It's a rather complicated issue... but essentially SP2 changed the way the "Send as.." permissions are handled by shared resources.

You'll find a complete description and the solution here:  http://support.microsoft.com/kb/912918

Jeff
TechSoEasy