Problem moving mailbox 'You do not have permission to log on'

Posted on 2006-11-14
Last Modified: 2008-01-09
I moved a test mailbox from one exchange 2K server to another and now I am having problems opening the new mailbox. I can open the mailbox with outlook if I login as the owner of the mailbox, but what I am unable to do (but was before the move) is login as a domain admin and open that same mailbox. The error I get when I try to open the mail box is 'you do not have permission to log on'. But the domain admin account I am using has full access to the mailbox in question.

Is this behavior typical, and shouldn't I be able to access the mailbox if I am logged in as an admin with mailbox rights?

Thanks is Advance
Question by:gbarcalow
  • 2
  • 2
LVL 39

Accepted Solution

redseatechnologies earned 250 total points
ID: 17941991
Hi gbarcalow,

This is somewhat typical (my Exchange 2000 knowledge is fading fast).

I know Exchange 2003 is like this, and vaguely remember 2000 to be the same;

If you want full admin access, follow this ->

Just reading that article again, it states that 2000 was also this way by default

Hope that helps,


Author Comment

ID: 17942167
Well that was interesting. Why would the access for domain admins be granted by default on the original server?

Assisted Solution

lollygagr earned 50 total points
ID: 17942174
Only one caveat about the article referenced above - the first two procedures will work great, but the third one (applying perms at the server level) has a big "gotcha".  It will work at first, but as you make moves and changes to mailboxes and stores, you will find that the inherited rights will mysteriously stop working on a growing number of mailboxes.  This is due to the fact that Exchange stores aren't Active Directory objects and don't inherit rights in the same way as accounts, groups, etc.  The only way to apply these rights and be sure new/moved mailboxes will inherit them consistently to work is to do it at the store level.

I found this one out the hard way a while back. :-)
LVL 39

Expert Comment

ID: 17942279
Someone would have made the changes initially on the existing server, which is why it was working, but now doesnt

By default, domain admins are explicitly denied access to users folders


Expert Comment

ID: 17944340
Actually that's a good example of the difference between Exchange permissions and Active Directory permissions.  The rule in AD is that deny entries in the ACL trump all other permissions.  The rule for Exchange objects like stores and mailboxes is that deny USUALLY trumps, EXCEPT when the deny is inherited and the allow permissions are explicitly defined at a lower level.  Active Directory and Exchange have to play in the same sandbox, but they don't play by the same rules.

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
how to add IIS SMTP to handle application/Scanner relays into office 365.

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now