DSACLS syntax to restore Everyone permissions?


I can no longer see my mailbox in Exchange.  After much Googling I realised it's because I deleted or Denied the Everyone group from the Security tab.

So I am trying to restore it using DSACLS (ADSI Edit doesn't let me) but having trouble with the syntax:

dsacls "CN=Mailbox Store (SERVER),CN=First Storage Group,CN=InformationStore,CN=SBS2003,CN=Servers,CN=first administrative group,CN=Administrative Group,CN=DOMAIN,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DOMAIN,DC=local,DC=Everyone:GA"

Obviously I am replacing domain and server with their correct names.

But it keeps coming back with:
The specified domain either does not exist or could not be contacted.

Any ideas anyone?

Thanks, Brad.

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

How about?

dsacls "CN=Mailbox Store (SERVER),CN=First Storage Group,CN=InformationStore,CN=SBS2003,CN=Servers,CN=first administrative group,CN=Administrative Group,CN=DOMAIN,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DOMAIN,DC=local" /G Everyone:GA
bflackAuthor Commented:
Thanks but it now comes back with:

The format of the specified domain name is inavlid.

I won't give you the exact domain name but say it was acme.local, I am putting in:

dsacls "CN=Mailbox Store (SERVER),CN=First Storage Group,CN=InformationStore,CN=SBS2003,CN=Servers,CN=first administrative group,CN=Administrative Group,CN=ACME,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=acme,DC=local" /G Everyone:GA
The following just worked fine for me using a test domain;

DSACLS "CN=Mailbox Store (EX2K7DC1),CN=First Storage Group,CN=InformationSto
re,CN=EX2K7DC1,CN=Servers,CN=First Administrative Group,CN=Administrative Groups
,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=OTH
ERDOMAIN,DC=Internal" /G Everyone:GA

If you are still having problems, look at the value of the "DistinguishedName" attribute on the "CN=Mailbox Store" object using ADSIEdit.msc. Just copy that in to the DSACLS command and it should work.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

bflackAuthor Commented:
Can't actually get that attribute as it errors when I try to get the properties of CN=Mailbox Store (which is why I'm attepmting it throug DSALCS).

But I can over over it and see the distinguished name and I have put put it in exact as it is there.

Is there anything else I need to do - dismount the store, stop any services, logon as a different user etc?

Thanks, Brad.
What level of Administrator rights are you logged on with?

I was using an Enterprise Admin account in my test domain.
bflackAuthor Commented:
It has Domain and Enterprise Admin rights.
Hmmm I wonder if the tool can't see the object because the Everyone permission has been removed.

You could try running "domainprep" again. This resets permissions on Exchange related Active Directory objects.

Obviously make sure you have a backup of your AD before you do so :)
bflackAuthor Commented:
That would make sense but I thought that was the point of DSALCS; re-applying the permissions.

If I domain prep will that reset ALL permissions, not just on Exchange?  Ie on all shared folders etc - will I need to re-apply permissions on the mailboxes for every user?  What other implications are there?

It's an SBS box by the way, any other way of doing it?
If you are logged on using a Enterprise Administrator account and you still cannot view the object, then I would say that a "DomainPrep" command is the only way to go. You could try restoring the object from before the permission was removed, but I would try to "DomainPrep" command first.

The "DomainPrep" command will ONLY touch Exchange related objects in AD. It will not touch any shares or anything like that and, as far as I am aware, it doesn't remove any permissions. It just re-applies the default ones that were there the first time it was run.

I have had to run this command on my live domain some time ago because the RUS wasn't working properly. This didn't remove any of the custom permissions I had set anywhere.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.