Solved

Cannot remove deny access to mailbox rights.

Posted on 2008-10-23
Last Modified: 2012-05-05
I have an Exchange 2003 server. I am trying to get rights to terminated user mailboxes in order to export to PST. The rights for Full Mailbox Access are grayed out. I have tried the Delegate Control wizard, etc. to no avail. I do get messages that I need to be in the local machine's administrators group. One thing to mention, whoever set up this server prior to me made the Exchange box a DC. How do I get myself to be a local admin? Not sure how to deal with this one.

Thanks
Question by:BHForum
8 Comments
 
LVL 7

Expert Comment

by:firemanf29
ID: 22789003
You'll need to be a domain admin. Then make sure your account is an Exchange Full Administrator. Grant your account Full and Read permission on each mailbox in question. http://www.petri.co.il/grant_full_mailbox_rights_on_exchange_2000_2003.htm
0
 

Author Comment

by:BHForum
ID: 22789093
The domain administrator account already has Exchange Full Administrator rights. I go into ADUC to change permissions, but cannot. I have tried with my own account to remove in order to add again with full permissions, but cannot due to inherited rights. How can I remove the inherited rights in order to remove myself and re-add?
0
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 22790026
"I have an Exchange 2003 server. I am trying to get rights to terminated user mailboxes in order to export to PST. The rights for Full Mailbox Access are grayed out. I have tried the Delegate Control wizard, etc. to no avail. I do get messages that I need to be in the local machine's administrators group. One thing to mention, whoever set up this server prior to me made the Exchange box a DC. How do I get myself to be a local admin? Not sure how to deal with this one."

Question 1) How many users are there whose mailboxes need to be emptied to PST?
Question 2) If you are a domain admin and this is a DC - open gpedit.msc and follow the picture given below.
Question 3) What you are trying to achieve using Full Mailbox Access - is the wrong method, to work with ExMerge you need to give yourself Send As and Receive As rights on the store NOT on the mailbox.

Suggestion: If your answer to question 1 is less than 5 - why not associate those mailboxes with normal dummy user accounts (who do not have mailboxes) - open their mailbox in OL - take out PST - why such a big hassle?
GPEDIT.bmp
0
 

Author Comment

by:BHForum
ID: 22791901
Exchange_Geek: Your final solution was what I was trying to get to. I was trying to set it up to allow my account to open the email and export to PST, but it wouldn't allow me to remove the "deny". I have a dummy account set up, but was also trying to figure out and resolve why I was unable to have any administrator accounts change this access. With regards to your picture above, that would allow me to log on locally...but does not necessarily add to the local administrators group, does it? I can award the points as this is a workaround, but would like to try to find out why domain administrator accounts are unable to modify this attribute.

Thanks.
0
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 22792096
Is this deny being explicitly given at the store level or do you see it greyed out - since if at the store you see this greyed out - by default from Microsoft Exchange organization container this permission gets inherited, so if you are so persistent to remove it - uncheck inheritance and remove it.

I gave this picture thinking your Exchange is on a DC. And yes giving rights at this point does give you log on locally rights on DC.

Thanks for asking these questions, I'm glad to clear my thoughts on my earlier views.
0
 

Author Comment

by:BHForum
ID: 22813724
Okay, I have logged in as the dummy account and cannot open the default folders for the accounts in question.

For the domain\administrator account: Within the System Manager, everything shows that full rights are there, inheritance is off. In ADUC, the deny is checked and grayed out for Full Mailbox Access.

For the dummy account: Within the System Manager AND ADUC, everything shows that full rights are there. Still unable to open default folders.

Domain Administrators group was already given Log On Locally rights as a domain controller GPO.

I am stumped.

0
 
LVL 33

Accepted Solution

by:
Exchange_Geek earned 500 total points
ID: 22814056
I can help you better but please make me understand what this line means.

"Okay, I have logged in as the dummy account and cannot open the default folders for the accounts in question."

Which folders are you trying to expand - using OL / ExMerge / Exchange System Manager?

Let me get some things clear about the troubleshooting step.

1) You ONLY need Send As and Receive As rights on the security tab of the mailbox store

2) Once given please please please allow AD to replicate this on to every mailbox (users in AD) and 2 hrs for mailbox cache to get cleared.

3) If time is given properly to replicate - you should be able to open any one mailbox (choose a mailbox which has an enabled user account) in Outlook. Choose File - Open - Other User's Folder - choose the mailbox and its inbox / calendar / etc.

4) The reason why the log on locally permission was given (since I had assumed Exchange was on DC)

Please check if the above steps help you.
0
 

Author Comment

by:BHForum
ID: 22814262
Sorry about that.

Dummy account = An account set up just to get into the mailboxes. The reason I set this up is because my own account and the domain\administrator account cannot access the mailboxes. The default mail folders are the folders that could not be accessed when opening up Outlook and trying to access the mailboxes in question (which, by the way, are now opening, as I did not allow sufficient time for the permissions to replicate). I will accept this as the resolution. Still unsure of why I cannot get the deny Full Mailbox Access off within the AD account, but as long as I have a workaround, everything looks appropriate for accounts moving forward.

Thanks Exchange_Geek

0
