  • Status: Solved

Cannot remove deny access to mailbox rights.

I have an Exchange 2003 server. I am trying to get rights to terminated user mailboxes in order to export to PST. The rights for Full Mailbox Access are grayed out. I have tried the Delegate Control wizard, etc. to no avail. I do get messages that I need to be in the local machine's administrators group. One thing to mention, whoever set up this server prior to me made the Exchange box a DC. How do I get myself to be a local admin? Not sure how to deal with this one.

Thanks
0
BHForum
1 Solution
 
firemanf29 Commented:
You'll need to be a domain admin. Then make sure your account is an Exchange Full Administrator. Grant your account Full and Read permission on each mailbox in question. http://www.petri.co.il/grant_full_mailbox_rights_on_exchange_2000_2003.htm
0
 
BHForum (Author) Commented:
The domain administrator account already has Exchange Full Administrator rights. I go into ADUC to change permissions, but cannot. I have tried with my own account to remove in order to add again with full permissions, but cannot due to inherited rights. How can I remove the inherited rights in order to remove myself and re-add?
0
 
Exchange_Geek Commented:
"I have an Exchange 2003 server. I am trying to get rights to terminated user mailboxes in order to export to PST. The rights for Full Mailbox Access are grayed out. I have tried the Delegate Control wizard, etc. to no avail. I do get messages that I need to be in the local machine's administrators group. One thing to mention, whoever set up this server prior to me made the Exchange box a DC. How do I get myself to be a local admin? Not sure how to deal with this one."

Question 1) How many users are there whose mailboxes need to be emptied to PST?
Question 2) If you are a domain admin and this is a DC - open gpedit.msc and follow the picture given below.
Question 3) What you are trying to achieve using Full Mailbox Access is the wrong method; to work with ExMerge you need to give yourself Send As and Receive As rights on the store, NOT on the mailbox.

Suggestion: If your answer to question 1 is less than 5 - why not associate those mailboxes with normal dummy user accounts (who do not have mailboxes) - open their mailbox in OL - take out PST - why such a big hassle?
[Attachment: GPEDIT.bmp]
0
 
BHForum (Author) Commented:
Exchange_Geek: Your final solution was what I was trying to get to. I was trying to set it up to allow my account to open the email and export to PST, but it wouldn't allow me to remove the "deny". I have a dummy account set up, but was also trying to figure out and resolve why I was unable to have any administrator accounts change this access. With regards to your picture above, that would allow me to log on locally...but does not necessarily add to the local administrators group, does it? I can award the points as this is a workaround, but would like to try to find out why domain administrator accounts are unable to modify this attribute.

Thanks.
0
 
Exchange_Geek Commented:
Is this deny being explicitly given at the store level or do you see it greyed out? If you see it greyed out at the store, by default this permission gets inherited from the Microsoft Exchange organization container, so if you are so persistent to remove it - uncheck inheritance and remove it.

I gave this picture thinking your Exchange is on a DC. And yes, giving rights at this point does give you log on locally rights on the DC.

Thanks for asking these questions, I'm glad to clear my thoughts on my earlier views.
0
 
BHForum (Author) Commented:
Okay, I have logged in as the dummy account and cannot open the default folders for the accounts in question.

For the domain\administrator account: Within the System Manager, everything shows that full rights are there, inheritance is off. In ADUC, the deny is checked and grayed out for Full Mailbox Access.

For the dummy account: Within the System Manager AND ADUC, everything shows that full rights are there. Still unable to open default folders.

Domain Administrators group was already given Log On Locally rights as a domain controller GPO.

I am stumped.

0
 
Exchange_Geek Commented:
I can help you better but please make me understand what this line means.

"Okay, I have logged in as the dummy account and cannot open the default folders for the accounts in question."

Which folders are you trying to expand - using OL / ExMerge / Exchange System Manager.

Let me get some things clear about the troubleshooting step.

1) You ONLY need Send As and Receive As rights on the security tab of the mailbox store

2) Once given, please please please allow AD to replicate this on to every mailbox (users in AD) and 2hrs for mailbox cache to get cleared.

3) If time is given properly to replicate - you should be able to open any one mailbox (choose a mailbox which has an enabled user account) in Outlook. Choose File - Open - Other User's Folder - choose the mailbox and its inbox / calendar / etc.

4) The reason why the log on locally permission was given (since I had assumed Exchange was on DC)

Please check if the above steps help you.
0
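The following is an added example, not part of the thread: a simplified Python model of Windows canonical ACE ordering, showing how a deny inherited from the organization container and an explicit allow on the mailbox store (the two things discussed above) combine into an effective result. The account and group names are constructed, and the trustee of the inherited deny (a Domain Admins group) is an assumption for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    kind: str          # "allow" or "deny"
    trustee: str       # user or group the ACE applies to (constructed names)
    rights: frozenset  # rights covered by this ACE
    depth: int = 0     # 0 = explicit on the object, 1 = parent, 2 = grandparent

def canonical_order(aces):
    """Explicit ACEs first, then nearer ancestors; deny before allow per level."""
    return sorted(aces, key=lambda a: (a.depth, a.kind != "deny"))

def access_check(aces, token, wanted):
    """Walk ACEs in canonical order: a deny on a still-needed right fails the
    check; access is granted once every wanted right has been allowed."""
    remaining = set(wanted)
    for ace in canonical_order(aces):
        if ace.trustee not in token:
            continue
        if ace.kind == "deny" and remaining & ace.rights:
            return False
        if ace.kind == "allow":
            remaining -= ace.rights
        if not remaining:
            return True
    return False  # nothing granted the rights: implicit deny

STORE_RIGHTS = frozenset({"Send As", "Receive As"})

# Assumed for illustration: deny inherited from the organization container.
ORG_DENY = Ace("deny", "Domain Admins", STORE_RIGHTS, depth=2)

def store_dacl(*explicit):
    """DACL of a mailbox store: the inherited deny plus any explicit ACEs."""
    return [ORG_DENY, *explicit]

def demo():
    admin = {"CORP\\administrator", "Domain Admins"}   # constructed token
    dummy = {"CORP\\pst-export"}                       # constructed token
    allow_dummy = Ace("allow", "CORP\\pst-export", STORE_RIGHTS)
    allow_admin = Ace("allow", "CORP\\administrator", STORE_RIGHTS)
    return {
        "admin, inherited deny only": access_check(store_dacl(), admin, STORE_RIGHTS),
        "dummy, explicit allow on store": access_check(store_dacl(allow_dummy), dummy, STORE_RIGHTS),
        "admin, explicit allow on store": access_check(store_dacl(allow_admin), admin, STORE_RIGHTS),
        "dummy, no ACE at all": access_check(store_dacl(), dummy, STORE_RIGHTS),
    }

if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case}: {'granted' if granted else 'denied'}")
```

In this model an inherited deny shows up as read-only on the child object because it is defined further up the tree, and an explicit allow placed on the store is evaluated before it.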
 
BHForum (Author) Commented:
Sorry bout that.

Dummy account = An account set up just to get into the mailboxes. The reason I set this up is because my own account and the domain\administrator account cannot access the mailboxes. The default mail folders are the folders that could not be accessed when opening up Outlook and trying to access the mailboxes in question. (which, by the way, are now opening as I did not allow sufficient time for the permissions to replicate.) I will accept this as the resolution. Still unsure of why I cannot get the deny Full Mailbox Access off within the AD account, but as long as I have a workaround, everything looks appropriate for accounts moving forward.

Thanks Exchange_Geek

0
