?
Solved

Can no longer add other users' mailboxes after upgrade to Exchange 2007

Posted on 2008-11-05
6
Medium Priority
?
685 Views
Last Modified: 2012-06-27
I recently installed three Exchange 2007 servers in our EX03 org. After the install, all the users in one OU (who happen to also be still on EX03) can no longer resolve other users' names if I try to add another user's mailbox in Outlook. The error says "The name cannot be resolved. The action cannot be completed." Other mailboxes that had been added to Outlook prior to the upgrade no longer worked and gave errors relating to Outlook not being able to access the mailboxes (when accepting appointments) although regular browsing through the mailbox worked fine.

Originally all domain admins had full Exchange rights to all mailboxes. After installing 2007 I had to remove the deny ACL's set by Exchange to allow this again. It seems like what is happening with the users is something similar, because if I give them Send/Receive As rights in AD they can then resolve the names.

Any ideas? If I go to the properties of a user and view effective permissions it seems as though everyone has rights...

Btw I'm not sure if the permissions problem really has anything to do with that OU, it's just a coincidence. Awhile back someone had experimented with configuring Exchange similar to a hosted config where each OU couldn't see the others. Could have something to do with that. All address lists seem to have proper permissions. I've hunted in ADSI forever and can't seem to find where the problem is. Any tips/direction here would be great.

Thanks!
0
Comment
Question by:csandlin
  • 3
  • 3
6 Comments
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 22893984
"      I recently installed three Exchange 2007 servers in our EX03 org. After the install, all the users in one OU (who happen to also be still on EX03) can no longer resolve other users' names if I try to add another user's mailbox in Outlook. The error says "The name cannot be resolved. The action cannot be completed."

You mentioned on your Exchange 2003 everything was working perfectly fine before E2k7 was installed. If you remember the famous DST which hit everyone and particularly administrators across the globe had this famous KB 912918 and 926666 installed on their boxes as security patches. This patch would remove the rights of any built-in administrator to access other mailboxes. Your issue sounds similar.

"if I give them Send/Receive As rights in AD they can then resolve the names."
Ideally that is how it should be - are you saying these users were able to resolve names while adding others mailboxes without any permission. By default these users would have a deny on store at installation of E2k3 itself.

"Any tips/direction here would be great"
Yep, create a new OU - create a test mailbox - give it send / receive as permission at store level - and check if Mr New Test user can access all those mailboxes in the store.

0
 
LVL 1

Author Comment

by:csandlin
ID: 22895016
Thank you for the reply. I do need to clarify something though. There are actually two separate issues, although they both happened at the same time so I listed them because they may be related. The first issue was that admins no longer had full mailbox access. This has been resolved. The issue I am posting about is that normal users cannot open shared mailboxes without giving the users Send/Receive As rights on the user who's mailbox is being shared. So in Outlook 2007 if I am logged in under a user in the one specific OU, and I go to File->Open->Other User's Folder, any name I type in cannot be resolved and gives the error message I listed in the original post. However the users do have access to thet GAL and can resolve the names entered in the TO: field of a new email.

Prior to 2007 all users were able to resolve mailbox names of any user--whether they had rights or not. The mailboxes would not actually open but they could still resolve the name.

I'll take a look at the permissions again.

Thanks!
0
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 22896197
I hope we are working with users in online mode OL.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 1

Author Comment

by:csandlin
ID: 22901481
They get the error regardless of online or cached but specifically I am testing with it in online mode.
0
 
LVL 33

Accepted Solution

by:
Exchange_Geek earned 2000 total points
ID: 22902371
"So in Outlook 2007 if I am logged in under a user in the one specific OU, and I go to File->Open->Other User's Folder, any name I type in cannot be resolved and gives the error message I listed in the original post. However the users do have access to thet GAL and can resolve the names entered in the TO: field of a new email."

I would assume if you move the user outside that OU - things work fine ??
0
 
LVL 1

Author Comment

by:csandlin
ID: 23491526
Sorry for getting back on this so late. There was an ACL set on that OU that was blocking permissions. Someone had been playing around with it in the past and the issue just now became a problem after EX2K7 re-ACL'd everything.
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Stellar Exchange Toolkit: this 5 in 1 toolkit comes loaded with mega-software tool. Here’s an introduction to tools’ usage and advantages:
This article will help to fix the below errors for MS Exchange Server 2016 I. Certificate error "name on the security certificate is invalid or does not match the name of the site" II. Out of Office not working III. Make Internal URLs and Externa…
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
Suggested Courses

807 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question