csandlin

Can no longer add other users' mailboxes after upgrade to Exchange 2007

I recently installed three Exchange 2007 servers in our EX03 org. After the install, all the users in one OU (who happen to also be still on EX03) can no longer resolve other users' names if I try to add another user's mailbox in Outlook. The error says "The name cannot be resolved. The action cannot be completed." Other mailboxes that had been added to Outlook prior to the upgrade no longer worked and gave errors relating to Outlook not being able to access the mailboxes (when accepting appointments) although regular browsing through the mailbox worked fine.

Originally all domain admins had full Exchange rights to all mailboxes. After installing 2007 I had to remove the deny ACLs set by Exchange to allow this again. It seems like what is happening with the users is something similar, because if I give them Send/Receive As rights in AD they can then resolve the names.

Any ideas? If I go to the properties of a user and view effective permissions it seems as though everyone has rights...

Btw I'm not sure if the permissions problem really has anything to do with that OU, it's just a coincidence. A while back someone had experimented with configuring Exchange similar to a hosted config where each OU couldn't see the others. Could have something to do with that. All address lists seem to have proper permissions. I've hunted in ADSI forever and can't seem to find where the problem is. Any tips/direction here would be great.

Thanks!
Exchange_Geek

"I recently installed three Exchange 2007 servers in our EX03 org. After the install, all the users in one OU (who happen to also be still on EX03) can no longer resolve other users' names if I try to add another user's mailbox in Outlook. The error says 'The name cannot be resolved. The action cannot be completed.'"

You mentioned on your Exchange 2003 everything was working perfectly fine before E2k7 was installed. If you remember the famous DST which hit everyone and particularly administrators across the globe had this famous KB 912918 and 926666 installed on their boxes as security patches. This patch would remove the rights of any built-in administrator to access other mailboxes. Your issue sounds similar.

"if I give them Send/Receive As rights in AD they can then resolve the names."
Ideally that is how it should be - are you saying these users were able to resolve names while adding others' mailboxes without any permission? By default these users would have a deny on store at installation of E2k3 itself.

"Any tips/direction here would be great"
Yep, create a new OU - create a test mailbox - give it send / receive as permission at store level - and check if Mr New Test user can access all those mailboxes in the store.

csandlin

ASKER

Thank you for the reply. I do need to clarify something though. There are actually two separate issues, although they both happened at the same time so I listed them because they may be related. The first issue was that admins no longer had full mailbox access. This has been resolved. The issue I am posting about is that normal users cannot open shared mailboxes without giving the users Send/Receive As rights on the user whose mailbox is being shared. So in Outlook 2007 if I am logged in under a user in the one specific OU, and I go to File->Open->Other User's Folder, any name I type in cannot be resolved and gives the error message I listed in the original post. However the users do have access to the GAL and can resolve the names entered in the TO: field of a new email.

Prior to 2007 all users were able to resolve mailbox names of any user--whether they had rights or not. The mailboxes would not actually open but they could still resolve the name.

I'll take a look at the permissions again.

Thanks!
I hope we are working with users in online mode OL.
They get the error regardless of online or cached but specifically I am testing with it in online mode.
ASKER CERTIFIED SOLUTION
Exchange_Geek
This solution is only available to members.
Sorry for getting back on this so late. There was an ACL set on that OU that was blocking permissions. Someone had been playing around with it in the past and the issue just now became a problem after EX2K7 re-ACL'd everything.
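
The kind of check that surfaces a blocking ACL like the one described in this thread, as an added example that is not part of the original posts: it lists Deny ACEs set directly on an OU and the Deny ACEs that user objects in it inherit. It assumes a management host with the ActiveDirectory (RSAT) module; the OU distinguished name is a placeholder and `Get-DenyAce` is a hypothetical helper name.

```powershell
# Added example; assumes the ActiveDirectory (RSAT) module is installed.
Import-Module ActiveDirectory

# Placeholder DN (assumption): replace with the OU under investigation.
$OuDn = 'OU=ExampleOU,DC=example,DC=com'

# Well-known extended-right GUIDs for the rights discussed in the thread.
$RightNames = @{
    'ab721a54-1e2f-11d0-9819-00aa0040529b' = 'Send-As'
    'ab721a56-1e2f-11d0-9819-00aa0040529b' = 'Receive-As'
}

# Hypothetical helper: return every Deny ACE in the DACL of one AD object.
function Get-DenyAce {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        ForEach-Object {
            $guid = $_.ObjectType.ToString()
            New-Object PSObject -Property @{
                Object    = $DistinguishedName
                Trustee   = $_.IdentityReference.Value
                Rights    = $_.ActiveDirectoryRights
                # Show a friendly name when the ACE targets Send-As/Receive-As.
                AppliesTo = $(if ($RightNames.ContainsKey($guid)) { $RightNames[$guid] } else { $guid })
                Inherited = $_.IsInherited
            }
        }
}

# 1. Deny ACEs set explicitly on the OU itself (not inherited from above).
Get-DenyAce -DistinguishedName $OuDn |
    Where-Object { -not $_.Inherited } |
    Format-Table Trustee, Rights, AppliesTo -AutoSize

# 2. Deny ACEs that user objects in the OU pick up through inheritance.
Get-ADUser -SearchBase $OuDn -Filter * |
    ForEach-Object { Get-DenyAce -DistinguishedName $_.DistinguishedName } |
    Where-Object { $_.Inherited } |
    Sort-Object Trustee, AppliesTo -Unique |
    Format-Table Trustee, Rights, AppliesTo -AutoSize
```

An all-zero GUID in the AppliesTo column means the ACE is not scoped to a single property or extended right.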