fest45

Deny access rights for domain admin, Exchange organization Administrators on Exchange 2007 mailbox.

We have an Exchange organization with Exchange 2003 and Exchange 2007 servers.

But we have noticed a strange problem on Exchange 2007 user mailboxes.
All Exchange security groups and domain admins have explicit FullAccess DENY rights on all user mailboxes.
And this deny appears to be inherited.
So every test-mapiconnectivity command fails when you are logged on with a domain admin account.
We don't know how to remove these explicit deny rights.

Here is an extract of a test mailbox's permissions obtained by the get-mailboxpermission command:
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[] True All HABERRY\Exchange Organization Administrators haberry.com/Users/test2k7 True True Unchanged
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[] False All HABERRY\Exchange Organization Administrators haberry.com/Users/test2k7 True True Unchanged

Thank you for your help.
SOLUTION
Veerappan Sundaram
This solution is only available to members.
fest45

ASKER

In fact, the first problem I saw is that I can't retrieve ActiveSync statistics from the Exchange Management Console -> "Manage Mobile Devices" when I am logged in as a domain administrator.
I get the error messages shown in the attachment.

How can I add access rights to my domain administrator account?

get-activeSyncStats.bmp
fest45

ASKER

In fact, all Exchange administrator roles are denied access on the storage groups.
I can see this message in the event logs of the mailbox server:
Source : MSExchangeIS Mailbox
ID  : 1022
Logon Failure on database "First Storage Group\Mailbox Database"  
for all users that have one of the Exchange administrator roles.

But it's ok for normal users.
fest45

ASKER

Please!
Any help with my problem?
ASKER CERTIFIED SOLUTION
This solution is only available to members.
A better solution is to use ADSI Edit to remove the deny rights for a specific group or user object.
Go to the configuration container, browse to CN=Information Store, edit the storage group(s), stop the "Allow inheritable permissions" option, choose "Copy", and remove the specific deny rights.

Kind regards,

Patrick Kouwen
Exchange Specialist Interaccess
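
A read-only check to run in the Exchange Management Shell before and after an ADSI Edit change like the one described above, as an added example that is not part of the original thread: it lists the Deny entries on the storage group and mailbox database objects and on one mailbox, with IsInherited showing whether each entry is set on that object or comes from a parent. The mailbox name `test2k7` is taken from the question; the variable names are illustrative, and the script assumes the standard Exchange 2007 cmdlets are loaded.

```powershell
# Added example: inventory of Deny ACEs. Nothing here changes permissions.

# Storage group and mailbox database objects in the configuration partition.
$targets  = @()
$targets += Get-StorageGroup    | ForEach-Object { $_.DistinguishedName }
$targets += Get-MailboxDatabase | ForEach-Object { $_.DistinguishedName }

# Deny ACEs on those Active Directory objects.
$adDeny = $targets |
    ForEach-Object { Get-ADPermission -Identity $_ } |
    Where-Object   { $_.Deny } |
    Select-Object  Identity, User, IsInherited, AccessRights, ExtendedRights

# Deny ACEs on the test mailbox from the question (assumed to still exist).
$mbxDeny = Get-MailboxPermission -Identity 'test2k7' |
    Where-Object  { $_.Deny } |
    Select-Object Identity, User, IsInherited, AccessRights

# Entries with IsInherited = False are set directly on the listed object;
# entries with IsInherited = True flow down from a parent container.
'--- Storage groups and databases ---'
$adDeny  | Sort-Object IsInherited, Identity | Format-Table -AutoSize -Wrap

'--- Mailbox test2k7 ---'
$mbxDeny | Sort-Object IsInherited, User     | Format-Table -AutoSize -Wrap

# Keep a copy so the state before the ADSI Edit change can be compared
# with the state after it (output path is a placeholder).
$adDeny | Export-Csv -Path 'C:\temp\deny-aces-before.csv' -NoTypeInformation
```

Saving the output before editing also gives a record of the original ACEs if the copied permissions need to be restored.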