fest45 asked on

Deny access rights for domain admin, Exchange organization Administrators on Exchange 2007 mailbox.

We have an Exchange organization with Exchange 2003 and Exchange 2007 servers.

But we have noticed a strange problem on Exchange 2007 user mailboxes.
All Exchange security groups and domain admins have explicit FullAccess DENY rights on all user mailboxes.
And this deny appears to be inherited.
So every Test-MapiConnectivity command fails when you are logged on with a domain admin account.
We don't know how to remove these explicit deny rights.

Here is an extract of a test mailbox's permissions obtained with the Get-MailboxPermission command:
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[] True All HABERRY\Exchange Organization Administrators haberry.com/Users/test2k7 True True Unchanged
Microsoft.Exchange.Management.RecipientTasks.MailboxRights[] False All HABERRY\Exchange Organization Administrators haberry.com/Users/test2k7 True True Unchanged

Thank you for your help.
Exchange

Last Comment
iaexpexchange

8/22/2022 - Mon
SOLUTION
Veerappan Sundaram

ASKER
fest45

In fact, the first problem I saw is that I can't retrieve ActiveSync statistics from the Exchange Management Console -> "Manage Mobile Devices" when I am logged on as a domain administrator.
I get the error messages in the attachment.

How can I add access rights to my domain administrator account?

get-activeSyncStats.bmp
ASKER
fest45

In fact, all Exchange administrator roles are denied access on storage groups.
I can see this message in the event logs of the mailbox server:
Source : MSExchangeIS Mailbox
ID  : 1022
Logon Failure on database "First Storage Group\Mailbox Database"  
for all users that have one of the Exchange administrator roles.

But it's ok for normal users.
ASKER
fest45

Please!
Any help with my problem?
ASKER CERTIFIED SOLUTION
fest45

iaexpexchange

A better solution is to use ADSI Edit to remove the deny rights for a specific group or user object.
Go to the Configuration container, browse to CN=Information Store, edit the storage group(s), disable "allow inheritable permissions", choose "Copy" and remove the specific deny rights.

Kind regards,

Patrick Kouwen
Exchange Specialist Interaccess
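
Added example, not code from any poster in this thread: a read-only pass that lists deny entries and separates inherited ones (which have to be corrected on a parent object such as the storage group) from explicit ones, useful before changing any ACL in ADSI Edit. The function name Get-DenyAceSummary and the sample rows are constructed for illustration; the property names follow the Get-MailboxPermission output quoted in the question, and PowerShell 2.0 or later is assumed.

```powershell
# Added example: summarise deny ACEs per trustee without changing anything.
# Get-DenyAceSummary is a hypothetical helper name, not an Exchange cmdlet.
function Get-DenyAceSummary {
    param([Parameter(Mandatory = $true)] [object[]] $Permission)

    $Permission |
        Where-Object { $_.Deny } |
        Group-Object -Property User, IsInherited |
        ForEach-Object {
            $first = $_.Group[0]
            # Inherited ACEs cannot be removed on the object that shows them.
            $fixAt = 'this object'
            if ($first.IsInherited) { $fixAt = 'a parent object' }
            $rights = ($_.Group | ForEach-Object { $_.AccessRights } |
                       Sort-Object -Unique) -join ','
            New-Object PSObject -Property @{
                User        = $first.User
                IsInherited = $first.IsInherited
                Objects     = $_.Count
                Rights      = $rights
                RemoveAt    = $fixAt
            }
        } |
        Select-Object User, IsInherited, Objects, Rights, RemoveAt
}

# Constructed sample rows modelled on the extract in the question
# (same trustee with one deny and one allow entry, both inherited).
$grp = 'HABERRY\Exchange Organization Administrators'
$mbx = 'haberry.com/Users/test2k7'
$sample = @(
    New-Object PSObject -Property @{ Identity = $mbx; User = $grp
        AccessRights = 'FullAccess'; Deny = $true;  IsInherited = $true }
    New-Object PSObject -Property @{ Identity = $mbx; User = $grp
        AccessRights = 'FullAccess'; Deny = $false; IsInherited = $true }
    # Constructed explicit deny, for contrast with the inherited one.
    New-Object PSObject -Property @{ Identity = $mbx; User = 'HABERRY\Domain Admins'
        AccessRights = 'FullAccess'; Deny = $true;  IsInherited = $false }
)
Get-DenyAceSummary -Permission $sample | Format-Table -AutoSize

# In the Exchange Management Shell the same function accepts live output:
#   Get-DenyAceSummary (Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission)
#   Get-DenyAceSummary (Get-StorageGroup | Get-ADPermission)
```

Saving the output of the second live command before and after an ADSI Edit change gives a record of exactly which deny entries were removed from the storage groups.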