CEvans72 (asker):
Exchange 2007 Client Permissions - Domain Admins removed

OK... It was noticed that Domain Admins had the ability to access a specific mailbox. This was discovered since the AD Group - Domain Admins had Full Access permissions to that specific mailbox. OK... so what did I do, I removed the Domain Admins permission from that mailbox, problem solved, right? Wrong... Now that particular user cannot access his mailbox via Outlook or OWA. The only solution was to add the Domain Admin group back in with Full Access. Is this user a member of the Domain Admin group you ask...? Yes, in fact he is... OK, so remove the DA group and add the specific user account, right...? Wrong... That did not work either. After further searching, it appears that one other Exchange Mailbox has this same issue, MINE...

Not sure what else to try, but it clearly spells out some sort of permissions issue. When the DA group is removed, OWA says "Outlook Web Access could not connect to Microsoft Exchange. If the problem continues, contact technical support for your organization." Outlook states that the Exchange Server is unavailable.... What? Really? I just connected to it prior to the ripping out of the DA group in Exchange Management... I could ping it...

Help...
mvgeertruyen:
The actual error would help (stack trace). I had something similar and this solved it for me:

This exception may occur if the Allow inheritable permissions check box is not selected on the user object or on the OU container in Active Directory Users and Computers.

Article: http://technet.microsoft.com/en-us/library/bb885050.aspx
CEvans72 (asker):
OK... I have added a Word document with the full error.
Exactly what permission did you remove?
"Full Access" does not grant permissions to the mailbox content. There are only two permissions that do that - Full Mailbox Access which would be listed in the User properties within the EMC or Send As/Receive As permissions.

Simon.
I removed the AD Group Domain Admins. Don't ask how it got there, clearly not all mailboxes have this group with Full Access permissions. What I noticed is that this is why I was able to open the mailbox with my Outlook client or via OWA. Yes, I logged into OWA under my account and opened the other mailbox within OWA, successfully. I do not have explicit permissions under my own AD user account. This must have been from me being a member of the AD Domain Admins group. Clearly this person does not want anyone else aside from themselves within their mailbox. So I removed the group. However, he no longer had access once I did it. I was under the assumption that within the EMC Full Permissions wizard, the security authority NT AUTHORITY\SELF allowed him to have his own access.
What I meant was, what permission name was it? Was it "Full Control", "Full Mailbox Access", something else?

Checking my own system, I have two accounts with Full Mailbox Access:

Self
Domain\Exchange Domain Servers.

If you have added Self in to the permissions, then do be aware that a permission change can take two hours to take effect, due to the way that the permissions are cached by Exchange.

Simon.
It was to remove the Full Access permission via the EMC.
I see that we have a bunch... like 16. Most of them are OK in my eyes but are probably more than needed.

I noticed the group, Domain Admins, so I removed it. Prior to that the mailbox functioned just fine. Once I replaced it, it functions fine as well.

The permission of  NT AUTHORITY\SELF was already there...
Attached is the detailed error message...
Stack-Error.doc
In my opinion and own analysis, it appears that this is a permissions issue.
Is there anything I can do to view detailed permissions for this mailbox? I can see the ones via EMC.
But is there anything I can run within the Exchange Management Shell?

I believe something is being denied and possibly Domain Admin rights override it?
Domain Admins should be on the list of permissions for all mailboxes, just with some deny permissions set. Therefore the first thing I would do is put domain admins back in to the list and then look at a working user and recreate the exact permission structure. Be aware of the cache issue above.

No idea what the attachment says, I don't open .docs on this site as they could contain a payload.

Simon.
Adding Domain Admins back into the mailbox permissions works, however this clearly allows additional members full access to this mailbox. This is not good security practice, nor would it be approved by the owner of this mailbox. This is not a widespread issue as I have only identified one other mailbox where I can replicate this issue. Is there any way to see the Deny permissions for this mailbox? If I look at a working user, they do not have the Domain Admins group added; all other groups appear to be the same as they relate to permissions...

Here is what was contained within the .doc file....

So, I will try and make the changes and wait 2 hours? Is that normal? If I yank the Domain Admins group, the response is almost immediate. If I add it, here too, it is almost immediate...

Exception
Exception type: Microsoft.Exchange.Data.Storage.ConnectionFailedTransientException
Exception message: Cannot open mailbox /O=******/OU=***** /cn=Recipients/cn=**********.

Call stack
Microsoft.Exchange.Data.Storage.ConnectionCachePool.OpenMailbox(String serverDn, String userDn, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, Object identity, ConnectFlag connectFlag, OpenStoreFlag openStoreFlag, CultureInfo cultureInfo, String clientInfoString, Boolean secondTry)
Microsoft.Exchange.Data.Storage.ConnectionCachePool.OpenMailbox(String serverDn, String userDn, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, Object identity, ConnectFlag connectFlag, OpenStoreFlag openStoreFlag, CultureInfo cultureInfo, String clientInfoString, Boolean secondTry)
Microsoft.Exchange.Data.Storage.ConnectionCachePool.OpenMailbox(String serverDn, String userDn, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, Object identity, ConnectFlag connectFlag, OpenStoreFlag openStoreFlag, CultureInfo cultureInfo, String clientInfoString)
Microsoft.Exchange.Data.Storage.MailboxSession.Initialize(LogonType logonType, ExchangePrincipal owner, DelegateLogonUser delegateUser, Object identity, OpenMailboxSessionFlags flags)
Microsoft.Exchange.Data.Storage.MailboxSession.CreateMailboxSession(LogonType logonType, ExchangePrincipal owner, DelegateLogonUser delegateUser, Object identity, OpenMailboxSessionFlags flags, CultureInfo cultureInfo, String clientInfoString)
Microsoft.Exchange.Data.Storage.MailboxSession.Open(ExchangePrincipal mailboxOwner, WindowsPrincipal authenticatedUser, CultureInfo cultureInfo, String clientInfoString)
Microsoft.Exchange.Clients.Owa.Core.OwaWindowsIdentity.CreateMailboxSession(ExchangePrincipal exchangePrincipal, CultureInfo cultureInfo)
Microsoft.Exchange.Clients.Owa.Core.UserContext.Load(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.CreateUserContext(OwaContext owaContext, UserContextKey userContextKey, UserContext& userContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.PrepareRequestWithoutSession(OwaContext owaContext, UserContextCookie userContextCookie)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.InternalDispatchRequest(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchRequest(OwaContext owaContext)
System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Inner Exception
Exception type: Microsoft.Mapi.MapiExceptionLogonFailed
Exception message: MapiExceptionLogonFailed: Unable to open message store. (hr=0x80040111, ec=1010) Diagnostic context: Lid: 18969 EcDoRpcExt2 called [length=431] Lid: 27161 EcDoRpcExt2 returned [ec=0x0][length=124][latency=0] Lid: 23226 --- ROP Parse Start --- Lid: 27962 ROP: ropLogon [254] Lid: 17082 ROP Error: 0x3F2 Lid: 26937 Lid: 21921 StoreEc: 0x3F2 Lid: 27962 ROP: ropExtendedError [250] Lid: 1494 ---- Remote Context Beg ---- Lid: 26426 ROP: ropLogon [254] Lid: 4740 StoreEc: 0x80070005 Lid: 30409 StoreEc: 0x80070005 Lid: 19145 StoreEc: 0x3F2 Lid: 23241 StoreEc: 0x3F2 Lid: 32186 Lid: 8620 StoreEc: 0x3F2 Lid: 1750 ---- Remote Context End ---- Lid: 26849 Lid: 21817 ROP Failure: 0x3F2 Lid: 26297 Lid: 16585 StoreEc: 0x3F2 Lid: 32441 Lid: 1706 StoreEc: 0x3F2 Lid: 24761 Lid: 20665 StoreEc: 0x3F2 Lid: 25785 Lid: 29881 StoreEc: 0x3F2

Call stack
Microsoft.Mapi.MapiExceptionHelper.ThrowIfError(String message, Int32 hresult, Int32 ec, DiagnosticContext diagCtx)
Microsoft.Mapi.ExRpcConnection.OpenMsgStore(OpenStoreFlag storeFlags, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, MapiStore msgStorePrivate, String& correctServerDn, ClientIdentityInfo clientIdentityAs, String userDnAs, String applicationId, CultureInfo cultureInfo)
Microsoft.Mapi.ConnectionCache.OpenMapiStore(String mailboxDn, Guid mailboxGuid, Guid mdbGuid, ClientIdentityInfo clientIdentity, String userDnAs, OpenStoreFlag openStoreFlags, CultureInfo cultureInfo, String applicationId)
Microsoft.Mapi.ConnectionCache.OpenMailbox(String mailboxDn, Guid mailboxGuid, Guid mdbGuid, WindowsIdentity windowsIdentityAs, String userDnAs, OpenStoreFlag openStoreFlags, CultureInfo cultureInfo, String applicationId)
Microsoft.Exchange.Data.Storage.ConnectionCachePool.OpenMailbox(String serverDn, String userDn, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, Object identity, ConnectFlag connectFlag, OpenStoreFlag openStoreFlag, CultureInfo cultureInfo, String clientInfoString, Boolean secondTry)

ASKER CERTIFIED SOLUTION
Mestha
Sorry, correct me if I am wrong here, but this is an Exchange 2007 environment. Domain Admins does not have permissions to the mailbox by default. If a Domain Admin were to need access to a mailbox, it must be exclusively done.
Where is the security tab that you are referring to? We manage Exchange permission via EMC. Two options... Full Access or Send as...

Where can I see the deny permissions?

Thanks,
Chris
Even though you are using Exchange 2007, permissions are still stored in AD.

Therefore some permissions are also set through ADUC on the Security tab. You can see the security tab choose View, Advanced Features and then opening the properties of the User Account again.

So in EMC under Full Mailbox Access you shouldn't see Domain Admins, but you will see them listed on the Security tab in ADUC.

Simon.
OK...
This helps sooo much more. So, here in ADUC, it is the SELF ID that grants the permissions for that particular user to access his/her mailbox, correct? It is that one that I believe I should be the most concerned with. Should I just enable Full Access for it?
Looking at some of my systems Self does not have full control. The advice I gave above still applies - look at a working user and replicate the permissions exactly - looking in Advanced permissions as well.

Simon.
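The checks recommended in this thread (list the Deny entries the EMC wizard hides, confirm inheritance is not blocked on the user object, then compare the failing mailbox against a working one on both the store side and the AD side) can be done from the Exchange 2007 Management Shell rather than by eyeballing the ADUC Security tab. The script below is an added example and is not code from the thread or from Microsoft. It assumes the Exchange 2007 cmdlets are loaded; the aliases broken.user and working.user are placeholders for the mailbox that fails with MapiExceptionLogonFailed and a known-good mailbox. Note that the inner exception posted above carries StoreEc 0x80070005, which is E_ACCESSDENIED, consistent with the permissions theory discussed here.

```powershell
# Added example (not from the thread). Run in the Exchange 2007 Management Shell.
# Placeholders (assumptions): 'broken.user' = mailbox that fails with
# MapiExceptionLogonFailed, 'working.user' = a mailbox that opens normally.
param(
    [string]$Broken  = 'broken.user',
    [string]$Working = 'working.user'
)

# Flatten one mailbox's permissions into sortable one-line strings so two
# mailboxes can be diffed with Compare-Object.
#  - Get-MailboxPermission: store-level rights (FullAccess etc.); this is the
#    list the EMC "Manage Full Access Permission" wizard edits.
#  - Get-ADPermission: the ACL on the AD user object; this is what the ADUC
#    Security tab shows, including Deny ACEs, inherited ACEs and the
#    Send-As / Receive-As extended rights.
function Get-PermissionSummary {
    param([string]$Identity)

    $store = Get-MailboxPermission -Identity $Identity | ForEach-Object {
        "STORE|$($_.User)|$($_.AccessRights)|Deny=$([bool]$_.Deny)|Inherited=$($_.IsInherited)"
    }
    $ad = Get-ADPermission -Identity $Identity | ForEach-Object {
        "AD|$($_.User)|$($_.AccessRights)|$($_.ExtendedRights)|Deny=$([bool]$_.Deny)|Inherited=$($_.IsInherited)"
    }
    @($store) + @($ad) | Sort-Object
}

# 1. Every Deny ACE on the failing mailbox, store side and AD side.
Write-Host "== Deny entries on $Broken (store) =="
Get-MailboxPermission -Identity $Broken | Where-Object { [bool]$_.Deny } |
    Format-Table User, AccessRights, IsInherited -AutoSize

Write-Host "== Deny entries on $Broken (AD object) =="
Get-ADPermission -Identity $Broken | Where-Object { [bool]$_.Deny } |
    Format-Table User, AccessRights, ExtendedRights, IsInherited -AutoSize

# 2. Inheritance check (the "Allow inheritable permissions" point raised earlier
#    in the thread): a user object with inheritance blocked shows no inherited ACEs.
$inherited = @(Get-ADPermission -Identity $Broken | Where-Object { $_.IsInherited })
if ($inherited.Count -eq 0) {
    Write-Warning "$Broken has no inherited ACEs; check 'Allow inheritable permissions' in ADUC."
}

# 3. Diff the failing mailbox against a known-good one.
#    '<=' lines exist only on $Broken, '=>' lines only on $Working.
Write-Host "== Permission differences: <= only on $Broken, => only on $Working =="
Compare-Object -ReferenceObject (Get-PermissionSummary $Broken) `
               -DifferenceObject (Get-PermissionSummary $Working) |
    Sort-Object SideIndicator, InputObject |
    Format-Table SideIndicator, InputObject -AutoSize -Wrap
```

Read the output in this order: any Deny entry naming a group the failing user belongs to (including Domain Admins, which is why removing that group's Allow entry can flip the effective result), then any ACE present only on the broken side of the diff. Because the store caches mailbox permissions, as noted above, wait for the cache to refresh or restart the Information Store in a maintenance window before judging whether a change fixed the logon.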
Yes, this was resolved... I do not have a 100% definition of exactly what was needed, but it appears that there were some excessive groups and most likely a deny permission or two that blocked it.