
Solved

Exchange 2007 Client Permissions - Domain Admins removed

Posted on 2009-04-23
1,059 Views
Last Modified: 2012-05-06
OK... It was noticed that Domain Admins had the ability to access a specific mailbox. This was discovered since the AD Group - Domain Admins had Full Access permissions to that specific mailbox. OK... so what did I do, I removed the Domain Admins permission from that mailbox, problem solved, right? Wrong... Now that particular user cannot access his mailbox via Outlook or OWA. The only solution was to add the Domain Admin group back in with Full Access. Is this user a member of the Domain Admin group you ask...? Yes, in fact he is... OK, so remove the DA group and add the specific user account, right...? Wrong... That did not work either. After further searching, it appears that one other Exchange Mailbox has this same issue, MINE...

Not sure what else to try, but it clearly spells out some sort of permissions issue. When the DA group is removed, OWA says "Outlook Web Access could not connect to Microsoft Exchange. If the problem continues, contact technical support for your organization." Outlook states that the Exchange Server is unavailable.... What? Really? I just connected to it prior to the ripping out of the DA group in Exchange Management... I could ping it...

Help...
Question by:CEvans72
16 Comments
 
LVL 6

Expert Comment

by:mvgeertruyen
ID: 24216860
The actual error would help (stack trace). I had something similar and this solved it for me:

This exception may occur if the Allow inheritable permissions check box is not selected on the user object or on the OU container in Active Directory Users and Computers.

Article: http://technet.microsoft.com/en-us/library/bb885050.aspx
 

Author Comment

by:CEvans72
ID: 24216889
OK... I have added a Word document with the full error.
 
LVL 65

Expert Comment

by:Mestha
ID: 24217006
Exactly what permission did you remove?
"Full Access" does not grant permissions to the mailbox content. There are only two permissions that do that - Full Mailbox Access which would be listed in the User properties within the EMC or Send As/Receive As permissions.

Simon.
 

Author Comment

by:CEvans72
ID: 24217102
I removed the AD Group Domain Admins. Don't ask how it got there, clearly not all mailboxes have this group with Full Access permissions. What I noticed is that this is why I was able to open the mailbox with my Outlook client or via OWA. Yes, I logged into OWA under my account and opened the other mailbox within OWA, successfully. I do not have explicit permissions under my own AD user account. This must have been from me being a member of the AD Domain Admins group. Clearly this person does not want anyone else aside from themselves within their mailbox. So I removed the group. However, he no longer had access once I did it. I was under the assumption that within the EMC Full Permissions wizard, the security authority NT AUTHORITY\SELF allowed him to have his own access.
 
LVL 65

Expert Comment

by:Mestha
ID: 24218114
What I meant was, what permission name was it? Was it "Full Control", "Full Mailbox Access", something else?

Checking my own system, I have two accounts with Full Mailbox Access:

Self
Domain\Exchange Domain Servers.

If you have added Self in to the permissions, then do be aware that a permission change can take two hours to take effect, due to the way that the permissions are cached by Exchange.

Simon.
 

Author Comment

by:CEvans72
ID: 24218747
It was to remove the Full Access permission via the EMC.
I see that we have a bunch... like 16. Most of them are OK in my eyes but are probably more than needed.

I noticed the group, Domain Admins, so I removed it. Prior to that the mailbox functioned just fine. Once I replaced it, it functions fine as well.

The permission of  NT AUTHORITY\SELF was already there...
 

Author Comment

by:CEvans72
ID: 24218793
Attached is the detailed error message...
Stack-Error.doc
 

Author Comment

by:CEvans72
ID: 24219716
In my opinion and own analysis, it appears that this is a permissions issue.
Is there anything I can do to view detailed permissions for this mailbox? I can see the ones via EMC.
But is there anything I can run within the Exchange Management Shell?

I believe something is being denied and possibly Domain Admin rights override it?
 
LVL 65

Expert Comment

by:Mestha
ID: 24220732
Domain Admins should be on the list of permissions for all mailboxes, just with some deny permissions set. Therefore the first thing I would do is put domain admins back in to the list and then look at a working user and recreate the exact permission structure. Be aware of the cache issue above.

No idea what the attachment says, I don't open .docs on this site as they could contain a payload.

Simon.
 

Author Comment

by:CEvans72
ID: 24226583
Adding Domain Admins back into the mailbox permissions works, however this clearly allows additional members with full access to this mailbox. This is not good security practice, nor would be approved by the owner of this mailbox. This is not a widespread issue as I have only identified one other mailbox to where I can replicate this issue with. Is there any way to see the Deny permissions for this mailbox? If I look at a working user, they do not have the Domain Admins group added, all other groups appear to be the same as they relate to permissions...

Here is what was contained within the .doc file....

So, I will try and make the changes and wait 2 hours? Is that normal? If I yank the Domain Admins group, the response is almost immediate. If I add it, here too, it is almost immediate...

Exception
Exception type: Microsoft.Exchange.Data.Storage.ConnectionFailedTransientException
Exception message: Cannot open mailbox /O=******/OU=***** /cn=Recipients/cn=**********.

Call stack
Microsoft.Exchange.Data.Storage.ConnectionCachePool.OpenMailbox(String serverDn, String userDn, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, Object identity, ConnectFlag connectFlag, OpenStoreFlag openStoreFlag, CultureInfo cultureInfo, String clientInfoString, Boolean secondTry)
Microsoft.Exchange.Data.Storage.ConnectionCachePool.OpenMailbox(String serverDn, String userDn, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, Object identity, ConnectFlag connectFlag, OpenStoreFlag openStoreFlag, CultureInfo cultureInfo, String clientInfoString, Boolean secondTry)
Microsoft.Exchange.Data.Storage.ConnectionCachePool.OpenMailbox(String serverDn, String userDn, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, Object identity, ConnectFlag connectFlag, OpenStoreFlag openStoreFlag, CultureInfo cultureInfo, String clientInfoString)
Microsoft.Exchange.Data.Storage.MailboxSession.Initialize(LogonType logonType, ExchangePrincipal owner, DelegateLogonUser delegateUser, Object identity, OpenMailboxSessionFlags flags)
Microsoft.Exchange.Data.Storage.MailboxSession.CreateMailboxSession(LogonType logonType, ExchangePrincipal owner, DelegateLogonUser delegateUser, Object identity, OpenMailboxSessionFlags flags, CultureInfo cultureInfo, String clientInfoString)
Microsoft.Exchange.Data.Storage.MailboxSession.Open(ExchangePrincipal mailboxOwner, WindowsPrincipal authenticatedUser, CultureInfo cultureInfo, String clientInfoString)
Microsoft.Exchange.Clients.Owa.Core.OwaWindowsIdentity.CreateMailboxSession(ExchangePrincipal exchangePrincipal, CultureInfo cultureInfo)
Microsoft.Exchange.Clients.Owa.Core.UserContext.Load(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.CreateUserContext(OwaContext owaContext, UserContextKey userContextKey, UserContext& userContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.PrepareRequestWithoutSession(OwaContext owaContext, UserContextCookie userContextCookie)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.InternalDispatchRequest(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchRequest(OwaContext owaContext)
System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Inner Exception
Exception type: Microsoft.Mapi.MapiExceptionLogonFailed
Exception message: MapiExceptionLogonFailed: Unable to open message store. (hr=0x80040111, ec=1010) Diagnostic context: Lid: 18969 EcDoRpcExt2 called [length=431] Lid: 27161 EcDoRpcExt2 returned [ec=0x0][length=124][latency=0] Lid: 23226 --- ROP Parse Start --- Lid: 27962 ROP: ropLogon [254] Lid: 17082 ROP Error: 0x3F2 Lid: 26937 Lid: 21921 StoreEc: 0x3F2 Lid: 27962 ROP: ropExtendedError [250] Lid: 1494 ---- Remote Context Beg ---- Lid: 26426 ROP: ropLogon [254] Lid: 4740 StoreEc: 0x80070005 Lid: 30409 StoreEc: 0x80070005 Lid: 19145 StoreEc: 0x3F2 Lid: 23241 StoreEc: 0x3F2 Lid: 32186 Lid: 8620 StoreEc: 0x3F2 Lid: 1750 ---- Remote Context End ---- Lid: 26849 Lid: 21817 ROP Failure: 0x3F2 Lid: 26297 Lid: 16585 StoreEc: 0x3F2 Lid: 32441 Lid: 1706 StoreEc: 0x3F2 Lid: 24761 Lid: 20665 StoreEc: 0x3F2 Lid: 25785 Lid: 29881 StoreEc: 0x3F2

Call stack
Microsoft.Mapi.MapiExceptionHelper.ThrowIfError(String message, Int32 hresult, Int32 ec, DiagnosticContext diagCtx)
Microsoft.Mapi.ExRpcConnection.OpenMsgStore(OpenStoreFlag storeFlags, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, MapiStore msgStorePrivate, String& correctServerDn, ClientIdentityInfo clientIdentityAs, String userDnAs, String applicationId, CultureInfo cultureInfo)
Microsoft.Mapi.ConnectionCache.OpenMapiStore(String mailboxDn, Guid mailboxGuid, Guid mdbGuid, ClientIdentityInfo clientIdentity, String userDnAs, OpenStoreFlag openStoreFlags, CultureInfo cultureInfo, String applicationId)
Microsoft.Mapi.ConnectionCache.OpenMailbox(String mailboxDn, Guid mailboxGuid, Guid mdbGuid, WindowsIdentity windowsIdentityAs, String userDnAs, OpenStoreFlag openStoreFlags, CultureInfo cultureInfo, String applicationId)
Microsoft.Exchange.Data.Storage.ConnectionCachePool.OpenMailbox(String serverDn, String userDn, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, Object identity, ConnectFlag connectFlag, OpenStoreFlag openStoreFlag, CultureInfo cultureInfo, String clientInfoString, Boolean secondTry)

 
LVL 65

Accepted Solution

by:Mestha (earned 300 total points)
ID: 24226827
Domain Admins should have permissions on the mailbox, by default, so adding it back in is fine. Remember permissions that you see on the security tab are not just for the mailbox, but they are for the AD object as well - and domain admins have full control over those objects by default.

However there should be some deny permissions for that group on Full Mailbox access and others - which is what you should see if you look at another correctly working user.

Exchange caches some permissions, so there is a two hour delay for the permission change to take full effect - or you can restart the information store.

Simon.
 

Author Comment

by:CEvans72
ID: 24226879
Sorry, correct me if I am wrong here, but this is an Exchange 2007 environment. Domain Admins does not have permissions to the mailbox by default. If a Domain Admin were to need access to a mailbox, it must be exclusively done.
Where is the security tab that you are referring to? We manage Exchange permission via EMC. Two options... Full Access or Send as...

Where can I see the deny permissions?

Thanks,
Chris
 
LVL 65

Expert Comment

by:Mestha
ID: 24226939
Even though you are using Exchange 2007, permissions are still stored in AD.

Therefore some permissions are also set through ADUC on the Security tab. To see the Security tab, choose View, Advanced Features and then open the properties of the User Account again.

So in EMC under Full Mailbox Access you shouldn't see Domain Admins, but you will see them listed on the Security tab in ADUC.

Simon.
 

Author Comment

by:CEvans72
ID: 24227008
OK...
This helps sooo much more. So, here in ADUC, it is the SELF ID that grants the permissions for that particular user to access his/her mailbox, correct? It is that one that I believe that I should be the most concerned with. Should I just enable Full Access for it?
 
LVL 65

Expert Comment

by:Mestha
ID: 24232355
Looking at some of my systems Self does not have full control. The advice I gave above still applies - look at a working user and replicate the permissions exactly - looking in Advanced permissions as well.

Simon.
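To make Mestha's "look at a working user and replicate the permissions exactly" advice, and the earlier question about what can be run from the Exchange Management Shell, repeatable, here is an added example script. It is not part of the original thread and is not Microsoft's code. It assumes an Exchange 2007 Management Shell session run by an account that can read mailbox and AD object permissions; the aliases working.user and broken.user are placeholders for a mailbox that opens normally and the one that fails. It lists every explicit Deny entry on the failing mailbox (the entries the EMC Full Access dialog does not show) and then diffs both the mailbox ACL and the AD object ACL against the known-good user, which is the least-privilege alternative to putting Domain Admins back with Full Access.

```powershell
# Added example, not from the original thread: compare the mailbox ACL and
# the AD object ACL of a mailbox that fails to open against a known-good
# mailbox, and surface explicit Deny entries that the EMC dialog hides.
# Assumptions: Exchange 2007 Management Shell; the two aliases below are
# placeholders for real mailboxes in your organization.

$Good = 'working.user'   # placeholder: a mailbox that opens normally
$Bad  = 'broken.user'    # placeholder: the mailbox that fails to open

function Get-MailboxAceSet {
    # Flatten each mailbox ACE into one "user|rights|Deny=|Inherited=" string
    # so two mailboxes can be compared as sets with Compare-Object.
    param([string]$Identity)
    Get-MailboxPermission -Identity $Identity |
        ForEach-Object {
            $rights = ($_.AccessRights | ForEach-Object { $_.ToString() }) -join ','
            '{0}|{1}|Deny={2}|Inherited={3}' -f $_.User, $rights, $_.Deny, $_.IsInherited
        }
}

function Get-AdAceSet {
    # Same flattening for the AD object ACL, which is what the ADUC Security
    # tab shows (Send As / Receive As extended rights live here).
    param([string]$Identity)
    Get-ADPermission -Identity $Identity |
        ForEach-Object {
            $rights = (@($_.AccessRights) + @($_.ExtendedRights) |
                Where-Object { $_ } | ForEach-Object { $_.ToString() }) -join ','
            '{0}|{1}|Deny={2}|Inherited={3}' -f $_.User, $rights, $_.Deny, $_.IsInherited
        }
}

Write-Host "== Explicit Deny entries on $Bad (mailbox ACL) =="
Get-MailboxPermission -Identity $Bad |
    Where-Object { $_.Deny -and -not $_.IsInherited } |
    Format-Table User, AccessRights, InheritanceType -AutoSize

Write-Host "== Explicit Deny entries on $Bad (AD object ACL) =="
Get-ADPermission -Identity $Bad |
    Where-Object { $_.Deny -and -not $_.IsInherited } |
    Format-Table User, AccessRights, ExtendedRights -AutoSize

Write-Host "== Mailbox ACL differences ('<=' only on $Good, '=>' only on $Bad) =="
Compare-Object (Get-MailboxAceSet $Good) (Get-MailboxAceSet $Bad)

Write-Host "== AD object ACL differences ('<=' only on $Good, '=>' only on $Bad) =="
Compare-Object (Get-AdAceSet $Good) (Get-AdAceSet $Bad)

# Exchange caches mailbox permissions (the thread mentions roughly two hours).
# After reconciling the ACEs, a store restart forces the cache to refresh:
#   Restart-Service MSExchangeIS
```

Read the Compare-Object output with the arrows in mind: a line marked `=>` is an entry present only on the failing mailbox and is the first thing to suspect, especially if its `Deny=True`; a line marked `<=` is present only on the working user and may be an allow entry the failing mailbox lost. Entries whose `User` is the mailbox owner's own account will naturally differ between the two mailboxes and can be ignored. Restarting MSExchangeIS dismounts every database on that server, so do it in a maintenance window rather than on a hunch.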
 

Author Closing Comment

by:CEvans72
ID: 31573831
Yes, this was resolved... I do not have a 100% definition on exactly what was needed, but it appears that there were some excessive groups and most likely a deny permission or two that blocked it.
