CEvans72
Exchange 2007 Client Permissions - Domain Admins removed
OK... It was noticed that Domain Admins had the ability to access a specific mailbox. This was discovered since the AD Group - Domain Admins had Full Access permissions to that specific mailbox. OK... so what did I do, I removed the Domain Admins permission from that mailbox, problem solved, right? Wrong... Now that particular user cannot access his mailbox via Outlook or OWA. The only solution was to add the Domain Admin group back in with Full Access. Is this user a member of the Domain Admin group you ask...? Yes, in fact he is... OK, so remove the DA group and add the specific user account, right...? Wrong... That did not work either. After further searching, it appears that one other Exchange Mailbox has this same issue, MINE...
Not sure what else to try, but it clearly spells out some sort of permissions issue. When the DA group is removed, OWA says "Outlook Web Access could not connect to Microsoft Exchange. If the problem continues, contact technical support for your organization." Outlook states that the Exchange Server is unavailable.... What? Really? I just connected to it prior to the ripping out of the DA group in Exchange Management... I could ping it...
Help...
ASKER
OK... I have added a Word document with the full error.
Exactly what permission did you remove?
"Full Access" does not grant permissions to the mailbox content. There are only two permissions that do that - Full Mailbox Access which would be listed in the User properties within the EMC or Send As/Receive As permissions.
Simon.
ASKER
I removed the AD Group Domain Admins. Don't ask how it got there; clearly not all mailboxes have this group with Full Access permissions. What I noticed is that this is why I was able to open the mailbox with my Outlook client or via OWA. Yes, I logged into OWA under my account and opened the other mailbox within OWA, successfully. I do not have explicit permissions under my own AD user account. This must have been from me being a member of the AD Domain Admins group. Clearly this person does not want anyone else aside from themselves within their mailbox. So I removed the group. However, he no longer had access once I did it. I was under the assumption that within the EMC Full Permissions wizard, the security authority NT AUTHORITY\SELF allowed him to have his own access.
What I meant was, what permission name was it? Was it "Full Control", "Full Mailbox Access", something else?
Checking my own system, I have two accounts with Full Mailbox Access:
Self
Domain\Exchange Domain Servers.
If you have added Self in to the permissions, then do be aware that a permission change can take two hours to take effect, due to the way that the permissions are cached by Exchange.
Simon.
ASKER
It was to remove the Full Access permission via the EMC.
I see that we have a bunch... like 16. Most of them are OK in my eyes but are probably more than needed.
I noticed the group, Domain Admins, so I removed it. Prior to that the mailbox functioned just fine. Once I replaced it, it functions fine as well.
The permission of NT AUTHORITY\SELF was already there...
ASKER
Attached is the detailed error message...
Stack-Error.doc
ASKER
In my opinion and own analysis, it appears that this is a permissions issue.
Is there anything I can do to view detailed permissions for this mailbox? I can see the ones via EMC.
But is there anything I can run within the Exchange Management Shell?
I believe something is being denied and possibly Domain Admin rights override it?
Domain Admins should be on the list of permissions for all mailboxes, just with some deny permissions set. Therefore the first thing I would do is put domain admins back in to the list and then look at a working user and recreate the exact permission structure. Be aware of the cache issue above.
No idea what the attachment says, I don't open .docs on this site as they could contain a payload.
Simon.
ASKER
Adding Domain Admins back into the mailbox permissions works, however this clearly allows additional members with full access to this mailbox. This is not good security practice, nor would be approved by the owner of this mailbox. This is not a widespread issue as I have only identified one other mailbox to where I can replicate this issue with. Is there any way to see the Deny permissions for this mailbox? If I look at a working user, they do not have the Domain Admins group added, all other groups appear to be the same as they relate to permissions...
Here is what was contained within the .doc file....
So, I will try and make the changes and wait 2 hours? Is that normal? If I yank the Domain Admins group, the response is almost immediate. If I add it, here too, it is almost immediate...
Exception
Exception type: Microsoft.Exchange.Data.Storage.ConnectionFailedTransientException
Exception message: Cannot open mailbox /O=******/OU=*****/cn=Recipients/cn=**********.
Call stack
Microsoft.Exchange.Data.Storage.ConnectionCachePool.OpenMailbox(String serverDn, String userDn, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, Object identity, ConnectFlag connectFlag, OpenStoreFlag openStoreFlag, CultureInfo cultureInfo, String clientInfoString, Boolean secondTry)
Microsoft.Exchange.Data.Storage.ConnectionCachePool.OpenMailbox(String serverDn, String userDn, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, Object identity, ConnectFlag connectFlag, OpenStoreFlag openStoreFlag, CultureInfo cultureInfo, String clientInfoString, Boolean secondTry)
Microsoft.Exchange.Data.Storage.ConnectionCachePool.OpenMailbox(String serverDn, String userDn, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, Object identity, ConnectFlag connectFlag, OpenStoreFlag openStoreFlag, CultureInfo cultureInfo, String clientInfoString)
Microsoft.Exchange.Data.Storage.MailboxSession.Initialize(LogonType logonType, ExchangePrincipal owner, DelegateLogonUser delegateUser, Object identity, OpenMailboxSessionFlags flags)
Microsoft.Exchange.Data.Storage.MailboxSession.CreateMailboxSession(LogonType logonType, ExchangePrincipal owner, DelegateLogonUser delegateUser, Object identity, OpenMailboxSessionFlags flags, CultureInfo cultureInfo, String clientInfoString)
Microsoft.Exchange.Data.Storage.MailboxSession.Open(ExchangePrincipal mailboxOwner, WindowsPrincipal authenticatedUser, CultureInfo cultureInfo, String clientInfoString)
Microsoft.Exchange.Clients.Owa.Core.OwaWindowsIdentity.CreateMailboxSession(ExchangePrincipal exchangePrincipal, CultureInfo cultureInfo)
Microsoft.Exchange.Clients.Owa.Core.UserContext.Load(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.CreateUserContext(OwaContext owaContext, UserContextKey userContextKey, UserContext& userContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.PrepareRequestWithoutSession(OwaContext owaContext, UserContextCookie userContextCookie)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.InternalDispatchRequest(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchRequest(OwaContext owaContext)
System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Inner Exception
Exception type: Microsoft.Mapi.MapiExceptionLogonFailed
Exception message: MapiExceptionLogonFailed: Unable to open message store. (hr=0x80040111, ec=1010) Diagnostic context: Lid: 18969 EcDoRpcExt2 called [length=431] Lid: 27161 EcDoRpcExt2 returned [ec=0x0][length=124][latency=0] Lid: 23226 --- ROP Parse Start --- Lid: 27962 ROP: ropLogon [254] Lid: 17082 ROP Error: 0x3F2 Lid: 26937 Lid: 21921 StoreEc: 0x3F2 Lid: 27962 ROP: ropExtendedError [250] Lid: 1494 ---- Remote Context Beg ---- Lid: 26426 ROP: ropLogon [254] Lid: 4740 StoreEc: 0x80070005 Lid: 30409 StoreEc: 0x80070005 Lid: 19145 StoreEc: 0x3F2 Lid: 23241 StoreEc: 0x3F2 Lid: 32186 Lid: 8620 StoreEc: 0x3F2 Lid: 1750 ---- Remote Context End ---- Lid: 26849 Lid: 21817 ROP Failure: 0x3F2 Lid: 26297 Lid: 16585 StoreEc: 0x3F2 Lid: 32441 Lid: 1706 StoreEc: 0x3F2 Lid: 24761 Lid: 20665 StoreEc: 0x3F2 Lid: 25785 Lid: 29881 StoreEc: 0x3F2
Call stack
Microsoft.Mapi.MapiExceptionHelper.ThrowIfError(String message, Int32 hresult, Int32 ec, DiagnosticContext diagCtx)
Microsoft.Mapi.ExRpcConnection.OpenMsgStore(OpenStoreFlag storeFlags, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, MapiStore msgStorePrivate, String& correctServerDn, ClientIdentityInfo clientIdentityAs, String userDnAs, String applicationId, CultureInfo cultureInfo)
Microsoft.Mapi.ConnectionCache.OpenMapiStore(String mailboxDn, Guid mailboxGuid, Guid mdbGuid, ClientIdentityInfo clientIdentity, String userDnAs, OpenStoreFlag openStoreFlags, CultureInfo cultureInfo, String applicationId)
Microsoft.Mapi.ConnectionCache.OpenMailbox(String mailboxDn, Guid mailboxGuid, Guid mdbGuid, WindowsIdentity windowsIdentityAs, String userDnAs, OpenStoreFlag openStoreFlags, CultureInfo cultureInfo, String applicationId)
Microsoft.Exchange.Data.Storage.ConnectionCachePool.OpenMailbox(String serverDn, String userDn, String mailboxDn, Guid mailboxGuid, Guid mdbGuid, Object identity, ConnectFlag connectFlag, OpenStoreFlag openStoreFlag, CultureInfo cultureInfo, String clientInfoString, Boolean secondTry)
ASKER
Sorry, correct me if I am wrong here, but this is an Exchange 2007 environment. Domain Admins does not have permissions to the mailbox by default. If a Domain Admin were to need access to a mailbox, it must be exclusively done.
Where is the security tab that you are referring to? We manage Exchange permission via EMC. Two options... Full Access or Send as...
Where can I see the deny permissions?
Thanks,
Chris
Even though you are using Exchange 2007, permissions are still stored in AD.
Therefore some permissions are also set through ADUC on the Security tab. You can see the Security tab by choosing View, Advanced Features and then opening the properties of the User Account again.
So in EMC under Full Mailbox Access you shouldn't see Domain Admins, but you will see them listed on the Security tab in ADUC.
Simon.
ASKER
OK...
This helps sooo much more. So, here in ADUC, it is the SELF ID that grants the permissions for that particular user to access his/her mailbox, correct? It is that one that I believe that I should be the most concerned with. Should I just enable Full Access for it?
Looking at some of my systems Self does not have full control. The advice I gave above still applies - look at a working user and replicate the permissions exactly - looking in Advanced permissions as well.
Simon.
ASKER
Yes, this was resolved... I do not have a 100% definition on exactly what was needed, but it appears that there was some excessive groups and most likely a deny or two permission that blocked it.
This exception may occur if the Allow inheritable permissions check box is not selected on the user object or on the OU container in Active Directory Users and Computers.
Article: http://technet.microsoft.com/en-us/library/bb885050.aspx
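An added Exchange Management Shell example (not from this thread, and not a Microsoft tool) for the earlier question about what can be run in the shell and for the advice to compare a failing mailbox with a working one: it dumps both the mailbox-store ACL and the AD-object ACL for each user, diffs the explicit entries, lists any Deny ACEs, and reports whether inheritance is blocked on the user object, which is the "Allow inheritable permissions" checkbox the closing note refers to. The aliases broken.user and working.user are placeholders.

```powershell
# Added example (not from the thread). Run in the Exchange 2007 Management Shell.
# Placeholders: replace the two aliases with a failing and a working mailbox.
param(
    [string]$Broken  = 'broken.user',
    [string]$Working = 'working.user'
)

function Get-MailboxAcl([string]$Id) {
    # Mailbox-store rights (what EMC's "Manage Full Access Permission" shows),
    # including inherited entries and Deny ACEs that the EMC wizard hides.
    Get-MailboxPermission -Identity $Id | Select-Object `
        @{n='Source';e={'Mailbox'}}, @{n='User';e={"$($_.User)"}},
        @{n='Rights';e={($_.AccessRights | ForEach-Object { "$_" }) -join ','}},
        @{n='Deny';e={[bool]$_.Deny}}, IsInherited
}

function Get-AdAcl([string]$Id) {
    # AD-object rights (what the ADUC Security tab shows), e.g. Send-As / Receive-As.
    Get-ADPermission -Identity $Id | Select-Object `
        @{n='Source';e={'AD'}}, @{n='User';e={"$($_.User)"}},
        @{n='Rights';e={(@($_.AccessRights) + @($_.ExtendedRights) |
            ForEach-Object { "$_" }) -join ','}},
        @{n='Deny';e={[bool]$_.Deny}}, IsInherited
}

function Show-DenyEntries([string]$Id) {
    Write-Host "`n== Deny entries on $Id =="
    @(Get-MailboxAcl $Id) + @(Get-AdAcl $Id) | Where-Object { $_.Deny } |
        Format-Table Source, User, Rights, IsInherited -AutoSize
}

function Test-InheritanceBlocked([string]$Id) {
    # True means the user object is NOT receiving inherited ACEs from its OU,
    # i.e. "Allow inheritable permissions" is cleared in ADUC.
    $dn    = (Get-Mailbox -Identity $Id).DistinguishedName
    $entry = [ADSI]"LDAP://$dn"
    return $entry.PSBase.ObjectSecurity.AreAccessRulesProtected
}

# Diff of explicit (non-inherited) entries: '<=' only on the broken mailbox,
# '=>' only on the working one. Extra groups or a stray Deny show up here.
$b = @(Get-MailboxAcl $Broken)  + @(Get-AdAcl $Broken)  | Where-Object { -not $_.IsInherited }
$w = @(Get-MailboxAcl $Working) + @(Get-AdAcl $Working) | Where-Object { -not $_.IsInherited }
Compare-Object $b $w -Property Source, User, Rights, Deny |
    Sort-Object SideIndicator | Format-Table -AutoSize

Show-DenyEntries $Broken
Show-DenyEntries $Working
foreach ($id in $Broken, $Working) {
    Write-Host ("Inheritance blocked on {0}: {1}" -f $id, (Test-InheritanceBlocked $id))
}
```

Remember Simon's point that mailbox permission changes can take up to two hours to be picked up from the store's cache, so re-run the comparison rather than the client test when judging whether a change took.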