?
Solved

Running Exmerge on Exchange 2003 SP3 and Windows 2003 SP 2

Posted on 2009-05-18
13
Medium Priority
?
321 Views
Last Modified: 2012-05-07
Hi,
I created a new user to use with Exmerge. I gave that user admin rights as well as domain rights.
I then created a security group and placed that user in it.
I delegated control to the group and gave the group full rights at the Store level.
As per Microsoft:  http://support.microsoft.com/kb/292509

However, two strange things are happening.

1. When I log on as that user, I get an error message when trying to retrieve the list of users in ExMerg ("Error getting list of private information store databases on server."). When I launch ESM as that user, I can't see the database. This tells me I must have a permission issue someplace but I can't figure out where.  Any ideas?

2. After I was done experimenting with this, I right clicked on the new user I created and disabled it. Then the next morning some error messages in my Application Log:  ID 1058:
"Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=crd,DC=lcl. The file must be present at the location <\\crd.lcl\sysvol\crd.lcl\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you. ). Group Policy processing aborted."
Also an error in my   System log: ID 40960: "The Security System detected an authentication error for the server cifs/crd.lcl.  The failure code from authentication protocol Kerberos was "The referenced account is currently disabled and may not be logged on to.
 (0xc0000072)".

Are these error messages because I disabled the user. It appears as though that's the case but I don't know why.


Thanks,
Mike


0
Comment
Question by:michaelshavel
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
  • 3
13 Comments
 
LVL 49

Expert Comment

by:Akhater
ID: 24411166
have you tried to restart the information store after assigning the permission ?
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24411229
If the account that we are using is a member of other groups and they have deny for SendAs and ReceiveAs this would be a problem. For that you cantry creating a user who is a member of no group rather then the default one, then give it Exchange Full admin and also give it rights on the ORg as full control and verify that they get to the store level. Once that is done you can try running the Exmerge with the option of RunAs and use this new account. For the info about the disabled account it would have an Event 9548 for the disabled account.
This event says that it cannot access a share and find a GPT file
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=crd,DC=lcl. The file must be present at the location <\\crd.lcl\sysvol\crd.lcl\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
Also in this event i see refernce to the same server
System log: ID 40960: "The Security System detected an authentication error for the server cifs/crd.lcl.  
0
 
LVL 1

Author Comment

by:michaelshavel
ID: 24411666
Akhater --

No I didn't restart the store. Is this necessary?
I will give it a try.

0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24411716
You can try once
0
 
LVL 1

Author Comment

by:michaelshavel
ID: 24411989
Rancy --
The thing is that I need to run all of this remotely, as this server is hosted as at a hosting company. I can't physically sit down in front of it, that's why I included it as part of the admin group (The Admin group is the only one who can log on remotely I believe)
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24412302
yeah. ohk but as i said that if its a member of XYZ and that group has deny for SendAs and ReceiveAs then it would take the presedence. So you might have to have a look at this and if possible you can take PST from Outlook cache user but this would be a manual process.
0
 
LVL 1

Author Comment

by:michaelshavel
ID: 24412399
Ok.

Question:
All I really need it to use ExMerge to import some contacts from a .pst file,  into a users account (they use OWA, not Outlook).
Is there ANY way I can just do this as the Admin user?  Can I give the Admin user permission to do this on a specific box and then take that permission away when I'm done?
 This is very frustrating.
Thanks
Mike
0
 
LVL 49

Expert Comment

by:Akhater
ID: 24413297
You need to restart the information store for the permissions to be applied

and yes you can give the administrator permissions on the mailbox and use it
0
 
LVL 49

Expert Comment

by:Akhater
ID: 24413423
here is for the administrator question

http://support.microsoft.com/kb/823143
0
 
LVL 52

Accepted Solution

by:
Manpreet SIngh Khatra earned 2000 total points
ID: 24418679
Yes you can add the Admin account and give it full control on those set of account with Full Control.
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24440211
Hello michaelshavel any update on the status of the issue ?
0
 
LVL 1

Author Comment

by:michaelshavel
ID: 24441115
Rancy,

Resolution:
I was able to add the Admin group directly to each user, then just click "Full Control". Then I could run ExMerge on that user, as Admin, with no problem at all.  This was by far the simplest way for me to do this.

As for the "Windows can't access gpt.ini" error message in my Application log, that went away when I stopped trying to jump through hoops giving a new user correct access to run ExMerge. I'm sure it had to do with me trying to make this work.

Thanks for the help.  You get the points for your suggestions and for sticking with me.

Mike
0
 
LVL 1

Author Closing Comment

by:michaelshavel
ID: 31583926
Rancy,

Resolution:
I was able to add the Admin group directly to each user, then just click "Full Control". Then I could run ExMerge on that user, as Admin, with no problem at all.  This was by far the simplest way for me to do this.

As for the "Windows can't access gpt.ini" error message in my Application log, that went away when I stopped trying to jump through hoops giving a new user correct access to run ExMerge. I'm sure it had to do with me trying to make this work.

Thanks for the help.  You get the points for your suggestions and for sticking with me.

Mike
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
Here's a look at newsworthy articles and community happenings during the last month.
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…
Suggested Courses
Course of the Month13 days, 8 hours left to enroll

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question