[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 323
  • Last Modified:

Running Exmerge on Exchange 2003 SP3 and Windows 2003 SP 2

Hi,
I created a new user to use with Exmerge. I gave that user admin rights as well as domain rights.
I then created a security group and placed that user in it.
I delegated control to the group and gave the group full rights at the Store level.
As per Microsoft:  http://support.microsoft.com/kb/292509

However, two strange things are happening.

1. When I log on as that user, I get an error message when trying to retrieve the list of users in ExMerg ("Error getting list of private information store databases on server."). When I launch ESM as that user, I can't see the database. This tells me I must have a permission issue someplace but I can't figure out where.  Any ideas?

2. After I was done experimenting with this, I right clicked on the new user I created and disabled it. Then the next morning some error messages in my Application Log:  ID 1058:
"Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=crd,DC=lcl. The file must be present at the location <\\crd.lcl\sysvol\crd.lcl\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you. ). Group Policy processing aborted."
Also an error in my   System log: ID 40960: "The Security System detected an authentication error for the server cifs/crd.lcl.  The failure code from authentication protocol Kerberos was "The referenced account is currently disabled and may not be logged on to.
 (0xc0000072)".

Are these error messages because I disabled the user. It appears as though that's the case but I don't know why.


Thanks,
Mike


0
michaelshavel
Asked:
michaelshavel
  • 5
  • 5
  • 3
1 Solution
 
AkhaterCommented:
have you tried to restart the information store after assigning the permission ?
0
 
Manpreet SIngh KhatraSolutions Architect, Project LeadCommented:
If the account that we are using is a member of other groups and they have deny for SendAs and ReceiveAs this would be a problem. For that you cantry creating a user who is a member of no group rather then the default one, then give it Exchange Full admin and also give it rights on the ORg as full control and verify that they get to the store level. Once that is done you can try running the Exmerge with the option of RunAs and use this new account. For the info about the disabled account it would have an Event 9548 for the disabled account.
This event says that it cannot access a share and find a GPT file
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=crd,DC=lcl. The file must be present at the location <\\crd.lcl\sysvol\crd.lcl\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
Also in this event i see refernce to the same server
System log: ID 40960: "The Security System detected an authentication error for the server cifs/crd.lcl.  
0
 
michaelshavelAuthor Commented:
Akhater --

No I didn't restart the store. Is this necessary?
I will give it a try.

0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
Manpreet SIngh KhatraSolutions Architect, Project LeadCommented:
You can try once
0
 
michaelshavelAuthor Commented:
Rancy --
The thing is that I need to run all of this remotely, as this server is hosted as at a hosting company. I can't physically sit down in front of it, that's why I included it as part of the admin group (The Admin group is the only one who can log on remotely I believe)
0
 
Manpreet SIngh KhatraSolutions Architect, Project LeadCommented:
yeah. ohk but as i said that if its a member of XYZ and that group has deny for SendAs and ReceiveAs then it would take the presedence. So you might have to have a look at this and if possible you can take PST from Outlook cache user but this would be a manual process.
0
 
michaelshavelAuthor Commented:
Ok.

Question:
All I really need it to use ExMerge to import some contacts from a .pst file,  into a users account (they use OWA, not Outlook).
Is there ANY way I can just do this as the Admin user?  Can I give the Admin user permission to do this on a specific box and then take that permission away when I'm done?
 This is very frustrating.
Thanks
Mike
0
 
AkhaterCommented:
You need to restart the information store for the permissions to be applied

and yes you can give the administrator permissions on the mailbox and use it
0
 
AkhaterCommented:
here is for the administrator question

http://support.microsoft.com/kb/823143
0
 
Manpreet SIngh KhatraSolutions Architect, Project LeadCommented:
Yes you can add the Admin account and give it full control on those set of account with Full Control.
0
 
Manpreet SIngh KhatraSolutions Architect, Project LeadCommented:
Hello michaelshavel any update on the status of the issue ?
0
 
michaelshavelAuthor Commented:
Rancy,

Resolution:
I was able to add the Admin group directly to each user, then just click "Full Control". Then I could run ExMerge on that user, as Admin, with no problem at all.  This was by far the simplest way for me to do this.

As for the "Windows can't access gpt.ini" error message in my Application log, that went away when I stopped trying to jump through hoops giving a new user correct access to run ExMerge. I'm sure it had to do with me trying to make this work.

Thanks for the help.  You get the points for your suggestions and for sticking with me.

Mike
0
 
michaelshavelAuthor Commented:
Rancy,

Resolution:
I was able to add the Admin group directly to each user, then just click "Full Control". Then I could run ExMerge on that user, as Admin, with no problem at all.  This was by far the simplest way for me to do this.

As for the "Windows can't access gpt.ini" error message in my Application log, that went away when I stopped trying to jump through hoops giving a new user correct access to run ExMerge. I'm sure it had to do with me trying to make this work.

Thanks for the help.  You get the points for your suggestions and for sticking with me.

Mike
0

Featured Post

Prep for the ITIL® Foundation Certification Exam

December’s Course of the Month is now available! Enroll to learn ITIL® Foundation best practices for delivering IT services effectively and efficiently.

  • 5
  • 5
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now