Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 495
  • Last Modified:

Outlook not able to connect to Exchange server

In a nutshell the issue is a permissions issue but it is unclear to me where the problem exist.  This is the second time that this has happened and I know how to 'repair' the problem but no idea on a real fix.

Windows 2003 server R2, Exchange 2007, Outlook 2007, Windows 7 desktop - all up to date on patches etc.

My Outlook account can no longer connect to the Exchange server.  OWA and my mobile phone also loose the ability to connect to the Exchange server.  The main errors that show up in the Exchange event viewer are 1016 and 1022.

They talk about a mapi faliure due to the login.  In researching the errors, it narrowed down to the permissions set on my AD account.  Under my account/Security/Advanced, I found that my "include inheritable permissions from this object's parent" is unchecked.  I go through the steps to check that box, save it etc to find that it is unchecked about 20 minutes later!  When it is checked it does not solve the problem right away but last time I talked with MS, that was the root of the issue.  Although they had me pretty much delete my Exchange account and recreate it to get my e-mail working again.  That fixed lasted almost 3 weeks to the day.

Needless to say, they also thought it was a group policy problem that was causing the problem but I have moved my account to it's own OU and the problem still exist.  I am running a Windows 7 machine along with others but the problem exist only with my account.  The backup domain adminstrator who has the same permissions etc doesn't have this problem... any ideas?

Tia,
Andrew
0
itbossman
Asked:
itbossman
  • 9
  • 3
  • 2
1 Solution
 
Adam BrownSr Solutions ArchitectCommented:
Rather than propagating the permissions over and over and having it clear out again, you might try assigning specific permissions. I believe the Exchange Servers group is the one that needs permission on your account in this situation. It would be difficult to dig into the cause of the problem, but explicitly assigning the permissions that should be propagated to your account is a feasible work around since there is only one account having this problem.
0
 
GridLock137Commented:
a mapi issue mostly likely related to your phone setup, under your user object in AD make sure that feature is enabled and also make sure that any SSL (if running it) is checked on the phone and that your password if changed is updated on the mobile phone. in regards to exchange services make sure the map services are running.
0
 
itbossmanAuthor Commented:
All of the services are running, the account is a member of all of the Exchange groups.  The password has not been reset.  The account has full domain/enterprise permissions etc.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
Adam BrownSr Solutions ArchitectCommented:
The permissions that the account has doesn't matter in this situations. It's what has permission to read and write *to* the account. If the Exchange Servers Group doesn't have the necessary permission to read and write on your account object, you won't be able to connect to the Exchange Server because the permissions only exist one way. AD Permissions work two ways with Exchange. Your account has to have access to the Exchange Server to read data, and the Server has to have permission to your account in order to read account information and write changes if necessary. When you lose the Inherit Permissions checkmark on your account's security settings, it effectively removes the Exchange Server group from the list of objects that are able to read and write to your account's AD Object, thus breaking the two way permissions requirement.
0
 
itbossmanAuthor Commented:
Your comments make sense, the question is why is that happening though and how do I restore it.  How can I be sure it is the Exchange Servers Group is the one that is having the issue?
0
 
GridLock137Commented:
i agree with acbrown, mine was a shot in the dark but his makes sense.
0
 
Adam BrownSr Solutions ArchitectCommented:
I've run into this problem before. We had a couple of users in a recent migration that were just randomly set to not inherit permissions. I remember reading that the Exchange Servers group was the one that needed the access. However, you *can* get it so you have all of the necessary permissions written explicitly to your account without having to put them all in manually. On the Advanced Screen for your Accounts Security, check the Inherit Permissions box and hit apply, once that's done, remove the check mark and you'll be prompted to Copy, Remove, or Cancel. Clicking Copy will assign the necessary permissions explicitly to your account. Hit OK to close your Account Properties box and Click Yes when prompted to write the additional ACLs. Once you have the permissions assigned explicitly, you can then re-enable Inherited permissions and they won't go away if the Inheritable permissions box gets unchecked for some reason.
0
 
itbossmanAuthor Commented:
I had tried that yesterday and the prompt for the username and password still pops up.  I agree that your idea should work but it isn't.  I just tried it again and the same problem happens.  I can try to reboot instead of exiting and re-entering Outlook if that would make a difference.
0
 
itbossmanAuthor Commented:
Rebooted and same issue.
0
 
itbossmanAuthor Commented:
Spent all day with MS and they are still working on the issue.  Odd thing is that they said over the last month or so they have seen this problem pop up.  If that were the case then why can't they fix it =p

A lot of changes were made to the back end permissions and will be rebooting the DC's, Catalog Server and the Exchange Server in the am.  Fingers crossed.
0
 
itbossmanAuthor Commented:
Servers rebooted, problem still exist.
0
 
itbossmanAuthor Commented:
After talking with MS, the finally concluded that the problem was with the AD account, not with Exchange.  I spent countless hours with them changing permissions on groups and ultimately my account where 'nothing' was set to deny but yet I still would get prompted for a user name a password that would not work.

I ended up setting up a backup domain account and gave that rights to get into the e-mail account and that work fine but at the end of the day, I created a new AD account that had to have a different name since I left the existing problem account active but not pointing to an e-mail account.  MS felt that if this happens again, they could compare the permissions between the two accounts to see where the problem exist.

They wanted me to create the new account and add the permission groups one by one to see which one has the problem but I told them that would be fine, it would take a few weeks to see the problem flair up so we are watching for the next installment.  With a clean AD account, hopefully this won't happen again.  Yes, the backup admin has the same permissions as I do but his account was not effected ???

For the admins on the site, I would not close this based on date or lack of a definitive answer for a while since I am in the waiting process but from researching the net, others have had this problem with no rationale on why and a 'true' fix; as of yet.

Andrew
0
 
itbossmanAuthor Commented:
The fix was to delete my AD account, delete my Exchange account and start from scratch.  I made a backup of my current e-mail folder and imported it after the new accounts were setup.  No 'fix' but a complete 'do over'.  Yes, don't forget to redo 'all' of you domain shares, permissions etc.  Huge time project...
0
 
itbossmanAuthor Commented:
that was the solution
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 9
  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now