Solved

Urgent - cannot set Delegate on CIO's mailbox

Posted on 2011-02-21
Last Modified: 2012-05-11
Running Exchange 2007 SP2 and Outlook 2007 SP2. We have two forests, one for Messaging (Exchange) and one for standard user accounts, i.e. we're using linked mailboxes.

Exchange forest is called Exchange, user account forest is called Domain.

There is a CIO named Bill Gates. He wants his PA, Jenny Smith, to be able to receive and respond to meeting requests sent to him.

In Bill's Outlook, we go to Delegates and add Jenny as a delegate so that she has Editor access on his Calendar. We tick the box saying "Delegate receives copies of meeting related messages sent to me"

But when he tries to save, he gets the message:

"The Delegates settings were not saved correctly. Unable to activate send-on-behalf-of list. You do not have sufficient permission to perform this operation on this object"

We've also gone into Exchange Shell and run this command:

Add-ADPermission -Identity BillGates -User Domain\JennySmith -Properties:publicDelegates -AccessRights:WriteProperty

Still same problem!

Any ideas?
Question by:elpaso1
18 Comments
 
LVL 4

Expert Comment

by:denissie
ID: 34946507
Hi Elpaso1.

You wrote that you received the error:
"The Delegates settings were not saved correctly. Unable to activate send-on-behalf-of list. You do not have sufficient permission to perform this operation on this object"

Do you have enough permissions to change the CIO's mailbox send-on-behalfs?
You might try executing the command as administrator or as the CIO user, hoping that it will grant you sufficient permissions.

I hope it helps.
 
LVL 4

Expert Comment

by:denissie
ID: 34946525
Additional note:
To see the permissions you've got on the CIO's user, you can use (for example) ADExplorer: right-click on the CIO's user and go to the Security tab...
 

Author Comment

by:elpaso1
ID: 34946563
Hi

The CIO is trying to add the delegate to his own mailbox, via Outlook, and getting that error.

If I go to Exchange Management Console > CIO's mailbox properties, I can see that the PA has send on behalf rights set there.

So not sure where or what the problem is, but every time the CIO tries to add his PA as a delegate so she can respond to his Calendar stuff, he gets this message:

"The Delegates settings were not saved correctly. Unable to activate send-on-behalf-of list. You do not have sufficient permission to perform this operation on this object"
 
LVL 12

Expert Comment

by:Navdeep
ID: 34946583
Hi,

Try the following PS command:

Get-Mailbox CIOmailbox | Add-ADPermission -User "NT AUTHORITY\SELF" -AccessRights WriteProperty -Properties "Personal Information"
 

Author Comment

by:elpaso1
ID: 34946671
Hi v-2nas

Couple of questions on running the above:

1. Is there any risk at all? The user having the problem is the CIO so I don't want to run something that may mess up his mailbox or rights somehow :)

2. I assume I actually write "NT Authority\SELF" after -user, not the CIO's AD account name or anything like that?

3. How will this fix the problem?

Thanks very much both!
 
LVL 12

Expert Comment

by:Navdeep
ID: 34946893
Hi,

If you try with a test account, do you face the same issue?

Have you run this command in the resource forest?
Add-ADPermission -Identity BillGates -User Domain\JennySmith -Properties:publicDelegates -AccessRights:WriteProperty

Have you tried Setting delegation using OWA?

 

Author Comment

by:elpaso1
ID: 34946968
Hi

I tried with my own account, it works fine without having to do all this.

I have run that Add-ADPermission command in the Exchange forest, yes (I assume resource forest=Exchange forest?)

I didn't know that you could set Delegation via OWA in Exchange 2007? Is this possible in case the problem is something to do with the CIO's profile?
 
LVL 12

Expert Comment

by:Navdeep
ID: 34947043
Try with OWA. I am also looking for more options as well. It's a little bit complex in the linked mailbox scenario.
 

Author Comment

by:elpaso1
ID: 34954352
Ran cleanfreebusy but this didn't fix it :( Also noticed that the CIO cannot even remove existing delegates or add new ones, he always gets "The Delegates settings were not saved correctly. Unable to activate send-on-behalf-of list. You do not have sufficient permission to perform this operation on this object" coming up.

Any ideas? Is it possible that he's missing some rights to perform actions on his own mailbox? SELF does have Full Mailbox access to his mailbox though.
 
LVL 12

Expert Comment

by:Navdeep
ID: 34954564
Can you confirm if user has "Write Personal Information" permission in AD?
 

Author Comment

by:elpaso1
ID: 34954668
Do you know how I would do that? And if it hasn't - do I add that permission to SELF or to BillGates?
 
LVL 12

Expert Comment

by:Navdeep
ID: 34954802
Hi,

This will be for the SELF account. I don't have a lab environment where I can repro, but I have worked on this issue before.

First check the above option; if it doesn't work, then you can use EMC to grant appropriate permissions.
 

Author Comment

by:elpaso1
ID: 34954853
Will give it a go. Out of interest, what is the difference between giving access to SELF and giving access to BillGates?
 
LVL 12

Expert Comment

by:Navdeep
ID: 34954895
 

Author Comment

by:elpaso1
ID: 34955548
Ok, managed to get it to work by running this command:

Add-ADPermission -Identity BillGates -User Domain\BillGates -Properties:publicDelegates -AccessRights:WriteProperty

No idea how though!!

Can anyone explain?
 
LVL 12

Expert Comment

by:Navdeep
ID: 34955610

The Information Store caches permissions for 2 hours before they apply. The immediate fix would be a restart of the store, which would bring the permissions into effect ASAP.

Maybe the earlier permission didn't propagate properly and now it has.
 

Author Comment

by:elpaso1
ID: 34955750
Ah ok. Out of interest, do

Add-ADPermission -Identity BillGates -User Domain\BillGates -Properties:publicDelegates -AccessRights:WriteProperty

and

Add-ADPermission -Identity BillGates -User "NT AUTHORITY\SELF" -Properties:publicDelegates -AccessRights:WriteProperty

do the same thing?
 
LVL 12

Accepted Solution

by:
Navdeep earned 500 total points
ID: 34955858
Excerpt from TechNet:

In addition, because the account is now disabled, for the mailbox to continue being used, we have to set the msExchMasterAccountSID attribute and apply the appropriate permissions.  In this case, we are not assigning a linked account, but instead assigning the NT AUTHORITY\SELF privilege to the msExchMasterAccountSID attribute.  In addition, we need to ensure that the NT AUTHORITY\SELF privilege has the appropriate permissions so that mail flow and the mailbox are not affected.  We do this in two ways.  First, we grant the NT AUTHORITY\SELF privilege full access to the mailbox by updating the mailbox security descriptor.  Second, we grant the NT AUTHORITY\SELF privilege the Send-As extended right and read and write access to the Personal Information property set (so that publicDelegates and other attributes can be managed by NT AUTHORITY\SELF).

From a blog post:
http://bsmith9999.blogspot.com/2009/02/adding-nt-authorityself-back-for.html

From another blog post:
http://exchangepedia.com/2008/02/how-to-list-mailboxes-with-full-mailbox-access-permission-assigned.html

The output shows all explicitly-assigned permissions, including the permissions assigned to the mailbox owner (NT AUTHORITY\SELF).

Although it says it is the mailbox owner, the way the permission takes effect is different.

Hope this will shed some light.
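As an added example that is not part of this thread (neither the accepted answer's nor Microsoft's code): an Exchange Management Shell script that audits whether NT AUTHORITY\SELF explicitly holds, on the linked mailbox's AD object, the rights the TechNet excerpt names (write access to publicDelegates / the Personal Information property set and Send-As), and grants only the missing ones when run with -Fix. It assumes the Exchange 2007 shell in the Exchange (resource) forest, a placeholder mailbox name, and that -Properties accepts the property-set display name "Personal Information" as shown in the quoted excerpt.

```powershell
# Added example (not from the thread). Assumes Exchange 2007 Management Shell,
# run in the Exchange/resource forest. Mailbox name is a placeholder.
param(
    [Parameter(Mandatory = $true)][string]$Mailbox,  # e.g. 'BillGates'
    [switch]$Fix                                     # without -Fix: report only
)

$self = 'NT AUTHORITY\SELF'

# Explicit (non-inherited) Allow entries for SELF on the mailbox's AD object.
# Deny and inherited entries are ignored on purpose: the fix in the thread
# works by adding an explicit Allow ACE.
$aces = Get-ADPermission -Identity $Mailbox |
    Where-Object { "$($_.User)" -eq $self -and -not $_.IsInherited -and -not $_.Deny }

# Joining the flag collections into strings keeps the match robust when one ACE
# carries combined values such as "ReadProperty, WriteProperty". GenericAll
# (full control) satisfies any property check because it is not property-scoped.
function Test-Ace([string]$RightsPattern, [string]$PropertyPattern) {
    [bool]($aces | Where-Object {
        $rights = $_.AccessRights -join ','
        ($rights -match 'GenericAll') -or
        (($rights -match $RightsPattern) -and (($_.Properties -join ',') -match $PropertyPattern)) })
}

# publicDelegates is a member of the Personal Information property set, so write
# access to the whole set also covers the send-on-behalf list Outlook updates.
$checks = @(
    @{ Label = 'WriteProperty on publicDelegates (send-on-behalf list)'
       Test  = { Test-Ace 'WriteProperty|GenericWrite' 'publicDelegates|Personal Information' }
       Fix   = { Add-ADPermission -Identity $Mailbox -User $self -AccessRights WriteProperty -Properties publicDelegates } },
    @{ Label = 'Read/WriteProperty on the Personal Information property set'
       Test  = { Test-Ace 'WriteProperty|GenericWrite' 'Personal Information' }
       Fix   = { Add-ADPermission -Identity $Mailbox -User $self -AccessRights ReadProperty,WriteProperty -Properties 'Personal Information' } },
    @{ Label = 'Send-As extended right'
       Test  = { [bool]($aces | Where-Object { ($_.ExtendedRights -join ',') -match 'Send-As' }) }
       Fix   = { Add-ADPermission -Identity $Mailbox -User $self -ExtendedRights Send-As } }
)

foreach ($c in $checks) {
    if (& $c.Test) { "OK      $($c.Label)"; continue }
    "MISSING $($c.Label)"
    if ($Fix) { & $c.Fix | Out-Null; "GRANTED $($c.Label)" }
}
"Note: the Information Store caches permissions, so a newly granted ACE can take time to apply."
```

Run it first without -Fix against a test mailbox to see what the explicit SELF ACL looks like on a working linked mailbox, then compare with the CIO's.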