Solved

ACL Inheritance on Exchange 2003 Servers

Posted on 2011-03-09
6
792 Views
Last Modified: 2012-05-11
We are in the process of transitioning from Exchange 2003 to 2010 and are having a permissions issue.  So far, we have installed 2 CAS/HUB servers into the organization and the temporary routing groups have been automatically created.  The problem is, our 2003 servers do not inherit permissions from above (for an unknown reason) and the new permissions for groups "Exchange Servers" and "Exchange Trusted Subsystem" are not present on any 2003 server.

We are afraid of just clicking the inherit permissions checkbox fearful that something will stop working.  My question...is there a tool out there that will allow us to easily compare ACL permissions between parent and child?  I was able to use dsacls to export but that is going to take a lot of sifting through.  Or would it just be easier to add the new 2010 groups to each server node?  I do see "Exchange Trusted Subsystem" has Full Permission and "Exchange Servers" have read and extended rights.  Are there any other permissions to note?
0
Comment
Question by:msCCare
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
6 Comments
 
LVL 37

Expert Comment

by:Neil Russell
ID: 35087366
Although this guide covers a LOT more than just the 2003 to 2010 migration it is a very very guide guide to how to move from 2003 to 2010.

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2881-Migrate-Small-Business-Server-2003-to-Exchange-2010-and-Windows-2008-R2.html

Read it all, mainly from section 6 for exchange and make sure you followed ALL the right steps
0
 
LVL 1

Author Comment

by:msCCare
ID: 35087826
Thanks, that is a great document, but the issue still remains that we have permission issues on our 2003 server objects.  We already ran all prerequisites, schema updates, and installed 2 CAS/HUB servers.  Apparently, the Exchange 2010 install does not check for these permissions prior to installing.
0
 
LVL 12

Expert Comment

by:Navdeep
ID: 35094217
You can use tool called dumpsec or user powershell command

get-acl -path x:\folderName\files.txt | FL AccessToString

To get the acl on the folder or file
0
Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

 
LVL 1

Accepted Solution

by:
msCCare earned 0 total points
ID: 35148179
i was able to resolve this by adding "Exchange Trusted Subsystem" and "Exchange Servers" to have full permission to the objects in question
0
 
LVL 1

Author Comment

by:msCCare
ID: 35148193
Resolved on own
0
 
LVL 1

Author Closing Comment

by:msCCare
ID: 35178761
Resolved on own
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article runs through the process of deploying a single EXE application selectively to a group of user.
How to resolve IMCEAEX NDRs in Exchange or Exchange Online related to invalid X500 addresses.
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question