• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 803
  • Last Modified:

ACL Inheritance on Exchange 2003 Servers

We are in the process of transitioning from Exchange 2003 to 2010 and are having a permissions issue.  So far, we have installed 2 CAS/HUB servers into the organization and the temporary routing groups have been automatically created.  The problem is, our 2003 servers do not inherit permissions from above (for an unknown reason) and the new permissions for groups "Exchange Servers" and "Exchange Trusted Subsystem" are not present on any 2003 server.

We are afraid of just clicking the inherit permissions checkbox fearful that something will stop working.  My question...is there a tool out there that will allow us to easily compare ACL permissions between parent and child?  I was able to use dsacls to export but that is going to take a lot of sifting through.  Or would it just be easier to add the new 2010 groups to each server node?  I do see "Exchange Trusted Subsystem" has Full Permission and "Exchange Servers" have read and extended rights.  Are there any other permissions to note?
0
msCCare
Asked:
msCCare
  • 4
1 Solution
 
Neil RussellTechnical Development LeadCommented:
Although this guide covers a LOT more than just the 2003 to 2010 migration it is a very very guide guide to how to move from 2003 to 2010.

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2881-Migrate-Small-Business-Server-2003-to-Exchange-2010-and-Windows-2008-R2.html

Read it all, mainly from section 6 for exchange and make sure you followed ALL the right steps
0
 
msCCareAuthor Commented:
Thanks, that is a great document, but the issue still remains that we have permission issues on our 2003 server objects.  We already ran all prerequisites, schema updates, and installed 2 CAS/HUB servers.  Apparently, the Exchange 2010 install does not check for these permissions prior to installing.
0
 
NavdeepCommented:
You can use tool called dumpsec or user powershell command

get-acl -path x:\folderName\files.txt | FL AccessToString

To get the acl on the folder or file
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
msCCareAuthor Commented:
i was able to resolve this by adding "Exchange Trusted Subsystem" and "Exchange Servers" to have full permission to the objects in question
0
 
msCCareAuthor Commented:
Resolved on own
0
 
msCCareAuthor Commented:
Resolved on own
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Easily Design & Build Your Next Website

Squarespace’s all-in-one platform gives you everything you need to express yourself creatively online, whether it is with a domain, website, or online store. Get started with your free trial today, and when ready, take 10% off your first purchase with offer code 'EXPERTS'.

  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now