qualityip
asked on
SBS 2003/Exchange 2003 Permission Issues
I have a client with a very customized setup. They have an SBS 2003 server that is sending from multiple domains in Exchange. To accomplish this, I added the domains to the receipient policy, created usernames for the additional domains and added as additional mailboxes to the each of the users Outlook clients. This was working great. The users were able to send and receive from multiple domains without a hitch.
The problem is that the server crashed while we were performing maintenance on the backup. We were able to recover their data partition but we could not recover the operating system partition. We had to re-install SBS 2003 and setup this painful e-mail configuration. I was able to get two of the domains to work but now I am having some strange issues with setting mailbox rights and removing users.
Somehow the users are inheriting permissions from somewhere that is blocking me from making changes to mailbox rights for the additional users. The checkboxes in active directory are grayed out. I am also having issues removing and adding users to the server level of the system manager. I cannot remove "everyone" permission because the server level is inheriting permissions from somewhere that I cannot find.
I've attached two screenshots with each of the issues I am having trouble with. Ultimately, I want to be able to edit their mailbox rights from Active directory and also remove users from the server level of Exchange in system manager.
I have downloaded and installed ADSIedit but I am not too familiar. I've turned off inheritance on in ADSI and it brought the Exchange store down. I re-enabled that and I was able to mount the store again. It seems like the permissions I've really goofed up the permissions on the server.
Any ideas?
cascade-mailbox-rights.JPG
cascade-remove-everyone.JPG
The problem is that the server crashed while we were performing maintenance on the backup. We were able to recover their data partition but we could not recover the operating system partition. We had to re-install SBS 2003 and setup this painful e-mail configuration. I was able to get two of the domains to work but now I am having some strange issues with setting mailbox rights and removing users.
Somehow the users are inheriting permissions from somewhere that is blocking me from making changes to mailbox rights for the additional users. The checkboxes in active directory are grayed out. I am also having issues removing and adding users to the server level of the system manager. I cannot remove "everyone" permission because the server level is inheriting permissions from somewhere that I cannot find.
I've attached two screenshots with each of the issues I am having trouble with. Ultimately, I want to be able to edit their mailbox rights from Active directory and also remove users from the server level of Exchange in system manager.
I have downloaded and installed ADSIedit but I am not too familiar. I've turned off inheritance on in ADSI and it brought the Exchange store down. I re-enabled that and I was able to mount the store again. It seems like the permissions I've really goofed up the permissions on the server.
Any ideas?
cascade-mailbox-rights.JPG
cascade-remove-everyone.JPG
Cris Hanna
If you click on the advanced button you can tur off inherited permissions
Also Sean Daniel , Microsoft SBS program manager wrote a detailed blog on this
http://sbs.seandaniel.co/2004/10/hosting-multiple-domains-on-sbs-2003.html
http://sbs.seandaniel.co/2004/10/hosting-multiple-domains-on-sbs-2003.html
ASKER
The problem is that when I turn off inheritance in Exchange, the Exchange store is dismounted and I am still unable to change the permissions in AD. Any idea where does AD inherit its permissions from?
ASKER
Also - I am not able to access that link but I really want to read the blog!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Also, I forgot to mention that I can not disable permission inheritance in Active Directory as you can see by the screen shot.
cascade-no-disable-inheritance.JPG
cascade-no-disable-inheritance.JPG
Hard to tell what you have or have not done at this point..I would get the blog its 3 parts I believe and go throough step by step from the beginning ...you should be good at the end of that
ASKER
I only need to know where active directory inherits permissions from and how to disable this inheritance. I know how to setup sending from multiple domains. I set it up previously and it worked and I set it up this time and it works on 3 of the 5 domains they send from. My only concern is being able to remove and change these permissions. I cannot figure out where AD is inheriting these permissions and why I cannot disable inheritance in AD.
ASKER
Anyone have any more ideas?
Again you should be able to click on the advanced button in your pictures and Uncheck inheritance...
ASKER
I resolved this issue myself.
ASKER
The comment with the link to the blog also helped.
ASKER
Thanks for the link.
The author indicates in his comments on 4/4/ that my link and comments were helpful...so why no points
qualityyip
You originally asked for the question to be re-opened an action with which we cooperated but as far as I can see you have not returned to the site to implement any action since that date.
Normally we would leave the question to yu to action but it would appear that would be inappropriate as we have no indication that when you return your recollection of the question will be enhanced and therefore I am closing the question on your behalf.
If you return in the 3 day window before closure then you may indicate your own requirement for closure and otherwise the question will be closed per my post.
WallyMod
Community Support Moderator
You originally asked for the question to be re-opened an action with which we cooperated but as far as I can see you have not returned to the site to implement any action since that date.
Normally we would leave the question to yu to action but it would appear that would be inappropriate as we have no indication that when you return your recollection of the question will be enhanced and therefore I am closing the question on your behalf.
If you return in the 3 day window before closure then you may indicate your own requirement for closure and otherwise the question will be closed per my post.
WallyMod
Community Support Moderator