Expiring Today—Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17



Posted on 2011-03-13
Medium Priority
Last Modified: 2012-05-11
I am using exmerge and it hangs on one mailbox.
I went and checked in AD and the security for mailbox rights for the user in question has both allow and deny checked for full mailbox access.  They are being inherited from somewhere but i don't where.
Maybe it's because the domain\administrator account i am trying to use for exmerge has inherited deny for send and receive as on the mailbox store?  Not sure where that inheritance is coming from either.
Question by:cmkeur
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1

Author Comment

ID: 35124614
ah! maybe it's because the domain/administrator account is a "full exchange administrator" which has deny for send as and receive as?

Accepted Solution

Nivlesh earned 1000 total points
ID: 35124869
Yes that is true. You have to explicitly remove the deny settings for your administrator account.
1. Go into Exchange System Manager and locate the Storage Group where the mailbox you want to exmerge lives.

2. Right click on the Storage Group and click Properties. From the tab, select Security.
3. Then click on Advanced in this tab.
4. In the window that shows next, untick "Allow inheritable permissions from the parent to propagate to this object ..."  You will be then asked if you want to Copy, Remove or Cancel. Select Copy
5. Then once you have applied this, go back to the Security settings and untick the deny's. Save this and that should be all good now.

Try exmerging now.
LVL 31

Assisted Solution

MegaNuk3 earned 1000 total points
ID: 35125844
Or allow the account that is doing the exmerge "Full Access" on the mailbox. Explicit Allow overrides Inherited Deny.
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

LVL 32

Expert Comment

ID: 35127797
Do not remove preconfigured security settings as stated in 35124869

@MegaNuk3 has the proper solution which is to grant explicit allow which will override the inherited deny
yes, this goes against what you know with NTFS permissions, but it is accurate

Expert Comment

ID: 35133538
Hi endital1097.

My comment is not "removing" security settings. It is one of the ways to resolve this issue. I have tested/performed this many times and it works a treat.

cmkeur, a full how-to on using exmerge, including setting up a user account etc to use to exmerge is contained in this article from microsoft.  Hope this helps.


Expert Comment

ID: 35133576
Also, note that my initial comment was no different than what MegaNuk3 had given. His is giving permissions to the account you are using to exmerge on a per mailbox level. In my initial comment, I assumed you were using the domain/administrator and was getting you to do what MegaNuk3 stated but on a much global level (on the storage group).

So endital1097, I disagree with your comment above and also MegaNuk3's solution wont work if cmkeur is using domain/administrator since in that case, you will have to break inheritance and then explicitly give permission , same as what I had suggested.
LVL 31

Expert Comment

ID: 35133602
You don't have to break inheritance to give an Explicit Allow
LVL 32

Expert Comment

ID: 35134497
You should never remove permission inheritance
Adding the user account or another group with explicit allow will work

I am just trying to protect from possible future issues related to permissions as that should be one of our goals in this forum

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Unified and professional email signatures help maintain a consistent company brand image to the outside world. This article shows how to create an email signature in Exchange Server 2010 using a transport rule and how to overcome native limitations …
On September 18, Experts Exchange launched the first installment of the Help Bell, a new feature for Premium Members, Team Accounts, and Qualified Experts. The Help Bell will serve as an additional tool to help teams increase question visibility.
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question