
Administrator account has no rights on Exchange 2010 -AT ALL-!

Hi everybody,

I got a strange issue with Exchange 2010 on an MWS 2008 R2 machine.

The Administrator account SUDDENLY lost permissions to access any functionality of Exchange: PS, EMC, even Outlook on the same machine!

To solve the problem I initially created another admin account to manage everything, as I already meant to do. So, for now, it doesn't stand.
But having this issue on the main admin account keeps me awake at night!
The malfunction keeps changing behaviour!
I explain: sometimes I open the EMC console and when I click on the first menu I get an error on the right saying: "Access Denied: wrong user name or password"; other times I CAN SEE THE MAILBOXES, the server configuration menu is hidden, but I can do nothing! Not even open mailbox properties (the properties window opens, but with no folder menus and all the lines show a tiny yellow lock on the right).
It also happened, two days ago, that I couldn't access EMC, so I batch restarted all services, without logging off the Main Admin account, I reopened EMC and everything worked fine for a while. Then again: only read-only access, then nothing more! Access Denied!
I tried recreating the Admin mailbox, still nothing, then I opened Outlook on the same machine (w/o caching) and it threw some popup errors like: "Can't open window, Exchange server offline", while the new admin user and the others have no problems at all!
I can open Outlook on the new admin, add the Main Admin account, it asks the user name and password for it, I put them in and it works! But if I try the same, but logged on with the main admin account, it doesn't work!
Everything else works perfectly on the Main Admin account: no problem with files, policies, domain management, SQL... for now.
This problem seems to affect only the Main Admin while operating on EXCHANGE!
While the same Main Admin credentials seem to work perfectly when I'm logged in with another Admin user, even on Exchange! (SO FAR, I'm still testing.)

I checked permissions on the main admin account and they're all right! Admin rights appear every time I query PS or the DC.
I've checked many similar issues on many forums. Everything seems ok BUT IT DOESN'T WORK!

WHY? what am I missing?


THANKS FOR HELP
Asked: federicomarinucci

2 Solutions
 
federicomarinucci (Author) commented:
ADDENDUM:
Sometimes PS starts but it doesn't accept commands of any kind; when I write Get-Mailbox I see only rooms' mailboxes.
Other times I get this error (very long, but the main part is): PSSessionOpenFailed: The user name or password specified are invalid
0
 
federicomarinucci (Author) commented:
Still unsolved.... ANY suggestions?

Bump it up!
Any help, hint, idea, link would be really appreciated

Thanks a lot!
0
 
Adam Brown (Sr Solutions Architect) commented:
Run the attached code to make sure the account is a member of the Organization Management Role for Exchange 2010. If it succeeds without error, that is likely the cause of the problem. If it fails and says the user is a member of the group already, there's something else wrong.
add-rolegroupmember -identity "Organization Management" -member <account>


0
 
federicomarinucci (Author) commented:
Hi,

I tried:
[PS] add-rolegroupmember -identity "Organization Management" -member Administrator

The recipient "Administrator" is already a member of the group "domain.local/Microsoft Exchange Security Groups/Organ
ization Management".
    + CategoryInfo          : NotSpecified: (Administrator:SecurityPrincipalIdParameter) [Add-RoleGroupMember], Member
   AlreadyExistsException
    + FullyQualifiedErrorId : 17EB8ED3,Microsoft.Exchange.Management.RbacTasks.AddRoleGroupMember



As expected, it threw the "already member" error.

Thanks anyway!
0
 
federicomarinucci (Author) commented:
I tried the command reversed (using "get") and I noticed that the user that doesn't work (Administrator) is marked differently compared to the user that "works" (Exchange Administrator).

May this mean something?

[PS] C:\Windows\system32>get-rolegroupmember -identity "Organization Management"

Name                                                        RecipientType
----                                                        -------------
Administrator                                               UserMailbox
Exchange Administrator                                      User


0
 
federicomarinucci (Author) commented:
Ignore the previous post, I forgot that Exchange Administrator doesn't have a mailbox linked. That's why they're marked with different recipient types.
0
 
Mike Thomas (Consultant) commented:
Log onto your Exchange servers with one of the admin accounts you created, open the EMC and go to Tools > Role Based Access Control (RBAC) and check the rights for the security groups. These groups can be found in the 'Microsoft Exchange Security Groups' OU in AD Users and Computers, so check the group membership once you check the rights.

0
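Checking group membership alone (as the Add-RoleGroupMember test above does) only tells you the account is listed; what matters is which role assignments the account actually receives. The following is an added example, not code from the thread, to be run from the Exchange Management Shell with an account that still works; the account and role group names are taken from this thread and the "Server Management" group name is an assumption.

```powershell
# Added example (not from the thread): compare the RBAC rights two accounts actually
# get, run from the Exchange Management Shell under an admin account that still works.
# Account names come from this thread; adjust them for your domain.
$accounts = @('Administrator', 'EXAdmin')

# Role groups both accounts are supposed to belong to. "Server Management" is the
# assumed name of the "server admin" group mentioned in the thread.
$roleGroups = @('Organization Management', 'Server Management')

# Step 1: direct membership, the same thing the Add-RoleGroupMember test checked.
foreach ($rg in $roleGroups) {
    $members = Get-RoleGroupMember -Identity $rg | Select-Object -ExpandProperty Name
    foreach ($acct in $accounts) {
        $isMember = $members -contains $acct
        Write-Host ("{0,-15} member of '{1}': {2}" -f $acct, $rg, $isMember)
    }
}

# Step 2: effective role assignments, i.e. every management role the account receives
# through its role groups. -Delegating $false leaves out the "can delegate" entries.
$effective = @{}
foreach ($acct in $accounts) {
    $effective[$acct] = @(Get-ManagementRoleAssignment -RoleAssignee $acct -Delegating $false |
        ForEach-Object { $_.Role.Name } | Sort-Object -Unique)
}

# Step 3: set difference in both directions. Identical membership but different
# effective roles points away from RBAC configuration and towards how the account is
# being authenticated or resolved when it connects to Exchange.
$a = $effective['Administrator']
$b = $effective['EXAdmin']
$onlyAdministrator = @($a | Where-Object { $b -notcontains $_ })
$onlyExAdmin       = @($b | Where-Object { $a -notcontains $_ })

Write-Host "Roles only Administrator has: $($onlyAdministrator -join ', ')"
Write-Host "Roles only EXAdmin has:       $($onlyExAdmin -join ', ')"
```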
 
federicomarinucci (Author) commented:
Updates:
I checked the rights on RBAC again, making sure that all the rights are assigned to Organization Management. Both admin users (EXAdmin and Administrator) belong to the same groups, but they still have different rights in practice. I also created new special administration groups, putting both users in them. But only EXAdmin works. I tried to look for denied authorizations but I can't see any.
Admin still gets read-only EMC and PS, while EXAdmin gets full access.

Administrator couldn't access its mailbox using Outlook because I deleted it and recreated it in the first place. I just had to reassign Outlook to the new mailbox by removing the account and re-adding it.

Now I can describe the problem much more easily by saying that Administrator has the same rights as a normal user, not as an admin, while EXAdmin, which is in the same security groups in AD and RBAC, works perfectly as an administrator account.
0
 
federicomarinucci (Author) commented:
Is it relevant that I changed Administrator's name? I did this a long time ago and it always worked, so I assume not...
0
 
federicomarinucci (Author) commented:
Updates:
- I can't access EMC with the Exchange Admin account anymore. Symptoms are even worse than the main Admin's. I open EMC, click on the 'organization on premises' (orange icon) and I get a "Bad username or password" error, while the main admin, at least, can access the mailbox list in read-only (but if I open the properties of a mailbox I still get all those tiny locks and no tabs).
- Funny thing is this: if I access RBAC with the browser or the 'organization management', OWA or ECP through their web interfaces, I can manage everything with both admin accounts, like everything is working fine.
- I fixed the mailbox access for both admins so now I can receive and send emails.
- Now I use a third admin account to access EMC on the server (on premises).

It works for now, but how long will it keep going?
I didn't change anything on the ExAdmin account!
I don't understand how this could happen.

Also, I don't know if this is connected to the main problem, but the third admin account and some other normal users (like 3-4 out of >120) get a login prompt once in a while if Outlook is running on their PCs. The software asks for ID and password like a refused connection (even though it was working perfectly till then). If they try to log in they get a "wrong password" error; if they click "cancel" everything goes back to normal. (Outlook works perfectly like nothing happened.)
For this issue I tested the client/server connection and availability of the services: all working fine, so why do users get this login request?

I'm starting to think some hackers are somehow changing something. I don't know what to think anymore. Getting desperate.
I changed both accounts' passwords and even user names.
Every account is set for both groups "server admin" and "organization admin". (But I already tried setting only one group, adding a new admin group and other crossed tests.)

I'm getting really worried. Microsoft asks 300€ for phone help on the software.

Can anybody help me, please!
0
 
federicomarinucci (Author) commented:
I may have fixed the EMC part:

I simply added another forest using only the 'servername' (instead of 'servername.domain.local').

Everything worked, for both users. I simply can't understand why!
The third admin still works with its original forest 'link' in EMC; the other two (the main admin and the second Exchange admin) have been re-enabled as I said, by re-adding the forest.

I can't remove the original forest in the EMCs, but at least it went back to order.
If I click on the original forest (where I don't have the 'remove forest' button), I get this error on both accounts (earlier it was only one):

(screenshot: EMC error)
Since I added the new forest on the main Admin, it can't access the first forest in read-only as before, but it works perfectly with the new forest.

WTF is happening?
0
 
federicomarinucci (Author) commented:
Finally:

All those issues were generated by a virus: Conficker.B, which was attempting to spread on the network by forcing the Administrator accounts' passwords. While the server was protected and all admins had strong passwords, all the attempts locked some functions and, by brute-forcing another non-admin account through other computers on the domain, the virus managed to spread and redefine some folder rights, causing everything to lock up, even on the server, without actually infecting it.

Strange thing is that the admin accounts didn't lock up on the domain, but temporarily lost their rights on Exchange.

Hope this will help someone else.
0
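The root cause here was a worm brute-forcing domain accounts from infected clients, which shows up on the PDC emulator as Security event 4740 (account locked out) long before anyone notices odd Exchange behaviour. The following is an added example, not from the thread, that pulls the last day of lockouts from the PDC emulator and groups them by the computer the bad attempts came from; it assumes the ActiveDirectory module (RSAT) is installed and that the account running it can read the DC's Security log.

```powershell
# Added example (not from the thread): find which computer is locking accounts out.
# Every lockout in a domain is recorded on the PDC emulator as Security event 4740,
# so querying that single DC is enough to spot a machine spraying passwords, as the
# Conficker-infected XP clients in this thread did.
# Assumes the ActiveDirectory module (RSAT) and read access to the DC's Security log.
Import-Module ActiveDirectory

$pdc   = (Get-ADDomain).PDCEmulator
$since = (Get-Date).AddDays(-1)

# Get-WinEvent throws when nothing matches, so swallow that and treat it as "no lockouts".
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
} -ErrorAction SilentlyContinue

$lockouts = foreach ($ev in $events) {
    $data = ([xml]$ev.ToXml()).Event.EventData.Data
    # In a 4740 event, TargetUserName is the locked-out account and TargetDomainName
    # carries the "Caller Computer Name", i.e. where the failed attempts originated.
    New-Object PSObject -Property @{
        Time    = $ev.TimeCreated
        Account = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
        Source  = ($data | Where-Object { $_.Name -eq 'TargetDomainName' }).'#text'
    }
}

if (-not $lockouts) {
    Write-Host "No lockouts recorded on $pdc since $since"
    return
}

# One source computer locking out many different accounts is the signature of a worm
# or a password-spray tool, not of a single user mistyping a password.
$lockouts | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Accounts'; e = { ($_.Group | ForEach-Object { $_.Account } | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

Because the admin accounts in this thread never actually locked out, it is also worth running the same query against failed-logon events on the DCs to catch attempts that stay under the lockout threshold.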
 
federicomarinucci (Author) commented:
Nobody helped here; the issue was caused by an undetected virus on the network that wasn't directly affecting the server. To solve it I removed the virus and updated all XP clients.
0
