Exchange 2007 User cannot access mailbox across VPN unless elevated to domain admin

Posted on 2011-10-20
Last Modified: 2012-06-27
I recently disjoined and rebuilt my last Windows Server 2003 domain controller, upgrading the OS to 2008 R2. My domain functional level remains 2003. I have approximately 10/1000 users in my domain who cannot open their mailbox via Outlook 2003 from a standalone PC while connected via VPN unless they are added to the Domain Admins group. I have granted them full rights to their mailbox via Exchange Management Shell by using:

Add-ADPermission -User "user" -AccessRights GenericAll
Add-MailboxPermission -User "user" -AccessRights FullAccess -InheritanceType All

I have rebuilt the Outlook profile multiple times and deleted:

Extend.dat – Located in C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Outlook\.

Frmcache.dat – Located in C:\Documents and Settings\<username>\Application Data\Microsoft\Forms\.

Views.dat – Located in C:\Documents and Settings\<username>\Application Data\Microsoft\Outlook\.

Outcmd.dat – Located in C:\Documents and Settings\<username>\Application Data\Microsoft\Outlook\.

I can open their mailbox when connected via a LAN system joined to the domain and also when granting myself full rights to their mailbox and logging in on the other side of the VPN (I am operating as a domain admin).

Nothing seems to work unless I add them to the Domain Admins group. Please help!
Question by: witfog
    LVL 47

    Expert Comment

    Of these 10 users:
    What OS do they have installed?
    XP / Vista / Win 7?

    I'm guessing they are all laptop users?

    If Vista and Win 7, have you checked that UAC is not interfering?
    Or that Windows Firewall isn't turned on for some reason.
    Could even be their antivirus that's not allowing the connection.

    Have you tried to have one of these users use a PC\laptop you know works via VPN?

    Do all these users have the same ISP?
    If they do, you might want to check with the ISP. There are some that don't provide full support for VPN.

    LVL 31

    Expert Comment

    by:Rodney Barnhardt
    How are they VPNing in? Do these by chance have wireless data cards, particularly from Verizon, with the software installed? We are seeing a problem on systems once this software is installed. It is like name resolution does not work, or the software is redirecting the request to external DNS servers. Just a thought.

    Author Comment

    The VPN is a hardware IPSEC VPN. I have a point to point VPN established.

    Name resolution is working perfectly, I am also able to telnet to port 25 on the mail servers.

    OS: Windows XP on all clients. Windows Firewall is not turned on.

    Antivirus isn't blocking the connection; I can log in to other mailboxes across the VPN, just not a select few.

    There are approximately 500 offices all on different IPs and different ISPs, only a few mailboxes are having this issue, not the entire office.

    This really seems like an account permission issue or a schema issue after the last domain controller upgrade.
    LVL 26

    Expert Comment

    Did you get the Exchange server rebooted a few times, to get the correct AD server (the only server)?

    What is Outlook configured with: "Cached Exchange Mode" or Online mode?
    Can you confirm if OWA is working fine for those mailboxes using the VPN clients?

    Author Comment

    Sorry for not being specific before. We have three DCs at a single site, lots of VPN sites coming in.

    I tried configuring both Cached Exchange Mode and Online mode; neither allows access.

    I believe OWA works fine but I will double check.

    Accepted Solution

    We found the solution. We had to:

    1. Disable the mailbox
    2. Delete the user object in AD
    3. Re-create the user object
    4. Reconnect disconnected mailbox and user object.
    5. Re-create the Outlook profile, enabling Exchange proxy settings, and connect to Exchange over HTTP.

    Author Closing Comment

    Solution found.
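
Steps 1 to 4 of the accepted solution, sketched as an added PowerShell example; it is not code from the thread's participants. It assumes one PowerShell 2.0 session with both the Exchange 2007 snap-in and the Windows Server 2008 R2 ActiveDirectory module available; the alias `jdoe` and the OU path are placeholders. Step 5 is done in the Outlook client and is not scripted here.

```powershell
# Added example, not from the thread. Placeholder values:
$Alias = 'jdoe'
$OU    = 'OU=Staff,DC=example,DC=com'

Import-Module ActiveDirectory

# Record what is needed to find the mailbox again and rebuild the account.
$mbx      = Get-Mailbox -Identity $Alias
$Database = $mbx.Database
$guid     = (Get-MailboxStatistics -Identity $Alias).MailboxGuid.ToString()
$old      = Get-ADUser -Identity $Alias -Properties MemberOf, DisplayName
# The re-created user gets a new SID, so group memberships are not carried
# over and have to be re-added explicitly.
$groups   = $old.MemberOf

# 1. Disable the mailbox; it stays in the database as a disconnected mailbox.
Disable-Mailbox -Identity $Alias -Confirm:$false

# 2. Delete the user object in AD.
Remove-ADUser -Identity $old.DistinguishedName -Confirm:$false

# 3. Re-create the user object and restore its group memberships.
$new = New-ADUser -Name $old.Name -SamAccountName $Alias `
    -DisplayName $old.DisplayName -UserPrincipalName $old.UserPrincipalName `
    -Path $OU -AccountPassword (Read-Host 'New password' -AsSecureString) `
    -Enabled $true -PassThru
foreach ($g in $groups) { Add-ADGroupMember -Identity $g -Members $new }

# 4. Have the store rescan for disconnected mailboxes, then reconnect the
#    one recorded above, matched by GUID rather than by display name.
Clean-MailboxDatabase -Identity $Database
$disc = Get-MailboxStatistics -Database $Database |
    Where-Object { $_.MailboxGuid.ToString() -eq $guid -and $_.DisconnectDate -ne $null }
if (-not $disc) { throw "Disconnected mailbox $guid not found in $Database" }
Connect-Mailbox -Identity $guid -Database $Database -User $new.SamAccountName -Alias $Alias
```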
