Solved

Grant "admin" full mailbox access in Exchange 2003 Ent

Posted on 2012-03-23
Last Modified: 2012-05-15
I have a need to be able to open any mailbox in the Exchange server.

Of course by default the usual "admin" (administrator/domain admin) are explicitly denied this right...

That said, I've changed the rights so they're no longer "denied", and in fact now have full access in as much as security goes, but still, I cannot access other mailboxes.

Is there something else that needs to get changed, or reset to allow full access to the admin user(s)?

This was working in a previous install, so I know it can be done, but I can't seem to get past the access block in this new install.

I've changed the rights, I've also used ADSIEDIT to remove the DENY options, and still not cooperating...

I realize there's a reason for the default exclusion, but there has to be a reasonably simple answer for this...
0
Question by:btetlow-expert
17 Comments
 
LVL 40

Expert Comment

by:als315
ID: 37757975
0
 
LVL 5

Author Comment

by:btetlow-expert
ID: 37757990
Already did these changes --- results are the same.   Still denied access for some reason
0
 
LVL 5

Author Comment

by:btetlow-expert
ID: 37758002
If I am logged in as administrator, which is part of domain admin group also, or really any user that belongs to that group --- no access.

Using Outlook alone, OPEN OTHER USERS FOLDER, I get Cannot display the folder.  The inbox folder cannot be found.

If I attach the mailbox in question, I get Cannot display the folder.  Microsoft Office Outlook cannot access the specified folder location.  The operation failed. An object cannot be found.

Also has pop-up of "Cannot expand the folder"

This is the expected response when I am denied access to the users mailbox --- BUT --- all my rights are setup that should allow me in...
0
 
LVL 9

Expert Comment

by:meko72
ID: 37758010
Here is a Microsoft KB that will help you

http://support.microsoft.com/kb/821897
0
 
LVL 40

Expert Comment

by:als315
ID: 37758015
Maybe you have a deny rule somewhere?
0
 
LVL 5

Expert Comment

by:TAWpower
ID: 37758038
We have an account with this need, too. Here are the group memberships for our account.

Administrators (Exchange Local)
Domain Users (Must not be a Domain Admin)
Exchange View-Only Administrators
View-Only Organizational Management

The "View-Only" groups can be set in System Manager (Exchange)

Let me know if that helps or if you need anything further.

TAW
0
 
LVL 9

Expert Comment

by:meko72
ID: 37758052
In the Active Directory Users and Computer, when you select a user go into the "Exchange advanced" Tab then Click on Mailbox rights.
Is the Domain Administrator and Administrator listed in there for the following:
"Full mailbox access: Allow"
0
 
LVL 5

Author Comment

by:btetlow-expert
ID: 37758360
@meko72 - KB already reviewed...- mailbox full access already set to allow

@als315 - no deny on any of the designated users or groups...

@TAW -- On your groups, are you speaking of these at the AD level, or within Exchange?  Your reference is not clear to me other than the grouping itself.
0
 
LVL 5

Author Comment

by:btetlow-expert
ID: 37758463
@TAW -- are you referring to the delegation controls in the ESM?
0
 
LVL 5

Expert Comment

by:TAWpower
ID: 37758565
Been since 2008 since I was on 2003 but if I recall....

Go  to System Manager then...

Administrative group
First Admin Group>Servers>Servername
First Storage Group
Set the appropriate permissions on each store you need access to.

By the way, in case others search this topic... The reason you don't want to give these rights to domain admins is because they have Deny rights by default on the storage groups. While a subset of admins may need access, you do not want to give blanket access. Therefore, the best practice is to give a single user, specifically created for this task, access to all mail stores/mailboxes.

Also, on the local exchange server, add that same user to the local Administrators group.
0
 
LVL 5

Author Comment

by:btetlow-expert
ID: 37758619
I've actually done these steps here --- except for the last one of adding that user to the local admin group...

I suspect whoever previously had this server setup had to have allowed it to a much broader base than I would have....

I'll see if that additional change gets me to the end...

Thanks for the additional input.
0
 
LVL 5

Expert Comment

by:TAWpower
ID: 37758660
Looked this up in old notes - not sure where I got them, but the fact I kept them means they worked.

When setting permissions make sure the following are selected:

Administer Information Store
Send As
Receive As

Click the Advanced button and ensure that the option Select the Allow inheritable permissions from parent to propagate to this object and all child objects is checked.

Click OK.

Repeat the above steps for each Exchange Server within the routing group that will be hosting mailboxes for BlackBerry device users who have accounts on a BlackBerry Enterprise Server.
0
 
LVL 5

Author Comment

by:btetlow-expert
ID: 37758664
Alas, this last part didn't solve my problem.

There must be something else in the mix that's getting in the way.
0
 
LVL 5

Expert Comment

by:TAWpower
ID: 37758669
I used the last comment, as it indicates, for giving the access permissions to our BES Admin... I used this to create another "All access" account though...
0
 
LVL 5

Author Comment

by:btetlow-expert
ID: 37758680
In my case, I've created a single all access user...  That user happens to also be domain admin...  I wonder if there's a rights conflict because of that?

There's definitely no "deny" left in any of the rights.... unless it's a hidden one.
0
 
LVL 5

Accepted Solution

by:
TAWpower earned 500 total points
ID: 37758689
Yes, there is a conflict... Take that user out of domain admins then login as that user and try again.

Be sure you did the following too...

When setting permissions make sure the following are selected:

Administer Information Store
Send As
Receive As

Click the Advanced button and ensure that the option Select the Allow inheritable permissions from parent to propagate to this object and all child objects is checked.

Click OK.
0
 
LVL 5

Author Closing Comment

by:btetlow-expert
ID: 37971647
Issue seems to be that the user I had been "using" was also part of domain admin.

When I created a specific user, and gave them the exact same rights, this user works.

Understanding that you want a mail server locked down as much as possible, this sure was quite a battle of wits in the logic of setting up for a specific user or even a group to have full rights....Sometimes, there's a reason it's needed....

Thanks for the help!
0
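An added example, not part of the thread and not from any poster: a read-only PowerShell check for the "hidden" Deny entries discussed above. It walks from a directory object up through its parents and lists the explicit Deny ACEs at each level, so a Deny that reaches a mail store through inheritance shows up where it is actually set. The function name `Get-DenyAce`, the `MaxLevels` parameter and the DN in the usage line are assumptions for illustration; the two GUIDs are the Active Directory Send-As and Receive-As extended rights.

```powershell
# Added example: list explicit Deny ACEs on a directory object and its parents.
# Read-only; run from a domain-joined machine with read access to the
# configuration partition. Function and parameter names are illustrative.
function Get-DenyAce {
    param(
        [Parameter(Mandatory = $true)][string]$DistinguishedName,
        [int]$MaxLevels = 10   # safety bound on how far up the tree to walk
    )

    # Extended-right GUIDs that matter for opening another user's mailbox.
    $extendedRights = @{
        'ab721a54-1e2f-11d0-9819-00aa0040529b' = 'Send As'
        'ab721a56-1e2f-11d0-9819-00aa0040529b' = 'Receive As'
    }

    $entry = [ADSI]"LDAP://$DistinguishedName"
    for ($level = 0; $entry -and $level -lt $MaxLevels; $level++) {
        # includeExplicit = $true, includeInherited = $false:
        # only ACEs defined on this object, i.e. the source of any inherited Deny.
        $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
            $true, $false, [System.Security.Principal.NTAccount])

        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne
                [System.Security.AccessControl.AccessControlType]::Deny) { continue }

            $guid  = $rule.ObjectType.ToString()
            $right = if ($extendedRights.ContainsKey($guid)) { $extendedRights[$guid] }
                     elseif ($rule.ObjectType -eq [Guid]::Empty) { '(no object type)' }
                     else { $guid }

            New-Object PSObject -Property @{
                Object      = $entry.psbase.Properties['distinguishedName'].Value
                Identity    = $rule.IdentityReference.Value
                Right       = $right
                Rights      = $rule.ActiveDirectoryRights
                Inheritance = $rule.InheritanceType   # None = does not flow to children
            } | Select-Object Object, Identity, Right, Rights, Inheritance
        }

        # Move one level up; stop quietly at the top of the partition.
        try { $entry = $entry.psbase.Parent } catch { $entry = $null }
    }
}

# Usage (placeholder DN, replace with the mailbox store object's DN):
# Get-DenyAce -DistinguishedName '<DN of the mailbox store>' | Format-Table -AutoSize
```

A row whose Identity is a group the account belongs to (for example Domain Admins) and whose Right is Send As or Receive As explains a denial even when the account itself has an Allow entry, because Deny entries are evaluated through group membership.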
