Solved

Exchange Ignoring Configs?

Posted on 2014-11-13
Last Modified: 2015-02-09
Exchange Version: 2010 (14.03.0158.001)
Server version: Windows Server 2012

Exchange seems to be ignoring the settings and setup in the server. Here's an example:

Despite having "Send As" permissions, the user Ava cannot send as the user George:

[Screenshot: Sendas]

Here's where it tells me "no". This is consistent from the web interface (remotely) as well as from Outlook (locally), even after doing gpupdate /force on the client machine.

[Screenshot: Computer says "no"]

How to fix this?

Sidenote: there appear to be other items where this permission problem is showing up. One user is having a hard time sharing their calendar, and network-wide, Exchange seems to be ignoring the max allowed attachment size. It's like the settings are not getting updated somewhere...
0
Comment
Question by:DrDamnit
21 Comments
 
LVL 41

Expert Comment

by:Amit
Comment Utility
Download OAB on client side and test again.
0
 
LVL 8

Expert Comment

by:tshearon
Comment Utility
What version of Exchange are you running? Did you just recently update a service pack or a rollup update?
0
 
LVL 9

Expert Comment

by:MHMAdmins
Comment Utility
Do you use cached exchange mode? Try turning that option off and see if it works then.
0
 
LVL 8

Expert Comment

by:tshearon
Comment Utility
Sorry I see your version. Did you just perform any updates?
0
 
LVL 32

Author Comment

by:DrDamnit
Comment Utility
@MHMAdmins:
Cached mode does not apply to OWA, and no, we're not using it on the client in question.

@tshearon
Nothing more than normal Windows Update updates... but this has been going on for the better part of a week. The symptoms are non-emergent, but it needs to be fixed.
0
 
LVL 32

Author Comment

by:DrDamnit
Comment Utility
@amit:

How do I download OAB on client side and retry?
0
 
LVL 9

Expert Comment

by:MHMAdmins
Comment Utility
Any major flags being thrown in the event viewer for microsoft exchange?
0
 
LVL 32

Author Comment

by:DrDamnit
Comment Utility
@amit:

I see the cmdlets to re-download the OAB here. What's throwing me off is that OWA is having the same problem, which should be independent of the OAB download on the Outlook client. Right?
0
 
LVL 32

Author Comment

by:DrDamnit
Comment Utility
@MHMAdmins: nothing glaring... let me clear out the logs, and retry so that it is cleaner...
0
 
LVL 41

Expert Comment

by:Amit
Comment Utility
You download OAB on client end system via Outlook.
0
 
LVL 9

Expert Comment

by:MHMAdmins
Comment Utility
Also, did you set the permissions with the EMC or through PowerShell? I've noticed sometimes you have to run certain things in PowerShell for them to take effect correctly.
0
 
LVL 32

Author Comment

by:DrDamnit
Comment Utility
Set permissions from EMC. I'll try again via PowerShell...
0
 
LVL 8

Expert Comment

by:tshearon
Comment Utility
Remove the permissions first. Removing and re-adding will likely restore the access but we also want to resolve the issue entirely. There is likely a cause.
0
 
LVL 32

Author Comment

by:DrDamnit
Comment Utility
I am starting to think this is related to this other item I've been chasing for a while...

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_28524795.html

Thoughts?
0
 
LVL 58

Expert Comment

by:tigermatt
Comment Utility
The Offline Address Book has nothing to do with this, nor does Group Policy, nor does Cached Exchange Mode (since this is OWA, not Outlook-related). If the permissions are set via the management console, removing and re-adding unfortunately is unlikely to be a fix, either -- unless there's a very complex multi-site AD setup going on here, the console won't be lying.

I highly suspect you are being caught out by Exchange's internal cache of Active Directory data. Send-As permissions are actually stored on the relevant principal's object in Active Directory; Exchange caches these data for a period of up to 2 hours to avoid load on domain controllers. Probably not a concern for you, but definitely an issue in high volume environments.

Two solutions:

1. Wait for the cache to be purged, then try again.
2. Restart the information store and associated Exchange services on the machine, which will force the cache to be flushed.

You should also be careful if any of the accounts you are using in this send-as relationship are members of "privileged" groups in Active Directory, including anything in the "Built-in" container (Administrators, Backup Operators, Print Operators, etc.) and any of the higher privilege domain-level groups (Domain Admins, Enterprise Admins, etc.). Members of such groups have more stringent permissions forced upon them.  The ACL model should cause an explicit allow (this Send-As right) to override an inherited deny (inherited from elsewhere in AD). However, if this caveat applies, I would recommend simplifying the setup and layering the complexity on step-by-step until you find the problem. (Restarting the services each time to ensure the cache is cleared.)
0
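
The ACL rule in the answer above (an explicit allow on the Send-As right wins over an inherited deny), as an added PowerShell example that is not part of the thread. The function name, the CONTOSO names and the sample ACEs are assumptions constructed for illustration; the ACE properties mirror what Get-ADPermission returns.

```powershell
# Added example. Decides Send-As from a list of ACEs shaped like
# Get-ADPermission output (User, ExtendedRights, Deny, IsInherited).
function Test-SendAsAccess {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Ace,      # ACEs on the mailbox owner's AD object
        [Parameter(Mandatory=$true)] [string[]] $Trustee   # the sender plus every group the sender is in
    )
    # Keep only Send-As ACEs that name the sender or one of the sender's groups.
    $relevant = @($Ace | Where-Object {
        ($_.ExtendedRights -like '*Send-As*') -and ($Trustee -contains [string]$_.User)
    })
    if ($relevant.Count -eq 0) {
        return New-Object PSObject -Property @{
            Allowed = $false; Reason = 'no Send-As ACE applies to this sender'
        }
    }
    # Canonical DACL order: explicit deny, explicit allow,
    # inherited deny, inherited allow. The first matching ACE decides.
    $first = $relevant |
        Sort-Object @{ Expression = { [int]$_.IsInherited } },
                    @{ Expression = { [int](-not $_.Deny) } } |
        Select-Object -First 1
    $kind = if ($first.IsInherited) { 'inherited' } else { 'explicit' }
    $verb = if ($first.Deny) { 'deny' } else { 'allow' }
    New-Object PSObject -Property @{
        Allowed = (-not $first.Deny)
        Reason  = "$kind $verb for $($first.User)"
    }
}

# Constructed ACEs for George's object: a deny inherited from a parent
# container for a group Ava belongs to, and an explicit allow for Ava.
$sample = @(
    New-Object PSObject -Property @{
        User = 'CONTOSO\Office Staff'; ExtendedRights = @('Send-As')
        Deny = $true; IsInherited = $true }
    New-Object PSObject -Property @{
        User = 'CONTOSO\Ava'; ExtendedRights = @('Send-As')
        Deny = $false; IsInherited = $false }
)
Test-SendAsAccess -Ace $sample -Trustee 'CONTOSO\Ava', 'CONTOSO\Office Staff'

# Against a live Exchange 2010 server, feed it real ACEs instead:
#   Test-SendAsAccess -Ace (Get-ADPermission -Identity 'George') -Trustee 'CONTOSO\Ava'
```

If this reports the right as allowed while OWA still refuses the send, the ACL itself is not the blocker, which leaves the cached Active Directory data described above as the next thing to rule out.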
 
LVL 32

Author Comment

by:DrDamnit
Comment Utility
@tigermatt:

I agree with your assessment that the OAB and other suggestions are not relevant because the symptoms occur in OWA as well.

I had to wait until the system was idle, and finally restarted the Active Directory Topology service (because it restarts nearly everything else), but the problem persists.

Since this server needed the most recent schannel patch, I ran the updates, and rebooted the server, but I still have the same problem.

Doesn't appear to be cache now...

Thoughts?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
Comment Utility
Those permissions look completely wrong.
Security Principle shouldn't be listed there, neither should "Everyone".

Is the user concerned a member of a protected group? Domain Admins, Power Users etc? Members of those groups have a deny permission which overrides any other permission.

However considering the other problems with the permissions, it could be that the permission structure is completely broken.

Simon.
0
 
LVL 32

Author Comment

by:DrDamnit
Comment Utility
@Simon

"Everyone" was added temporarily as a debugging measure. It has since been removed, but good eye for catching that.

The user is NOT a member of a protected group. They are part of an OU that is for people who are physically in the office, and that OU is not a protected group.

They are just a regular user.
0
 
LVL 32

Author Comment

by:DrDamnit
Comment Utility
@Simon:

If the permissions structure was broken, how would we fix it?
0
 
LVL 32

Accepted Solution

by:
DrDamnit earned 0 total points
Comment Utility
Latest roll up fixed this problem. It was an Exchange internal issue I guess.
0
