Full Permission Access to Mailbox in Exchange 2013


In my Exchange Server 2013, I can see multiple security groups under the Full permission / delegation option.
I have 1000+ employee users to whom I would like to have Full access, being on the service desk side.

The groups that already appear are Exchange Full admin, Exchange admins, Exchange Services, etc.
Recently, my admin account has been added to all these groups. However, I cannot access any one account from webmail and I get the following error:

something went wrong

You don't have permission to open this mailbox.
X-ClientId: TSLB - OQEM - PXSA - H0LMA
X-OWA-Error: SDServerErr;Microsoft.Exchange.Clients.Owa2.Server.Core.OwaExplicitLogonException
X-OWA-Version: 15.0.1044.25
X-FEServer: CAS1
X-BEServer: mail1.ad.int
Date: 6/14/2015 2:36:36 PM

However, if I manually add my admin account under any one mailbox as Full permission, then I can view his mailbox.

I have the following questions:

Adding my admin account to 1000+ mailboxes manually will not be the right way to manage those mailboxes. Since I am already part of those security groups, why am I unable to access the mailbox? When we had Exchange 2010, it used to work.

From where is Exchange ECP picking up those security groups and some other user accounts like backup, etc.? I mean, where can we define the list of groups and users that should be part of all mailboxes and appear under Full permission by default?

Last, how can I fix the issue?


Jian An Lim (Solutions Architect) commented:
Try to access it via MAPI (Outlook).

There is some history about this.

I have seen this issue during Exchange 2007. https://support.microsoft.com/en-us/kb/940846

Also, you are in a lot of default Exchange groups.
Some of them have a deny group (because they don't really need access at the mailbox level); you might have overwritten them before.

So, if you have migrated from Exchange 2010 to 2013, there is a big chance it has reverted to default and denies you from accessing it.

I would prefer ApplicationImpersonation rights over full mailbox rights, but that's just me.

This problem occurs because only the mailbox security descriptor is verified when the underlying components are shared by Outlook Web Access and by Exchange Web Services. 

If permissions were granted to server-level objects, the permissions are not merged with the mailbox security descriptor. This condition occurs when the access verification is denied in Outlook Web Access and in Exchange Web Services.

Mac80 (Author) commented:

Please note that other service desk analysts can access it the same way.
Is there a way I can change the permission level of these groups from Deny to access mailboxes? I remember there was a way through ADSIEdit but I cannot recall.

I get the same error through MAPI Outlook, and even if it works, we don't want to access it that way.
Please help me sort this out.

Jian An Lim (Solutions Architect) commented:
Are you specifically in a domain admin group, etc.?
They are usually a default group that can cause trouble.

Also, after adding yourself to a new group, you need to log off and log on to get the group added to your name (for it to take effect).
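
One way to check the two points raised in the replies above (deny entries on default groups, and group membership only taking effect after a new logon), as an added example that is not part of the original thread. It assumes it is run in the Exchange Management Shell while logged on as the affected admin account; `$Mailbox` is a placeholder, not a value from the thread.

```powershell
# Added example: run in the Exchange Management Shell as the account that gets the OWA error.
# $Mailbox is a placeholder (assumption), not a value from the thread.
$Mailbox = 'user1@example.com'

# Account name plus the groups in the CURRENT logon token. A group that was
# added after logon is missing here until the account logs off and on again.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principals = @($me.Name) + @($me.Groups | ForEach-Object {
    # SIDs that cannot be resolved to a name (e.g. the logon SID) are skipped
    try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { }
})

# ACEs in the mailbox security descriptor that name this account or one of
# its groups. Deny and IsInherited are kept so that an inherited deny on a
# default group can be told apart from an explicit allow on the mailbox.
$mbxAces = Get-MailboxPermission -Identity $Mailbox |
    Where-Object { $principals -contains $_.User.ToString() } |
    Select-Object @{n='Scope';e={'Mailbox'}}, User, Deny, IsInherited,
                  @{n='Rights';e={$_.AccessRights -join ','}}

# Receive-As ACEs on the mailbox database object in AD, for the same principals.
$db = Get-MailboxDatabase -Identity (Get-Mailbox -Identity $Mailbox).Database
$dbAces = Get-ADPermission -Identity $db.DistinguishedName |
    Where-Object { $_.ExtendedRights -like 'Receive-As' -and
                   $principals -contains $_.User.ToString() } |
    Select-Object @{n='Scope';e={'Database'}}, User, Deny, IsInherited,
                  @{n='Rights';e={$_.ExtendedRights -join ','}}

# Deny entries first: these are the ones to review before changing anything.
@($mbxAces) + @($dbAces) |
    Sort-Object Deny -Descending |
    Format-Table Scope, User, Deny, IsInherited, Rights -AutoSize
```

Rows with Deny set to True identify which group membership is blocking access; an empty result means neither the account nor any group in its current token is named on the mailbox or its database.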