Exchange 2013 mailbox delegation error message (NT Authority/self corrupt object)

Posted on 2016-10-26
Last Modified: 2016-11-09
Having some issues I can't wrap my head around.

See attached picture for error message.

Researching.
Adding users to mailbox delegation will not give them the actual access. Need to use add-mailboxfolderpermission and add-adpermission. It's not a given that this actually works. For now it works in 50% of the cases.

The 9b026da6-0d3c-465c-8bee-5199d7165cba is:

IdentityReference     : NT AUTHORITY\SELF
ActiveDirectoryRights : Self
InheritedObjectType   : bf967a86-0de6-11d0-a285-00aa003049e2
InheritanceFlags      : ContainerInherit
InheritanceType       : Descendents
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
ObjectType            : 9b026da6-0d3c-465c-8bee-5199d7165cba
PropagationFlags      : InheritOnly
AccessControlType     : Allow

It seems like this is the object that actually fails.

I also noted on the user in AD, there are some propagated objects that are deleted. This is not the SELF object but likely some level of user access.


So to my questions:

How can I repair/verify the NT Authority\SELF object?
What is needed for an AD account to be given correct access to the mailbox (in Security objects)?
Anyone have any tips and/or tricks?
Mailbox-delegation1.png
Question by:Mr Woober
4 Comments
 
LVL 20

Accepted Solution

by:
Peter Hutchison earned 2000 total points
ID: 41860116
NT Authority\Self is not an account as such but allows the owner of the mailbox to have full access to the mailbox. An alternative is just to add the domain\username account to the permissions, which does the same thing, but this has to be done manually.
You can view and verify permissions to mailboxes using Get-MailboxPermission -Id mailboxname to list all permissions or Get-MailboxPermission -Id mailboxname -User "nt authority\self" to confirm Self rights.
Also you can check user permissions on the mailbox database:
Get-MailboxDatabase DBName | Get-ADPermission -User "everyone" | fl Inher*,Extend*
0
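The verification the answer above describes, as an added example that is not part of the original thread: a PowerShell filter over Get-MailboxPermission output that confirms the NT AUTHORITY\SELF entry and flags unresolved SIDs, Deny entries and explicit delegates. The function name Test-MailboxAcl, the CONTOSO accounts and the sample entries are constructed for illustration; the property names (User, AccessRights, IsInherited, Deny) are the ones Get-MailboxPermission returns.

```powershell
# Added example, not from the thread. Function name and sample data are hypothetical.
function Test-MailboxAcl {
    [CmdletBinding()]
    param(
        # Entries shaped like Get-MailboxPermission output: User, AccessRights, IsInherited, Deny
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Entry
    )
    begin { $selfFull = $false; $selfDenied = $false; $findings = @() }
    process {
        # Stringify so the check works on live objects and on deserialized remote-session output.
        $user   = "$($Entry.User)"
        $rights = @($Entry.AccessRights | ForEach-Object { "$_" })
        $full   = $rights -contains 'FullAccess'
        if ($user -eq 'NT AUTHORITY\SELF' -and $full) {
            if ($Entry.Deny) { $selfDenied = $true } else { $selfFull = $true }
        }
        elseif ($user -match '^S-1-5-21-') {
            # Unresolved SID: the account behind this entry no longer resolves (e.g. deleted).
            $findings += "Orphaned SID entry: $user ($($rights -join ', '))"
        }
        elseif ($full -and $Entry.Deny) {
            # A Deny entry blocks access; report it so it can be reviewed.
            $findings += "Deny FullAccess for $user"
        }
        elseif ($full -and -not $Entry.IsInherited) {
            $findings += "Explicit FullAccess delegate: $user"
        }
    }
    end {
        [pscustomobject]@{
            SelfHasFullAccess = ($selfFull -and -not $selfDenied)
            Findings          = $findings
        }
    }
}

# Constructed sample entries (not real output) so the function runs without Exchange.
$sample = @(
    [pscustomobject]@{ User = 'NT AUTHORITY\SELF'; AccessRights = @('FullAccess','ReadPermission'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ User = 'CONTOSO\delegate1'; AccessRights = @('FullAccess'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ User = 'CONTOSO\Exchange Admins'; AccessRights = @('FullAccess'); IsInherited = $true; Deny = $false }
    [pscustomobject]@{ User = 'S-1-5-21-1111111111-2222222222-3333333333-1105'; AccessRights = @('FullAccess'); IsInherited = $false; Deny = $false }
)
$sample | Test-MailboxAcl | Format-List

# Against a live mailbox, from the Exchange Management Shell:
#   Get-MailboxPermission -Identity mailboxname | Test-MailboxAcl
```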
 
LVL 1

Author Comment

by:Mr Woober
ID: 41860165
Thanks for the swift reply.

Not quite sure what to get out of the Get-MailboxDatabase DBName | Get-ADPermission -User "everyone" | fl Inher*,Extend* (see picture attached)

Attached picture 3 with the mailbox permissions. What I noticed is that our admin user (marked/filled with red) is noted in 2 places with what seems to be the same access level.
Mailbox-delegation2.png
Mailbox-delegation3.png
0
 
LVL 20

Expert Comment

by:Peter Hutchison
ID: 41860168
The permissions for Database look to be the same as ours.
0
 
LVL 1

Author Closing Comment

by:Mr Woober
ID: 41881711
The solution was to do a Windows Update then restart. Solved the issue with the delegation access.
1

Question has a verified solution.
