Solved

Exchange 2013 mailbox delegation error message (NT Authority/self corrupt object)

Posted on 2016-10-26
4
249 Views
Last Modified: 2016-11-09
Having some issues i cant wrap my head around.

See attached picture for error message.

Researching.
Adding users to mailbox delegation will not give them the actual access. Need to use add-mailboxfolderpermission and add-adpermission. It's not given this actually works. For now it works in 50% of the cases.

The 9b026da6-0d3c-465c-8bee-5199d7165cba is :

IdentityReference     : NT AUTHORITY\SELF
ActiveDirectoryRights : Self
InheritedObjectType   : bf967a86-0de6-11d0-a285-00aa003049e2
InheritanceFlags      : ContainerInherit
InheritanceType       : Descendents
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
ObjectType            : 9b026da6-0d3c-465c-8bee-5199d7165cba
PropagationFlags      : InheritOnly
AccessControlType     : Allow

It seems like this is the object that actually failes.

I also noted on the user in AD, there is propogated some objects that is deleted. This is not the SELF object but likely some level of user access.


So to my questions :

How can i repair/verify the NT Authority\SELF object ?
What is needed for an AD account to be given correct access to the mailbox (in Security objects) ?
Anyone have any tips and/or tricks ?
Mailbox-delegation1.png
0
Comment
Question by:Mr Woober
  • 2
  • 2
4 Comments
 
LVL 19

Accepted Solution

by:
Peter Hutchison earned 500 total points
ID: 41860116
NT Authority\Self is not an account as such but allows the owner of the mailbox have full access to the mailbox. An alternative is just to add the domain\username account to the permissions which does the same thing, but this is has to be done manually.
You can view and verify permissions to mailboxes using Get-MailboxPermission -Id mailboxname to list all permissions or Get-MailboxPermission -Id mailboxname -User "nt authority\self" to confirm Self rights.
Also you can check user permissions on the mailbox database:
Get-MailboxDatabase DBName | Get-ADPermission -User "everyone" | fl Inher*,Extend*
0
 
LVL 1

Author Comment

by:Mr Woober
ID: 41860165
Thanks for the swift reply.

Not quite sure what to get out of the Get-MailboxDatabase DBName | Get-ADPermission -User "everyone" | fl Inher*,Extend* (sett picture attached)

Attached picture 3 with the mailboxpermissions. What i noticed that our admin user (marked/filled with red) is noted 2 places with what seems the same access level.
Mailbox-delegation2.png
Mailbox-delegation3.png
0
 
LVL 19

Expert Comment

by:Peter Hutchison
ID: 41860168
The permissions for Database look to be the same as ours.
0
 
LVL 1

Author Closing Comment

by:Mr Woober
ID: 41881711
The solution was to do an Windows Update then restart. Solved the issue with the delegation access
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

February 24, 2017 — On February 23, Travis Ormandy, a vulnerability researcher at Google, reported on Twitter (https://twitter.com/taviso/status/834900838837411840) that massive stores of data have been leaked by CloudFlare, a company that provide…
This article explains the steps required to use the default Photos screensaver to display branding/corporate images
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question