Solved

Exchange 2013 mailbox delegation error message (NT Authority/self corrupt object)

Posted on 2016-10-26
4
113 Views
Last Modified: 2016-11-09
Having some issues i cant wrap my head around.

See attached picture for error message.

Researching.
Adding users to mailbox delegation will not give them the actual access. Need to use add-mailboxfolderpermission and add-adpermission. It's not given this actually works. For now it works in 50% of the cases.

The 9b026da6-0d3c-465c-8bee-5199d7165cba is :

IdentityReference     : NT AUTHORITY\SELF
ActiveDirectoryRights : Self
InheritedObjectType   : bf967a86-0de6-11d0-a285-00aa003049e2
InheritanceFlags      : ContainerInherit
InheritanceType       : Descendents
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
ObjectType            : 9b026da6-0d3c-465c-8bee-5199d7165cba
PropagationFlags      : InheritOnly
AccessControlType     : Allow

It seems like this is the object that actually failes.

I also noted on the user in AD, there is propogated some objects that is deleted. This is not the SELF object but likely some level of user access.


So to my questions :

How can i repair/verify the NT Authority\SELF object ?
What is needed for an AD account to be given correct access to the mailbox (in Security objects) ?
Anyone have any tips and/or tricks ?
Mailbox-delegation1.png
0
Comment
Question by:Mr Woober
  • 2
  • 2
4 Comments
 
LVL 19

Accepted Solution

by:
Peter Hutchison earned 500 total points
ID: 41860116
NT Authority\Self is not an account as such but allows the owner of the mailbox have full access to the mailbox. An alternative is just to add the domain\username account to the permissions which does the same thing, but this is has to be done manually.
You can view and verify permissions to mailboxes using Get-MailboxPermission -Id mailboxname to list all permissions or Get-MailboxPermission -Id mailboxname -User "nt authority\self" to confirm Self rights.
Also you can check user permissions on the mailbox database:
Get-MailboxDatabase DBName | Get-ADPermission -User "everyone" | fl Inher*,Extend*
0
 
LVL 1

Author Comment

by:Mr Woober
ID: 41860165
Thanks for the swift reply.

Not quite sure what to get out of the Get-MailboxDatabase DBName | Get-ADPermission -User "everyone" | fl Inher*,Extend* (sett picture attached)

Attached picture 3 with the mailboxpermissions. What i noticed that our admin user (marked/filled with red) is noted 2 places with what seems the same access level.
Mailbox-delegation2.png
Mailbox-delegation3.png
0
 
LVL 19

Expert Comment

by:Peter Hutchison
ID: 41860168
The permissions for Database look to be the same as ours.
0
 
LVL 1

Author Closing Comment

by:Mr Woober
ID: 41881711
The solution was to do an Windows Update then restart. Solved the issue with the delegation access
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
An overview of HIPAA and guidance on this topic that Experts Exchange members can offer.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now