Microsoft has been shying away from PF's for years.  When it happens, it'll be a happy day.   But I may be retired by then if I eat right and continue to exercise and get plenty of sleep. :)


Between Exchange 5.5 and Exchange 200x there was a major change to the way that permissions for folders were enacted. It's one of the hardest parts of an upgrade because the acl's were changed from the proprietary 5.5 to the AD type of acl's (pTagAcl if I recall correctly).  For those in mixed environments, that creates all kinds of difficulty.  It also impacts the sizing of servers and speed of migration because the store has to convert those acls on all folders (not just pf's). In the early part of the lifecycle, there were a lot of issues around this where the store didn't deal with errors very well. 

At the same time, there was a change to prevent administrative accounts from being able to log on to people's mailboxes.  One of the biggest complaints was that administration and mailbox rights were too loose.  Not that it changed a whole lot for the better, but you do have to work at allowing privileged accounts to be able to access other mailboxes than their own. 

What you're seeing is odd and you may be looking too deep for what you want to accomplish. The deep layer you're looking at might explain why you are seeing the MAPI ACE missing.

The rights should be associated with the AD account and not the mailbox (that was another change that precipitated the change to the AD ACL style from the old 5.5 ACL style).  Because you're having to use MAPI, you have to have the MAPI expected pieces in line in order to effect the changes you want.  This infers (although I can't remember if this is the case) that you have a translation going on. That's messy.

Have your admins use the administrator interface for public folders vs. the MAPI interface.  There's no reason to mailbox-enable the administrative accounts (not for this anyway).

Al
 

On 10/17/06, joe <[EMAIL PROTECTED]> wrote:
Well, just because Outlook doesn't throw an error doesn't mean it is
happening. Outlook has HORRENDOUS error checking. It can completely fail an
operation but it will update its internal cached view of an object and you
will think you did what you expected.

I haven't looked at monkeying with PFs like this. Actually I try to stay
away from PFs, seems MSFT is going that way too. :)


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Saturday, October 14, 2006 7:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT:Exchange/outlook auth question

I add myself as owner of the PF (which Outlook lets me do) and then
when I try to create a subfolder, I get a permissions error.
When I check back on the perms, my MAPI ACE is missing.
This is logged in as an Exchange Full Admin user while opening the
non-admin user's mailbox in Outlook.
When I add the non-admin user to an Exchange Full Admin group and then
log in as the previous Exchange admin and open the former non-admin
box and try to modify a PF, it works fine.

Does that make any sense?

I'm asking mostly because I'd like to know how Exchange checks for
perms in this situation (I can't seem to get anything out of the
"Working with Store Permissions" whitepaper on this particular
scenario).
Also, if this is true, then that would suck as I would have to
mailbox-enable my Exchange Admin accounts as if they were regular
accounts to create any non-post MAPI PFs like calendar or contact
items.
And I'm sure once I do that, my Exchange Admins will start logging in
with these privileged accounts to start checking their mail and do
normal tasks.

Thanks



On 10/13/06, joe <[EMAIL PROTECTED]> wrote:
> Is it doing it and then getting changed as you mention or is it not doing
> it?
>
> When you put the user in the full admin group are you then logging on as the
> user or are you logging on as the other user accessing the first user's
> mailbox?
>
> This could be something specific to public folders. The Exchange
> permissioning model is a big messed up hodgepodge and a combination of what
> I call real permissions (those in AD) and MAPI properties in mailboxes and
> other constructs in the store. I guess it is possible something goofy goes
> on between the mailbox and the PF, but you can be sure the mailbox is being
> accessed as the user logged in. You can easily ascertain that looking at the
> logon properties of the mailbox.
>
>  joe
>
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
> Sent: Friday, October 13, 2006 5:16 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] OT:Exchange/outlook auth question
>
> Then I'm curious why Exchange won't let me change the perms on a PF
> through Outlook when logged into that user's mailbox but logged into
> the domain as an Exchange Full Admin.
> If I put the mailbox-enabled user account into the Exchange Full Admin
> group, then it works.
> What am I not seeing here?
>
> Thanks
>
> On 10/12/06, joe <[EMAIL PROTECTED]> wrote:
> > The work is done as the logged on user, so in this case, as the Exchange
> > admin.
> >
> >
> > --
> > O'Reilly Active Directory Third Edition -
> > http://www.joeware.net/win/ad3e.htm
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
> > Sent: Thursday, October 12, 2006 8:46 PM
> > To: activedirectory
> > Subject: [ActiveDir] OT:Exchange/outlook auth question
> >
> > This isn't really an issue but more of a request for an explanation
> > of how things work under the hood.
> >
> > I have a multi-domain forest.
> > A user who is an Exchange Full Admin in one domain logs in and opens
> > Outlook to a mailbox that is owned by a user account in another
> > domain (same forest).
> > This mailbox-enabled user has no special rights.
> > The Exchange Full Admin account (which has full mailbox rights on the
> > mailbox-enabled account in the child domain) then modifies the rights
> > on a Public Folder through Outlook, which Exchange seems to let him do,
> > and then those perms disappear after a few minutes.
> >
> > Now my question is, when Exchange determines who can do what, is that
> > based on the actual account logging into the domain with Outlook or
> > the account associated with the mailbox that Outlook has open?
> > If the latter, does it just look up the msExchMailboxGuid to determine
> > the user account and base it on that?
> >
> > As I said, this is not an issue, just looking for an explanation of
> > how things work.
> >
> >
> > Thanks
> >
> >
> > p.s- win2k3 forest ffl/dfl win2k3 and exch2k3
> > List info   : http://www.activedir.org/List.aspx
> > List FAQ    : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.activedir.org/ml/threads.aspx
> >
>