So....if your AD domain is "docksystemsinc.com" then you have to update the command to match your AD domain!!!!
Instead of Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User GFITest -Identity "CN=Users,DC=mydomain,DC=com" You use Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User GFITest -Identity "CN=Users,DC=docksystemsinc,DC=com" That is the OU/container where the relevant user objects exist. Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com -----Original Message----- From: jesse-r...@wi.rr.com [mailto:jesse-r...@wi.rr.com] Sent: Wednesday, February 17, 2010 3:26 PM To: NT System Admin Issues Subject: RE: Exch2007 permissions issue No luck on this. I ran the commands based on your link for Blackberry. The first command resulted in: [PS] C:\Windows\System32>Get-MailboxDatabase | Add-ADPermission -User GFITest -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin Identity User Deny Inherited Rights -------- ---- ---- --------- ------ EXCHANGE\First St... SYSTEMS\GFITest False False Receive-As EXCHANGE\First St... SYSTEMS\GFITest False False ms-Exch-Store-Admin For the adding of the user with Exchange View Only, I accomplished that via the GUI interface instead. I could not get the third command to work at all. (results below) [PS] C:\Windows\System32>Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User GFITest -Identity "CN=Users,DC=mydomain,DC=com" Add-ADPermission : Active Directory operation failed on EXCHANGE.docksystemsinc .com. This error is not retriable. Additional information: Access is denied. Active directory response: 00000005: SecErr: DSID-03152492, problem 4003 (INSUF F_ACCESS_RIGHTS), data 0 At line:1 char:17 + Add-ADPermission <<<< -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User GFITest -Identity "CN=Users,DC=mydomain,DC =com" [PS] C:\Windows\System32> For kicks, I tried logging on to OWA with "GFItest" user account, and I still can't open up other user's emails/ ARGH JR Original Message: ----------------- From: Michael B. Smith mich...@smithcons.com Date: Wed, 17 Feb 2010 17:40:42 +0000 To: ntsysadmin@lyris.sunbelt-software.com Subject: RE: Exch2007 permissions issue Yes, still should be ok. Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com -----Original Message----- From: jesse-r...@wi.rr.com [mailto:jesse-r...@wi.rr.com] Sent: Wednesday, February 17, 2010 12:39 PM To: NT System Admin Issues Subject: RE: Exch2007 permissions issue A followup... The user was/is already added to the Exchange-View Only group. This was done months back when 2007 was introduced as the user account (Account-A) in question is the account we use for Backupexec backups. I will give a try the commands you listed in the Blackberry link. Should be okay that it's stating those commands are for 2010, right? I'll let you know this afternoon how things go, when I'm on site and able to test. Original Message: ----------------- From: Michael B. Smith mich...@smithcons.com Date: Wed, 17 Feb 2010 17:15:55 +0000 To: ntsysadmin@lyris.sunbelt-software.com Subject: RE: Exch2007 permissions issue This is what you want to do: http://docs.blackberry.com/nl-nl/admin/deliverables/12142/Configure_Exchange _10_perms_for_Exchange_account_962758_11.jsp For Exchange 2007, change step 3 to "add user to 'Exchange View-Only Administrator' security group". Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com -----Original Message----- From: Michael B. Smith [mailto:mich...@smithcons.com] Sent: Wednesday, February 17, 2010 12:08 PM To: NT System Admin Issues Subject: RE: Exch2007 permissions issue More counterpoints. 1] Like I said - the command you show is wrong. But caching can prevent things from taking affect "immediately". 2] You didn't SAY you wanted to do it for every mailbox in the store! I'll go look up that command. But while I do, what mechanism did you use in OWA to attempt to access the other mailbox? Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com -----Original Message----- From: jesse-r...@wi.rr.com [mailto:jesse-r...@wi.rr.com] Sent: Wednesday, February 17, 2010 12:04 PM To: NT System Admin Issues Subject: RE: Exch2007 permissions issue Hmm. A few counterpoints. 1. I'm not sure the caching is the problem. We waited over 24 hours and the results was the same. 2. Your method would require me doing this for EVERY single mailbox in the store, surely the method as explain by GFI is easier?? (unless I'm not understanding you correctly?) Furthmore, if I go to Account-B and look at Manage Full Access Permissions, Account-A is already listed (because of the command I ran the other day from the command-line) Thoughts? Thanks. J Original Message: ----------------- From: Michael B. Smith mich...@smithcons.com Date: Wed, 17 Feb 2010 16:59:46 +0000 The Sunbelt Exchange forum is a great place to ask questions like this. :-) Regardless, the GFI instructions are wrong, at least as you've quoted them. The easiest thing to do is open the Exchange management Console, find Account-B, then click on "Manage Full Access Permission" in the Action pane, and give Account-A rights. And yes, you need to either "restart-service msexchangeis" or wait about two hours for the permissions cache to expire. No reboot required. In re: the Domain Admin question, explicitly assigned permissions override inherited permissions. Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com -----Original Message----- From: jesse-r...@wi.rr.com [mailto:jesse-r...@wi.rr.com] Sent: Wednesday, February 17, 2010 11:53 AM To: NT System Admin Issues Subject: Exch2007 permissions issue Haven't had much help from other sources with this issue so I thougth I'd try here. Environment: Single Exchange 2007 server I need to be able to access another user's mailbox via OWA in order for this particular software (GFI Mail Archiver) to work properly. When I use Account-A to logon to OWA 2007, I try to access another user's mailbox (Account-B) and I receive this error: "You do not have permission to open this mailbox. For access or for more information, contact technical support for your organization. " According to the documentation from GFI, I am supposed to enter this from the Exchange 2007 command prompt: Add-ADPermission -Identity "Mailbox Database" -User "domain\UsernameJOE" -AccessRights GenericAll I did that... but when logged into OWA as UsernameJOE, the error still occurs when trying to access another user's email via OWA. Really stuck here and could use some help. Can someone tell me what I should try next? Single Exchange 2007 server with MBX/CAS/HUB roles. Note - since making that change, the Exchange server has not been rebooted (I dont think it needs to be?), and also, the user account in question is a Domain Admin (is this possibly an issue because of inherited deny permissions??) Thanks. J -------------------------------------------------------------------- myhosting.com - Premium Microsoft(r) Windows(r) and Linux web and application hosting - http://link.myhosting.com/myhosting ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ -------------------------------------------------------------------- mail2web.com - Microsoft(r) Exchange solutions from a leading provider - http://link.mail2web.com/Business/Exchange ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ -------------------------------------------------------------------- mail2web - Check your email from the web at http://link.mail2web.com/mail2web ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ -------------------------------------------------------------------- mail2web.com - Enhanced email for the mobile individual based on Microsoft(r) Exchange - http://link.mail2web.com/Personal/EnhancedEmail ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~