RE: Exch2007 permissions issue

Michael B. Smith Wed, 17 Feb 2010 13:32:19 -0800

So....if your AD domain is "docksystemsinc.com" then you have to update the 
command to match your AD domain!!!!


Instead of
    Add-ADPermission -InheritedObjectType User -InheritanceType Descendents 
-ExtendedRights Send-As -User GFITest -Identity "CN=Users,DC=mydomain,DC=com"

You use
    Add-ADPermission -InheritedObjectType User -InheritanceType Descendents 
-ExtendedRights Send-As -User GFITest -Identity 
"CN=Users,DC=docksystemsinc,DC=com"

That is the OU/container where the relevant user objects exist.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com


-----Original Message-----
From: jesse-r...@wi.rr.com [mailto:jesse-r...@wi.rr.com] 
Sent: Wednesday, February 17, 2010 3:26 PM
To: NT System Admin Issues
Subject: RE: Exch2007 permissions issue

No luck on this.  I ran the commands based on your link for Blackberry.

The first command resulted in:

[PS] C:\Windows\System32>Get-MailboxDatabase | Add-ADPermission -User GFITest 
-AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin

Identity             User                 Deny  Inherited Rights
--------             ----                 ----  --------- ------
EXCHANGE\First St... SYSTEMS\GFITest      False False     Receive-As
EXCHANGE\First St... SYSTEMS\GFITest      False False    
ms-Exch-Store-Admin

For the adding of the user with Exchange View Only, I accomplished that via the 
GUI interface instead.

I could not get the third command to work at all. (results below)



[PS] C:\Windows\System32>Add-ADPermission -InheritedObjectType User 
-InheritanceType Descendents -ExtendedRights Send-As -User GFITest -Identity 
"CN=Users,DC=mydomain,DC=com"
Add-ADPermission : Active Directory operation failed on EXCHANGE.docksystemsinc 
.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03152492, problem 4003 (INSUF 
F_ACCESS_RIGHTS), data 0 At line:1 char:17
+ Add-ADPermission  <<<< -InheritedObjectType User -InheritanceType
Descendents
 -ExtendedRights Send-As -User GFITest -Identity "CN=Users,DC=mydomain,DC =com"
[PS] C:\Windows\System32>

For kicks, I tried logging on to OWA with "GFItest" user account, and I still 
can't open up other user's emails/

ARGH
JR



Original Message:
-----------------
From: Michael B. Smith mich...@smithcons.com
Date: Wed, 17 Feb 2010 17:40:42 +0000
To: ntsysadmin@lyris.sunbelt-software.com
Subject: RE: Exch2007 permissions issue


Yes, still should be ok.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com


-----Original Message-----
From: jesse-r...@wi.rr.com [mailto:jesse-r...@wi.rr.com]
Sent: Wednesday, February 17, 2010 12:39 PM
To: NT System Admin Issues
Subject: RE: Exch2007 permissions issue

A followup...

The user was/is already added to the Exchange-View Only group.  This was done 
months back when 2007 was introduced as the user account (Account-A) in 
question is the account we use for Backupexec backups.

I will give a try the commands you listed in the Blackberry link.  Should be 
okay that it's stating those commands are for 2010, right?

I'll let you know this afternoon how things go, when I'm on site and able to 
test.


Original Message:
-----------------
From: Michael B. Smith mich...@smithcons.com
Date: Wed, 17 Feb 2010 17:15:55 +0000
To: ntsysadmin@lyris.sunbelt-software.com
Subject: RE: Exch2007 permissions issue


This is what you want to do:

http://docs.blackberry.com/nl-nl/admin/deliverables/12142/Configure_Exchange
_10_perms_for_Exchange_account_962758_11.jsp

For Exchange 2007, change step 3 to "add user to 'Exchange View-Only 
Administrator' security group".

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com


-----Original Message-----
From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, February 17, 2010 12:08 PM
To: NT System Admin Issues
Subject: RE: Exch2007 permissions issue

More counterpoints.

1] Like I said - the command you show is wrong. But caching can prevent things 
from taking affect "immediately".

2] You didn't SAY you wanted to do it for every mailbox in the store! I'll go 
look up that command.

But while I do, what mechanism did you use in OWA to attempt to access the 
other mailbox?

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com


-----Original Message-----
From: jesse-r...@wi.rr.com [mailto:jesse-r...@wi.rr.com]
Sent: Wednesday, February 17, 2010 12:04 PM
To: NT System Admin Issues
Subject: RE: Exch2007 permissions issue

Hmm. A few counterpoints.

1. I'm not sure the caching is the problem.  We waited over 24 hours and the 
results was the same.

2. Your method would require me doing this for EVERY single mailbox in the 
store, surely the method as explain by GFI is easier??  (unless I'm not 
understanding you correctly?)  Furthmore, if I go to Account-B and look at 
Manage Full Access Permissions, Account-A is already listed (because of the 
command I ran the other day from the command-line)

Thoughts? 

Thanks.
J


Original Message:
-----------------
From: Michael B. Smith mich...@smithcons.com
Date: Wed, 17 Feb 2010 16:59:46 +0000

The Sunbelt Exchange forum is a great place to ask questions like this. :-)

Regardless, the GFI instructions are wrong, at least as you've quoted them.

The easiest thing to do is open the Exchange management Console, find 
Account-B, then click on "Manage Full Access Permission" in the Action pane, 
and give Account-A rights.

And yes, you need to either "restart-service msexchangeis" or wait about two 
hours for the permissions cache to expire. No reboot required.

In re: the Domain Admin question, explicitly assigned permissions override 
inherited permissions.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com


-----Original Message-----
From: jesse-r...@wi.rr.com [mailto:jesse-r...@wi.rr.com]
Sent: Wednesday, February 17, 2010 11:53 AM
To: NT System Admin Issues
Subject: Exch2007 permissions issue

Haven't had much help from other sources with this issue so I thougth I'd try 
here.

Environment:  Single Exchange 2007 server

I need to be able to access another user's mailbox via OWA in order for this 
particular software (GFI Mail Archiver) to work properly. 

When I use Account-A to logon to OWA 2007, I try to access another user's 
mailbox (Account-B) and I receive this error: 

"You do not have permission to open this mailbox. For access or for more 
information, contact technical support for your organization. " 

According to the documentation from GFI, I am supposed to enter this from the 
Exchange 2007 command prompt: 

Add-ADPermission -Identity "Mailbox Database" -User "domain\UsernameJOE"
-AccessRights GenericAll 


I did that... but when logged into OWA as UsernameJOE, the error still occurs 
when trying to access another user's email via OWA. 

Really stuck here and could use some help. Can someone tell me what I should 
try next? Single Exchange 2007 server with MBX/CAS/HUB roles. 

Note - since making that change, the Exchange server has not been rebooted (I 
dont think it needs to be?), and also, the user account in question is a Domain 
Admin (is this possibly an issue because of inherited deny
permissions??)


Thanks. 
J

--------------------------------------------------------------------
myhosting.com - Premium Microsoft(r) Windows(r) and Linux web and application 
hosting - http://link.myhosting.com/myhosting



~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~


~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~


--------------------------------------------------------------------
mail2web.com - Microsoft(r) Exchange solutions from a leading provider - 
http://link.mail2web.com/Business/Exchange



~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~


~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~


~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~


--------------------------------------------------------------------
mail2web - Check your email from the web at http://link.mail2web.com/mail2web



~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~


~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~


--------------------------------------------------------------------
mail2web.com - Enhanced email for the mobile individual based on Microsoft(r) 
Exchange - http://link.mail2web.com/Personal/EnhancedEmail



~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

RE: Exch2007 permissions issue

Reply via email to