Permission of Full Mailbox Access LOST after some hours for some user

  • Question

  • Hello,

    We are migrating mailboxes from Exchange 2003 to Exchange 2010. The migration is going well. All users are working and always connected, also with mobile.

    But there are some mailboxes (generic mailboxes like "administration") where I set full access for one or two users. All works fine for one or more hours but, for example, today after lunch, the 2 users called me saying that they do not have the right to send for the "administration" mailbox.

    I go on AD and the full rights on the Security tab for user "Administration" are missing! What's the matter?

    We have 3 domain controllers but 1 of these is in a bad state... we are working on a new domain controller...

    I think that probably the faulty domain controller is the problem! Can somebody confirm? I can change the domain controller as soon as possible; is that probably the solution?

    Thanks a lot.

    Luca


    Luca Targa Vecomp Software
    Tuesday, June 14, 2011 12:50 PM

All replies

  • You said that you have moved mailboxes from 2003 to 2010. If yes, then why are you giving permission from the AD console? If the mailbox is on a 2010 server then you must use EMC or EMS to give full mailbox permission.
    Anil MCC 2011,ITIL V3,MCSA 2003,MCTS 2010, My Blog : http://messagingschool.wordpress.com
    Tuesday, June 14, 2011 1:47 PM
  • Yes, you are right, but the problem still exists.

    Luca


    Luca Targa Vecomp Software
    Tuesday, June 14, 2011 1:49 PM
  • If you set full access permission from the Security tab on the AD user properties... then automatically the proper Exchange permission is shown exactly on the full access permission dialog of the Exchange console... it's the same.

    The question is: why is only the same 1 user removed after some hours? Other users still remain enabled for full access permission on the same mailbox.

    Thanks

    Luca


    Luca Targa Vecomp Software
    Tuesday, June 14, 2011 2:00 PM
  • Hi Luca
    According to my experience, it is due to an AD replication error.
    I always see AD accounts lose properties after AD replication.
    You can do a test: change the domain controller and grant the account again.
    If the properties are not lost in one month, it is an AD error.
    If the properties are still lost in one month, it is an account error or an AD schema error. The best way is to delete and recreate the user account.


    Wednesday, June 15, 2011 2:44 AM
  • Thanks Terence,

    I have 3 domain controllers... but one is corrupt... so we are looking to replace the corrupt AD server with the third.

    If I set a permission for a user I can see the new permission on every server (also on the corrupt one)... but after one, two, or three hours the permission is removed (and we can see the missing permission on every server).

    So, we know that we have a problem with SYSVOL replication. Do you think we can wait until the corrupt server is replaced, or can I proceed with recreating the single user?

    Thanks

    Luca


    Luca Targa Vecomp Software
    Wednesday, June 15, 2011 8:30 AM
  • You mentioned that Send As privileges are gone; this is expected if the user is in any privileged groups or nested into any privileged groups.

    The "Send As" right is removed from a user object after you configure the "Send As" right in the Active Directory Users and Computers snap-in in Exchange Server

    http://support.microsoft.com/kb/907434


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    • Proposed as answer by Terence Yu Thursday, June 16, 2011 11:17 AM
    Wednesday, June 15, 2011 5:24 PM
  • We ran into a similar issue with some of our accounts that had elevated rights (Domain Admins, Account Operators). The operative word here is "had", because this even applied to some users that used to be in these groups, but had since been removed.

    Make sure the Inherit Permissions is checked on the AD Object.

    Hope this helps.

    Thanks,

    Karl

    Thursday, June 16, 2011 6:19 PM
  • Hi Karl,

    Now I'm trying checking Inherit Permissions on the AD object. Waiting for a response... Hoping this is the solution!

    The problem is only for mailboxes migrated from Exchange 2003 (we have a coexisting server with Exchange 2010)... For new mailboxes created on Exchange 2010 there are no problems.

    Thanks

    Luca


    Luca Targa Vecomp Software
    Tuesday, June 21, 2011 8:39 AM
  • Hi Karl,

    Unfortunately it does not work! At this moment my account has been removed from the security of the account in question!

    Any other ideas?

    Luca


    Luca Targa Vecomp Software
    Tuesday, June 21, 2011 8:41 AM
  • Hi Luca,

    How are you setting these permissions, using the shell, or in AD?

    Have you tried: Add-ADPermission mailboxname -User username -Extendedrights "Send As"

    where mailboxname is the name of the mailbox the user should have Send As permissions for, and username is the name of the user to be given access.

    Thanks,

    Karl

    Friday, July 15, 2011 4:00 PM
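
Added example (not part of the thread and not any poster's code): a read-only check of the state James and Karl point to, namely whether the mailbox account is or was in a privileged group and whether permission inheritance is enabled on its AD object, followed by the Send As and Full Access entries currently present for the delegate. It assumes the ActiveDirectory module and the Exchange Management Shell are available; `CONTOSO\delegate1` is a placeholder for the user who loses access.

```powershell
# Added example. Run in the Exchange Management Shell on a machine that also
# has the ActiveDirectory module (RSAT). Read-only: nothing is modified.
Import-Module ActiveDirectory

$mailbox  = 'administration'       # shared mailbox named in the thread
$delegate = 'CONTOSO\delegate1'    # placeholder: the user who loses access

$u = Get-ADUser -Identity $mailbox -Properties adminCount, nTSecurityDescriptor

# All groups the account belongs to, including nested membership, resolved
# with the LDAP "in chain" matching rule. A DN containing LDAP filter
# metacharacters would need escaping first.
$groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($u.DistinguishedName))"

New-Object PSObject -Property @{
    Account             = $u.SamAccountName
    # 1 marks an account that is, or once was, in a protected group. While it
    # is a member, its ACL is periodically reset from the AdminSDHolder template.
    AdminCount          = $u.adminCount
    # True means the inherit-permissions box is unchecked on the AD object.
    InheritanceDisabled = $u.nTSecurityDescriptor.AreAccessRulesProtected
    GroupsIncludingNested = ($groups | ForEach-Object { $_.Name }) -join ', '
} | Format-List

# Send As entries for the delegate on the mailbox's AD object.
Get-ADPermission -Identity $mailbox -User $delegate |
    Where-Object { $_.ExtendedRights -like '*Send-As*' } |
    Format-Table User, ExtendedRights, IsInherited, Deny -AutoSize

# Full Access entries for the delegate on the mailbox itself.
Get-MailboxPermission -Identity $mailbox -User $delegate |
    Format-Table User, AccessRights, IsInherited, Deny -AutoSize
```

Run it once right after granting the permission and again after the permission has disappeared, then compare the two outputs.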