Who is "NT Authority\Self"? How can you tell who?

  • Question

  • This is why I'm asking...

    I was practicing various recovery scenarios for lost messages or accidentally deleted mailboxes:

    1. Retrieve message from Deleted Items

    2. Retrieve message from Dumpster

    3. Create RSG (E2K7) or RDB (E2K10) and merge messages into associated mailbox

    If an entire mailbox is disabled, it can be (re)connected to the same user account or another account so the messages can be accessed.

    That's when I encountered the following problem.

    1. I disable the mailbox of Alannah.Shaw (that's right, some of you will recognize that user as one created by Andy Grogan's Create User Script).

    2. I (re)connect the mailbox to the Alannah.Shaw account (still OK).

    Now let's try to connect the mailbox to another account - Pierre Dupont (after having disabled it once again).

    That works.

    So what's the problem?

    If I disable the mailbox yet once more and then attempt to reconnect it to the user account of Alannah.Shaw, she can no longer access her mailbox either with Outlook (2010 SP1) or OWA.

    Clean-MailboxDatabase, creating a new Outlook profile, removing and adding the NT Authority\Self permission all failed.

    Yet, if I grant Full Access to "Aisha Bhari", that user can access Alannah.Shaw's mailbox just fine.

    If I grant Alannah.Shaw access, using her name rather than "NT Authority\Self", she once again has access to her mailbox by both Outlook and OWA.

    It looks like, somehow, in the disabling and reconnecting process, "Self" was associated with Pierre Dupont and was never re-associated with Alannah Shaw.

    Has anyone ever encountered this issue? How would you resolve it (other than the way I did)?

    Granted, it's unlikely one would be disabling and reconnecting mailboxes so often (unless practicing recovery options, like here) but I'm still curious.


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.



    Sunday, June 24, 2012 12:19 AM

Answers

  • On Sun, 24 Jun 2012 00:19:10 +0000, Le Pivert wrote:
     
    >
    >
    >This is why I'm asking...
    >
    >I was practicing various recovery scenarios for lost messages or accidentally deleted mailboxes:
    >
    >1. Retrieve message from Deleted Items
    >
    >2. Retrieve message from Dumpster
    >
    >3. Create RSG (E2K7) or RDB (E2K10) and merge messages into associated mailbox
    >
    >If an entire mailbox is disabled, it can be (re)connected to the same user account or another account so the messages can be accessed.
    >
    >That's when I encountered the following problem.
    >
    >1. I disable the mailbox of Alannah.Shaw (that's right, some of you will recognize that user as one created by Andy Grogan's Create User Script).
    >
    >2. I (re)connect the mailbox to the Alannah.Shaw account (still OK).
    >
    >Now let's try to connect the mailbox to another account - Pierre Dupont (after having disabled it once again).
    >
    >That works.
    >
    >So what's the problem?
    >
    >If I disable the mailbox yet once more and then attempt to reconnect it to the user account of Alannah.Shaw, she can no longer access her mailbox either with Outlook (2010 SP1) or OWA.
    >
    >Clean-MailboxDatabase, creating a new Outlook profile, removing and adding the NT Authority\Self permission all failed.
    >
    >Yet, if I grant Full Access to "Aisha Bhari", that user can access Alannah.Shaw's mailbox just fine.
    >
    >If I grant Alannah.Shaw access, using her name rather than "NT Authority\Self", she once again has access to her mailbox by both Outlook and OWA.
    >
    >It looks like, somehow, in the disabling and reconnecting process, "Self" was associated with Pierre Dupont and was never re-associated with Alannah Shaw.
     
    "Self" is a self-referential account. It simply means "me". It's the
    same SID no matter where it's used.
     
    >Has anyone ever encountered this issue? How would you resolve it (other than the way I did)?
    >
    >Granted, it's unlikely one would be disabling and reconnecting mailboxes so often (unless practicing recovery options, like here) but I'm still curious.
     
    I think I'd have tried "Set-Mailbox <name>
    -ApplyMandatoryProperties:$true".
     
    The thing to keep in mind is that the permissions you see in the AD
    aren't necessarily those that are stamped in the mailbox. They should
    be, but it's not always the case. When you change the permission in
    the AD the software is supposed to write those permissions into the
    mailbox -- if the mailbox exists.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     
    Sunday, June 24, 2012 3:13 AM
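The disable/reconnect cycle from the question and the checks the answer points at (compare the DACL AD holds with the ACL Exchange reports for the mailbox, then re-stamp with Set-Mailbox -ApplyMandatoryProperties), as an added lab script. This is not code from the thread or from either poster. It assumes an Exchange 2010 Management Shell (PowerShell 2.0 syntax, so no [pscustomobject]), a lab database named MailboxDatabase01, a NetBIOS domain CONTOSO, a mailbox-enabled Alannah.Shaw and a Pierre.Dupont account with no mailbox; change those to match your lab. The only fact it relies on beyond the thread is that NT AUTHORITY\SELF is the well-known SID S-1-5-10, which is why an ACE for SELF can only ever mean "whoever the mailbox currently belongs to".

```powershell
# Added example, not from the thread. Run in the Exchange 2010 Management Shell.
# Database, domain and account names are lab assumptions.
$Db      = 'MailboxDatabase01'   # assumed lab database
$Domain  = 'CONTOSO'             # assumed NetBIOS domain
$Alannah = 'Alannah.Shaw'        # alias; account is $Domain\$Alannah
$Pierre  = 'Pierre.Dupont'       # assumed to have no mailbox at the start

function Get-StampedAces {
    # Non-inherited allow ACEs as Exchange reports them, resolved to SIDs so that
    # NT AUTHORITY\SELF (always S-1-5-10) and the owner's real SID sit side by side.
    param([Parameter(Mandatory=$true)][string]$Identity)
    Get-MailboxPermission -Identity $Identity |
        Where-Object { -not $_.IsInherited -and -not $_.Deny } |
        ForEach-Object {
            $name = $_.User.ToString()
            try {
                $sid = (New-Object System.Security.Principal.NTAccount($name)).Translate(
                           [System.Security.Principal.SecurityIdentifier]).Value
            } catch { $sid = 'unresolved' }
            New-Object PSObject -Property @{
                User = $name; Sid = $sid; Rights = ($_.AccessRights -join ',')
            }
        }
}

function Get-AdAces {
    # The DACL held on the user object in AD (msExchMailboxSecurityDescriptor), read
    # through ADSI, which hands it back as an IADsSecurityDescriptor. This is the copy
    # the answer says is not necessarily what is stamped in the store.
    param([Parameter(Mandatory=$true)][string]$Identity)
    $dn = (Get-Mailbox -Identity $Identity).DistinguishedName
    $sd = ([ADSI]"LDAP://$dn").psbase.Properties['msExchMailboxSecurityDescriptor'].Value
    foreach ($ace in $sd.DiscretionaryAcl) {
        New-Object PSObject -Property @{
            Trustee = $ace.Trustee; Mask = ('0x{0:X}' -f $ace.AccessMask); Type = $ace.AceType
        }
    }
}

function Show-Acls {
    param([string]$Label, [string]$Identity)
    "--- $Label : ACL as Exchange reports it for $Identity"
    Get-StampedAces -Identity $Identity | Format-Table User, Sid, Rights -AutoSize | Out-String
    "--- $Label : DACL held in AD for $Identity"
    Get-AdAces -Identity $Identity | Format-Table Trustee, Mask, Type -AutoSize | Out-String
}

function Invoke-DisableAndReconnect {
    # Disable the mailbox, make the store register the disconnect, reconnect it to $User.
    # The ExchangeGuid is captured first because it is the one stable handle on the
    # disconnected mailbox; display names can change when the owner changes.
    param([Parameter(Mandatory=$true)][string]$Identity,
          [Parameter(Mandatory=$true)][string]$User)
    $guid = (Get-Mailbox -Identity $Identity).ExchangeGuid
    Disable-Mailbox -Identity $Identity -Confirm:$false
    Clean-MailboxDatabase -Identity $Db
    Connect-Mailbox -Identity $guid -Database $Db -User "$Domain\$User" -Confirm:$false
}

# The sequence from the question, with an ACL snapshot after every step.
Show-Acls 'baseline' $Alannah
Invoke-DisableAndReconnect -Identity $Alannah -User $Alannah
Show-Acls 'reconnected to Alannah' $Alannah
Invoke-DisableAndReconnect -Identity $Alannah -User $Pierre
Show-Acls 'reconnected to Pierre' $Pierre
Invoke-DisableAndReconnect -Identity $Pierre -User $Alannah
Show-Acls 'reconnected to Alannah again' $Alannah

# What the answer suggests: push the mandatory attributes from AD back into the mailbox,
# then compare the two views again.
Set-Mailbox -Identity $Alannah -ApplyMandatoryProperties
Show-Acls 'after ApplyMandatoryProperties' $Alannah

# Fallback the original poster used. Set this after testing with Outlook or OWA; the
# explicit grant works because it is keyed to Alannah's own SID, not to S-1-5-10.
$AccessStillBroken = $false
if ($AccessStillBroken) {
    Add-MailboxPermission -Identity $Alannah -User "$Domain\$Alannah" `
        -AccessRights FullAccess -InheritanceType All
}
```

Read the two snapshots side by side after the third reconnect: if the SELF entry is present in both views but Alannah still cannot open the mailbox, the ACE itself is not the problem (SELF never changes), and the question becomes whether the store's copy of the descriptor was rewritten for the new owner, which is exactly what -ApplyMandatoryProperties is meant to force.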