locked
Exchange 2010 BPA complains about missing rights on OAB directory RRS feed

  • Question

  • Hello,

    I've installed Exchange 2010 SP1 on a Windows 2008 R2 server, along with the AD DS role (I know, not advised but supported).

    When running an up-to-date version of ExBPA, it complains about missing access rights on the C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\OAB\10ce4957-0422-459b-9f68-c6c9a150fdd5'  directory for several groups : 'Enterprise Admins', 'Domain Admins', 'Admins' and 'Authenticated Users'.

    Though, they are correctly set :

    PS C:\Users\Administrateur> Get-Acl 'C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\OAB\10ce4957-0422-459b-9f68-c6c9a150fdd5' | fl

    Path   : Microsoft.PowerShell.Core\FileSystem::C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\OAB\10ce4957-0422-459b-9f68-c6c9a150fdd5
    Owner  : BUILTIN\Administrateurs
    Group  : AUTORITE NT\Système
    Access : AUTORITE NT\IUSR Deny  Read
             AUTORITE NT\Utilisateurs authentifiés Allow  Read, Synchronize
             AUTORITE NT\Système Allow  Read, Synchronize
             BUILTIN\Administrateurs Allow  FullControl
             BUILTIN\IIS_IUSRS Allow  ReadAndExecute, Synchronize
             LPA\Administrateur Allow  Read, Synchronize
             LPA\Admins du domaine Allow  Read, Synchronize
             LPA\Administrateurs de l'entreprise Allow  Read, Synchronize
             LPA\Organization Management Allow  Read, Synchronize
             LPA\Organization Management Allow  ReadAndExecute, Synchronize
             LPA\View-Only Organization Management Allow  ReadAndExecute, Synchronize
             LPA\View-Only Organization Management Allow  Read, Synchronize
             LPA\Exchange Servers Allow  FullControl
             LPA\Exchange Trusted Subsystem Allow  Read, Synchronize

    Any idea ?

    Thanks in advance

    Christian


    Christian G.
    Tuesday, September 27, 2011 12:48 PM

Answers

  • Hello,

    as far as I know this is a known issue because BPA searches for the English group names and can't find them, so this error is generated.

    If you have ensured that the rights are correct and the OAB is downloadable you can safely ignore the error.

    Greetings,

    Toni

    Thursday, September 29, 2011 9:29 AM

All replies

  • FYI, I've added FullControl access to All, and the same errors pop out.
    Christian G.
    Tuesday, September 27, 2011 1:38 PM
  • From the Get-ACL command result, I cannot find the 'Enterprise Admins', 'Domain Admins', 'Admins' and 'Authenticated Users' groups. Please manually add it and assign full access permission for them.

    Restart the system attendent service and see if the issue persists.

    Thanks,

    Simon

    Thursday, September 29, 2011 3:10 AM
    Moderator
  • Actually those are set, but the output being in French that might not be so easy to read :

    Enterprise Admins = LPA\Administrateurs de l'entreprise
    Domain Admins = LPA\Admins du domaine
    Authenticated Users = AUTORITE NT\Utilisateurs authentifiés

    ExBPA says that it might prevent users from downloading the OAB via HTTP. But I configured an Outlook profile with Outlook Anywhere and I got it fine. Maybe another of the numerous false alarms triggered by BPA ?

    Christian


    Christian G.
    Thursday, September 29, 2011 6:03 AM
  • Hello,

    as far as I know this is a known issue because BPA searches for the English group names and can't find them, so this error is generated.

    If you have ensured that the rights are correct and the OAB is downloadable you can safely ignore the error.

    Greetings,

    Toni

    Thursday, September 29, 2011 9:29 AM
  • Ok, thanks for the answer Toni.

     

    Christian

     


    Christian G.
    Thursday, September 29, 2011 10:15 AM