Exchange Server 2007 Permissions

  • Question

  • We have the affected users who are members of Exchange Organization Management, Domain Admins, Domain Users. Now I try to log on to OL 2007 and it prompts me for credentials, OWA unable to log on. Later I go to EMC and get to the Manage full access permissions of the affected mailbox and add the Domain Admins group there and yes now we are able to access the mailbox successfully without even a prompt for credentials and OWA works fine.
    If I remove the Domain Admins group from the Manage full access permissions of the affected mailbox I lose access to OL and OWA.

    I created a test mailbox and made the account to be a member of the same 3 groups, Org management, Domain Admins and Domain users. Am able to access the mailbox without the Domain Admins group being added to the Manage full access permission of the affected mailbox

    Can anyone post your advice on this?

    Regards,

    Deepak Exchange Server 2003/2007/2010

    Friday, March 2, 2012 4:06 PM

Answers

  • Yes, use two separate accounts.  The security benefit is that the account you use to log on to your workstation won't have rights to do dangerous stuff to the Internet should you get infected with spyware or some such.  You're also less likely to do something accidentally.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Wednesday, March 7, 2012 7:58 PM
  • On Wed, 7 Mar 2012 19:29:37 +0000, Deepak Siva Sankar wrote:
     
    >Thanks, is there any article which explains this fact?
     
    That the inheritance will be blocked? That any permissions you assign
    to the account will be removed?
     
    http://blogs.technet.com/b/askds/archive/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop.aspx
    http://blogs.technet.com/b/exchange/archive/2009/09/23/3408362.aspx
    http://support.microsoft.com/kb/232199
    etc.
     
    But you could have discovered all of that just by searching for
    "AdminSDHolder".
    >Because it was working fine in my Lab. I appreciate your reply.
     
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Wednesday, March 7, 2012 10:27 PM

All replies

  • Don't use privileged accounts for e-mail. Create separate accounts for administration and e-mail.  This is also a security best practice.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Sunday, March 4, 2012 3:51 AM
  • On Sun, 4 Mar 2012 03:51:32 +0000, Ed Crowley wrote:
     
    >Don't use privileged accounts for e-mail. Create separate accounts for administration and e-mail.
     
    Being a member of a privileged group blocks inheritance. Exchange
    doesn't get the necessary security settings on the account.
     
    If you try to change the security on the account the AdminSDHolder
    thread takes them away within an hour.
     
    >This is also a security best practice.
     
    Besides retaining your sanity. :-)
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Sunday, March 4, 2012 5:28 AM
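
One way to check which mailbox-enabled accounts are affected by the behaviour described in the reply above (an added example, not part of the original thread; it assumes the ActiveDirectory PowerShell module is available and relies only on the standard `adminCount`, `homeMDB`, `memberOf` and `nTSecurityDescriptor` attributes):

```powershell
# Added example: list mailbox-enabled users that SDProp has stamped as protected
# and show whether ACL inheritance is currently disabled on each account object.
# Assumption: ActiveDirectory module (RSAT) is installed and the caller can read
# user security descriptors in the domain.
Import-Module ActiveDirectory

# adminCount=1 -> the account has been processed by SDProp / AdminSDHolder
# homeMDB=*    -> the account has a mailbox in an Exchange mailbox database
$filter = '(&(objectCategory=person)(objectClass=user)(adminCount=1)(homeMDB=*))'

Get-ADUser -LDAPFilter $filter -Properties adminCount, memberOf, nTSecurityDescriptor |
    Select-Object SamAccountName,
        @{ Name       = 'InheritanceBlocked'
           # True when the object's DACL is protected from inherited ACEs,
           # i.e. "Include inheritable permissions" is unticked.
           Expression = { $_.nTSecurityDescriptor.AreAccessRulesProtected } },
        @{ Name       = 'DirectGroups'
           # Direct memberships only; nested privileged membership also counts
           # for SDProp but is not expanded here.
           Expression = { ($_.memberOf | Sort-Object) -join '; ' } } |
    Sort-Object SamAccountName |
    Format-List
```

Accounts listed with `InheritanceBlocked : True` are the ones that should get a separate, unprivileged mailbox account. `adminCount` is not cleared automatically when an account leaves a protected group, so an account can appear here even if its current memberships look ordinary.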
  • Hello Ed,

    Thank you for your reply. Well, you mean to say that we can have a domain account separate and a mailbox account separate? So is it like if an account is a member of a privileged group we have to create another account for him to access his mailbox?

    Regards,

    Deepak



    Wednesday, March 7, 2012 2:48 PM
  • Sure Rich,

    Thank you for the information; however, I have a question where I would seek your advice.

    This scenario happened on a mailbox that was working fine for a long time! So do you think an inheritance block will happen all of a sudden?

    Regards,

    Deepak



    Wednesday, March 7, 2012 2:50 PM
  • On Wed, 7 Mar 2012 14:50:16 +0000, Deepak Siva Sankar wrote:
     
    >Thank you for the information; however, I have a question where I would seek your advice.
    >
    >This scenario happened on a mailbox that was working fine for a long time! So do you think an inheritance block will happen all of a sudden?
     
    It isn't a question of when it will happen, it's a fact.
     
    It's possible the user account wasn't a member of a privileged group
    before.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Wednesday, March 7, 2012 4:39 PM
  • Thanks, is there any article which explains this fact?

    Because it was working fine in my Lab. I appreciate your reply.

    Regards,


    Deepak

    Wednesday, March 7, 2012 7:29 PM