Remove From My Forums

Active Directory Rights and Exchange 2007

Question
0

Sign in to vote

Hi ... Hoping someone can assist me with the following problem. I was told to submit this question to this forum.

I have a Windows Server 2008 R2 Domain Controller and Exchange 2007 version 8.03.0192.001. We have approximately 250 users configured with Exchange mailboxes. We have an account named "Account_1" that has "Full Access Permission" to all mailboxes. However this account is unable to access approximately 9 mailboxes. I have tried the following to correct this problem:

1. Delete and re-add "Full Access Permission" within Exchange.
2. Re-boot Exchange.
3. Opened Active Directory, opened the user account, clicked the "Security" tab, clicked "Advanced", un-checked "Include Inheritable Permissions from this object's parent" checkbox, clicked "Add" on the security pop-up window, clicked OK. I then re-checked the checkbox and clicked Ok.

Step number 3 temporarily fixed the problem but a few hours later the problem re-appeared.

Any suggestions ?

JD

Tuesday, January 24, 2012 8:00 PM

All replies

0

Sign in to vote

I feel Include Inheritable Permissions are getting removed on its own.

Can you verify now. is Include Inheritable Permissions Checked ?

Go to any one of your DC and run "repadmin /syncall /Aped"

You are trying to sync your DC's verify you don't have replication Errors"

Regards
Satheshwaran Manoharan

Tuesday, January 24, 2012 9:01 PM
0

Sign in to vote
Hi Satheshwaran,

The "Include Inheritable Permissions" is checked. There do not seem to be any errors with replication. We have two Domain Controllers in our environment. I executed the following two commands on the Primary Domain Controller. Could this be a case of corrupted mailboxes ?:

repadmin /replsum * /bysrc /bydest /sort:delta

repadmin /replsum * /bysrc /bydest /sort:failures

Here are the results:

Beginning data collection for replication summary, this may take awhile:
.....

Source DSA          largest delta    fails/total %%   error
AD2                    31m:42s    0 /   5    0
AD1                    31m:30s    0 /   5    0

Destination DSA     largest delta    fails/total %%   error
AD1                    31m:43s    0 /   5    0
AD2                   31m:31s    0 /   5    0

JD
- Edited by tp99 Wednesday, January 25, 2012 12:43 AM
Wednesday, January 25, 2012 12:42 AM
0

Sign in to vote

I forgot to mention the following Satheshwaran,

Exchange 2007 (version 8.03.0192.001) is installed on a Windows 2003 R2 Standard Server 64-Bit with SP2.

Our Domain Controllers are Windows Server 2008 R2 Standard 64-Bit.

Regards,

JD

Wednesday, January 25, 2012 2:14 AM
0

Sign in to vote

Hello,

Just for a test to grant the Full Access Permission to another user and see if it works properly.

Thanks,
Simon

Thursday, January 26, 2012 4:14 PM

Moderator
0

Sign in to vote

Hi Simon,

It's the same result with another user.

Thanks,

JD

Thursday, February 9, 2012 12:35 AM
0

Sign in to vote

Hello!

If users are members of protected groups controlled by adminsdholder attribute, ACL on Active Directory will reset to default every 60 minutes.

https://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

Could be this the issue?

Wednesday, March 2, 2016 12:37 PM
0

Sign in to vote

[...]

Step number 3 temporarily fixed the problem but a few hours later the problem re-appeared.

Any suggestions ?

JD

Yes, I would look at protected groups as Novas T. suggested. The fact that you can apparently make this work and then observe that it stops working later on seems to indicative of this.
Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

Wednesday, March 2, 2016 3:31 PM