Active Directory Rights and Exchange 2007 RRS feed

  • Question

  • Hi ... Hoping someone can assist me with the following problem.  I was told to submit this question to this forum.

    I have a Windows Server 2008 R2 Domain Controller and Exchange 2007 version 8.03.0192.001.  We have approximately 250 users configured with Exchange mailboxes.  We have an account named "Account_1" that has "Full Access Permission" to all mailboxes.  However this account is unable to access approximately 9 mailboxes.  I have tried the following to correct this problem:

    1.  Delete and re-add "Full Access Permission" within Exchange.
    2.  Re-boot Exchange.
    3.  Opened Active Directory, opened the user account, clicked the "Security" tab, clicked "Advanced", un-checked "Include Inheritable Permissions from this object's parent" checkbox, clicked "Add" on the security pop-up window, clicked OK.  I then re-checked the checkbox and clicked Ok.

    Step number 3 temporarily fixed the problem but a few hours later the problem re-appeared.

    Any suggestions ?


    Tuesday, January 24, 2012 8:00 PM

All replies

  • I feel Include Inheritable Permissions are getting removed on its own.


    Can you verify now. is Include Inheritable Permissions Checked ?


    Go to any one of your DC and run "repadmin /syncall /Aped"

    You are trying to sync your DC's verify you don't have replication Errors"


    Satheshwaran Manoharan

    Tuesday, January 24, 2012 9:01 PM
  • Hi Satheshwaran,

    The "Include Inheritable Permissions" is checked.  There do not seem to be any errors with replication.  We have two Domain Controllers in our environment.  I executed the following two commands on the Primary Domain Controller.  Could this be a case of corrupted mailboxes ?:

    repadmin /replsum * /bysrc /bydest /sort:delta

    repadmin /replsum * /bysrc /bydest /sort:failures

    Here are the results:

    Beginning data collection for replication summary, this may take awhile:

    Source DSA          largest delta    fails/total %%   error
     AD2                    31m:42s    0 /   5    0
     AD1                    31m:30s    0 /   5    0

    Destination DSA     largest delta    fails/total %%   error
     AD1                    31m:43s    0 /   5    0
     AD2                    31m:31s    0 /   5    0


    • Edited by tp99 Wednesday, January 25, 2012 12:43 AM
    Wednesday, January 25, 2012 12:42 AM
  • I forgot to mention the following Satheshwaran,

    Exchange 2007 (version 8.03.0192.001) is installed on a Windows 2003 R2 Standard Server 64-Bit with SP2.

    Our Domain Controllers are Windows Server 2008 R2 Standard 64-Bit.



    Wednesday, January 25, 2012 2:14 AM
  • Hello,

    Just for a test to grant the Full Access Permission to another user and see if it works properly.


    Thursday, January 26, 2012 4:14 PM
  • Hi Simon,

    It's the same result with another user.



    Thursday, February 9, 2012 12:35 AM
  • Hello!

    If users are members of protected groups controlled by adminsdholder attribute, ACL on Active Directory will reset to default every 60 minutes.


    Could be this the issue?

    Wednesday, March 2, 2016 12:37 PM
  • [...]

    Step number 3 temporarily fixed the problem but a few hours later the problem re-appeared.

    Any suggestions ?


    Yes, I would look at protected groups as Novas T. suggested. The fact that you can apparently make this work and then observe that it stops working later on seems to indicative of this.

    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Wednesday, March 2, 2016 3:31 PM