Announcement

Collapse
No announcement yet.

Exmerge Permissions

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Exmerge Permissions

    Does anyone know what permission (user level) are required in order for Exmerge to work.

    I have problems using Exmerge. The Log states that "Error opening message store (MSEMS)" and to check permissions.

    I have used this in the past on other systems.

    I have assigned every permission I can think of.

    Thanks.

  • #2
    Re: Exmerge Permissions

    In order to use Exmerge you need to have "Receive As" permissions on the store you're trying to open.
    Cheers,

    Daniel Petri
    Microsoft Most Valuable Professional - Active Directory Directory Services
    MCSA/E, MCTS, MCITP, MCT

    Comment


    • #3
      Re: Exmerge Permissions

      The trick here is not to give the user too many permissions, because some admin groups are denied so if you make the user a member of every powerful group you can think of, then you'll be getting "denied" in there somewhere. Here is some stuff I learned about exmerge from Daniel Petri's articles and from my own experience and finally I got it all to work:

      Download Exmerge.exe from http://www.microsoft.com/downloads/d...displaylang=en
      Using Exmerge, you can export all mailboxes, calendar notes etc. from Exchange into pst files and then merge the data back into another installation of Exchange. You must take the following steps:

      Export Notes:
      • Copy all the files for Exmerge.exe into the /bin directory under your Exchsrvr directory, i.e. C:\Program Files\exchSrvr\Bin
      • In Active Directory Users and Computers, Click the Advanced Features option from the View menu.
      • Create a new user who will be the Exmerge Administrator (do not make the user a member of the Administrators group!) - call the user "exmerge" and give a password
      • Make "exmerge" a member of Exchange Domain Servers and Exchange Enterprise (to give rights to the Exchange private information store databases) and Server Operators (to give the right to logon locally)
      • Right click each user in turn and on their properties dialog box click Exchange Advanced.
      • Set the Mailbox rights for "exmerge" to have Full Access rights to each of the mailboxes (see our wonderful Daniel Petri's article here: http://www.petri.com/grant_full_mail..._2000_2003.htm)
      • Set user rights for "exmerge" to gain write access to the bin folder mentioned above.
      • Set user rights for "exmerge" to full control access to the exmerge.exe and exmerge.ini files in the bin folder mentioned above.
      • Right click exmerge.exe and select Run As... and enter the credentials of the user called "exmerge".
      • Be sure to carry out this process for both Export and Import

      Import note:

      Use the -k switch to skip over minor errors


      Troubleshooting:

      if you see the error in the exmerge log: "Error configuring message service (MSPST MS) (MAPI_E_EXTENDED_ERROR) (CMapiSession::CreateEMSPSTProfile)" then you have not run the Exmerge program as the special user that has the correct rights over the mailbox. Remember to right click Exmerge.exe and select Run As...
      Best wishes,
      PaulH.
      MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008

      Comment


      • #4
        Re: Exmerge Permissions

        you are correct in that I have mad the account I am using for exmerge a meber of everything.

        Will hone down and retry.

        If i could get it to work regularaly then it would be a fantastic tool for backups and offsite storage.

        Comment


        • #5
          Re: Exmerge Permissions

          Paul, quick question - where did you get that information from? I'm interested in the part about putting the user in the Exchange and Server Operators groups and so on. Although it may be technically right, I think it's a huge overkill to do that, plus not to mention manually giving the user parmissions on each mailbox.

          I simply suggest to create a regular user, allow that user to logon to the Exchange server (if it's not a DC there should be no changes required), and give it the RECEIVE AS permissions on the specific store that is to be recovered.

          So why do that loop?
          Cheers,

          Daniel Petri
          Microsoft Most Valuable Professional - Active Directory Directory Services
          MCSA/E, MCTS, MCITP, MCT

          Comment


          • #6
            Re: Exmerge Permissions

            Daniel, I got that info from my own efforts at getting it working and during the course of my attempts, I read a number of articles from various places.

            I visited one client, managed to get those steps working and then documented it for myself. Then I visited another client, went through those exact steps in a clear and organised way and it worked first time, so I thought that would be OK.

            Now, having re-read your good article about this whole topic, I can see that the objective can be achieved without going through quite such a long process!

            So, your way is better and as always, the fewer steps one has to do, the better because it's all less error prone. I made my exmerge user a Server Operator so that he could logon locally, which I needed to do at the time. The Exchange networks I tend to look after usually have only 1 server, and he could not be a member of Domain Admins.

            Best wishes,
            Best wishes,
            PaulH.
            MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008

            Comment


            • #7
              Re: Exmerge Permissions

              If the Exchange box is not a DC then by default any user can log on to it, no need to make him or her a member of the Server operators group. Too much power.

              As for the Exchange built-in groups - don't ever touch them, don't move them, don't rename them, unless you are looking for trouble.
              Cheers,

              Daniel Petri
              Microsoft Most Valuable Professional - Active Directory Directory Services
              MCSA/E, MCTS, MCITP, MCT

              Comment


              • #8
                Re: Exmerge Permissions

                Understood. Most of the rest of my long-winded approach was to give him permissions to run Exmerge from that folder and to write to the log. When I do this on an SBS box, it is the DC so this approach works. Next time, I'll try a little more sophistication!

                Thanks for the tips.
                Best wishes,
                PaulH.
                MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008

                Comment

                Working...
                X