No announcement yet.

2000/2003 ExMerge permissions in a Terminal Server session

  • Filter
  • Time
  • Show
Clear All
new posts

  • 2000/2003 ExMerge permissions in a Terminal Server session

    First allow me to take a moment to thank everyone for a fantastic site and what promises to be a fantastic forum. What I am posting here is not a problem, or rather is a problem I have already found the solution too. (Not a bad first post eh?) I am posting the solution here because this site is where the best portion of my research was performed.

    I am the Sys Admin for a small municipality with limited resources. The last day or so I have been working with the ExMerge program in Exchange 2003 with the intention of creating brick level backups once a week to supplement the regular backups which use NT-backup. My Exchange server is down the hall from my office so normally I do my work in a Terminal Server (Administrative Mode) session.

    I had significant issues with setting the correct permissions to access the mailboxes. Daniel's article although very good did not seem to be working for me. Since Domain Admins had an explicit Deny on the Exchange Receive As permission I had created a new user for this purpose, I added the new user to both the Server Administrators group and a new security group called Email Managers.

    Initially I would not be able to view the list of mailboxes and I would get this as the last entries in my ExMerge.log...
    [14:06:33] Error initializing MAPI. (CAdminProfileRoutines::CreateSystemAttendantProfi le)
    [14:06:33] Error initializing MAPI.
    [14:06:33] Error initializing MAPI.
    [14:06:33] MAPI has not been initialized (CMapiSession:eleteOurProfile)
    [14:06:33] Error encountered getting mailbox information from the private information store database(s) on server 'EXCHANGE'. Make sure you have adequate permissions on the Information Store object. Please refer to the 'ExMerge.log' log file for more information.
    My problem as it turns out was solely due to the Terminal Session I was working in. Non-Administrators working in a term session do not have the right to "Create Global Objects" (see Had I been working at the console, or had I scheduled my process using the AT command everything would have worked hours ago.

    To add the Create Global Objects permission to an account or group follow these steps on the server running ExMerge.
    • Click Start, point to Programs, point to Administrative Tools, and then click Domain Controller Security Policy.
    • Expand Security Settings, expand Local Policies, and then click User Rights Assignment.
    • In the right pane, double-click Create global objects.
    • Click to select the Define these policy settings check box, and then click Add.
    • Add the User or Group you are working with and then click OK.
    • In the Security Policy Setting dialog box, click OK, and then quit the Domain Controller Security Policy utility.

    (You must wait 15 minutes and/or restart the Information Store for the changes to take effect.)

    Hopefully this will save some poor soul the couple hours I lost...
    Last edited by Menneset; 10th January 2008, 23:16.

  • #2
    Re: 2000/2003 ExMerge permissions in a Terminal Server session

    Hi there, good tip.

    Or, you can do this:
    • Create a new user who will be the Exmerge administrator but do not create an Exchange mailbox for that user - call the user "exmerge" and give a strong password
    • Add "exmerge" to be a member of the following groups:
    • Administrators (not Domain Admins. To give read/write access to the correct Windows files and folders needed for exmerge.exe to run)
    • Exchange Domain Servers and
    • Exchange Enterprise Servers (to give Receive As permissions on the all of the Information stores, both private and public)
    • For each of the Information Stores in Exchange System Manager, (e.g. First Storage Group) right click and on the Security tab, add the user account "exmerge" and give him at least "Receive As" permissions.
    • Right click exmerge.exe and select Run As... and enter the credentials of the user "exmerge" or schedule the task exmerge.exe to run under that user account.
    Best wishes,
    MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008


    • #3
      Re: Thanks for sharing


      Thanks for sharing your answer with us! I'm sure others will also benefit from knowing what was wrong and how you fixed it.


      Daniel Petri
      Microsoft Most Valuable Professional - Active Directory Directory Services