Announcement

Collapse
No announcement yet.

Administrator given 'deny' to server group

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Administrator given 'deny' to server group

    Last winter I replaced an SBS 2003 server and granted the administraor full access to the 'server' object under My Organization so I could do an exmerge brick backup of the mailstore.

    Tonight during routine maintenance I decided to undo this and in error, I gave the administrator 'deny' access to the entire server object. Now when I click on the object nothing shows up, not mail store, mai boxes, public folder store.

    If I try to expand the 'server' icon from the ESM I get the error "there is no such object on the server'. If I right-click the server icon, there is no selection for properties.

    Is there a way I can undo what I have done or fix this? Thanks
    Network Engineers do IT under the desk

  • #2
    Re: Administrator given 'deny' to server group

    take ownership?
    Create new user that belongs to the appropriate group and use that to fix?
    REstore backup ?

    (You mentioned adminstrator user, not administrator group..)
    Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif

    Comment


    • #3
      Re: Administrator given 'deny' to server group

      That is correct, the administrator user had been given the deny accees to the exchange server object. It is difficult to adminster the exchange server when it doesn't even show up. THANKS,
      Network Engineers do IT under the desk

      Comment


      • #4
        Re: Administrator given 'deny' to server group

        ok -the USER has been given deny privileges
        However, I expect that there will be a group such as "domain administrators" that will have existing privileges to exchange

        Therefore, add a new user to the "Domain Admins" group within Active Directory. That should help your scenario..
        Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif

        Comment


        • #5
          Re: Administrator given 'deny' to server group

          Than tehcamel, I will try that later or this weekend and report back. Cheers.
          Network Engineers do IT under the desk

          Comment


          • #6
            Re: Administrator given 'deny' to server group

            no probs buddy
            Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif

            Comment


            • #7
              Re: Administrator given 'deny' to server group

              That worked good. I created a new user and made the user a member of the Domain Admins. When I went to ESM I got the error, the user has to have 'Create Global Name' privledge. I made that change in the Local Security Policy and I was off to the races.

              I am now able to remove the 'deny' rights from the administrator but I have had seconds thoughts about it. Before all this started, I was looking in the Logons object in ESM and saw an HTTP administrator logon to a regular users mailbox.

              What do you think?
              Network Engineers do IT under the desk

              Comment


              • #8
                Re: Administrator given 'deny' to server group

                I used to see random users logged onto other user's mailboxes all the time.. not necessarily a security problem...
                Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif

                Comment


                • #9
                  Re: Administrator given 'deny' to server group

                  I could see that if you were sharing calendars or a contact list. It was peculiar to see the administrator as having logged onto the mailbox of a marketing manager using HTTP - something like spy vs. spy

                  Thanks,
                  Network Engineers do IT under the desk

                  Comment


                  • #10
                    Re: Administrator given 'deny' to server group

                    I suspect, but not fully sure, that i've seen it before

                    In fact, if I think about it.. you're using the administrator account to use ESM, correct ?
                    I think that may use HTTP connections..
                    Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif

                    Comment


                    • #11
                      Re: Administrator given 'deny' to server group

                      ESM does indeed use HTTP to access some elements of Exchange. Public Folders is the most common element.

                      The simple rule with Exchange permissions is that you shouldn't touch the permissions unless you are 100% sure that you know the consequences.
                      Your mistake was how you granted permission to do the exmerge. I am not sure where you found that setting, it isn't one I recognise. Permissions for that kind of activity should be done at the Mailbox Database or Mailbox level.

                      Simon.
                      --
                      Simon Butler
                      Exchange MVP

                      Blog: http://blog.sembee.co.uk/
                      More Exchange Content: http://exchange.sembee.info/
                      Exchange Resources List: http://exbpa.com/
                      In the UK? Hire me: http://www.sembee.co.uk/

                      Sembee is a registered trademark, used here with permission.

                      Comment

                      Working...
                      X