Can't get FULL ADMIN access to our Exchange server


  • Can't get FULL ADMIN access to our Exchange server

    Something's happened to our Exchange server. The only "Exchange Full Administrator" is "S-1-5-21-5784412-....-1491". The Windows server admin is only an "Exchange Administrator" and thus we can not log on as a FULL ADMINISTRATOR.

    Is there a way to get in as FULL??

    Exchange 2003 running on Win2K3 server.
    Last edited by JDMils; 2nd May 2006, 04:46.
    |
    +-- JDMils
    |
    +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
    |

  • #2
    Re: Can't get FULL ADMIN access to our Exchange server

    Usually the SID is indicative of a problem getting names resolved in AD.

    Is this machine a DC??

    Do you have the Exchange tools installed on another PC??



    • #3
      Re: Can't get FULL ADMIN access to our Exchange server

      Have you figured out yet if the SID represents a domain account or a local account? Without even giving it a 2nd look I'm guessing it represents a domain account or group.
      VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+
      boche.net - VMware Virtualization Evangelist
      My advice has no warranties. Follow at your own risk.



      • #4
        Re: Can't get FULL ADMIN access to our Exchange server

        Usually the SID is indicative of a problem getting names resolved in AD.
        There are two other names in the box marked as Exchange Administrators, but just this one resolves as a SID.

        Is this machine a DC??
        Yes

        Do you have the Exchange tools installed on another PC??
        Sorry, I don't know what the Exchange tools are.

        Have you figured out yet if the SID represents a domain account or a local account?
        Don't know how to do this.

        I've been trying to perform the instructions on this MS page but I get stuck at this point:

        9. Enter the following at a command prompt
        at xx.xx /interactive "mmc.exe"
        where xx.xx is the time for the process to begin. NOTE: If you do this through a Terminal Session the MMC pops up on the console and not through the TS session. You must perform this step directly on the server.
        mmc starts, but it's invisible as it only shows up in Task Manager! I think this line is trying to start the mmc using the SYSTEM credentials in order to get FULL access to Exchange.
        |
        +-- JDMils
        |
        +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
        |



        • #5
          Re: Can't get FULL ADMIN access to our Exchange server

          Originally posted by JDMils
          There are two other names in the box marked as Exchange Administrators, but just this one resolves as a SID.


          Yes


          Sorry, I don't know what the Exchange tools are.


          Don't know how to do this.

          I've been trying to perform the instructions on this MS page but I get stuck at this point:


          mmc starts, but it's invisible as it only shows up in Task Manager! I think this line is trying to start the mmc using the SYSTEM credentials in order to get FULL access to Exchange.

          Let me guess, you're trying the command using a Terminal Services connection?
          at xxx /interactive "mmc.exe" isn't going to work properly when you're using Terminal Services. Well, it is but the /interactive MMC is probably being presented to console0 which you can only get to by being at the server keyboard or using a 3rd party remote tool such as DameWare, pcANYWHERE, Altiris, etc. Or a hardware solution such as a TCP/IP KVM, Compaq/HP RILO/iLO, DRAC card, etc.

          at 19:44 /interactive "mmc.exe" worked fabulously for me. The MMC popped up at 19:44.

          You can look at SIDs using the Windows Resource Kit utility getsid.exe
          i.e.
          C:\>getsid \\intelp4320 administrator \\obiwan jason
          The SID for account INTELP4320\administrator does not match account BOCHE\jason
          The SID for account INTELP4320\administrator is S-1-5-21-1659004503-1580818891-839522115-500
          The SID for account BOCHE\jason is S-1-5-21-73586283-1580818891-854245398-1114

          Your SID ending in -1491 is definitely a domain user account, possibly a service account.
          Last edited by jasonboche; 2nd May 2006, 01:51.
          VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+
          boche.net - VMware Virtualization Evangelist
          My advice has no warranties. Follow at your own risk.



          • #6
            Re: Can't get FULL ADMIN access to our Exchange server

            You can look at SIDs using the Windows Resource Kit utility getsid.exe

            Cool! Is it possible to get a full list of all users' SIDs so I can at least try to find who it could belong to.
            |
            +-- JDMils
            |
            +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
            |



            • #7
              [RESOLVED] Re: Can't get FULL ADMIN access to our Exchange server

              BTW, I ran the AT command on the server's console and I now have a valid FULL EXCHANGE ADMINISTRATOR account. Thanks!!
              |
              +-- JDMils
              |
              +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
              |



              • #8
                Re: Can't get FULL ADMIN access to our Exchange server

                Originally posted by JDMils
                Cool! Is it possible to get a full list of all users' SIDs so I can at least try to find who it could belong to.

                It's possible but if you want to do it efficiently, you'll need to know a little scripting.

                Another tool I use to view domain user SIDs (and computer SIDs) is called psgetsid.exe. This tool is part of the pstools suite available for free download from http://www.sysinternals.com/

                psgetsid.exe will return the SID value for each user account you give it.

                i.e.
                C:\>psgetsid boche\jason

                PsGetSid v1.42 - Translates SIDs to names and vice versa
                Copyright (C) 1999-2004 Mark Russinovich
                Sysinternals - www.sysinternals.com

                SID for boche\jason:
                S-1-5-21-73586283-1580818891-854245398-1114


                C:\>psgetsid boche\vcenter

                PsGetSid v1.42 - Translates SIDs to names and vice versa
                Copyright (C) 1999-2004 Mark Russinovich
                Sysinternals - www.sysinternals.com

                SID for boche\vcenter:
                S-1-5-21-73586283-1580818891-854245398-3109


                C:\>


                If you have a lot of user accounts to feed it in order to track down your SID, you'd be better off finding a VB script (or writing one yourself) to tackle the job.

                It is quite possible that you will never find your account/SID by virtue of what has happened in the first place; it would appear the domain account has been deleted.

                Jas
                VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+
                boche.net - VMware Virtualization Evangelist
                My advice has no warranties. Follow at your own risk.



                • #9
                  Re: Can't get FULL ADMIN access to our Exchange server

                  Ok, I just found a wonderful VB script for you that is exactly what you are looking for:
                  http://www.freevbcode.com/ShowCode.asp?ID=5080

                  Copy the script into notepad, save as filename.vbs

                  Now drop to a command prompt, change directory to where you saved the script, and run the command:

                  cscript filename.vbs

                  It will prompt you for a computer name. Feed it the name of your domain controller.

                  A list of users and their corresponding SIDs will be dumped for you!

                  Jas



                  sample output:
                  Name: SCRead
                  SID: S-1-5-21-73586283-1580818891-854245398-1159
                  SIDType: 2
                  Status: OK
                  Caption: BOCHE\SCWrite
                  Description:
                  Domain: BOCHE
                  InstallDate:
                  Name: SCWrite
                  SID: S-1-5-21-73586283-1580818891-854245398-1160
                  SIDType: 2
                  Status: OK
                  Caption: BOCHE\Virtual Machine Administrator
                  Description:
                  Domain: BOCHE
                  InstallDate:
                  Name: Virtual Machine Administrator
                  SID: S-1-5-21-73586283-1580818891-854245398-3111
                  SIDType: 2
                  Status: OK
                  Caption: BOCHE\Virtual Machine User
                  Description:
                  Domain: BOCHE
                  InstallDate:
                  VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+
                  boche.net - VMware Virtualization Evangelist
                  My advice has no warranties. Follow at your own risk.
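
An added example, not part of any post in this thread and not the script linked in post #9: given a "Key: value" account dump like the one shown there, this Python code looks up an unresolved SID and, when it is missing, compares its domain identifier (everything before the final RID) with the accounts that are listed. The function names and the RID 4242 are constructed for illustration; the account names and the other SID values are the ones quoted in the thread, and "orphaned" only means the SID carries this domain's identifier but no listed account has it.

```python
import re

# Constructed sample in the shape of the dump above; names and SIDs are the ones quoted in the thread.
DUMP = r"""
Caption: BOCHE\SCRead
Domain: BOCHE
Name: SCRead
SID: S-1-5-21-73586283-1580818891-854245398-1159
Caption: BOCHE\SCWrite
Domain: BOCHE
Name: SCWrite
SID: S-1-5-21-73586283-1580818891-854245398-1160
"""

# Account SIDs: S-1-5-21, three domain/machine identifier values, then the RID.
SID_RE = re.compile(r"S-1-5-21(?:-\d+){3}-(\d+)")

def split_sid(sid):
    """Split an account SID into (domain or machine identifier, RID)."""
    m = SID_RE.fullmatch(sid.strip())
    if m is None:
        raise ValueError("not an S-1-5-21-x-y-z-RID account SID: " + sid)
    return sid.strip().rsplit("-", 1)[0], int(m.group(1))

def parse_dump(text):
    """Map each SID in the dump to DOMAIN\\Name."""
    accounts, rec = {}, {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        if key == "Caption":      # a new record starts here
            rec = {}
        rec[key] = value.strip()
        if key == "SID":
            accounts[rec["SID"]] = rec.get("Domain", "?") + "\\" + rec.get("Name", "?")
    return accounts

def identify(sid, accounts):
    """Classify a SID that a permissions list shows unresolved."""
    if sid in accounts:
        return "resolved", accounts[sid]
    domain_id, rid = split_sid(sid)
    if domain_id in {split_sid(s)[0] for s in accounts}:
        return "orphaned", "RID %d is not in this domain's account list" % rid
    return "foreign", "issued by another domain or a machine's local SAM"

if __name__ == "__main__":
    inventory = parse_dump(DUMP)
    print(identify("S-1-5-21-73586283-1580818891-854245398-4242", inventory))  # constructed RID
```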
