Odd Permissions issue?


  • Odd Permissions issue?

    This is a bit of a strange one and I'm not sure where to go from here.

    Exchange 2007 SP3, no rollup updates applied.

    I have a security group called "Full Mailbox Access". This was set up over a year ago and has been working fine. This security group was given the "GenericAll" permission to a mailbox database.

    Since last week, if I create a new mailbox on the above mailbox database and initialise the mailbox, this security group is listed on the "Manage Full Mailbox Access".

    I can open the mailbox via Outlook; via OWA, I can't. I receive the following message:

    "You do not have permission"


    So at first I thought OK, maybe it is replication, waited 9 hours. This made no difference, still the same message.

    So I right-clicked the mailbox in question, selected "Manage Full Access" and added a normal user, say in finance.

    Apply and OK.

    I then attempted to open the mailbox via OWA, and guess what, I got in!!!!

    So it is like the mailboxes now have to be touched/modified for the permissions to kick in.

    Clearly my permissions are correct as I haven't added or removed the "Full Mailbox Access" group from the mailbox.

    I ran the command get-mailboxpermission <Mailbox> | fl
    and
    get-mailbox <mailbox name> | fl

    before and after

    I then opened a file comparer and both text files were the same (except for the standard user account I added to kick in the permissions).

    Anyone got any ideas?

  • #2
    Re: Odd Permissions issue?

    Had anyone logged in to that mailbox directly? If not, then that is the problem. The permissions are not populated until the mailbox is used for the first time.

    Also, I wouldn't have created a group called "Full Mailbox Access" because that could get confused with the permission "Full Mailbox Access". Although I never have a group with permissions to everything by default anyway. The only account that does that is BESADMIN when Blackberry is used. Anything else I consider a security risk.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.



    • #3
      Re: Odd Permissions issue?

      I see your point, but this has never been the case as I enabled the mailbox by pinging it an email.

      This then showed all the groups listed in the "Manage Full Access" instead of the NT User\Self Permission.

      The mailbox can be initialised by the user logging on for the first time or an email being pinged to it, which was done, as the ACL was populated correctly.

      The odd thing is this only started happening last week.



      • #4
        Re: Odd Permissions issue?

        Previous behaviour is not a guarantee that the behaviour was correct or will continue to operate in the same way.
        In my experience, sending an email to the mailbox did not always populate the permissions in AD correctly, only by logging in to the account did that happen.

        Simon.
        --
        Simon Butler
        Exchange MVP

        Blog: http://blog.sembee.co.uk/
        More Exchange Content: http://exchange.sembee.info/
        Exchange Resources List: http://exbpa.com/
        In the UK? Hire me: http://www.sembee.co.uk/

        Sembee is a registered trademark, used here with permission.



        • #5
          Re: Odd Permissions issue?

          Thanks for the info,

          I have MS calling this afternoon. I'll see what happens.



          • #6
            Re: Odd Permissions issue?

            Turned out MS tested this in their lab and they stated that this is by design: the mailbox permissions have to be set explicitly on the mailbox, rather than inherited from either the DB or server.

            I will just have to work round this by adding the required groups when mailboxes are created.

            The most annoying thing about this is that it was working fine two weeks ago.

            Ho Hum, thought I would post this in case anyone else stumbled across this post.
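
The workaround described in post #6, as an added example that is not code from the thread or from Microsoft: it lists mailboxes on a database where the group has no explicit (non-inherited) FullAccess entry, then previews the explicit grant. The domain part of `$Group`, the `$Database` name and the helper `Test-GroupFullAccess` are assumptions made for illustration.

```powershell
# Added example. The domain part of $Group and the $Database name are
# placeholders, not values from the thread; replace them before running.
$Group    = 'EXAMPLE\Full Mailbox Access'
$Database = 'Mailbox Database'

# Hypothetical helper: true when $Group holds an allow FullAccess entry on the
# mailbox that is inherited ($Inherited = $true) or explicit ($false).
function Test-GroupFullAccess($Identity, [bool]$Inherited) {
    $aces = @(Get-MailboxPermission -Identity $Identity -User $Group |
        Where-Object {
            ($_.AccessRights -like '*FullAccess*') -and
            ($_.IsInherited -eq $Inherited) -and
            (-not $_.Deny)
        })
    $aces.Count -gt 0
}

# Mailboxes on the database where the group has no explicit entry.
$missing = @(Get-Mailbox -Database $Database -ResultSize Unlimited |
    Where-Object { -not (Test-GroupFullAccess $_.Identity $false) })

# Show them, with a column saying whether an inherited entry is present.
$missing | Select-Object Name,
    @{ Name = 'InheritedFullAccess'; Expression = { Test-GroupFullAccess $_.Identity $true } } |
    Format-Table -AutoSize

# Preview the explicit grant; remove -WhatIf once the list has been reviewed.
$missing | ForEach-Object {
    Add-MailboxPermission -Identity $_.Identity -User $Group -AccessRights FullAccess -WhatIf
}
```

Run it from the Exchange Management Shell. The report step alone also shows how many mailboxes a single broad group can open, which is the exposure raised in post #2.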
