  • User rights question

    Hello all,

    I am having an odd problem with a user's rights. We have a 2003 Exchange Server, and a 2003 AD Domain. I have enterprise admin rights, but cannot change mailbox rights on a user. The permissions are inherited from the parent, which is deny full mailbox access.

    1. What would the parent object for a user account be?
    2. Why can't I change security settings on a user account since I am a member of domain admins, enterprise admins, etc.?

    Thank you,

    Tim

  • #2
    Re: User rights question

    In the case of mailboxes, "mailbox store" is the parent and in case of users the container/OU is the parent.

    1. Just check the rights at the Exchange level because Exchange rights are different from the AD permissions and can be delegated at Exch org and administrative group level.

    2. If someone else has set an explicit deny for admin then being an admin you can take ownership and reset the permissions.

    Regards,
    Kapil Sharma
    ~~~~~~~~~~~~~
    Life is too short, Enjoy It.


    • #3
      Re: User rights question

      I have full rights to the mailbox store in Exchange Manager.

      In AD, under Exchange Advanced, Mailbox rights, I have deny full, yet I am the owner.

      I also have Full Control of the Users container.

      I'm not sure what else to check.

      Thanks again for your help!

      Tim


      • #4
        Re: User rights question

        By default administrators do not have "send as" and "receive as" permissions on the user mailboxes.

        Just go through the last FAQs carefully in the below article:

        http://technet.microsoft.com/en-us/l.../aa998756.aspx

        Regards,
        Kapil Sharma
        ~~~~~~~~~~~~~
        Life is too short, Enjoy It.


        • #5
          Re: User rights question

          How to Grant Your Administrative Logon Account Temporary Access to All Mailboxes in an Exchange Database

          "In Microsoft Exchange 2000 Server and Exchange Server 2003, there is no service account, and even accounts with Enterprise Administrators rights are denied rights to gain access to all mailboxes.

          Note: In Microsoft Windows 2000 Server and Microsoft Windows Server 2003, services typically run under the account of the computer where they are installed. This account is the local system account (LocalSystem), and its password is created and recycled by Windows 2000 or Windows Server 2003. By default, you can use this service account to gain access to the Exchange mailbox, the public folder stores, and other Windows resources for performing mail transfer and directory synchronization.

          If your logon account is the Administrator account or is a member of the Domain Admins or Enterprise Admins groups, then you are explicitly denied access to all mailboxes other than your own, even if you otherwise have full administrative rights over the Exchange system. All Exchange Server 2003 administrative tasks can be performed without having to grant an administrator sufficient rights to read other people's mail.

          You can override this default restriction in several ways, but do so only in accordance with your organization's security and privacy policies. Frequently, overriding the default restriction is appropriate only in a recovery server environment."

          1. Create a Windows Security Group, and name it something such as "Exchange Recovery Administrators".
          2. Add the Windows account you are using to this group.
          3. In Exchange System Manager, locate the target database and open its Properties dialog box. On the Security tab, add the Exchange Recovery Administrators group and grant this group Full Control permissions on the database, including Receive As permissions.

          "It may be necessary to wait up to 15 minutes for the permissions granted to take effect or you may have to log off and log back on.
          Microsoft also recommends that you reset cached permissions by stopping and restarting all Exchange services, the IIS Admin Service, and the Windows Management services. If you have multiple domain controllers in the forest, you may also have to wait for directory replication to complete."

          source
          - http://technet.microsoft.com/en-us/l...aa996410.aspx#
          - http://support.microsoft.com/kb/821897

          Security Tab Not Available on All Objects in System Manager
          http://support.microsoft.com/kb/259221/


          \Rems

          This posting is provided "AS IS" with no warranties, and confers no rights.

          __________________

          ** Remember to give credit where credit's due **
          and leave Reputation Points for meaningful posts
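
Added example, not part of the post above and not Microsoft's code: a simplified Python model of how a Windows DACL in canonical order is evaluated for one right, showing why an allow granted on the database takes effect despite the inherited deny, and why an explicit deny on a single mailbox still blocks access. The ACL contents and the three-level hierarchy (organization, mailbox store, mailbox) are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    kind: str       # "deny" or "allow"
    trustee: str    # group name
    right: str      # e.g. "Receive As"
    depth: int = 0  # 0 = explicit, 1 = inherited from parent, 2 = grandparent

def effective_acl(*levels):
    """levels: explicit ACE lists ordered from the object up to the root.
    Returns the ACEs in canonical order: explicit first, then nearest
    ancestor first; deny before allow within each level."""
    aces = [Ace(a.kind, a.trustee, a.right, depth)
            for depth, level in enumerate(levels) for a in level]
    return sorted(aces, key=lambda a: (a.depth, a.kind != "deny"))

def access_check(groups, acl, right):
    """The first ACE matching the caller's groups and the right decides."""
    for ace in acl:
        if ace.trustee in groups and ace.right == right:
            return ace.kind == "allow"
    return False  # no matching ACE: implicit deny

# Constructed ACLs (assumption: the default deny is set above the database).
ORG = [Ace("deny", "Domain Admins", "Receive As"),
       Ace("deny", "Enterprise Admins", "Receive As")]
ADMIN = {"Domain Admins", "Enterprise Admins"}
RECOVERY = ADMIN | {"Exchange Recovery Administrators"}
DB_GRANT = [Ace("allow", "Exchange Recovery Administrators", "Receive As")]
MAILBOX_DENY = [Ace("deny", "Domain Admins", "Receive As")]

def scenarios():
    """Each call passes (mailbox ACEs, database ACEs, organization ACEs)."""
    r = "Receive As"
    return {
        "default": access_check(ADMIN, effective_acl([], [], ORG), r),
        "after_group_grant":
            access_check(RECOVERY, effective_acl([], DB_GRANT, ORG), r),
        "explicit_deny_on_mailbox":
            access_check(RECOVERY, effective_acl(MAILBOX_DENY, DB_GRANT, ORG), r),
    }

if __name__ == "__main__":
    for name, granted in scenarios().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

The third scenario corresponds to a mailbox that carries its own deny entry: the database-level grant does not help there, and the deny has to be removed on the mailbox itself.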


          • #6
            Re: User rights question

            Thanks for all the help! I am able to access the mailbox now. What's odd is that I have been able to grant myself (and others) access to other mailboxes without a problem for a while now.

            This particular mailbox is one of the only ones that had a deny Full Control on. Most of these mailboxes are shared between members of the same department and I have been able to grant them access without an issue. We migrated from a 2000 SB server w/ exchange to 2003 AD /exchange and have seen some odd problems. I think it may be related to that...

            Thanks again,

            Tim
