Exchange Mailbox Security Rights

[rstainforth]

Hi all,

After a little bit of advice, if anybody can help...We experienced a server outage last night on our exchange server, which is now in hand and being dealt with, but during the course of investigations this morning I have found some rather odd rights assigned in the exchange mailbox rights for users;

I discovered that I couldn't access exchange mailboxes via Outlook 2003, and when I looked into the rights I found that Administrator had full mailbox access both applied and denied. Now then, the full mailbox access was allowed at the top of the list, and the deny was further down, and I'm sure that the rights are assigned heirarchically, so I should still be able to access the mailboxes, so I am assuming the rights are being inherited further up the chain....but I don't know where from. ANd the wierdest thing is, even though those rights are uniform across the schema, I can access some mailboxes but not others !?!?

OK, so as a temporary fix, I added administrators onto the exchange mailbox store, and allowed that to propagate down; this has given me access to all the mailboxes through Outlook, however I don't want to leave this as a permanent solution. I need to find the parent that is assigning rights to the individual mailboxes in A/D, but I can't for the life of me see it! As far as I can see, there isn't anything in GP to govern this (infact, I don't think there are any exchange attributes in our GPO's anywhere), so can anybody give me a clue where to look?

atm I am running server/exchange 2003 (standard/enterprise respectively) patched up last week, and it is a 2ary DC.

[chilifrei64]

Where specifically are you applying these permissions, Exchange (fortunately and unfortunately) can have permissions changed on nearly 10 different levels.

[rstainforth]

Ok, the permissions are applied (usually) when I create a user in A/D, on their exchange advanced tab of the user properties. Once I've created the user and their exchange box, they are added into our spam filter, the mailbox is added onto Admins Outlook, and a test mail sent to activate the account.

I'm guessing that, since I can't access boxes as I would do, that something has gotten screwed up in A/D or Exchange following last nights server outage (still not 100% what happened there, but we got it back ok lol). I need to find the ultimate parent for the exchange attributes so I can alter the permissions.

I din't set up this domain, and the guy I took over from has left...I'm a complete A/D and Exchange n00b, so struggling a little with it all now lol

[rstainforth]

Right, managed to find a fix, if not a solution....looking at the permissions assigned to the mail server in exchange manager, the allow full access was waaaaaay down the bottom of special permissions, so whatever was being inherited from the parent was meaning A/D never actually got down to it, so we added a new permission at the top of the list allowing admisnistrator full access....

et voila, I can now access mailboxes in Outlook.

Would still be nice to know what was causing the issue in the first place, as I think it will need rectifying eventually.....got a nasty feeling that all is not well in Active Directory lol