Hello

When I trying to assign full access permissions using 2013 Powershell or EAC console, the permissions are not applied to mailbox resided on 2010 server (full access list is not updated on 2010 console). I have to do it using 2010 tools in order to work it correctly. Is the behavior by design or something is wrong with AD permis

It should be applies to the mailbox. Did you get any error message?

That's bad. No errors. In EAC added user exists in full access rights list, but in 2010 console full access list it not exists and the permission is not working.

Wait for some time and retry. Maybe due to replication latency. Also you can verify from client end.

No, there are only one site with two DCs. No replication problems. I've waited few hours and no luck.

Not sure what's wrong with your environment. But I can confirm it's not designed behavior. Just tested in my lab on exactly same as what you described. I see the permission in both EMC and EMS on 2010 side.

Did you test it from the client side? I.e. see weather the user is able to access the mailbox?

User is given error that he has no rights, but auto-mapping is working. Thanks for checking.

Hi,

You are probably being caught out by cached information.

Exchange caches a lot of permissions etc and that cache is only flushed every 120 minutes by default. And also, the AD replication time between the servers depends on the kind of Network infrastructure.

You can force it to flush by restarting the information store. It is not recommended to reduce that cache time as it can cause significant performance issues.

I would look at changing the cache values as described here for both mailboxes and access cache to maybe 20 minutes and see if that makes things better. This also applies to 2010.

https://technet.microsoft.com/en-us/library/bb684892%28EXCHG.80%29.aspx

Best Regards.