Exchange 2003 BackofficeStorage ACLs reset
Hello:
Have a customer running Exchange 2003 (Version 6.5.7638.1) on Windows 2003 SP2. During the reboot of their server, they got the error “Invalid Security Id” and it reset the security on the BackOfficeStorage.
Users can access Exchange via Outlook, but the web users (about 200+) can't access their mailbox via OWA. Microsoft remoted in when this happened last time and fixed the permissions on the \\.\BackOfficeStorage\MBX directories but didn't tell the customer what the ACLs should be. Domain Administrators can access the mailboxes via OWA and can list the directories via the command prompt.
I dumped the permissions using xcacls for a mailbox, but unfortunately, I don't have access to an E2K3 box to compare:
C:\Program Files\Support Tools>xcacls \\.\backofficestorage\someschool.k12.xx.us\mbx\testacc | more
\\.\backofficestorage\someschool.k12.xx.us\mbx\testacc SOLANCO\testacc:(OI)(CI)F
someschool\Exchange Domain Servers:(OI)(CI)F
<Account domain not found>(OI)(CI)F
<Account domain not found>(OI)(CI)(IO)F
<Account domain not found>(OI)(CI)F
<Account domain not found>(OI)(CI)(IO)F
<Account domain not found>(OI)(CI)(IO)F
<Account domain not found>(OI)(CI)(IO)F
<Account domain not found>(OI)(CI)F
<Account domain not found>(OI)(CI)(IO)F
Someschool\TTCEMJ-84EF8E29A342:(OI)(CI)F
SOmeschool\TTCEMJ-84EF8E29A342:(OI)(CI)(IO)F
<Account domain not found>(OI)(CI)F
<Account domain not found>(OI)(CI)(IO)F
<Account domain not found>(OI)(CI)F
<Account domain not found>(OI)(CI)(IO)F
<Account domain not found>(OI)(CI)(IO)F
<Account domain not found>(OI)(CI)(IO)F
<Account domain not found>(OI)(CI)(IO)F
SOmeschool\Domain Admins:(OI)(CI)F
SOmeschool\Enterprise Admins:(OI)(CI)N
SOmeschool\Exchange Services:(OI)(CI)F
SOmeschool\EXCHANGE$:(OI)(CI)F
SOmeschool\ExMerge:(OI)(CI)F
SOmeschool\BlackBerryServ:(OI)(CI)F
NT AUTHORITY\ANONYMOUS LOGON:(OI)(IO)(DENY)(special access:)
STANDARD_RIGHTS_ALL
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
SYNCHRONIZE
STANDARD_RIGHTS_REQUIRED
FILE_GENERIC_READ
FILE_GENERIC_WRITE
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_READ_EA
FILE_WRITE_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES
NT AUTHORITY\ANONYMOUS LOGON:(CI)(DENY)(special access:)
STANDARD_RIGHTS_ALL
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
SYNCHRONIZE
STANDARD_RIGHTS_REQUIRED
FILE_GENERIC_READ
FILE_GENERIC_WRITE
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_READ_EA
FILE_WRITE_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES
C:\Program Files\Support Tools>
November 30th, 2010 5:39pm