Exchange 2003 Permissions / Access question.
I am having an issue with a group membership in Exchange. This group was set to deny users access to their email. The group gives a deny to the store, and in general seems to be working fine. Once the user is put into this group she has no access to OWA or Outlook, with the exception of computers she has already logged onto and used Outlook. It seems that in that instance she is allowed to send and receive email just fine. If you delete her profile off the computer and then "log her on for the first time" she is not allowed to set up Outlook based on the permissions of the group.

It appears MAPI profiles created PRIOR to her addition to the group will authenticate her directly to her mailbox and seem to bypass the Store Authorization. Outlook client is 2007 SP1. When you delete the user profile off the computer Outlook will not recreate the MAPI profile while said user is in the group. But this user has profiles on multiple computers.

Any idea how to fix the permissions to force the MAPI profile to check store permissions prior to authentication? Individual permission settings are not really an option as there are several thousand users in these groups.

Thank you for any and all help.

Chris Hornfeldt
March 27th, 2009 4:07pm

Chris,

I am not sure why you would like to have mailboxes for the students when you don't want them to access them. Well, that's none of my business of course :-)

Instead of setting up these permissions at the store level, you can think of modifying the access level settings at the user level itself. To modify these settings in bulk you can use ADModify.net (be careful and sure about what you are doing with this tool, though it allows you a retake if something goes wrong). Using the tool you can query a group of people using an LDAP query and set them up to deny access to OWA, OMA and RPC connections too.

M-Milind Naphade
March 27th, 2009 9:01pm

"I am not sure why you would like to have mailboxes for the students when you don't want them to access them. Well, that's none of my business of course :-)"

And I am not sure how that helps me answer my issue. :-)

This is for temporary loss of email for any host of reasons. Abuse etc.

And per user is not really an option. Will ADModify work on a group level?

Chris Hornfeldt
March 27th, 2009 9:30pm

My own question does make sense to me because the explanation provided in your question does not clearly state the reason behind playing around with permissions at the store level, though the same can be done using ADUC.

The answer to the other part of your latest question is NO, it will not work at the group level, though attributes on a group can be modified using it. The reason is that groups have a different set of Exchange attributes on them than user accounts do. You can choose either of the following:

1. Use the security group in the custom LDAP filter to query all of its members (the same can be done in ADUC also). Select the desired users from the right-hand pane when the query returns its results. Modify the attributes as necessary. The filter should look something like (&(ObjectCategory=user)(memberof=<DN of the group>))

2. Move these users to a separate OU where all of them can be selected and modified in bulk using ADUC.

The only benefit of using ADModify over ADUC is that you can revert the changes if anything goes wrong.

M-Milind Naphade
March 27th, 2009 11:40pm

Yes, as Milindn said, ADModify.net is a good option to modify the users in bulk.

We can select users in bulk via ADModify.net, and check Deny for Full mailbox access on account SELF:

a. Launch ADModify.net
b. Click "Modify Attributes"
c. Choose domain and DC from the Domain List, Domain Controller List, and click the green arrow
d. Select your domain, click Custom LDAP Query button
e. Enter filter as Milindn suggested above, click Add to List button
f. Ctrl + Click on the users in the right-pane, click Next
g. In the Mailbox Rights tab, check Add user to Mailbox Rights, check Deny Entry, enter Self into Username field, check Full mailbox access
h. Click Go

More resources:
Introduction to ADModify.net
Using ADModify to Change Exchange Specific AD User Attributes in Bulk
March 30th, 2009 9:44am
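
Added example, not part of any post in this thread: one way to preview exactly which accounts the group-membership filter suggested above will select before applying a bulk Deny, using the .NET DirectorySearcher from PowerShell. The function names and the group DN are constructed placeholders; the script only reads from the directory.

```powershell
# Added example. Function names and the group DN are hypothetical placeholders.

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory = $true)][string]$Value)
    # RFC 4515 escaping. Backslash goes first so the escapes added
    # afterwards are not escaped a second time.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').
           Replace(')', '\29').Replace("`0", '\00')
}

function Get-GroupMemberUser {
    param(
        [Parameter(Mandatory = $true)][string]$GroupDn,
        [switch]$Nested   # also return members of groups nested inside $GroupDn
    )
    # A plain memberOf test only matches direct members. The matching rule
    # 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) follows nesting.
    $rule = ''
    if ($Nested) { $rule = ':1.2.840.113556.1.4.1941:' }
    $filter = '(&(objectCategory=user)(memberOf{0}={1}))' -f `
        $rule, (ConvertTo-LdapFilterValue $GroupDn)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = $filter
    # Without paging the search stops at the server's size limit (1000 by
    # default), which would silently truncate a group of several thousand.
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            New-Object PSObject -Property @{
                SamAccountName    = [string]$r.Properties['samaccountname'][0]
                DistinguishedName = [string]$r.Properties['distinguishedname'][0]
            }
        }
    }
    finally { $results.Dispose() }
}

# Constructed DN; the parentheses in the CN show why escaping matters.
$dn = 'CN=Mail Suspended (Abuse),OU=Groups,DC=example,DC=edu'
Get-GroupMemberUser -GroupDn $dn -Nested | Sort-Object SamAccountName
```

Comparing the count with and without -Nested shows whether a filter on direct membership alone would miss users who are in the deny group only through another group.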
