Exchange 2007 Full Access only working for some mailboxes, any ideas?
Hello, I'm working on an Exchange 2007 server where a "svcacct" account/mailbox needs full access permissions to the contents of all the other mailboxes on the Exchange server. There are around 100 mailboxes on this Exchange server. So, using the Exchange Management Shell, I run the following command:
get-mailbox | add-mailboxpermission -user svcacct -AccessRights FullAccess
I wait two hours for Exchange's cache to expire, and the "svcacct" can now access around 1/3 of the mailboxes. However, the "svcacct" still cannot access around 2/3 of the mailboxes. I logged into Outlook Web Access as the "svcacct", and I am able to open up some of the mailboxes okay. However, for the other mailboxes, when I try to open them, I get the error message "You do not have permission to open this mailbox. For access or for more information, contact technical support for your organization."
This Exchange server has three storage groups, and one mailbox database per storage group. The permissions problem is not specific to any mailbox database. There are mailboxes the "svcacct" can and cannot access in each mailbox database.
Searching online, I found and tried running these additional commands:
get-mailbox | add-adpermission -user svcacct -accessrights ExtendedRight -ExtendedRights "send as"
get-mailbox | add-adpermission -user svcacct -accessrights GenericAll -ExtendedRights Receive-As, Send-As, ms-Exch-Store-Admin
get-mailboxdatabase | add-adpermission -user svcacct -extendedrights Receive-As
get-mailboxdatabase | add-adpermission -user svcacct -accessrights GenericAll -ExtendedRights Receive-As, Send-As, ms-Exch-Store-Admin
I wait another two hours for Exchange's cache to expire, and the "svcacct" is still unable to access (the same) around 2/3 of the mailboxes. Does anyone have any ideas what permission settings I might be missing? Any help would be greatly appreciated. This is a real show stopper for us; our application that automatically synchronizes our CRM database with the contacts, tasks, and appointments in Exchange (via Exchange Web Services) will not work until we can resolve this permissions problem.
--Greg
December 11th, 2009 5:15pm
Here are the ACL entries for one of the mailboxes the svcacct cannot open up via Outlook Web Access:
Here is the output of running get-mailboxpermission "Doe, John"
AccessRights : {FullAccess, SendAs, ReadPermission}
Deny : False
InheritanceType : All
User : NT AUTHORITY\SELF
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
IsInherited : False
IsValid : True
ObjectState : Unchanged
AccessRights : {FullAccess}
Deny : False
InheritanceType : All
User : MYDOMAIN\administrator
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
IsInherited : False
IsValid : True
ObjectState : Unchanged
AccessRights : {FullAccess}
Deny : False
InheritanceType : All
User : MYDOMAIN\svcacct
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
IsInherited : False
IsValid : True
ObjectState : Unchanged
AccessRights : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny : False
InheritanceType : All
User : MYDOMAIN\svcacct
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {FullAccess}
Deny : False
InheritanceType : All
User : MYDOMAIN\besadmin
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {ReadPermission}
Deny : False
InheritanceType : All
User : MYDOMAIN\EX01$
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {ReadPermission}
Deny : False
InheritanceType : All
User : MYDOMAIN\besadmin
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {FullAccess}
Deny : True
InheritanceType : All
User : MYDOMAIN\Exchange Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {FullAccess}
Deny : True
InheritanceType : All
User : MYDOMAIN\Domain Admins
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {FullAccess}
Deny : True
InheritanceType : All
User : MYDOMAIN\Exchange Organization Administrators
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {FullAccess}
Deny : True
InheritanceType : All
User : MYDOMAIN\Enterprise Admins
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {FullAccess}
Deny : True
InheritanceType : All
User : MYDOMAIN\administrator
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {FullAccess}
Deny : False
InheritanceType : All
User : MYDOMAIN\Exchange Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {FullAccess}
Deny : False
InheritanceType : All
User : MYDOMAIN\Exchange Domain Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {ReadPermission}
Deny : False
InheritanceType : All
User : MYDOMAIN\Exchange Public Folder Administrators
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {ReadPermission}
Deny : False
InheritanceType : All
User : NT AUTHORITY\NETWORK SERVICE
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {ReadPermission}
Deny : False
InheritanceType : All
User : MYDOMAIN\Exchange Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {ReadPermission}
Deny : False
InheritanceType : All
User : MYDOMAIN\Exchange Domain Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {ReadPermission}
Deny : False
InheritanceType : All
User : MYDOMAIN\Exchange View-Only Administrators
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny : False
InheritanceType : All
User : MYDOMAIN\Exchange Organization Administrators
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny : False
InheritanceType : All
User : MYDOMAIN\administrator
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny : False
InheritanceType : All
User : MYDOMAIN\Enterprise Admins
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny : False
InheritanceType : All
User : MYDOMAIN\Domain Admins
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
IsInherited : True
IsValid : True
ObjectState : Unchanged
And here is the output of running get-adpermission "Doe, John"
User : NT AUTHORITY\Authenticated Users
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
Deny : False
AccessRights : {GenericRead}
ExtendedRights :
IsInherited : False
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : NT AUTHORITY\SYSTEM
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
Deny : False
AccessRights : {GenericAll}
ExtendedRights :
IsInherited : False
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : BUILTIN\Administrators
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
Deny : False
AccessRights : {CreateChild, DeleteChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner}
ExtendedRights :
IsInherited : False
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : MYDOMAIN\Domain Admins
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
Deny : False
AccessRights : {CreateChild, DeleteChild, Self, WriteProperty, ExtendedRight, GenericRead, WriteDacl, WriteOwner}
ExtendedRights :
IsInherited : False
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : MYDOMAIN\Enterprise Admins
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
Deny : False
AccessRights : {CreateChild, DeleteChild, Self, WriteProperty, ExtendedRight, GenericRead, WriteDacl, WriteOwner}
ExtendedRights :
IsInherited : False
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : MYDOMAIN\svcacct
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
Deny : False
AccessRights : {GenericAll}
ExtendedRights :
IsInherited : False
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Enterprise Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
Deny : False
AccessRights : {ListChildren}
ExtendedRights :
IsInherited : False
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : Everyone
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
Deny : False
AccessRights : {ExtendedRight}
ExtendedRights : {User-Change-Password}
IsInherited : False
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : NT AUTHORITY\SELF
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
Deny : False
AccessRights : {ExtendedRight}
ExtendedRights : {User-Change-Password}
IsInherited : False
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : NT AUTHORITY\SELF
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
Deny : False
AccessRights : {ReadProperty, WriteProperty, ExtendedRight}
ExtendedRights : {Private-Information}
IsInherited : False
Properties : {Private-Information}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : S-1-5-32-554
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
Deny : False
AccessRights : {ReadProperty}
ExtendedRights :
IsInherited : False
Properties : {General-Information}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : S-1-5-32-554
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
Deny : False
AccessRights : {ReadProperty}
ExtendedRights :
IsInherited : False
Properties : {RAS-Information}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : S-1-5-32-554
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
Deny : False
AccessRights : {ReadProperty}
ExtendedRights :
IsInherited : False
Properties : {User-Logon}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : S-1-5-32-554
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
Deny : False
AccessRights : {GenericRead}
ExtendedRights :
IsInherited : False
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : S-1-5-32-560
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
Deny : False
AccessRights : {ReadProperty}
ExtendedRights :
IsInherited : False
Properties : {Token-Groups-Global-And-Universal}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : S-1-5-32-561
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
Deny : False
AccessRights : {ReadProperty, WriteProperty}
ExtendedRights :
IsInherited : False
Properties : {Terminal-Server}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : S-1-5-32-561
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
Deny : False
AccessRights : {ReadProperty, WriteProperty}
ExtendedRights :
IsInherited : False
Properties : {Terminal-Server-License-Server}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : MYDOMAIN\Cert Publishers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
Deny : False
AccessRights : {ReadProperty, WriteProperty}
ExtendedRights :
IsInherited : False
Properties : {X509-Cert}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : MYDOMAIN\svcacct
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
Deny : False
AccessRights : {ExtendedRight}
ExtendedRights : {Send-As}
IsInherited : False
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\svcacct
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
Deny : False
AccessRights : {ExtendedRight}
ExtendedRights : {Receive-As}
IsInherited : False
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\svcacct
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
Deny : False
AccessRights : {ExtendedRight}
ExtendedRights : {ms-Exch-Store-Admin}
IsInherited : False
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Enterprise Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
Deny : False
AccessRights : {ReadProperty, WriteProperty}
ExtendedRights :
IsInherited : False
Properties : {Display-Name}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Enterprise Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
Deny : False
AccessRights : {ReadProperty, WriteProperty}
ExtendedRights :
IsInherited : False
Properties : {Public-Information}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Enterprise Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John
Deny : False
AccessRights : {ReadProperty, WriteProperty}
ExtendedRights :
IsInherited : False
Properties : {Personal-Information}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
December 11th, 2009 5:51pm
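One way to compare the two kinds of mailbox side by side instead of reading the dumps by eye, as an added example that is not part of the original posts: it diffs the Get-MailboxPermission and Get-ADPermission entries of one mailbox that fails against one that works, then summarises every mailbox by how the service account's FullAccess entry appears. The variable and function names are assumptions of this example; the account and mailbox names are the ones used in the thread, and the script only reads permissions.

```powershell
# Added example for the Exchange Management Shell. Read-only: it changes no ACL.
# Written without PowerShell 2.0-only syntax so it also runs on the 1.0 shell.
$Trustee = 'MYDOMAIN\svcacct'   # service account named in the thread
$Denied  = 'Doe, John'          # mailbox the thread reports as NOT opening
$Working = 'Doe, Jane'          # mailbox the thread reports as opening

function Get-AclLines {
    param([string]$Mailbox)

    # Store-level entries, one comparable string per ACE.
    Get-MailboxPermission -Identity $Mailbox | ForEach-Object {
        'MBX|{0}|{1}|Deny={2}|Inherited={3}' -f `
            $_.User, "$($_.AccessRights)", $_.Deny, $_.IsInherited
    }
    # Directory-level entries on the user object, same idea.
    Get-ADPermission -Identity $Mailbox | ForEach-Object {
        'AD|{0}|{1}|{2}|{3}|Deny={4}|Inherited={5}' -f `
            $_.User, "$($_.AccessRights)", "$($_.ExtendedRights)",
            "$($_.Properties)", $_.Deny, $_.IsInherited
    }
}

# 1. Entries present on only one of the two mailboxes.
#    '<=' means only on $Denied, '=>' means only on $Working.
$a = @(Get-AclLines $Denied  | Sort-Object -Unique)
$b = @(Get-AclLines $Working | Sort-Object -Unique)
Compare-Object -ReferenceObject $a -DifferenceObject $b |
    Sort-Object SideIndicator, InputObject |
    Format-Table SideIndicator, InputObject -AutoSize -Wrap

# 2. One row per mailbox: how does the trustee's FullAccess show up, is there a
#    Deny entry naming the trustee, and does the AD object carry inherited ACEs?
$report = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_
    $dn  = $mbx.DistinguishedName

    $mine = @(Get-MailboxPermission -Identity $dn | Where-Object {
        "$($_.User)" -eq $Trustee -and "$($_.AccessRights)" -match 'FullAccess'
    })
    $explicitAllow  = @($mine | Where-Object { -not $_.Deny -and -not $_.IsInherited }).Count -gt 0
    $inheritedAllow = @($mine | Where-Object { -not $_.Deny -and $_.IsInherited }).Count -gt 0
    $trusteeDeny    = @($mine | Where-Object { $_.Deny }).Count -gt 0
    $adInherited    = @(Get-ADPermission -Identity $dn |
                        Where-Object { $_.IsInherited }).Count -gt 0

    $row = New-Object PSObject
    $row | Add-Member NoteProperty Mailbox          $mbx.Name
    $row | Add-Member NoteProperty Database         "$($mbx.Database)"
    $row | Add-Member NoteProperty ExplicitAllow    $explicitAllow
    $row | Add-Member NoteProperty InheritedAllow   $inheritedAllow
    $row | Add-Member NoteProperty TrusteeDeny      $trusteeDeny
    $row | Add-Member NoteProperty ADObjectInherits $adInherited
    $row
}

# How many mailboxes fall into each combination of the four flags.
$report |
    Group-Object ExplicitAllow, InheritedAllow, TrusteeDeny, ADObjectInherits |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Full list, so the rows can be matched against the mailboxes that fail to open.
$report | Sort-Object ADObjectInherits, Mailbox | Format-Table -AutoSize
```

The script does not evaluate Deny entries that reach the account through group membership; those still have to be checked against the groups the account belongs to.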
And FWIW, here are the ACL entries for one of the mailboxes the svcacct is able to open okay via Outlook Web Access:
Here is the output of running get-mailboxpermission "Doe, Jane"
AccessRights : {FullAccess, ReadPermission}
Deny : False
InheritanceType : All
User : NT AUTHORITY\SELF
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
IsInherited : False
IsValid : True
ObjectState : Unchanged
AccessRights : {FullAccess}
Deny : False
InheritanceType : All
User : MYDOMAIN\svcacct
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
IsInherited : False
IsValid : True
ObjectState : Unchanged
AccessRights : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny : False
InheritanceType : All
User : MYDOMAIN\svcacct
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {FullAccess}
Deny : False
InheritanceType : All
User : MYDOMAIN\besadmin
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {ReadPermission}
Deny : False
InheritanceType : All
User : MYDOMAIN\EX01$
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {ReadPermission}
Deny : False
InheritanceType : All
User : MYDOMAIN\besadmin
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {FullAccess}
Deny : True
InheritanceType : All
User : MYDOMAIN\Exchange Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {FullAccess}
Deny : True
InheritanceType : All
User : MYDOMAIN\Domain Admins
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {FullAccess}
Deny : True
InheritanceType : All
User : MYDOMAIN\Exchange Organization Administrators
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {FullAccess}
Deny : True
InheritanceType : All
User : MYDOMAIN\Enterprise Admins
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {FullAccess}
Deny : True
InheritanceType : All
User : MYDOMAIN\administrator
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {FullAccess}
Deny : False
InheritanceType : All
User : MYDOMAIN\Exchange Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {FullAccess}
Deny : False
InheritanceType : All
User : MYDOMAIN\Exchange Domain Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {ReadPermission}
Deny : False
InheritanceType : All
User : MYDOMAIN\Exchange Public Folder Administrators
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {ReadPermission}
Deny : False
InheritanceType : All
User : NT AUTHORITY\NETWORK SERVICE
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {ReadPermission}
Deny : False
InheritanceType : All
User : MYDOMAIN\Exchange Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {ReadPermission}
Deny : False
InheritanceType : All
User : MYDOMAIN\Exchange Domain Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {ReadPermission}
Deny : False
InheritanceType : All
User : MYDOMAIN\Exchange View-Only Administrators
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny : False
InheritanceType : All
User : MYDOMAIN\Exchange Organization Administrators
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny : False
InheritanceType : All
User : MYDOMAIN\administrator
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny : False
InheritanceType : All
User : MYDOMAIN\Enterprise Admins
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
IsInherited : True
IsValid : True
ObjectState : Unchanged
AccessRights : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
Deny : False
InheritanceType : All
User : MYDOMAIN\Domain Admins
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
IsInherited : True
IsValid : True
ObjectState : Unchanged
And here is the output of running get-adpermission "Doe, Jane"
User : NT AUTHORITY\SELF
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {GenericRead}
ExtendedRights :
IsInherited : False
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : NT AUTHORITY\Authenticated Users
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ReadControl}
ExtendedRights :
IsInherited : False
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : NT AUTHORITY\SYSTEM
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {GenericAll}
ExtendedRights :
IsInherited : False
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : S-1-5-32-548
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {GenericAll}
ExtendedRights :
IsInherited : False
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : MYDOMAIN\Domain Admins
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {GenericAll}
ExtendedRights :
IsInherited : False
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : MYDOMAIN\svcacct
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {GenericAll}
ExtendedRights :
IsInherited : False
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : Everyone
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ExtendedRight}
ExtendedRights : {User-Change-Password}
IsInherited : False
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : NT AUTHORITY\SELF
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ReadProperty, WriteProperty}
ExtendedRights :
IsInherited : False
Properties : {Email-Information}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : NT AUTHORITY\SELF
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ReadProperty, WriteProperty}
ExtendedRights :
IsInherited : False
Properties : {Web-Information}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : NT AUTHORITY\SELF
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ReadProperty, WriteProperty}
ExtendedRights :
IsInherited : False
Properties : {Personal-Information}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : NT AUTHORITY\SELF
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ExtendedRight}
ExtendedRights : {Receive-As}
IsInherited : False
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : NT AUTHORITY\SELF
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ExtendedRight}
ExtendedRights : {Send-As}
IsInherited : False
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : NT AUTHORITY\SELF
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ExtendedRight}
ExtendedRights : {User-Change-Password}
IsInherited : False
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : NT AUTHORITY\Authenticated Users
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ReadProperty}
ExtendedRights :
IsInherited : False
Properties : {Web-Information}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : NT AUTHORITY\Authenticated Users
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ReadProperty}
ExtendedRights :
IsInherited : False
Properties : {Personal-Information}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : NT AUTHORITY\Authenticated Users
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ReadProperty}
ExtendedRights :
IsInherited : False
Properties : {General-Information}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : NT AUTHORITY\Authenticated Users
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ReadProperty}
ExtendedRights :
IsInherited : False
Properties : {Public-Information}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : S-1-5-32-560
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ReadProperty}
ExtendedRights :
IsInherited : False
Properties : {Token-Groups-Global-And-Universal}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : S-1-5-32-561
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ReadProperty, WriteProperty}
ExtendedRights :
IsInherited : False
Properties : {Terminal-Server-License-Server}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : S-1-5-32-561
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ReadProperty, WriteProperty}
ExtendedRights :
IsInherited : False
Properties : {Terminal-Server}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : MYDOMAIN\Cert Publishers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ReadProperty, WriteProperty}
ExtendedRights :
IsInherited : False
Properties : {X509-Cert}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : MYDOMAIN\RAS and IAS Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ReadProperty}
ExtendedRights :
IsInherited : False
Properties : {Membership}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : MYDOMAIN\RAS and IAS Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ReadProperty}
ExtendedRights :
IsInherited : False
Properties : {User-Logon}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : MYDOMAIN\RAS and IAS Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ReadProperty}
ExtendedRights :
IsInherited : False
Properties : {RAS-Information}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : MYDOMAIN\RAS and IAS Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ReadProperty}
ExtendedRights :
IsInherited : False
Properties : {User-Account-Restrictions}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : None
User : MYDOMAIN\svcacct
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ExtendedRight}
ExtendedRights : {ms-Exch-Store-Admin}
IsInherited : False
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\svcacct
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ExtendedRight}
ExtendedRights : {Receive-As}
IsInherited : False
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\svcacct
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ExtendedRight}
ExtendedRights : {Send-As}
IsInherited : False
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\besadmin
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ExtendedRight}
ExtendedRights : {Send-As}
IsInherited : True
Properties :
ChildObjectTypes :
InheritedObjectType : User
InheritanceType : All
User : MYDOMAIN\HelpDesk
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {CreateChild, DeleteChild}
ExtendedRights :
IsInherited : True
Properties :
ChildObjectTypes : {User}
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\besadmin
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ReadProperty, GenericExecute}
ExtendedRights :
IsInherited : True
Properties :
ChildObjectTypes :
InheritedObjectType : User
InheritanceType : All
User : MYDOMAIN\HelpDesk
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {GenericAll}
ExtendedRights :
IsInherited : True
Properties :
ChildObjectTypes :
InheritedObjectType : User
InheritanceType : All
User : MYDOMAIN\RTCUniversalUserReadOnlyGroup
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ReadProperty}
ExtendedRights :
IsInherited : True
Properties : {User-Account-Restrictions}
ChildObjectTypes :
InheritedObjectType : User
InheritanceType : All
User : MYDOMAIN\RTCUniversalUserReadOnlyGroup
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ReadProperty}
ExtendedRights :
IsInherited : True
Properties : {General-Information}
ChildObjectTypes :
InheritedObjectType : User
InheritanceType : All
User : MYDOMAIN\RTCUniversalUserReadOnlyGroup
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ReadProperty}
ExtendedRights :
IsInherited : True
Properties : {Public-Information}
ChildObjectTypes :
InheritedObjectType : User
InheritanceType : All
User : MYDOMAIN\RTCUniversalUserReadOnlyGroup
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ReadProperty}
ExtendedRights :
IsInherited : True
Properties : {RTCPropertySet}
ChildObjectTypes :
InheritedObjectType : User
InheritanceType : All
User : MYDOMAIN\RTCUniversalUserReadOnlyGroup
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ReadProperty}
ExtendedRights :
IsInherited : True
Properties : {RTCUserSearchPropertySet}
ChildObjectTypes :
InheritedObjectType : User
InheritanceType : All
User : MYDOMAIN\RTCUniversalUserReadOnlyGroup
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ReadProperty}
ExtendedRights :
IsInherited : True
Properties : {Personal-Information}
ChildObjectTypes :
InheritedObjectType : User
InheritanceType : All
User : MYDOMAIN\RTCUniversalUserAdmins
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {WriteProperty, DeleteTree}
ExtendedRights :
IsInherited : True
Properties : {Proxy-Addresses}
ChildObjectTypes :
InheritedObjectType : User
InheritanceType : All
User : MYDOMAIN\RTCUniversalUserAdmins
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {WriteProperty, DeleteTree}
ExtendedRights :
IsInherited : True
Properties : {RTCPropertySet}
ChildObjectTypes :
InheritedObjectType : User
InheritanceType : All
User : MYDOMAIN\RTCUniversalUserAdmins
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {WriteProperty, DeleteTree}
ExtendedRights :
IsInherited : True
Properties : {RTCUserSearchPropertySet}
ChildObjectTypes :
InheritedObjectType : User
InheritanceType : All
User : MYDOMAIN\Exchange Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ExtendedRight}
ExtendedRights : {User-Change-Password}
IsInherited : True
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ReadProperty}
ExtendedRights :
IsInherited : True
Properties : {Exchange-Personal-Information}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ReadProperty}
ExtendedRights :
IsInherited : True
Properties : {Canonical-Name}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ReadProperty}
ExtendedRights :
IsInherited : True
Properties : {User-Account-Control}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ReadProperty}
ExtendedRights :
IsInherited : True
Properties : {Exchange-Information}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ReadProperty}
ExtendedRights :
IsInherited : True
Properties : {Is-Member-Of-DL}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ReadProperty}
ExtendedRights :
IsInherited : True
Properties : {Garbage-Coll-Period}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Recipient Administrators
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {WriteProperty}
ExtendedRights :
IsInherited : True
Properties : {Proxy-Addresses}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Recipient Administrators
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {WriteProperty}
ExtendedRights :
IsInherited : True
Properties : {Show-In-Address-Book}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Recipient Administrators
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {WriteProperty}
ExtendedRights :
IsInherited : True
Properties : {Exchange-Personal-Information}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Recipient Administrators
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {WriteProperty}
ExtendedRights :
IsInherited : True
Properties : {Admin-Display-Name}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {WriteProperty}
ExtendedRights :
IsInherited : True
Properties : {Group-Type}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Enterprise Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {WriteProperty}
ExtendedRights :
IsInherited : True
Properties : {Group-Type}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {WriteProperty}
ExtendedRights :
IsInherited : True
Properties : {ms-Exch-Mailbox-Security-Descriptor}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {WriteProperty}
ExtendedRights :
IsInherited : True
Properties : {ms-Exch-UM-Server-Writable-Flags}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Recipient Administrators
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {WriteProperty}
ExtendedRights :
IsInherited : True
Properties : {Display-Name}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Enterprise Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {WriteProperty}
ExtendedRights :
IsInherited : True
Properties : {Display-Name}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Enterprise Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {WriteProperty}
ExtendedRights :
IsInherited : True
Properties : {Public-Information}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {WriteProperty}
ExtendedRights :
IsInherited : True
Properties : {ms-Exch-User-Culture}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Recipient Administrators
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {WriteProperty}
ExtendedRights :
IsInherited : True
Properties : {Display-Name-Printable}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Recipient Administrators
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {WriteProperty}
ExtendedRights :
IsInherited : True
Properties : {E-mail-Addresses}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {WriteProperty}
ExtendedRights :
IsInherited : True
Properties : {ms-Exch-Mobile-Mailbox-Flags}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {WriteProperty}
ExtendedRights :
IsInherited : True
Properties : {X509-Cert}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Enterprise Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {WriteProperty}
ExtendedRights :
IsInherited : True
Properties : {Personal-Information}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Recipient Administrators
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {WriteProperty}
ExtendedRights :
IsInherited : True
Properties : {Text-Encoded-OR-Address}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Recipient Administrators
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {WriteProperty}
ExtendedRights :
IsInherited : True
Properties : {Exchange-Information}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Enterprise Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {WriteProperty}
ExtendedRights :
IsInherited : True
Properties : {Exchange-Information}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {WriteProperty}
ExtendedRights :
IsInherited : True
Properties : {ms-Exch-Public-Delegates}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Recipient Administrators
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {WriteProperty}
ExtendedRights :
IsInherited : True
Properties : {ms-Exch-Public-Delegates}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {WriteProperty}
ExtendedRights :
IsInherited : True
Properties : {ms-Exch-UM-Spoken-Name}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Recipient Administrators
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {WriteProperty}
ExtendedRights :
IsInherited : True
Properties : {Garbage-Coll-Period}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {WriteProperty}
ExtendedRights :
IsInherited : True
Properties : {ms-Exch-UM-Pin-Checksum}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Recipient Administrators
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {WriteProperty}
ExtendedRights :
IsInherited : True
Properties : {Legacy-Exchange-DN}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Recipient Administrators
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {GenericAll}
ExtendedRights :
IsInherited : True
Properties :
ChildObjectTypes : {ms-Exch-Dynamic-Distribution-List}
InheritedObjectType :
InheritanceType : All
User : NT AUTHORITY\Authenticated Users
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ReadProperty}
ExtendedRights :
IsInherited : True
Properties : {RTCUserSearchPropertySet}
ChildObjectTypes :
InheritedObjectType : inetOrgPerson
InheritanceType : Descendents
User : NT AUTHORITY\Authenticated Users
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ReadProperty}
ExtendedRights :
IsInherited : True
Properties : {RTCUserSearchPropertySet}
ChildObjectTypes :
InheritedObjectType : User
InheritanceType : All
User : NT AUTHORITY\Authenticated Users
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ReadProperty}
ExtendedRights :
IsInherited : True
Properties : {RTCUserSearchPropertySet}
ChildObjectTypes :
InheritedObjectType : Contact
InheritanceType : Descendents
User : MYDOMAIN\Exchange Enterprise Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {GenericRead}
ExtendedRights :
IsInherited : True
Properties :
ChildObjectTypes :
InheritedObjectType : User
InheritanceType : All
User : MYDOMAIN\Exchange Enterprise Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {GenericRead, WriteDacl}
ExtendedRights :
IsInherited : True
Properties :
ChildObjectTypes :
InheritedObjectType : Group
InheritanceType : Descendents
User : S-1-5-32-554
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {GenericRead}
ExtendedRights :
IsInherited : True
Properties :
ChildObjectTypes :
InheritedObjectType : Group
InheritanceType : Descendents
User : S-1-5-32-554
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {GenericRead}
ExtendedRights :
IsInherited : True
Properties :
ChildObjectTypes :
InheritedObjectType : User
InheritanceType : All
User : NT AUTHORITY\NETWORK SERVICE
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ReadProperty}
ExtendedRights :
IsInherited : True
Properties : {Exchange-Personal-Information}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : NT AUTHORITY\Authenticated Users
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ReadProperty}
ExtendedRights :
IsInherited : True
Properties : {Exchange-Information}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : NT AUTHORITY\SELF
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ReadProperty, WriteProperty, ExtendedRight}
ExtendedRights : {Private-Information}
IsInherited : True
Properties : {Private-Information}
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Enterprise Servers
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ListChildren}
ExtendedRights :
IsInherited : True
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Exchange Recipient Administrators
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {GenericRead}
ExtendedRights :
IsInherited : True
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : MYDOMAIN\Enterprise Admins
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {GenericAll}
ExtendedRights :
IsInherited : True
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : S-1-5-32-554
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {ListChildren}
ExtendedRights :
IsInherited : True
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
User : BUILTIN\Administrators
Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane
Deny : False
AccessRights : {CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner}
ExtendedRights :
IsInherited : True
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
December 11th, 2009 6:00pm
Using get-mailbox, I noticed a difference in the ProtocolSettings; I was wondering if that might have anything to do with the permissions problems?
For John Doe, a mailbox svcacct can't access: ProtocolSettings : {HTTP11, OWA1}
For Jane Doe, a mailbox svcacct can access: ProtocolSettings : {}
--Greg
December 12th, 2009 2:41am
I learned that, in the Exchange Management Console, if you view the properties of a mailbox and go to the mailbox features tab, you can control the HTTP/OWA protocol settings by enabling or disabling OWA. The first number will be 1 if it's enabled or 0 if it's disabled. Since HTTP/OWA is enabled (first number is 1) for the John Doe account, I don't believe that particular setting is what is causing our problem.
Interestingly, if I log into OWA as the svcacct and try to open up another mailbox where HTTP/OWA has been disabled, I get the error message "Microsoft Outlook Web Access is currently disabled for user smtp:<user's email ID>". However, the svcacct can still access the HTTP/OWA disabled mailbox okay via Exchange Web Services.
I still have not had any luck figuring this problem out.
--Greg
January 9th, 2010 2:07am
FWIW, just a few other details that might be relevant:
(1) I found the following post that mentioned problems with "send-as" when you started off using Exchange 5.5 and then migrated to 2003 and then 2007, and thought maybe that might be related to our "full-access" problem. However, I learned the Exchange environment I'm working with never used Exchange 5.5. It started with Exchange 2003 and then was migrated to 2007.
http://social.technet.microsoft.com/Forums/en-US/exchangesvradmin/thread/39be2ec3-5208-4f36-b950-99368e1a6da4
(2) Our svcacct originally was a domain administrator and Exchange administrator, and out of concern that the default denies might be causing problems, we created a new svcacct2 that was not a domain administrator and not an Exchange administrator (only belongs to the domain users group), and we still get the same permissions problem.
(3) To ensure nothing got stuck in Exchange's in-memory cache, we rebooted the Exchange server, but still have the same permissions problem.
--Greg
January 20th, 2010 4:18pm
Are there any orphan permissions on those mailboxes? I've seen those cause some weird problems.
January 20th, 2010 4:26pm
What do you mean by orphan permissions? How could I tell if there are orphan permissions?
Thanks,
Greg
January 20th, 2010 4:44pm
They will only display as a SID. MAPI permissions aren't removed automatically if the security principal they were assigned to is removed, so if a user or group is given permission to a mailbox, and then that group or user is deleted, it leaves behind an "orphan" ACE that can't be resolved to a name anymore, so it just displays the SID.
January 20th, 2010 5:25pm
They will only display as a SID. MAPI permissions aren't removed automatically if the security principal they were assigned to is removed, so if a user or group is given permission to a mailbox, and then that group or user is deleted, it leaves behind an "orphan" ACE that can't be resolved to a name anymore, so it just displays the SID.
Hi. We have almost the identical problem in our environment. It looks like the MAPI permissions are GONE. And the SID is the only thing that remains (and that on a few mailboxes only). Is it possible to add these permissions again, somehow?
January 31st, 2010 12:55am
Hello, Our client does have orphan permissions on both mailboxes where "full access" works and mailboxes where "full access" doesn't work. But we haven't had a chance yet to try removing the orphan permissions. Thanks for the tip. We contacted Microsoft support and they said the "Allow inheritable permissions from parent to propagate to the object" option needs to be checked, for each user with a mailbox. Go into Active Directory Users and Computers, make sure view -> Advanced Features is selected, choose properties on one of the users, click on the Security tab, click the Advanced button, click on the Permissions tab, and make sure the "Allow inheritable permissions from parent to propagate to the object" option is checked. I don't know if that would add back your missing permissions, but maybe it might solve the "full access" not working. We haven't heard back yet from our client on whether that solved their "full access" permissions problem. --Greg
January 31st, 2010 2:31am
@Greg: I've checked the inheritable permissions and they all look just fine. The weird thing is that the orphaned account(s) still appear on new mailboxes after a couple of hours (or maybe when I stop and start the Information Store), not really sure. Anyways, it seems that I can open all the mailboxes correctly from OWA now when logged in as Administrator.
We are also using a third-party CRM software called SuperOffice to link SO (SuperOffice) data and Exchange mailbox data, but when we run the link from within SO it says that the current user doesn't have rights to open mailboxes.
It looks like SO connects fine to the Exchange server via MAPI, as the user mailboxes get extracted and displayed in SO.
Any thoughts? :)
January 31st, 2010 3:56pm
Possibly related? http://blogs.utexas.edu/glenmark/2009/09/28/setting-delegates-on-mailboxes-that-are-not-your-own/
January 31st, 2010 10:19pm
The mailbox security descriptors look fine. The NT security descriptors are where the major differences lie. The John account has no inherited permissions at all, whereas the Jane account has tons of appropriate ACL entries. Furthermore, the John account's NT security descriptor is nearly bare, except for some minimum defaults that look suspiciously similar to the default ACL on the AdminSDHolder object...
So, I would suggest checking and comparing the group membership of the John/Jane accounts. Specifically, make sure John is not a member of any of the protected groups below, nor is a member of any other groups that are members of these protected groups (from KB817433):
Administrators
Account Operators
Server Operators
Print Operators
Backup Operators
Domain Admins
Schema Admins
Enterprise Admins
Cert Publishers
Good luck,
-aseigler
February 1st, 2010 6:10pm
I would also check the AdminCount property on the users. If it's anything but 0, check the AdminCount property of any groups they belong to. I've seen cases where a user-created group has been added to a protected group, and that group and subsequently its membership become protected, and that situation persisting even after the user-created group was removed from the protected system group, until the AdminCount property was manually reset to 0.
February 1st, 2010 7:07pm
I opened a support incident with Microsoft and we were able to solve the problem.
If you go into Active Directory Users and Computers, view the properties on one of the problematic accounts, click on the Security tab, click the Advanced button, the "Allow inheritable permissions..." checkbox needs to be checked. In our case, it was not checked, so we needed to check it. After doing that, we then needed to remove and add back the full access delegate permissions using the Exchange Management Console.
Thanks for everyone's suggestions.
--Greg
January 5th, 2011 11:52am
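The inheritance and AdminCount checks discussed in this thread can be run across every mailbox-enabled user at once instead of one account at a time in Active Directory Users and Computers. The script below is an added example, not code from the thread or from Microsoft; it assumes PowerShell 2.0 or later on a domain-joined machine, and the `-EnableInheritance` switch name is hypothetical. It only re-enables inheritance on accounts whose adminCount is 0 or unset, because accounts still covered by AdminSDHolder have their ACL reset again and their group membership should be reviewed first.

```powershell
# Added example (not from the thread): report mailbox-enabled users whose ACL
# blocks inheritance or whose adminCount is non-zero.
param(
    [switch]$EnableInheritance   # hypothetical switch: fix accounts with adminCount 0/unset
)

$searcher = New-Object System.DirectoryServices.DirectorySearcher
# Mailbox-enabled users carry a homeMDB attribute.
$searcher.Filter   = '(&(objectCategory=person)(objectClass=user)(homeMDB=*))'
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.Add('distinguishedname')
[void]$searcher.PropertiesToLoad.Add('admincount')

$results = $searcher.FindAll()
try {
    foreach ($result in $results) {
        $dn = $result.Properties['distinguishedname'][0]

        # adminCount is absent on accounts that were never in a protected group.
        $adminCount = 0
        if ($result.Properties.Contains('admincount')) {
            $adminCount = [int]$result.Properties['admincount'][0]
        }

        $entry = $result.GetDirectoryEntry()
        # Read and write only the DACL, not owner/group/SACL.
        $entry.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
        $acl     = $entry.psbase.ObjectSecurity
        $blocked = $acl.AreAccessRulesProtected   # True = "Allow inheritable permissions" unchecked

        if (-not $blocked -and $adminCount -eq 0) { continue }   # healthy account

        $action = 'Report only'
        if ($EnableInheritance -and $blocked) {
            if ($adminCount -eq 0) {
                # Equivalent to ticking the "Allow inheritable permissions..." checkbox.
                $acl.SetAccessRuleProtection($false, $true)
                $entry.psbase.CommitChanges()
                $action = 'Inheritance re-enabled'
            } else {
                $action = 'Skipped: adminCount set, review protected-group membership'
            }
        }

        New-Object PSObject -Property @{
            DistinguishedName  = $dn
            AdminCount         = $adminCount
            InheritanceBlocked = $blocked
            Action             = $action
        } | Select-Object DistinguishedName, AdminCount, InheritanceBlocked, Action
    }
}
finally {
    $results.Dispose()
}
```

Run it without the switch first and review the report. As Greg's resolution notes, the full access permission still has to be removed and added back on each corrected mailbox after inheritance is re-enabled.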