Exchange 2007 Full Access only working for some mailboxes, any ideas?
Hello,

I'm working on an Exchange 2007 server where a "svcacct" account/mailbox needs full access permissions to the contents of all the other mailboxes on the Exchange server. There are around 100 mailboxes on this Exchange server. So, using the Exchange Management Shell, I run the following command:

    get-mailbox | add-mailboxpermission -user svcacct -AccessRights FullAccess

I wait two hours for Exchange's cache to expire, and the "svcacct" can now access around 1/3 of the mailboxes. However, the "svcacct" still cannot access around 2/3 of the mailboxes. I logged into Outlook Web Access as the "svcacct", and I am able to open up some of the mailboxes okay. However, for the other mailboxes, when I try to open them, I get the error message "You do not have permission to open this mailbox. For access or for more information, contact technical support for your organization."

This Exchange server has three storage groups, and one mailbox database per storage group. The permissions problem is not specific to any mailbox database. There are mailboxes the "svcacct" can and cannot access in each mailbox database.

Searching online, I found and tried running these additional commands:

    get-mailbox | add-adpermission -user svcacct -accessrights ExtendedRight -ExtendedRights "send as"
    get-mailbox | add-adpermission -user svcacct -accessrights GenericAll -ExtendedRights Receive-As, Send-As, ms-Exch-Store-Admin
    get-mailboxdatabase | add-adpermission -user svcacct -extendedrights Receive-As
    get-mailboxdatabase | add-adpermission -user svcacct -accessrights GenericAll -ExtendedRights Receive-As, Send-As, ms-Exch-Store-Admin

I wait another two hours for Exchange's cache to expire, and the "svcacct" is still unable to access (the same) around 2/3 of the mailboxes. Does anyone have any ideas what permission settings I might be missing? Any help would be greatly appreciated.

This is a real show stopper for us; our application that automatically synchronizes our CRM database with the contacts, tasks, and appointments in Exchange (via Exchange Web Services) will not work until we can resolve this permissions problem. --Greg
December 11th, 2009 5:15pm
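
An added example, not part of the original post or of any Microsoft tooling: a read-only Exchange Management Shell audit that reports, for every mailbox, whether the service account holds an explicit FullAccess allow entry, which principals carry a FullAccess deny entry, and how many inherited ACEs the AD object has, so the mailboxes that open and the ones that do not can be compared on the same fields the follow-up posts print. The account name `MYDOMAIN\svcacct` is taken from the thread; the variable and column names are illustrative.

```powershell
# Added example: read-only audit, it changes no permissions.
# Uses only PowerShell 1.0 syntax, which Exchange 2007 shipped with.
$Account = 'MYDOMAIN\svcacct'   # account as it appears in the thread's output

$report = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_
    $dn  = $mbx.DistinguishedName

    # Mailbox-level ACL (what Get-MailboxPermission printed in the thread)
    $mbxAcl = @(Get-MailboxPermission -Identity $dn)
    # Directory-level ACL on the user object (what Get-ADPermission printed)
    $adAcl  = @(Get-ADPermission -Identity $dn)

    # Every entry that mentions FullAccess, allow or deny
    $full = @($mbxAcl | Where-Object { $_.AccessRights -like '*FullAccess*' })

    # Explicit (non-inherited) allow entry for the service account
    $explicitAllow = @($full | Where-Object {
        $_.User.ToString() -eq $Account -and -not $_.Deny -and -not $_.IsInherited
    })

    # Principals with a FullAccess deny entry on this mailbox
    $denyUsers = @($full | Where-Object { $_.Deny } |
        ForEach-Object { $_.User.ToString() } | Sort-Object -Unique)

    # Inherited ACEs on the AD object; zero means nothing is inherited
    $adInherited = @($adAcl | Where-Object { $_.IsInherited })

    $row = New-Object PSObject
    $row | Add-Member -MemberType NoteProperty -Name Mailbox        -Value $mbx.Name
    $row | Add-Member -MemberType NoteProperty -Name Database       -Value $mbx.Database.ToString()
    $row | Add-Member -MemberType NoteProperty -Name ExplicitAllow  -Value ($explicitAllow.Count -gt 0)
    $row | Add-Member -MemberType NoteProperty -Name AdInherited    -Value $adInherited.Count
    $row | Add-Member -MemberType NoteProperty -Name DenyFullAccess -Value ([string]::Join('; ', $denyUsers))
    $row
}

# Group rows that look alike so differences between mailboxes stand out
$report | Sort-Object ExplicitAllow, AdInherited, Mailbox |
    Format-Table -AutoSize -Wrap
```

The same report doubles as a record of every mailbox one service account can read after the blanket grants above.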

Here are the ACL entries for one of the mailboxes the svcacct cannot open up via Outlook Web Access:

Here is the output of running get-mailboxpermission "Doe, John"

AccessRights : {FullAccess, SendAs, ReadPermission} Deny : False InheritanceType : All User : NT AUTHORITY\SELF Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John IsInherited : False IsValid : True ObjectState : Unchanged AccessRights : {FullAccess} Deny : False InheritanceType : All User : MYDOMAIN\administrator Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John IsInherited : False IsValid : True ObjectState : Unchanged AccessRights : {FullAccess} Deny : False InheritanceType : All User : MYDOMAIN\svcacct Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John IsInherited : False IsValid : True ObjectState : Unchanged AccessRights : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner} Deny : False InheritanceType : All User : MYDOMAIN\svcacct Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {FullAccess} Deny : False InheritanceType : All User : MYDOMAIN\besadmin Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {ReadPermission} Deny : False InheritanceType : All User : MYDOMAIN\EX01$ Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {ReadPermission} Deny : False InheritanceType : All User : MYDOMAIN\besadmin Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {FullAccess} Deny : True InheritanceType : All User : MYDOMAIN\Exchange Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {FullAccess} Deny : True InheritanceType
: All User : MYDOMAIN\Domain Admins Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {FullAccess} Deny : True InheritanceType : All User : MYDOMAIN\Exchange Organization Administrators Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {FullAccess} Deny : True InheritanceType : All User : MYDOMAIN\Enterprise Admins Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {FullAccess} Deny : True InheritanceType : All User : MYDOMAIN\administrator Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {FullAccess} Deny : False InheritanceType : All User : MYDOMAIN\Exchange Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {FullAccess} Deny : False InheritanceType : All User : MYDOMAIN\Exchange Domain Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {ReadPermission} Deny : False InheritanceType : All User : MYDOMAIN\Exchange Public Folder Administrators Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {ReadPermission} Deny : False InheritanceType : All User : NT AUTHORITY\NETWORK SERVICE Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {ReadPermission} Deny : False InheritanceType : All User : MYDOMAIN\Exchange Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {ReadPermission} Deny : 
False InheritanceType : All User : MYDOMAIN\Exchange Domain Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {ReadPermission} Deny : False InheritanceType : All User : MYDOMAIN\Exchange View-Only Administrators Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner} Deny : False InheritanceType : All User : MYDOMAIN\Exchange Organization Administrators Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner} Deny : False InheritanceType : All User : MYDOMAIN\administrator Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner} Deny : False InheritanceType : All User : MYDOMAIN\Enterprise Admins Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner} Deny : False InheritanceType : All User : MYDOMAIN\Domain Admins Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John IsInherited : True IsValid : True ObjectState : Unchanged

And here is the output of running get-adpermission "Doe, John"

User : NT AUTHORITY\Authenticated Users Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John Deny : False AccessRights : {GenericRead} ExtendedRights : IsInherited : False Properties : ChildObjectTypes : InheritedObjectType : InheritanceType : None User : NT AUTHORITY\SYSTEM Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John Deny : False AccessRights :
{GenericAll} ExtendedRights : IsInherited : False Properties : ChildObjectTypes : InheritedObjectType : InheritanceType : None User : BUILTIN\Administrators Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John Deny : False AccessRights : {CreateChild, DeleteChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner} ExtendedRights : IsInherited : False Properties : ChildObjectTypes : InheritedObjectType : InheritanceType : None User : MYDOMAIN\Domain Admins Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John Deny : False AccessRights : {CreateChild, DeleteChild, Self, WriteProperty, ExtendedRight, GenericRead, WriteDacl, WriteOwner} ExtendedRights : IsInherited : False Properties : ChildObjectTypes : InheritedObjectType : InheritanceType : None User : MYDOMAIN\Enterprise Admins Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John Deny : False AccessRights : {CreateChild, DeleteChild, Self, WriteProperty, ExtendedRight, GenericRead, WriteDacl, WriteOwner} ExtendedRights : IsInherited : False Properties : ChildObjectTypes : InheritedObjectType : InheritanceType : None User : MYDOMAIN\svcacct Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John Deny : False AccessRights : {GenericAll} ExtendedRights : IsInherited : False Properties : ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Enterprise Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John Deny : False AccessRights : {ListChildren} ExtendedRights : IsInherited : False Properties : ChildObjectTypes : InheritedObjectType : InheritanceType : All User : Everyone Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John Deny : False AccessRights : {ExtendedRight} ExtendedRights : {User-Change-Password} IsInherited : False Properties : ChildObjectTypes : InheritedObjectType : InheritanceType : None User : NT AUTHORITY\SELF Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John 
Deny : False AccessRights : {ExtendedRight} ExtendedRights : {User-Change-Password} IsInherited : False Properties : ChildObjectTypes : InheritedObjectType : InheritanceType : None User : NT AUTHORITY\SELF Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John Deny : False AccessRights : {ReadProperty, WriteProperty, ExtendedRight} ExtendedRights : {Private-Information} IsInherited : False Properties : {Private-Information} ChildObjectTypes : InheritedObjectType : InheritanceType : All User : S-1-5-32-554 Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John Deny : False AccessRights : {ReadProperty} ExtendedRights : IsInherited : False Properties : {General-Information} ChildObjectTypes : InheritedObjectType : InheritanceType : None User : S-1-5-32-554 Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John Deny : False AccessRights : {ReadProperty} ExtendedRights : IsInherited : False Properties : {RAS-Information} ChildObjectTypes : InheritedObjectType : InheritanceType : None User : S-1-5-32-554 Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John Deny : False AccessRights : {ReadProperty} ExtendedRights : IsInherited : False Properties : {User-Logon} ChildObjectTypes : InheritedObjectType : InheritanceType : None User : S-1-5-32-554 Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John Deny : False AccessRights : {GenericRead} ExtendedRights : IsInherited : False Properties : ChildObjectTypes : InheritedObjectType : InheritanceType : None User : S-1-5-32-560 Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John Deny : False AccessRights : {ReadProperty} ExtendedRights : IsInherited : False Properties : {Token-Groups-Global-And-Universal} ChildObjectTypes : InheritedObjectType : InheritanceType : None User : S-1-5-32-561 Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John Deny : False AccessRights : {ReadProperty, WriteProperty} ExtendedRights : IsInherited : False Properties : 
{Terminal-Server} ChildObjectTypes : InheritedObjectType : InheritanceType : None User : S-1-5-32-561 Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John Deny : False AccessRights : {ReadProperty, WriteProperty} ExtendedRights : IsInherited : False Properties : {Terminal-Server-License-Server} ChildObjectTypes : InheritedObjectType : InheritanceType : None User : MYDOMAIN\Cert Publishers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John Deny : False AccessRights : {ReadProperty, WriteProperty} ExtendedRights : IsInherited : False Properties : {X509-Cert} ChildObjectTypes : InheritedObjectType : InheritanceType : None User : MYDOMAIN\svcacct Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John Deny : False AccessRights : {ExtendedRight} ExtendedRights : {Send-As} IsInherited : False Properties : ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\svcacct Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John Deny : False AccessRights : {ExtendedRight} ExtendedRights : {Receive-As} IsInherited : False Properties : ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\svcacct Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John Deny : False AccessRights : {ExtendedRight} ExtendedRights : {ms-Exch-Store-Admin} IsInherited : False Properties : ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Enterprise Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John Deny : False AccessRights : {ReadProperty, WriteProperty} ExtendedRights : IsInherited : False Properties : {Display-Name} ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Enterprise Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John Deny : False AccessRights : {ReadProperty, WriteProperty} ExtendedRights : IsInherited : False Properties : {Public-Information} ChildObjectTypes : 
InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Enterprise Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, John Deny : False AccessRights : {ReadProperty, WriteProperty} ExtendedRights : IsInherited : False Properties : {Personal-Information} ChildObjectTypes : InheritedObjectType : InheritanceType : All
December 11th, 2009 5:51pm

And FWIW, here are the ACL entries for one of the mailboxes the svcacct is able to open okay via Outlook Web Access:

Here is the output of running get-mailboxpermission "Doe, Jane"

AccessRights : {FullAccess, ReadPermission} Deny : False InheritanceType : All User : NT AUTHORITY\SELF Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane IsInherited : False IsValid : True ObjectState : Unchanged AccessRights : {FullAccess} Deny : False InheritanceType : All User : MYDOMAIN\svcacct Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane IsInherited : False IsValid : True ObjectState : Unchanged AccessRights : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner} Deny : False InheritanceType : All User : MYDOMAIN\svcacct Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {FullAccess} Deny : False InheritanceType : All User : MYDOMAIN\besadmin Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {ReadPermission} Deny : False InheritanceType : All User : MYDOMAIN\EX01$ Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {ReadPermission} Deny : False InheritanceType : All User : MYDOMAIN\besadmin Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {FullAccess} Deny : True InheritanceType : All User : MYDOMAIN\Exchange Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {FullAccess} Deny : True InheritanceType : All User : MYDOMAIN\Domain Admins Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {FullAccess} Deny : True
InheritanceType : All User : MYDOMAIN\Exchange Organization Administrators Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {FullAccess} Deny : True InheritanceType : All User : MYDOMAIN\Enterprise Admins Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {FullAccess} Deny : True InheritanceType : All User : MYDOMAIN\administrator Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {FullAccess} Deny : False InheritanceType : All User : MYDOMAIN\Exchange Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {FullAccess} Deny : False InheritanceType : All User : MYDOMAIN\Exchange Domain Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {ReadPermission} Deny : False InheritanceType : All User : MYDOMAIN\Exchange Public Folder Administrators Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {ReadPermission} Deny : False InheritanceType : All User : NT AUTHORITY\NETWORK SERVICE Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {ReadPermission} Deny : False InheritanceType : All User : MYDOMAIN\Exchange Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {ReadPermission} Deny : False InheritanceType : All User : MYDOMAIN\Exchange Domain Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane IsInherited : True IsValid : True ObjectState : Unchanged 
AccessRights : {ReadPermission} Deny : False InheritanceType : All User : MYDOMAIN\Exchange View-Only Administrators Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner} Deny : False InheritanceType : All User : MYDOMAIN\Exchange Organization Administrators Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner} Deny : False InheritanceType : All User : MYDOMAIN\administrator Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner} Deny : False InheritanceType : All User : MYDOMAIN\Enterprise Admins Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane IsInherited : True IsValid : True ObjectState : Unchanged AccessRights : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner} Deny : False InheritanceType : All User : MYDOMAIN\Domain Admins Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane IsInherited : True IsValid : True ObjectState : Unchanged

And here is the output of running get-adpermission "Doe, Jane"

User : NT AUTHORITY\SELF Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {GenericRead} ExtendedRights : IsInherited : False Properties : ChildObjectTypes : InheritedObjectType : InheritanceType : None User : NT AUTHORITY\Authenticated Users Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ReadControl} ExtendedRights : IsInherited : False Properties : ChildObjectTypes : InheritedObjectType : InheritanceType : None User : NT AUTHORITY\SYSTEM Identity :
internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {GenericAll} ExtendedRights : IsInherited : False Properties : ChildObjectTypes : InheritedObjectType : InheritanceType : None User : S-1-5-32-548 Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {GenericAll} ExtendedRights : IsInherited : False Properties : ChildObjectTypes : InheritedObjectType : InheritanceType : None User : MYDOMAIN\Domain Admins Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {GenericAll} ExtendedRights : IsInherited : False Properties : ChildObjectTypes : InheritedObjectType : InheritanceType : None User : MYDOMAIN\svcacct Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {GenericAll} ExtendedRights : IsInherited : False Properties : ChildObjectTypes : InheritedObjectType : InheritanceType : All User : Everyone Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ExtendedRight} ExtendedRights : {User-Change-Password} IsInherited : False Properties : ChildObjectTypes : InheritedObjectType : InheritanceType : None User : NT AUTHORITY\SELF Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ReadProperty, WriteProperty} ExtendedRights : IsInherited : False Properties : {Email-Information} ChildObjectTypes : InheritedObjectType : InheritanceType : None User : NT AUTHORITY\SELF Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ReadProperty, WriteProperty} ExtendedRights : IsInherited : False Properties : {Web-Information} ChildObjectTypes : InheritedObjectType : InheritanceType : None User : NT AUTHORITY\SELF Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ReadProperty, WriteProperty} ExtendedRights : IsInherited : False Properties : {Personal-Information} ChildObjectTypes : 
InheritedObjectType : InheritanceType : None User : NT AUTHORITY\SELF Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ExtendedRight} ExtendedRights : {Receive-As} IsInherited : False Properties : ChildObjectTypes : InheritedObjectType : InheritanceType : None User : NT AUTHORITY\SELF Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ExtendedRight} ExtendedRights : {Send-As} IsInherited : False Properties : ChildObjectTypes : InheritedObjectType : InheritanceType : None User : NT AUTHORITY\SELF Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ExtendedRight} ExtendedRights : {User-Change-Password} IsInherited : False Properties : ChildObjectTypes : InheritedObjectType : InheritanceType : None User : NT AUTHORITY\Authenticated Users Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ReadProperty} ExtendedRights : IsInherited : False Properties : {Web-Information} ChildObjectTypes : InheritedObjectType : InheritanceType : None User : NT AUTHORITY\Authenticated Users Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ReadProperty} ExtendedRights : IsInherited : False Properties : {Personal-Information} ChildObjectTypes : InheritedObjectType : InheritanceType : None User : NT AUTHORITY\Authenticated Users Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ReadProperty} ExtendedRights : IsInherited : False Properties : {General-Information} ChildObjectTypes : InheritedObjectType : InheritanceType : None User : NT AUTHORITY\Authenticated Users Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ReadProperty} ExtendedRights : IsInherited : False Properties : {Public-Information} ChildObjectTypes : InheritedObjectType : InheritanceType : None User : S-1-5-32-560 Identity : 
internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ReadProperty} ExtendedRights : IsInherited : False Properties : {Token-Groups-Global-And-Universal} ChildObjectTypes : InheritedObjectType : InheritanceType : None User : S-1-5-32-561 Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ReadProperty, WriteProperty} ExtendedRights : IsInherited : False Properties : {Terminal-Server-License-Server} ChildObjectTypes : InheritedObjectType : InheritanceType : None User : S-1-5-32-561 Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ReadProperty, WriteProperty} ExtendedRights : IsInherited : False Properties : {Terminal-Server} ChildObjectTypes : InheritedObjectType : InheritanceType : None User : MYDOMAIN\Cert Publishers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ReadProperty, WriteProperty} ExtendedRights : IsInherited : False Properties : {X509-Cert} ChildObjectTypes : InheritedObjectType : InheritanceType : None User : MYDOMAIN\RAS and IAS Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ReadProperty} ExtendedRights : IsInherited : False Properties : {Membership} ChildObjectTypes : InheritedObjectType : InheritanceType : None User : MYDOMAIN\RAS and IAS Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ReadProperty} ExtendedRights : IsInherited : False Properties : {User-Logon} ChildObjectTypes : InheritedObjectType : InheritanceType : None User : MYDOMAIN\RAS and IAS Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ReadProperty} ExtendedRights : IsInherited : False Properties : {RAS-Information} ChildObjectTypes : InheritedObjectType : InheritanceType : None User : MYDOMAIN\RAS and IAS Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, 
Jane Deny : False AccessRights : {ReadProperty} ExtendedRights : IsInherited : False Properties : {User-Account-Restrictions} ChildObjectTypes : InheritedObjectType : InheritanceType : None User : MYDOMAIN\svcacct Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ExtendedRight} ExtendedRights : {ms-Exch-Store-Admin} IsInherited : False Properties : ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\svcacct Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ExtendedRight} ExtendedRights : {Receive-As} IsInherited : False Properties : ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\svcacct Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ExtendedRight} ExtendedRights : {Send-As} IsInherited : False Properties : ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\besadmin Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ExtendedRight} ExtendedRights : {Send-As} IsInherited : True Properties : ChildObjectTypes : InheritedObjectType : User InheritanceType : All User : MYDOMAIN\HelpDesk Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {CreateChild, DeleteChild} ExtendedRights : IsInherited : True Properties : ChildObjectTypes : {User} InheritedObjectType : InheritanceType : All User : MYDOMAIN\besadmin Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ReadProperty, GenericExecute} ExtendedRights : IsInherited : True Properties : ChildObjectTypes : InheritedObjectType : User InheritanceType : All User : MYDOMAIN\HelpDesk Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {GenericAll} ExtendedRights : IsInherited : True Properties : ChildObjectTypes : InheritedObjectType : User InheritanceType 
: All User : MYDOMAIN\RTCUniversalUserReadOnlyGroup Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ReadProperty} ExtendedRights : IsInherited : True Properties : {User-Account-Restrictions} ChildObjectTypes : InheritedObjectType : User InheritanceType : All User : MYDOMAIN\RTCUniversalUserReadOnlyGroup Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ReadProperty} ExtendedRights : IsInherited : True Properties : {General-Information} ChildObjectTypes : InheritedObjectType : User InheritanceType : All User : MYDOMAIN\RTCUniversalUserReadOnlyGroup Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ReadProperty} ExtendedRights : IsInherited : True Properties : {Public-Information} ChildObjectTypes : InheritedObjectType : User InheritanceType : All User : MYDOMAIN\RTCUniversalUserReadOnlyGroup Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ReadProperty} ExtendedRights : IsInherited : True Properties : {RTCPropertySet} ChildObjectTypes : InheritedObjectType : User InheritanceType : All User : MYDOMAIN\RTCUniversalUserReadOnlyGroup Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ReadProperty} ExtendedRights : IsInherited : True Properties : {RTCUserSearchPropertySet} ChildObjectTypes : InheritedObjectType : User InheritanceType : All User : MYDOMAIN\RTCUniversalUserReadOnlyGroup Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ReadProperty} ExtendedRights : IsInherited : True Properties : {Personal-Information} ChildObjectTypes : InheritedObjectType : User InheritanceType : All User : MYDOMAIN\RTCUniversalUserAdmins Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {WriteProperty, DeleteTree} ExtendedRights : IsInherited : True Properties : {Proxy-Addresses} 
ChildObjectTypes : InheritedObjectType : User InheritanceType : All User : MYDOMAIN\RTCUniversalUserAdmins Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {WriteProperty, DeleteTree} ExtendedRights : IsInherited : True Properties : {RTCPropertySet} ChildObjectTypes : InheritedObjectType : User InheritanceType : All User : MYDOMAIN\RTCUniversalUserAdmins Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {WriteProperty, DeleteTree} ExtendedRights : IsInherited : True Properties : {RTCUserSearchPropertySet} ChildObjectTypes : InheritedObjectType : User InheritanceType : All User : MYDOMAIN\Exchange Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ExtendedRight} ExtendedRights : {User-Change-Password} IsInherited : True Properties : ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ReadProperty} ExtendedRights : IsInherited : True Properties : {Exchange-Personal-Information} ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ReadProperty} ExtendedRights : IsInherited : True Properties : {Canonical-Name} ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ReadProperty} ExtendedRights : IsInherited : True Properties : {User-Account-Control} ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ReadProperty} ExtendedRights : IsInherited : True Properties : {Exchange-Information} ChildObjectTypes : 
InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ReadProperty} ExtendedRights : IsInherited : True Properties : {Is-Member-Of-DL} ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ReadProperty} ExtendedRights : IsInherited : True Properties : {Garbage-Coll-Period} ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Recipient Administrators Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {WriteProperty} ExtendedRights : IsInherited : True Properties : {Proxy-Addresses} ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Recipient Administrators Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {WriteProperty} ExtendedRights : IsInherited : True Properties : {Show-In-Address-Book} ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Recipient Administrators Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {WriteProperty} ExtendedRights : IsInherited : True Properties : {Exchange-Personal-Information} ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Recipient Administrators Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {WriteProperty} ExtendedRights : IsInherited : True Properties : {Admin-Display-Name} ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {WriteProperty} ExtendedRights : IsInherited : True Properties : {Group-Type} ChildObjectTypes : 
InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Enterprise Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {WriteProperty} ExtendedRights : IsInherited : True Properties : {Group-Type} ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {WriteProperty} ExtendedRights : IsInherited : True Properties : {ms-Exch-Mailbox-Security-Descriptor} ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {WriteProperty} ExtendedRights : IsInherited : True Properties : {ms-Exch-UM-Server-Writable-Flags} ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Recipient Administrators Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {WriteProperty} ExtendedRights : IsInherited : True Properties : {Display-Name} ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Enterprise Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {WriteProperty} ExtendedRights : IsInherited : True Properties : {Display-Name} ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Enterprise Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {WriteProperty} ExtendedRights : IsInherited : True Properties : {Public-Information} ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {WriteProperty} ExtendedRights : IsInherited : True Properties : {ms-Exch-User-Culture} ChildObjectTypes : 
InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Recipient Administrators Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {WriteProperty} ExtendedRights : IsInherited : True Properties : {Display-Name-Printable} ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Recipient Administrators Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {WriteProperty} ExtendedRights : IsInherited : True Properties : {E-mail-Addresses} ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {WriteProperty} ExtendedRights : IsInherited : True Properties : {ms-Exch-Mobile-Mailbox-Flags} ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {WriteProperty} ExtendedRights : IsInherited : True Properties : {X509-Cert} ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Enterprise Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {WriteProperty} ExtendedRights : IsInherited : True Properties : {Personal-Information} ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Recipient Administrators Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {WriteProperty} ExtendedRights : IsInherited : True Properties : {Text-Encoded-OR-Address} ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Recipient Administrators Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {WriteProperty} ExtendedRights : IsInherited : True Properties : {Exchange-Information} 
ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Enterprise Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {WriteProperty} ExtendedRights : IsInherited : True Properties : {Exchange-Information} ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {WriteProperty} ExtendedRights : IsInherited : True Properties : {ms-Exch-Public-Delegates} ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Recipient Administrators Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {WriteProperty} ExtendedRights : IsInherited : True Properties : {ms-Exch-Public-Delegates} ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {WriteProperty} ExtendedRights : IsInherited : True Properties : {ms-Exch-UM-Spoken-Name} ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Recipient Administrators Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {WriteProperty} ExtendedRights : IsInherited : True Properties : {Garbage-Coll-Period} ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {WriteProperty} ExtendedRights : IsInherited : True Properties : {ms-Exch-UM-Pin-Checksum} ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Recipient Administrators Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {WriteProperty} ExtendedRights : IsInherited : True Properties : 
{Legacy-Exchange-DN} ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Recipient Administrators Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {GenericAll} ExtendedRights : IsInherited : True Properties : ChildObjectTypes : {ms-Exch-Dynamic-Distribution-List} InheritedObjectType : InheritanceType : All User : NT AUTHORITY\Authenticated Users Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ReadProperty} ExtendedRights : IsInherited : True Properties : {RTCUserSearchPropertySet} ChildObjectTypes : InheritedObjectType : inetOrgPerson InheritanceType : Descendents User : NT AUTHORITY\Authenticated Users Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ReadProperty} ExtendedRights : IsInherited : True Properties : {RTCUserSearchPropertySet} ChildObjectTypes : InheritedObjectType : User InheritanceType : All User : NT AUTHORITY\Authenticated Users Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ReadProperty} ExtendedRights : IsInherited : True Properties : {RTCUserSearchPropertySet} ChildObjectTypes : InheritedObjectType : Contact InheritanceType : Descendents User : MYDOMAIN\Exchange Enterprise Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {GenericRead} ExtendedRights : IsInherited : True Properties : ChildObjectTypes : InheritedObjectType : User InheritanceType : All User : MYDOMAIN\Exchange Enterprise Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {GenericRead, WriteDacl} ExtendedRights : IsInherited : True Properties : ChildObjectTypes : InheritedObjectType : Group InheritanceType : Descendents User : S-1-5-32-554 Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {GenericRead} ExtendedRights : IsInherited : 
True Properties : ChildObjectTypes : InheritedObjectType : Group InheritanceType : Descendents User : S-1-5-32-554 Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {GenericRead} ExtendedRights : IsInherited : True Properties : ChildObjectTypes : InheritedObjectType : User InheritanceType : All User : NT AUTHORITY\NETWORK SERVICE Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ReadProperty} ExtendedRights : IsInherited : True Properties : {Exchange-Personal-Information} ChildObjectTypes : InheritedObjectType : InheritanceType : All User : NT AUTHORITY\Authenticated Users Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ReadProperty} ExtendedRights : IsInherited : True Properties : {Exchange-Information} ChildObjectTypes : InheritedObjectType : InheritanceType : All User : NT AUTHORITY\SELF Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ReadProperty, WriteProperty, ExtendedRight} ExtendedRights : {Private-Information} IsInherited : True Properties : {Private-Information} ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Enterprise Servers Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ListChildren} ExtendedRights : IsInherited : True Properties : ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Exchange Recipient Administrators Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {GenericRead} ExtendedRights : IsInherited : True Properties : ChildObjectTypes : InheritedObjectType : InheritanceType : All User : MYDOMAIN\Enterprise Admins Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {GenericAll} ExtendedRights : IsInherited : True Properties : ChildObjectTypes : InheritedObjectType : 
InheritanceType : All User : S-1-5-32-554 Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {ListChildren} ExtendedRights : IsInherited : True Properties : ChildObjectTypes : InheritedObjectType : InheritanceType : All User : BUILTIN\Administrators Identity : internal.mydomain.local/ouAccounts/ouUsers/Doe, Jane Deny : False AccessRights : {CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner} ExtendedRights : IsInherited : True Properties : ChildObjectTypes : InheritedObjectType : InheritanceType : All
December 11th, 2009 6:00pm

Using get-mailbox, I noticed a difference in the ProtocolSettings; I was wondering if that might have anything to do with the permissions problems?
For John Doe, a mailbox svcacct can't access: ProtocolSettings : {HTTP11, OWA1}
For Jane Doe, a mailbox svcacct can access: ProtocolSettings : {}
--Greg
December 12th, 2009 2:41am

I learned that, in the Exchange Management Console, if you view the properties of a mailbox and go to the mailbox features tab, you can control the HTTP/OWA protocol settings by enabling or disabling OWA. The first number will be 1 if it's enabled or 0 if it's disabled. Since HTTP/OWA is enabled (first number is 1) for the John Doe account, I don't believe that particular setting is what is causing our problem.
Interestingly, if I log into OWA as the svcacct and try to open up another mailbox where HTTP/OWA has been disabled, I get the error message "Microsoft Outlook Web Access is currently disabled for user smtp:<user's email ID>". However, the svcacct can still access the HTTP/OWA disabled mailbox okay via Exchange Web Services.
I still have not had any luck figuring this problem out.
--Greg
January 9th, 2010 2:07am

FWIW, just a few other details that might be relevant:
(1) I found the following post that mentioned problems with "send-as" when you started off using Exchange 5.5 and then migrated to 2003 and then 2007, and thought maybe that might be related to our "full-access" problem. However, I learned the Exchange environment I'm working with never used Exchange 5.5. It started with Exchange 2003 and then was migrated to 2007. http://social.technet.microsoft.com/Forums/en-US/exchangesvradmin/thread/39be2ec3-5208-4f36-b950-99368e1a6da4
(2) Our svcacct originally was a domain administrator and Exchange administrator, and out of concern that the default denies might be causing problems, we created a new svcacct2 that was not a domain administrator and not an Exchange administrator (only belongs to the domain users group), and we still get the same permissions problem.
(3) To ensure nothing got stuck in Exchange's in-memory cache, we rebooted the Exchange server, but still have the same permissions problem.
--Greg
January 20th, 2010 4:18pm

Are there any orphan permissions on those mailboxes? I've seen those cause some weird problems.
January 20th, 2010 4:26pm

What do you mean by orphan permissions? How could I tell if there are orphan permissions? Thanks, Greg
January 20th, 2010 4:44pm

They will only display as a SID. MAPI permissions aren't removed automatically if the security principal they were assigned to is removed, so if a user or group is given permission to a mailbox, and then that group or user is deleted, it leaves behind an "orphan" ACE that can't be resolved to a name anymore, so it just displays the SID.
January 20th, 2010 5:25pm

"They will only display as a SID. MAPI permissions aren't removed automatically if the security principal they were assigned to is removed, so if a user or group is given permission to a mailbox, and then that group or user is deleted, it leaves behind an "orphan" ACE that can't be resolved to a name anymore, so it just displays the SID."
Hi. We have almost the identical problem in our environment. It looks like the MAPI permissions are GONE. And the SID is the only thing that remains (and that on a few mailboxes only). Is it possible to add these permissions again, somehow?
January 31st, 2010 12:55am

Hello, Our client does have orphan permissions on both mailboxes where "full access" works and mailboxes where "full access" doesn't work. But we haven't had a chance yet to try removing the orphan permissions. Thanks for the tip. We contacted Microsoft support and they said the "Allow inheritable permissions from parent to propagate to the object" option needs to be checked, for each user with a mailbox. Go into Active Directory Users and Computers, make sure view -> Advanced Features is selected, choose properties on one of the users, click on the Security tab, click the Advanced button, click on the Permissions tab, and make sure the "Allow inheritable permissions from parent to propagate to the object" option is checked. I don't know if that would add back your missing permissions, but maybe it might solve the "full access" not working. We haven't heard back yet from our client on whether that solved their "full access" permissions problem. --Greg
January 31st, 2010 2:31am

@Greg: I've checked the inheritable permissions and they all look just fine. The weird thing is that the orphaned account(s) still appear on new mailboxes after a couple of hours (or maybe when I stop and start the Information Store), not really sure. Anyways, it seems that I can open all the mailboxes correctly from OWA now when logged in as Administrator.
We are also using another third-party CRM software called SuperOffice to link SO (SuperOffice) data and Exchange mailbox data, but when we run the link from within SO it says that the current user doesn't have rights to open mailboxes.
It looks like the SO connects fine to the Exchange server via MAPI as the user mailboxes get extracted and displayed in SO.
Any thoughts? :)
January 31st, 2010 3:56pm

Possibly related? http://blogs.utexas.edu/glenmark/2009/09/28/setting-delegates-on-mailboxes-that-are-not-your-own/
January 31st, 2010 10:19pm

The mailbox security descriptors look fine. The NT security descriptors are where the major differences lie. The John account has no inherited permissions, at all, whereas the Jane account has tons of appropriate ACL entries. Furthermore, the John account's NT security descriptor is nearly bare, except for some minimum defaults that look suspiciously similar to the default ACL on the AdminSDHolder object...
So, I would suggest checking and comparing the group membership of the John/Jane accounts. Specifically, make sure John is not a member of any of the protected groups below, nor is a member of any other groups that are members of these protected groups (from KB817433):
Administrators
Account Operators
Server Operators
Print Operators
Backup Operators
Domain Admins
Schema Admins
Enterprise Admins
Cert Publishers
Good luck, -aseigler
February 1st, 2010 6:10pm

I would also check the AdminCount property on the users. If it's anything but 0, check the AdminCount property of any groups they belong to. I've seen cases where a user-created group has been added to a protected group, and that group and subsequently its membership become protected, and that situation persisting even after the user-created group was removed from the protected system group until the AdminCount property was manually reset to 0.
February 1st, 2010 7:07pm

I opened a support incident with Microsoft and we were able to solve the problem. If you go into Active Directory Users and Computers, view the properties on one of the problematic accounts, click on the Security tab, click the Advanced button, the "Allow inheritable permissions..." checkbox needs to be checked. In our case, it was not checked, so we need to check it. After doing that, we then needed to remove and add back the full access delegate permissions using the Exchange Management Console. Thanks for everyone's suggestions. --Greg
January 5th, 2011 11:52am
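The three checks raised in this thread (the "Allow inheritable permissions..." flag, AdminCount, and orphaned SID entries) can be run across every mailbox at once. The script below is an added example, not code from any poster in the thread; it assumes the Exchange Management Shell, the service account name svcacct from the question, and a hypothetical helper name Restore-Inheritance for the fix Greg describes.

```powershell
# Added example: audit is read-only; the repair helper runs only if you call it.
$ServiceAccount = 'svcacct'   # account name taken from the thread

function Get-UserEntry($DistinguishedName) {
    # Bind to the user's AD object; '/' must be escaped inside an ADsPath.
    $dn = $DistinguishedName.ToString().Replace('/', '\/')
    return [ADSI]("LDAP://$dn")
}

$report = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_
    $de  = Get-UserEntry $mbx.DistinguishedName

    # Mailbox ACL: entries whose trustee no longer resolves show up as a bare SID.
    $perms   = @(Get-MailboxPermission -Identity $mbx.Identity)
    $orphans = @($perms | Where-Object { $_.User.ToString() -like 'S-1-5-21-*' })
    $grants  = @($perms | Where-Object {
        $_.User.ToString() -like "*\$ServiceAccount" -and
        -not $_.Deny -and ($_.AccessRights -like '*FullAccess*')
    })

    $row = New-Object PSObject
    $row | Add-Member NoteProperty Mailbox $mbx.Name
    $row | Add-Member NoteProperty DN $mbx.DistinguishedName
    # True when the "Allow inheritable permissions..." box is unchecked.
    $row | Add-Member NoteProperty InheritanceBlocked $de.psbase.ObjectSecurity.AreAccessRulesProtected
    # Set on accounts that are, or once were, members of a protected group.
    $row | Add-Member NoteProperty AdminCount $de.psbase.Properties['adminCount'].Value
    $row | Add-Member NoteProperty OrphanAces $orphans.Count
    $row | Add-Member NoteProperty SvcFullAccess ($grants.Count -gt 0)
    $row
}

# Mailboxes matching the failure pattern described in the thread.
$suspect = @($report | Where-Object { $_.InheritanceBlocked -or $_.AdminCount })
$suspect | Format-Table Mailbox, InheritanceBlocked, AdminCount, OrphanAces, SvcFullAccess -AutoSize

# Hypothetical helper implementing the fix from the last post: re-enable
# inheritance on the user object, then remove and re-add FullAccess.
# If the account is still in a protected group, AdminSDHolder will block
# inheritance again on its next pass; fix group membership and AdminCount first.
function Restore-Inheritance($Row) {
    $de = Get-UserEntry $Row.DN
    $de.psbase.ObjectSecurity.SetAccessRuleProtection($false, $true)
    $de.psbase.CommitChanges()
    Remove-MailboxPermission -Identity $Row.DN -User $ServiceAccount `
        -AccessRights FullAccess -Confirm:$false
    Add-MailboxPermission -Identity $Row.DN -User $ServiceAccount -AccessRights FullAccess
}

# Review $suspect first, then repair deliberately, for example:
# $suspect | Where-Object { -not $_.AdminCount } | ForEach-Object { Restore-Inheritance $_ }
```

Accounts that show a non-empty AdminCount are worth reviewing separately before any repair, since a service account with FullAccess to their mailboxes effectively reaches privileged users' mail.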

This topic is archived. No further replies will be accepted.
