Strange thing is happening. One of the users can't access his mailbox since yesterday. Permissions set on his mailbox are just like his neighbors', who don't have such a problem. But if access for Domain Admins group is allowed on his mailbox, he logs on without a problem (he is member of Domain Admins). What could cause such a glitch ?

I would check permission inheritance is configured correctly. That is the usual reason for something like that. Cause - hard to say. Particularly for a single user issue. Simon.Simon Butler, Exchange MVP Blog | Exchange Resources

I would check permission inheritance is configured correctly. Maybe it's a silly question, but how do i do this ?

ADUC on the security tab. It isn't an Exchange setting, but the domain. Simon.Simon Butler, Exchange MVP Blog | Exchange Resources

On Thu, 11 Nov 2010 14:37:32 +0000, Tigger4 wrote: > > >Strange thing is happening. One of the users can't access his mailbox since yesterday. Permissions set on his mailbox are just like his neighbors', who don't have such a problem. But if access for Domain Admins group is allowed on his mailbox, he logs on without a problem (he is member of Domain Admins). What could cause such a glitch ? Domain Admins are denied the "Send As" and "Receive As" permissions on mailboxes. Create another account for him that's in the Domain Admin's group and remove his "normal" account from any privileged groups. Then remove the "adminCount" property from his "normal" account and enable permission inheritence on that account. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP

Create another account for him that's in the Domain Admin's group and remove his "normal" account from any privileged groups. Then remove the "adminCount" property from his "normal" account and enable permission inheritence on that account. As far as i understand, this means he will never use his "normal" account for administrative purposes anymore ?

Solved the problem. Just explicitly deleted the unneeded permissions through PS instead of EMC. Source of the problem: When EMC is removing permissions, actually it executes two commands: 1) Actually removing the permission, 2) Setting it back with -deny key. Do i need to say that the second step here is completely unneeded ? So, what's the picture: 1) We set the full access permission for Domain Admins through EMC 2) We remove it, and EMC reverses it to deny state 3) We already have such a permission that is inherited, so we don't see what has just been set Voila ! How to fix: Execute something like "Remove-MailboxPermission -Identity CONTOSO\User -AccessRights FullAccess -User 'CONTOSO\Domain admins' -Deny", and be happy: what is inherited will remain where it is, and what was added manually will be removed. Worked out for me.

On Fri, 12 Nov 2010 12:43:23 +0000, Tigger4 wrote: >>Create another account for him that's in the Domain Admin's group and remove his "normal" account from any privileged groups. Then remove the "adminCount" property from his "normal" account and enable permission inheritence on that account. >As far as i understand, this means he will never use his "normal" account for administrative purposes anymore ? That's as it should be. You haven't had fun until one of your admin accounts opens an infected e-mail. :-( --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP