Exchange 2010 SP2 - Wipes out Database Permissions
We recently installed Exchange 2010 SP2 and Rollup 1 for SP2. Shortly there after we found that service accounts and Administrator accounts that had GenericAll access on our Exchange 2010 databases no longer have the rights and are prompted when attempting to access the mailbox in an Exchange 2010 mailbox. Via MS case we troubleshooted and were only able to fix this for existing mailboxes. The case is still open and we are trying to fix the databases so that any new mailboxes inherit the permissions (like they did before SP2). Simply removing and reapplying permissions doesn't work. Unfortunately the case is still open, our existing databases are broken and this issue is holding up a couple thousand users from migrating. I post this to warn those that haven't upgraded to SP2 and also hopefully find someone that's run into this same issue. Microsoft Support noted this is an internally known side effect of the upgrade but so far no definitive solution. Thank you in advance for your help.
March 12th, 2012 1:34pm

Hello ExchangeGuru, Do you mean that you use this command "Get-MailboxDatabase -identity "Mailbox DB Name" | Add-ADPermission -User "Administrator" -AccessRights GenericAll "can only grant permission to the existing mailboxes, not to the new created mailboxes, right? I use this command to test in my lab (Exchange 2010 SP1 Rollup 6), it also cannot work for the new created mailboxes. Thanks, Evan Liu TechNet Subscriber Supportin forum If you have any feedback on our support, please contact tngfb@microsoft.com Evan Liu TechNet Community Support
Free Windows Admin Tool Kit Click here and download it now
March 13th, 2012 4:28am

Hello ExchangeGuru, Do you mean that you use this command "Get-MailboxDatabase -identity "Mailbox DB Name" | Add-ADPermission -User "Administrator" -AccessRights GenericAll "can only grant permission to the existing mailboxes, not to the new created mailboxes, right? I use this command to test in my lab (Exchange 2010 SP1 Rollup 6), it also cannot work for the new created mailboxes. Thanks, Evan Liu TechNet Subscriber Supportin forum If you have any feedback on our support, please contact tngfb@microsoft.com Evan Liu TechNet Community Support
March 13th, 2012 4:38am

Hi ExchangeGuru, Any updates on this issue? Thanks, Evan Liu TechNet Subscriber Supportin forum If you have any feedback on our support, please contacttngfb@microsoft.comEvan Liu TechNet Community Support
Free Windows Admin Tool Kit Click here and download it now
March 13th, 2012 9:58pm

Hi ExchangeGuru, Any updates on this issue? Thanks, Evan Liu TechNet Subscriber Supportin forum If you have any feedback on our support, please contacttngfb@microsoft.comEvan Liu TechNet Community Support
March 13th, 2012 10:12pm

I am still working with Microsoft support and asked our TAM escalate. Removing and re-adding the GenericAll didn't work for existing mailboxes for the admin and service accounts. (fyi) I find it interesting that new mailboxes in SP1 RU6 exhibit the same issue. We installed RU6 2 weeks before SP2 and RU1 and don't believe the issue started there. I have a test environment that I'm going to check out for this issue to see what the results are there. It is a much earlier version. Thank you, -Matt
Free Windows Admin Tool Kit Click here and download it now
March 15th, 2012 10:59am

I am still working with Microsoft support and asked our TAM escalate. Removing and re-adding the GenericAll didn't work for existing mailboxes for the admin and service accounts. (fyi) I find it interesting that new mailboxes in SP1 RU6 exhibit the same issue. We installed RU6 2 weeks before SP2 and RU1 and don't believe the issue started there. I have a test environment that I'm going to check out for this issue to see what the results are there. It is a much earlier version. Thank you, -Matt
March 15th, 2012 11:07am

I am unable to test in our test environment it needs to be rebuilt. If anyone else on SP2 is experiencing this issue please let me know and if you have found a fix. (I believe I've run into a bug.)
Free Windows Admin Tool Kit Click here and download it now
March 15th, 2012 1:12pm

I am unable to test in our test environment it needs to be rebuilt. If anyone else on SP2 is experiencing this issue please let me know and if you have found a fix. (I believe I've run into a bug.)
March 15th, 2012 1:21pm

More to add.... Accessing the mailbox as a Secondary Mailbox in the Outlook profile works in both Outlook 2003 and Outlook 2010. So it appears permissions are indeed working as expected however when configuring a profile with just the target mailbox when logged in under the account that is supposed to have permissions still doesn't work. Still on with MS support.
Free Windows Admin Tool Kit Click here and download it now
March 15th, 2012 2:49pm

More to add.... Accessing the mailbox as a Secondary Mailbox in the Outlook profile works in both Outlook 2003 and Outlook 2010. So it appears permissions are indeed working as expected however when configuring a profile with just the target mailbox when logged in under the account that is supposed to have permissions still doesn't work. Still on with MS support.
March 15th, 2012 2:57pm

This has been escalated to the MS bug team.
Free Windows Admin Tool Kit Click here and download it now
March 15th, 2012 5:46pm

This has been escalated to the MS bug team.
March 15th, 2012 5:55pm

Hello, Thanks for your reply. I tested in Exchange 2010 and Exchange 2007 SP3, it also cannot work for new created mailboxes. Personally I think this may not a bug. let's wait for the reply from MS bug team. Thanks, Evan Liu TechNet Subscriber Supportin forum If you have any feedback on our support, please contacttngfb@microsoft.comEvan Liu TechNet Community Support
Free Windows Admin Tool Kit Click here and download it now
March 16th, 2012 6:51am

Hello, Thanks for your reply. I tested in Exchange 2010 and Exchange 2007 SP3, it also cannot work for new created mailboxes. Personally I think this may not a bug. let's wait for the reply from MS bug team. Thanks, Evan Liu TechNet Subscriber Supportin forum If you have any feedback on our support, please contacttngfb@microsoft.comEvan Liu TechNet Community Support
March 16th, 2012 6:59am

Hello, Any updates on this issue? Thanks, Evan Liu TechNet Subscriber Supportin forum If you have any feedback on our support, please contacttngfb@microsoft.comEvan Liu TechNet Community Support
Free Windows Admin Tool Kit Click here and download it now
March 20th, 2012 2:43am

Hello, Any updates on this issue? Thanks, Evan Liu TechNet Subscriber Supportin forum If you have any feedback on our support, please contacttngfb@microsoft.comEvan Liu TechNet Community Support
March 20th, 2012 2:52am

Did you try giving these service and administrator accounts Receive-As permission on the databases? Get-MailboxDatabase TestDB | Add-ADPermission -user serviceAccount -AccessRights ExtendedRight -ExtendedRights Receive-As Per http://technet.microsoft.com/en-us/library/aa996343.aspx, this would allow the service account the ability to log onto all the mailboxes in that database.
Free Windows Admin Tool Kit Click here and download it now
March 30th, 2012 4:19pm

Did you try giving these service and administrator accounts Receive-As permission on the databases? Get-MailboxDatabase TestDB | Add-ADPermission -user serviceAccount -AccessRights ExtendedRight -ExtendedRights Receive-As Per http://technet.microsoft.com/en-us/library/aa996343.aspx, this would allow the service account the ability to log onto all the mailboxes in that database.
March 30th, 2012 4:27pm

I am also experiencing the same Issue here. We are running Exchange 2010 Enterprise SP2 Update Rollup 2. After the SP2 upgrade we lost the ability to log into all mailboxes as Administrator whereas we used to be able to. I have run the command against Exchange - Get-MailboxDatabase | Add-ADPermission -user "Exchange Database Administrators" -AccessRights GenericAll -InheritanceType All When checking any users mailbox - it shows this group having full access, but unfortunately, it doesn't work. I have also tried giving the User group -ExtendedRights of Recieve-As but still no joy. The only way I have got this to work is by using the Add-MailboxPermission command on all mailboxes - Get-Mailbox | Add-MailboxPermission -User Administrator -AccessRights Fullaccess -InheritanceType all This doesn't help with all new mailboxes created though. Basically have to run this command every once an a while to give Administrator full access to them.... Has there been any developments about this? Thanks
Free Windows Admin Tool Kit Click here and download it now
May 8th, 2012 12:06am

I am also experiencing the same Issue here. We are running Exchange 2010 Enterprise SP2 Update Rollup 2. After the SP2 upgrade we lost the ability to log into all mailboxes as Administrator whereas we used to be able to. I have run the command against Exchange - Get-MailboxDatabase | Add-ADPermission -user "Exchange Database Administrators" -AccessRights GenericAll -InheritanceType All When checking any users mailbox - it shows this group having full access, but unfortunately, it doesn't work. I have also tried giving the User group -ExtendedRights of Recieve-As but still no joy. The only way I have got this to work is by using the Add-MailboxPermission command on all mailboxes - Get-Mailbox | Add-MailboxPermission -User Administrator -AccessRights Fullaccess -InheritanceType all This doesn't help with all new mailboxes created though. Basically have to run this command every once an a while to give Administrator full access to them.... Has there been any developments about this? Thanks
May 8th, 2012 12:25am

Hi ExchangeGuru, please what is status about the issue? Thx.
Free Windows Admin Tool Kit Click here and download it now
June 26th, 2012 5:37pm

Hi ExchangeGuru, please what is status about the issue? Thx.
June 26th, 2012 5:46pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics