Exchange 2010 domainprep messing up mailbox permissions on existing Exchange 2003 server
Our environment is basically one Exchange 2003 server, and we're attempting to move to Exchange 2010 gradually, and to new hardware while we're at it. So our first step was obviously to get Exchange 2010 installed on the new box. However, after running the domainprep steps listed in http://technet.microsoft.com/en-us/library/bb125224.aspx (including PrepareLegacyExchangePermissions), our mailbox permissions get messed up. Normally, we have an AD security group for Exchange Administrators that allows anyone in that group to view all folders inside any user's mailbox. Now, however, this functionality is gone and our Exchange Admins can't access anyone's mailboxes. We'd like to get this functionality back if we could. Thanks
November 3rd, 2010 3:52pm

How did you grant those permissions? If those users are Domain Admins then the permissions may well be revoked. That is the standard behaviour now: a user account with domain admin rights cannot have access to all mailboxes. That is also the best practice. You would have to change the permissions back, or start to get used to having separate accounts, a user-level account and a separate domain admin account; again, that is best practice and how the world is moving. Either your Exchange 2003 server wasn't fully patched, or you had changed the permissions structure, which has been "corrected". As a side issue, I have never had, nor asked for, full access to all mailboxes by default. It is not a permission I want. If I need access then I grant the permission as required, and then remove it. I don't want the headache of denying I accessed a mailbox when content is removed, leaked etc., when auditing can prove I didn't have permissions at the time. The days of an admin having access to everything in email are long gone, particularly with the increased privacy legislation in most locations. Simon. Simon Butler, Exchange MVP Blog | Exchange Resources
November 3rd, 2010 4:54pm

Permissions were set up like that before I came to this organization. Domain Admins is specifically the group I'm referencing that needs access. We're also running a skeleton outfit, so we do need to get our available administrators access to these accounts as well. There seems to be some fix I remember from a while back, when we attempted this before, regarding editing AD directly using ADSIEdit, but I cannot seem to find the KB article again. Thanks
November 3rd, 2010 4:58pm

I don't believe the fix for Exchange 2003 works with the later versions. AdminSDHolder is the issue. The fact that it was set up like that before doesn't mean it was correct. When I take on a network I presume the previous admin was an idiot who didn't know what he was doing. Being blunt, the split permission model is how everything is being pushed now. While you can try and work against it, it will be an uphill battle, as things will be corrected by patches and updates. The sooner you move to that model, the easier you will find things are. A permissions model from 5 or more years ago doesn't really cut it these days. Simon. Simon Butler, Exchange MVP Blog | Exchange Resources
November 3rd, 2010 5:02pm

Unfortunately, I know this doesn't mean it's correct, but due to the politics of where I work, "that's the way things are", and there's no real point in attempting to tell anyone that that's not the way it's supposed to be done (just grounds for being ignored). Our goal was to move gradually into RBAC systems once we got ourselves comfortable with Exchange 2010, but as of right now, support tickets are piling up in our queue and users are getting agitated, which means managers are too. So a band-aid over a bullet wound, I know, but I need to get this issue fixed. I hate to sound whiny and obstinate, but as of right now, this is where I sit.
November 3rd, 2010 5:07pm

Just grant the permissions as required. You do not need to have access to all mailboxes to get access. As long as you don't attempt to access the mailbox before granting the permissions, the old permissions will not be cached. It takes less than 30 seconds to make the change. The most common reason why people don't do this is the permission caching issue: they access the account, find they cannot, change the permissions, but still cannot access the mailbox until the permissions cache has expired (two hours by default). Presume you do NOT have permissions and check first; then you will not have the problem. It's unfortunate that bad practices come along and bite people when an updated version is implemented. I have been there myself, and it can cause pain. Simon. Simon Butler, Exchange MVP Blog | Exchange Resources
November 3rd, 2010 5:16pm
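The "check first, grant only what you need, then revoke" workflow from Simon's first and third replies, written out as an added example for the Exchange 2010 Management Shell. This is not code from the thread or from Microsoft; it assumes the Exchange 2010 management snap-in and the ActiveDirectory module are loaded, and the account names `CONTOSO\jdoe` and `alice` are hypothetical placeholders. The last step only lists which accounts AdminSDHolder has marked as protected (`adminCount = 1`), which is the mechanism the replies say strips inherited mailbox rights from Domain Admins.

```powershell
# Added example, not from the original thread. Assumes the Exchange 2010
# Management Shell with the ActiveDirectory module imported.
Import-Module ActiveDirectory

$Admin  = 'CONTOSO\jdoe'   # hypothetical admin account (use a non-Domain-Admin account)
$Target = 'alice'          # hypothetical mailbox that needs to be examined

# Step 1: check what is already granted BEFORE opening the mailbox in Outlook.
# A failed access attempt would be cached (two hours by default, per the thread),
# so look at the permission entry instead of trying to open the mailbox.
$existing = Get-MailboxPermission -Identity $Target -User $Admin |
    Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.Deny }

if (-not $existing) {
    # Step 2: grant Full Access scoped to this one mailbox, not to the whole store.
    Add-MailboxPermission -Identity $Target -User $Admin `
        -AccessRights FullAccess -InheritanceType All
}

# Step 3: confirm the explicit entry is present and not a deny.
Get-MailboxPermission -Identity $Target -User $Admin |
    Select-Object User, AccessRights, Deny, IsInherited

# ... do the support work here, then revoke so the grant is not left behind.
Remove-MailboxPermission -Identity $Target -User $Admin `
    -AccessRights FullAccess -InheritanceType All -Confirm:$false

# Step 4: see which accounts AdminSDHolder protects. Members of Domain Admins
# (and the other protected groups) are stamped adminCount=1 and have inheritance
# on their ACLs reset, which is why inherited "all mailboxes" rights disappear
# for them; a dedicated non-admin account avoids this entirely.
Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount |
    Select-Object SamAccountName, DistinguishedName
```

The grant and revoke are explicit, per-mailbox entries, so they survive the AdminSDHolder reset only for accounts that are not themselves protected; running the grant against a Domain Admin account will keep working only as long as the protected-object sweep does not touch the mailbox object, which is another reason to use a separate, unprivileged admin identity as the replies suggest.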

Hi tearman, Sembee gave some good information. Regards! Gavin
November 4th, 2010 4:23am
