Scenario: Two way trust exist between 2 forests and is working. Each forest have multiple Exc 2010 SP2 servers, and multiple DC 2003/2008 servers. I create new linked mailbox in resource forest, link to Master account in user forest and mailbox create sucesfully. But logging into Outlook or OWA with user forest username, resource Exchange server log: The user has not been granted the requested logon type at this machine. Status: 0xc000015b Sub Status: 0x0

Have you followed this - http://technet.microsoft.com/en-us/library/bb123524.aspxSukh

Yes the process do complete succesfully. User account is created as disabled user in resource forest where exchange is in. Can create user in EMC or PS, same success result. But after trying to access mailbox, this error gets loggend in Exc server security eventlog Account Name" user resource domain\username The user has not been granted the requested logon type at this machine. Status: 0xc000015b Sub Status: 0x0

And you have setup the trusts between th forests?Sukh

What about Network Logon, is that allowed, also, as you're checking the local Policy are you sure there's no Domain policy overriding this? Check a GPResults and look at the right and see who is allowed to do what.Sukh

Yes trusts are in place Can validate two way trust on DC's of both forests When creating the resource mailbox, can browse to user forest domain and select user for master account. GPO -> Security Settings -> Local Policies -> User rights assigments -> can edit for example Allow logon locally and select user forest domain and browse for users

What about Network Logon, is that allowed, also, as you're checking the local Policy are you sure there's no Domain policy overriding this? Check a GPResults and look at the right and see who is allowed to do what.Sukh

Thank you Allowed "user forest\domain users" into network login. Also allowed Kerberos-Sec TCP and LDAP GC between Dc's for above to work. Outlook and OWA now login succesfully

hello, i have the same issue. where do you exactly allow "user forest\domain users' into network login? on the CAS servers's local security policy?