Exchange Server 2007 Permissions
We have affected users who are members of Exchange Organization Management, Domain Admins, and Domain Users. Now I try to log on to OL 2007 and it prompts me for credentials, and I am unable to log on to OWA. Later I go to EMC, get to the Manage Full Access Permission settings of the affected mailbox and add the Domain Admins group there, and yes, now we are able to access the mailbox successfully without even a prompt for credentials, and OWA works fine.
If I remove the Domain Admins group from the Manage Full Access Permission settings of the affected mailbox, I lose access to OL and OWA.
I created a test mailbox and made the account a member of the same 3 groups: Org Management, Domain Admins and Domain Users. I am able to access the mailbox without the Domain Admins group being added to the Manage Full Access Permission settings of the affected mailbox.
Can anyone post your advice on this?
Regards,
Deepak Exchange Server 2003/2007/2010
March 2nd, 2012 11:25am
Don't use privileged accounts for e-mail. Create separate accounts for administration and e-mail. This is also a security best practice.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
March 3rd, 2012 11:00pm
On Sun, 4 Mar 2012 03:51:32 +0000, Ed Crowley wrote:
>Don't use privileged accounts for e-mail. Create separate accounts for administration and e-mail.
Being a member of a privileged group blocks inheritance. Exchange
doesn't get the necessary security settings on the account.
If you try to change the security on the account the AdminSDHolder
thread takes them away within an hour.
>This is also a security best practice.
Besides retaining your sanity. :-)
---
Rich Matheisen
MCSE+I, Exchange MVP
March 4th, 2012 12:37am
Hello Ed,
Thank you for your reply. Well, you mean to say that we can have a domain account separate and a mailbox account separate? So is it like, if an account is a member of a privileged account, we have to create another account for him to access his mailbox?
Regards,
Deepak
March 7th, 2012 10:03am
Sure Rich,
Thank you for the information; however, I have a question where I would seek your advice.
This scenario happened on a mailbox that was working fine for a long time! So do you think an inheritance block will happen all of a sudden?
Regards,
Deepak
March 7th, 2012 10:05am
On Wed, 7 Mar 2012 14:50:16 +0000, Deepak Siva Sankar wrote:
>Thank you for the information; however, I have a question where I would seek your advice.
>
>This scenario happened on a mailbox that was working fine for a long time! So do you think an inheritance block will happen all of a sudden?
It isn't a question of when it will happen, it's a fact.
It's possible the user account wasn't a member of a privileged group
before.
---
Rich Matheisen
MCSE+I, Exchange MVP
March 7th, 2012 11:54am
Thanks. Is there any article which explains this fact?
Because it was working fine in my lab. I appreciate your reply.
Regards, Deepak
March 7th, 2012 2:44pm
Yes, use two separate accounts. The security benefit is that the account you use to log on to your workstation won't have rights to do dangerous stuff to the Internet should you get infected with spyware or some such. You're also less likely to do something accidentally.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
March 7th, 2012 3:13pm
On Wed, 7 Mar 2012 19:29:37 +0000, Deepak Siva Sankar wrote:
>Thanks. Is there any article which explains this fact?
That the inheritance will be blocked? That any permissions you assign
to the account will be removed?
http://blogs.technet.com/b/askds/archive/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop.aspx
http://blogs.technet.com/b/exchange/archive/2009/09/23/3408362.aspx
http://support.microsoft.com/kb/232199
etc.
But you could have discovered all of that just by searching for
"AdminSDHolder".
>Because it was working fine in my lab. I appreciate your reply.
---
Rich Matheisen
MCSE+I, Exchange MVP
March 7th, 2012 5:42pm
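To see which mailbox accounts are affected by the AdminSDHolder behaviour described in the replies above, the following read-only check is an added example and not code from any poster in this thread. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the caller can read user objects in the domain.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT)
# and read access to the domain. Read-only: nothing is modified.
Import-Module ActiveDirectory

# Mailbox-enabled users (homeMDB is set) that carry adminCount=1, the marker
# left on accounts that are or were members of a protected group.
$filter = '(&(objectCategory=person)(objectClass=user)(adminCount=1)(homeMDB=*))'

Get-ADUser -LDAPFilter $filter -Properties adminCount, homeMDB, memberOf, nTSecurityDescriptor |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName     = $_.SamAccountName
            AdminCount         = $_.adminCount
            # True means inheritance is disabled on the user object, so the
            # security settings Exchange needs are not inherited.
            InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
            # Direct memberships only; nested groups are not expanded here.
            # Takes the first RDN of each group DN as a readable name.
            DirectGroups       = ($_.memberOf |
                ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; '
        }
    } |
    Sort-Object SamAccountName |
    Format-Table -AutoSize
```

Both adminCount and the disabled inheritance persist after an account is removed from the protected group, so a hit here does not by itself prove current membership. Every account listed is a candidate for the split into a separate administrative account and mailbox account recommended above.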