Inherited mailbox rights, where do they come from?
The problem came up when I was trying to extract a mailbox using ExMerge with the built-in domain admin account "administrator". I got a permission error when it tried to copy the mailbox (it works OK under another user which has full permission). By checking the mailbox rights I found that the "administrator" account has incomplete full permission, and it cannot be changed since it is inherited from "somewhere" (BTW, there is no option in the Exchange Advanced tab to stop mailbox rights inheritance). I suppose these rights come from the information storage groups. But tracing the rights in System Manager led me nowhere. They are all inherited from "Somewhere". Now my question is, where is the root of those inherited mailbox rights? Have they been assigned to a service?
March 8th, 2007 3:41am

By default, mailbox access is restricted to everyone other than the owner. The permissions are set at the organizational level and inherited all the way down to the mailbox stores. If you'd like to grant authorized users such as Administrators access to mailboxes for ExMerge purposes, you have to set the DSACLs. http://support.microsoft.com/kb/273642/
March 8th, 2007 9:33pm

Chris, thanks for the reply. The problem for me now is whether there are any ways to modify the organizational level ACLs. In System Manager, the properties option of the Organization object does not have an option for "security".
March 10th, 2007 5:46am

I'm not sure I really understand what you are trying to do. As you know, modifications to the default inheritance settings are not a common practice, especially at that granular a level, because it can lead to many problems that are irreversible. I think it's commonly referred to as the key to unlocking Pandora's box. Anyhow, unless there are significant changes to ACLs within the environment, I'd assume the setting is at a default state. What you can do is create a group and add the appropriate permissions you'd like with a non-built-in account to ensure a way out for testing. If you are looking to modify default ACL settings for inheritance at the directory level, you can delegate the appropriate ACLs to the AdminSDHolder container. Accounts that nest into BuiltIn groups have their security rights and inheritance stripped by the AdminSDHolder container. Information on this can be researched here: Description and update of the Active Directory AdminSDHolder Object http://support.microsoft.com/kb/232199/
March 10th, 2007 12:03pm

CAUSE
This behavior occurs because the account you are logged on as does not have Receive As and Send As permissions to the mailboxes on which ExMerge is exporting and importing messages. Even the Full Exchange administrator account does not have Receive As and Send As permissions by default.

RESOLUTION
To resolve this issue, grant the account that you are using to run ExMerge Receive As and Send As permissions on the Mailbox store:
1. Start Exchange System Manager, and under Administrative Groups, locate the Mailbox store.
2. Right-click the Mailbox store, click Properties, and then click the Security tab.
3. On the Security tab, in the top pane click the account that you are logged on as, and in the bottom pane, click to select the Receive As and Send As check boxes to grant these permissions to that account.
4. Click OK. This account now has full permissions to log on to the mailbox store, and to export or import messages for every mailbox.
5. Grant Send As and Receive As permissions to this administrator account on all the mailbox stores against which you need to run ExMerge.

Note: When you are ready to process the data from the new stores, stop the SMTP service. By stopping the SMTP service, no new e-mail messages are delivered to the new stores while you are running ExMerge.

After you grant these permissions, ExMerge runs successfully.
March 24th, 2007 9:18pm

I want to share a problem that is related to the above topic. All users can access other users' mailboxes from their Outlook; they can even add other users' mailboxes. If I check the rights from Exchange Advanced and Mailbox Rights (Active Directory Users and Computers), I can see Everyone having read, change, take ownership and full mailbox access to my mailbox, and the properties are the same for all mailboxes. Although I can lock Outlook by using Group Policy, I can still add any mailbox from Control Panel. Can anyone help me to solve this issue!!! Waiting for a reply.
April 22nd, 2007 3:09pm

Hi Chigrboy,
You didn't read my question. Anyway, I have finally sorted it out myself. The permission is assigned through ADSI Edit! Not Active Directory Users and Computers or Exchange System Manager. I just added myself onto the container CN=Microsoft Exchange with full control. Now I have full permission to any objects in this container. And in AD Users and Computers or System Manager, it will look like it is inherited from "Somewhere"! So the "CN=Microsoft Exchange" IS "somewhere".
May 18th, 2007 6:07am

Hi, I did not add anything from ADSI, and this is not only with administrator, it's with everyone. Everyone can open other users' mailboxes from Outlook, even though I didn't edit any security setting, neither on the domain controller nor on the Exchange server. As I have explained earlier, I have blocked this for Outlook only, by just customizing the Group Policy for Outlook, but still anyone can add another user's mailbox from Control Panel. I think there are rights issues because I installed Exchange on a drive other than the C drive. Help me!
May 22nd, 2007 3:09pm

Hi aha_tom,
I am having the same issue at the moment. Can you please tell me where CN=Microsoft Exchange is located? I've clicked around inside ADSI Edit and can't find that particular container.
Thanks!
April 3rd, 2008 8:34pm

In ADSIEDIT: Configuration - Services - Microsoft Exchange.
I am trying to figure out the inherited permissions for Exchange Advanced/Mailbox Rights. I have some users with one permission inherited and some with a different inherited permission for the same Admin user. I am very confused as to where the inherited permission is coming from in the AD - Exchange Advanced - Mailbox Rights section. Any help would be a mind saver.
September 24th, 2008 7:37pm
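
An added example, not part of any post in this thread: a read-only PowerShell script that walks from a mailbox store up through the Configuration - Services - Microsoft Exchange path named above and lists the ACEs set explicitly at each level, which is where rights shown as "inherited" on a mailbox originate. The store DN is a constructed placeholder, and the two GUIDs are the schema rightsGuid values for the Send-As and Receive-As extended rights.

```powershell
# Added example (read-only). $storeDn is a constructed placeholder DN; use your own.
$storeDn = 'CN=Mailbox Store (SERVER1),CN=First Storage Group,CN=InformationStore,' +
           'CN=SERVER1,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,' +
           'CN=ExampleOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=com'

# rightsGuid values of the two extended rights the ExMerge account needs
$extRights = @{
    'ab721a54-1e2f-11d0-9819-00aa0040529b' = 'Send-As'
    'ab721a56-1e2f-11d0-9819-00aa0040529b' = 'Receive-As'
}
$adr     = [System.DirectoryServices.ActiveDirectoryRights]
$sidType = [System.Security.Principal.SecurityIdentifier]

function Get-ExplicitMailboxAce {
    param([System.DirectoryServices.DirectoryEntry]$Entry)
    # includeExplicit = $true, includeInherited = $false: only ACEs set on this object
    foreach ($ace in $Entry.psbase.ObjectSecurity.GetAccessRules($true, $false, $sidType)) {
        $right = $extRights[$ace.ObjectType.ToString()]
        $r = $ace.ActiveDirectoryRights
        if (-not $right -and ($r -band $adr::GenericAll) -eq $adr::GenericAll) {
            $right = 'Full control'
        } elseif (-not $right -and ($r -band $adr::ExtendedRight) -and
                  $ace.ObjectType -eq [Guid]::Empty) {
            $right = 'All extended rights'   # empty GUID covers Send-As and Receive-As
        }
        if (-not $right) { continue }
        # Resolve the SID to a name where possible; keep the raw SID otherwise
        try   { $who = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.IdentityReference.Value }
        New-Object PSObject -Property @{
            Object  = [string]$Entry.distinguishedName
            Trustee = $who
            Type    = $ace.AccessControlType   # Allow or Deny
            Right   = $right
            Flows   = $ace.InheritanceType     # None = does not flow to child objects
        }
    }
}

# Walk store -> storage group -> server -> ... -> CN=Microsoft Exchange -> CN=Configuration
$found = @()
$entry = [ADSI]"LDAP://$storeDn"
while ($entry -and $entry.distinguishedName) {
    $found += @(Get-ExplicitMailboxAce $entry)
    if ([string]$entry.distinguishedName -like 'CN=Configuration,*') { break }
    $entry = $entry.psbase.Parent
}
$found | Format-Table Object, Trustee, Type, Right, Flows -AutoSize -Wrap
```

Read the Type column as well as the Right column: Deny rows set higher in the tree are part of what a mailbox shows as inherited, alongside the Allow rows.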

This topic is archived. No further replies will be accepted.
