Permission of Full Mailbox Access LOST after some hours for some user
Hello, we are in the middle of a mailbox migration from Exchange 2003 to Exchange 2010. The migration is going well. All users are working and are always connected, also with mobile. But there are some mailboxes (generic mailboxes like "administration") where I set full access for one or two users. All works fine for one or more hours but, for example, today after lunch the 2 users called me saying that they do not have the right to send for the "administration" mailbox. I go to AD and the full rights on the Security tab for user "Administration" are missing! What's the matter? We have 3 domain controllers, but 1 of these is in a bad state... we are working on a new domain controller. I think that the faulty domain controller is probably the problem! Can somebody confirm? I can move as soon as possible to change the domain controller; is that probably the solution? Thanks a lot. Luca
Luca Targa Vecomp Software
June 14th, 2011 3:50pm

You said that you have moved mailboxes from 2003 to 2010. If yes, then why are you giving permission from the AD console? If the mailbox is on the 2010 server then you must use EMC or EMS to give full mailbox permission.
Anil MCC 2011, ITIL V3, MCSA 2003, MCTS 2010, My Blog: http://messagingschool.wordpress.com
June 14th, 2011 4:47pm

Yes, you are right, but the problem still exists. Luca
Luca Targa Vecomp Software
June 14th, 2011 4:49pm

If you set full access permission from the Security tab on the AD user properties, then the proper Exchange permission is automatically shown in the full access permission dialog of the Exchange console... it's the same. The question is: why is only the same 1 user removed after some hours? The other users still remain enabled for full access permission on the same mailbox. Thanks, Luca
Luca Targa Vecomp Software
June 14th, 2011 5:00pm

Hi Luca, according to my experience, it is due to an AD replication error. I always see AD accounts lose properties after AD replication. You can do the test. You can change domain controller and grant the account again. If the properties are not lost in one month, it is an AD error. If the properties are still lost in one month, it is an account error or AD schema error. The best way is to delete and recreate the user account.
June 15th, 2011 5:44am

Thanks Terence, I have 3 domain controllers, but one is corrupt, so we are looking to replace the corrupt AD server with the third. If I set a permission for a user I can see the new permission on every server (also on the corrupt one), but after one, two, or three hours the permission is removed (and we can see the missing permission on every server). So, we know that we have a problem with SYSVOL replication. Do you think we can wait until the corrupt server is replaced, or can I proceed with recreating the single user? Thanks, Luca
Luca Targa Vecomp Software
June 15th, 2011 11:30am

You mentioned that Send As privileges are gone; this is expected if the user is in any privileged groups or nested into any privileged groups. The "Send As" right is removed from a user object after you configure the "Send As" right in the Active Directory Users and Computers snap-in in Exchange Server: http://support.microsoft.com/kb/907434
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
June 15th, 2011 8:24pm

We ran into a similar issue with some of our accounts that had elevated rights (Domain Admins, Account Operators). The operative word here is "had", because this even applied to some users that used to be in these groups, but had since been removed. Make sure the Inherit Permissions is checked on the AD Object. Hope this helps. Thanks, Karl
June 16th, 2011 9:19pm
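
A check for the condition the two replies above describe, as an added example that is not part of any post in this thread. It assumes the ActiveDirectory PowerShell module is available and uses the real `adminCount` attribute and the schema GUID of the Send As extended right, neither of which appears in the thread; the function name is hypothetical. An account that is, or used to be, in a protected group typically keeps `adminCount = 1` with inheritance disabled, and explicit ACEs on it are then periodically overwritten.

```powershell
# Added example; requires the ActiveDirectory module (RSAT / AD Web Services).
Import-Module ActiveDirectory

function Test-AdminSDHolderProtection {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identity   # sAMAccountName or DN of the mailbox-enabled account
    )

    $user = Get-ADUser -Identity $Identity `
        -Properties adminCount, nTSecurityDescriptor, MemberOf
    $sd = $user.nTSecurityDescriptor

    # rightsGuid of the Send-As extended right in the AD schema
    $sendAsGuid = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'
    $extended   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    # Explicit (non-inherited) allow ACEs that grant Send As on this object.
    # Full-control ACEs, which also imply Send As, are not listed here.
    $sendAsAces = @($sd.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        -not $_.IsInherited -and
        ($_.ActiveDirectoryRights -band $extended) -and
        $_.ObjectType -eq $sendAsGuid
    })

    New-Object PSObject -Property @{
        Account             = $user.SamAccountName
        AdminCount          = $user.adminCount
        InheritanceDisabled = $sd.AreAccessRulesProtected
        # Both set together is the usual signature of a protected account
        LikelyProtected     = ($user.adminCount -eq 1 -and $sd.AreAccessRulesProtected)
        # Direct memberships only; nested groups are not resolved
        DirectGroups        = @($user.MemberOf)
        SendAsTrustees      = @($sendAsAces | ForEach-Object { $_.IdentityReference.Value })
    }
}

# 'administration' is the shared mailbox named in the thread
Test-AdminSDHolderProtection -Identity 'administration' | Format-List
```

Running it once right after granting the permission and again after the permission has disappeared shows whether the trustee list was reset while `LikelyProtected` stayed true.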

Hi Karl, now I'm trying checking Inherit Permissions on the AD Object. Waiting for a response... I hope this is the solution! The problem is only for mailboxes migrated from Exchange 2003 (we have a coexisting server with Exchange 2010). For the new mailboxes created on Exchange 2010 there are no problems. Thanks, Luca
Luca Targa Vecomp Software
June 21st, 2011 11:39am

Hi Karl, unfortunately it doesn't work! At this moment my account has been removed from the security of the account in question! Do you have any other idea? Luca
Luca Targa Vecomp Software
June 21st, 2011 11:41am

Hi Luca, how are you setting these permissions, using the shell, or in AD? Have you tried: Add-ADPermission mailboxname -User username -Extendedrights "Send As" where mailboxname is the name of the mailbox the user should have Send As permissions for, and username is the name of the user to be given access. Thanks, Karl
July 15th, 2011 12:05pm
