Has anyone seen this sort of output for the AccessRights, specifically the number?This can be related to several other issues we had in regards to 3rd party AD management software. get-mailboxpermisson -identity 'user' | ft user,accessrightsOUTPUTUser Access Rights---- -------------NT AUTHORITY\SELF {FullAccess, DeleteItem, ReadPermission}domain\name {1179648}domain\name {2031617}domain\name {1179649}domain\name {2031617}domain\name {2031617}I also noticed that in some cases the SELF has AccessRights listed as a number. User Access Rights---- -------------NT AUTHORITY\SELF {1179649}In these i issued the command Remove-MailboxPermission -Identity 'username' -User 'SELF' -AccessRights "FullAccess,ReadPermission,ExternalAccount" Remove-MailboxPermission : Cannot remove ACE on object "userFQDN" for account "NT AUTHORITY\SELF" because it is not present. When i manually remove SELF, then re-add self with correct permission and run the get-mailbox command the output is nowUser Access Rights---- -------------NT AUTHORITY\SELF {FullAccess, DeleteItem, ReadPermission}again this could be due to the third party AD mgmt software, thought this might also be from migrated account from legacy domains??anyone see this before??? reminds me of UAC for user.

It certainly looks as if you have nonstandard permissions settings going on there.-- Ed Crowley MVP"There are seldom good technological solutions to behavioral problems.". "mviton" wrote in message news:75318c00-a3b2-47a1-a306-43d7da82d9a5...Has anyone seen this sort of output for the AccessRights, specifically the number?This can be related to several other issues we had in regards to 3rd party AD management software. get-mailboxpermisson -identity 'user' | ft user,accessrightsOUTPUTUser Access Rights---- -------------NT AUTHORITY\SELF {FullAccess, DeleteItem, ReadPermission}domain\name {1179648}domain\name {2031617}domain\name {1179649}domain\name {2031617}domain\name {2031617}I also noticed that in some cases the SELF has AccessRights listed as a number. User Access Rights---- -------------NT AUTHORITY\SELF {1179649}In these i issued the command Remove-MailboxPermission -Identity 'username' -User 'SELF' -AccessRights "FullAccess,ReadPermission,ExternalAccount" Remove-MailboxPermission : Cannot remove ACE on object "userFQDN" for account "NT AUTHORITY\SELF" because it is not present.When i manually remove SELF, then re-add self with correct permission and run the get-mailbox command the output is nowUser Access Rights---- -------------NT AUTHORITY\SELF {FullAccess, DeleteItem, ReadPermission}again this could be due to the third party AD mgmt software, thought this might also be from migrated account from legacy domains??anyone see this before??? reminds me of UAC for user. Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

Does the symptom occur on the mailbox for migrated account after being modified by the third-party management? Does the symptom never occur on the mailbox for migrated account when managed only by EMS? I think the answers of the questions above can confirm if the issue is related to that third-party toolJames Luo TechNet Subscriber Support (http://technet.microsoft.com/en-us/subscriptions/ms788697.aspx) If you have any feedback on our support, please contact tngfb@microsoft.com

As of now we believe it is caused by third party tool. we are not to pleased about it. first issue this has caused: in the account object in the third party mmc, we cannot see the mailbox permissions without going to the advanced permissions tab and individual selecting edit per user listed in the mailbox permissions. Next issue: when the user 'SELF' is showing mailboxpermissions of a number, not the standard string format, the free busy is not being published. Only for outlook 2007/owa users (all exch 2007 environment) becausing it is killing the AS connectivity for the user. also noticed that when cannot remove the user SELF thru remove-mailboxpermission because it does not see the user 'SELF'. I can add 'SELF' via add-mailboxpermission. Then when i run get-mailboxpermission i have to entries for self, one with the number and one with a string for AccessRights. I can only remove the 'invalid' self manually. As soon as add the valid self user and permission, whether manually or thru shell, the AS connectivity is re-established immediately. Who knows what other issues will popup Niiice huh

Yeah, the SELF showing a GUID would indicate that it has an account from a domain for which a trust has been broken or something like that. You'll see that when you've done a lot of migrations, for example.-- Ed Crowley MVP"There are seldom good technological solutions to behavioral problems.". "mviton" wrote in message news:8d53ab8f-aba8-4aea-919e-2e3745fc5b6f... As of now we believe it is caused by third party tool. we are not to pleased about it. first issue this has caused: in the account object in the third party mmc, we cannot see the mailbox permissions without going to the advanced permissions tab and individual selecting edit per user listed in the mailbox permissions. Next issue: when the user 'SELF' is showing mailboxpermissions of a number, not the standard string format, the free busy is not being published. Only for outlook 2007/owa users (all exch 2007 environment) becausing it is killing the AS connectivity for the user. also noticed that when cannot remove the user SELF thru remove-mailboxpermission because it does not see the user 'SELF'. I can add 'SELF' via add-mailboxpermission. Then when i run get-mailboxpermission i have to entries for self, one with the number and one with a string for AccessRights. I can only remove the 'invalid' self manually. As soon as add the valid self user and permission, whether manually or thru shell, the AS connectivity is re-established immediately. Who knows what other issues will popup Niiice huh Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

Then, please contact the support of that third party management software for the issue. Well, I guess you have already been doing thatJames Luo TechNet Subscriber Support (http://technet.microsoft.com/en-us/subscriptions/ms788697.aspx) If you have any feedback on our support, please contact tngfb@microsoft.com

As of now we believe it is caused by third party tool. we are not to pleased about it. first issue this has caused: in the account object in the third party mmc, we cannot see the mailbox permissions without going to the advanced permissions tab and individual selecting edit per user listed in the mailbox permissions. Next issue: when the user 'SELF' is showing mailboxpermissions of a number, not the standard string format, the free busy is not being published. Only for outlook 2007/owa users (all exch 2007 environment) becausing it is killing the AS connectivity for the user. also noticed that when cannot remove the user SELF thru remove-mailboxpermission because it does not see the user 'SELF'. I can add 'SELF' via add-mailboxpermission. Then when i run get-mailboxpermission i have to entries for self, one with the number and one with a string for AccessRights. I can only remove the 'invalid' self manually. As soon as add the valid self user and permission, whether manually or thru shell, the AS connectivity is re-established immediately. Who knows what other issues will popup Niiice huh Same problem here. Can you elaborate on how you are removing the 'invalid' self manually? Can anyone share the third party AD management tools they are using, and whether the vendor has acknowledge the issue?

contact me outside of this forum and i can elaborate more. I dont believe the forum is the particular place to discuss particular tools of particular companies.

BTW, we resolved the issue with the third party AD management tool. It had to do with permissions and how rights were pushed thru from the user.