Unable to change members of AD security groups who have access to shared mailboxes

I have an Exchange 2013 running for over a year now and never had any problems with it, until recently.

A request came in to make a new shared mailbox. So I did just that and gave rights to a security (not mail-enabled) AD group, just like I always do. Everything worked fine. A few hours later I did exactly the same for another request, and then the people could not access the shared mailbox. So I added my regular user to the AD group and I also couldn't (I tested it with OWA and Outlook). I tried to remove myself from one of my own shared mailboxes and the permissions wouldn't stick. When I removed the entire group, the permissions were gone (and I could not access the shared mailbox). When I added it back I had my permissions back but still wasn't in the group. Then I tried adding a distribution group, with the same result.

It seems when I add normal users directly to the permissions everything works.

When I had to restart the server a few days later, all changes were applied, but I could not change it again.

I'm a bit stumped on this one. I'm out of options.

February 25th, 2015 11:17pm

Hi Jelle,

Group permissions are written on your Kerberos ticket - did you log off/log on again?

Did you check there was an AD discovery event on your Active Directory Service in Exchange?

Did you check the change was available on a global catalog in the Exchange site as well as on your logon site?

If your site does not know, you will not have it on your ticket. If you add a user directly to the resource, your user object is assigned directly to the ACL, so there is no dependency like the ticket (as your SID is always on your ticket).

Please verify.

Regards,
Martin

February 25th, 2015 11:59pm
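
The mechanism described in the reply above, as a small added model in Python (an illustration added here, not part of the thread and not Exchange or Windows code): an ACL check is made against a snapshot of SIDs taken at logon, so a group ACE follows the snapshot while a user ACE does not depend on it. The SIDs, class and function names are constructed for the example, and the model makes no claim about which component holds the snapshot.

```python
"""Toy model: ACL evaluation against a logon-time snapshot of group SIDs."""
from dataclasses import dataclass, field

# Constructed sample SIDs (not real accounts).
USER = "S-1-5-21-1111-1001"    # the user's own SID
GROUP = "S-1-5-21-1111-2001"   # security group granted rights on the mailbox


@dataclass
class Directory:
    """Current membership as stored in the directory: group SID -> member SIDs."""
    members: dict = field(default_factory=dict)

    def groups_of(self, user_sid):
        return {g for g, m in self.members.items() if user_sid in m}


def issue_token(directory, user_sid):
    """Snapshot taken at logon: the user's SID plus the group SIDs known right then."""
    return frozenset({user_sid} | directory.groups_of(user_sid))


def has_access(token, mailbox_acl):
    """Access is granted when any SID in the token appears on the ACL."""
    return bool(token & mailbox_acl)


def stale_sids(token, directory, user_sid):
    """SIDs on which the snapshot and the directory's current state disagree."""
    return set(token) ^ ({user_sid} | directory.groups_of(user_sid))


def demo():
    ad = Directory({GROUP: set()})
    acl = {GROUP}                       # mailbox grants rights to the group only
    token = issue_token(ad, USER)       # logon happens before the group change
    ad.members[GROUP].add(USER)         # admin adds the user to the group
    results = {"added_old_token": has_access(token, acl),
               "stale_after_add": stale_sids(token, ad, USER)}
    token = issue_token(ad, USER)       # a fresh snapshot picks up the group SID
    results["added_new_token"] = has_access(token, acl)
    ad.members[GROUP].discard(USER)     # admin removes the user again
    results["removed_old_token"] = has_access(token, acl)
    # An ACE naming the user's own SID works with any token, group-free or not.
    results["direct_ace"] = has_access(issue_token(Directory(), USER), {USER})
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
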

Hi Martin,

Thanks for responding.

I did log off multiple times. Even over a period of several days the permissions would not change.

How can I check this? When I used an Exchange distribution group to test it, I made the changes in Exchange and I tested it in OWA. The distribution group was working but not the rights to the shared mailbox. When I tested it with normal security groups I did the changes on the server, which is also a global catalog.

How can I check this?

Regards,

Jelle

February 26th, 2015 12:07am

Hi Jelle,

"I did exactly the same for another request and then the people could not access the shared mailbox.", I would like to verify if you give the same Security Group rights to multiple shared mailboxes.

If the security group members can't have access to all the shared mailboxes they have rights, you can recreate a security group and grant permissions to shared mailboxes one by one to check the result.

Hope this can be helpful to you.

Best regards,

February 27th, 2015 10:22am

Hi Amy,

But they have access to other shared mailboxes. Just not the one I just created for them. When I reboot the Exchange server the access is OK. But it even goes the other way around. When I delete someone from a security group (that has access to the shared mailbox) the rights do not go away. They continue to have access to the shared mailbox (even through OWA, so it is not because of caching).

Best regards,

Jelle

February 27th, 2015 10:42am

This topic is archived. No further replies will be accepted.
