What account in Exchange 2007 accesses the AD environment?
We are upgrading from Exchange 2003 to Exchange 2007. However, there are a few accounts which the Exchange environment cannot see in the AD environment. We have seen this in their environment in the past, and it relates to account permissions. I am looking for the account (service or other) or the group that provides for this function, to ensure that they are added to the Domain Administrators account. Thank you,
Steve Lazzara
May 6th, 2010 7:52pm

Please check these articles:
Upgrading to Exchange 2007: http://technet.microsoft.com/en-us/library/bb124008(EXCHG.80).aspx
Common Mistakes When Upgrading Exchange 2000/2003 To a Exchange 2007: http://support.microsoft.com/kb/555854
May 6th, 2010 8:02pm

If this were a simple upgrade, these would be helpful. However, this is not an issue with the upgrade, but rather an ACL issue on the AD objects themselves. What I am looking for is the underlying account which the services, API or otherwise, are running on to "see" into the AD environment, in order to ensure that they have the rights to see these accounts. Thank you.
May 6th, 2010 8:30pm

Can you elaborate more on “there are a few accounts which the Exchange environment can not see in the AD environment”? What accounts are you talking about? Where do you see these accounts? Inside Exchange?
Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+
Houston, TX
http://blogs.sivarajan.com/
http://publications.sivarajan.com/
This posting is provided "AS IS" with no warranties, and confers no rights.
May 6th, 2010 8:41pm

These are general user objects (i.e. a user account) in the AD environment, which then have an e-mail address associated with them, i.e. John Smith with the e-mail of jsmith@domain.com and the mailbox associated with jsmith@domain.com. I can see this in Exchange 2003, and in the AD domain when logged in with an account that has Domain Administrator rights. If I attempt to view these accounts (like doing an LDAP lookup, or opening ADUC with a non-domain administrator account) I do not see these accounts. We now have a new Exchange 2007 HUB/CAS server. External mail flow is now going through this server. However, these accounts appear to be invisible, and it is giving a non-deliverable error because it says that these accounts do not exist.
May 6th, 2010 9:19pm

Steve- The lookups are done in the context of the computer accounts of your Exchange servers. It sounds like someone has mucked with the default permissions and/or inheritance. I'd look at the ACLs on these problem users and see if they're inheriting permissions. There's also a Permission Inheritance check in the ExBPA you might want to run.
Active Directory, 4th Edition - www.briandesmond.com/ad4/
May 8th, 2010 1:46am
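
One way to script the ACL check suggested in the reply above, as an added example that is not part of the original thread. The function names and the two sample SDDL strings are constructed for illustration, and the default trustee SID `S-1-5-11` (Authenticated Users) is only a stand-in: pass the SID of an Exchange server's computer account, or of a group it belongs to, when checking a real object.

```powershell
# Added example; helper names are hypothetical and the SDDL samples are constructed.
function Get-DaclSummary {
    param(
        [Parameter(Mandatory = $true)][string]$Sddl,
        # Stand-in default (Authenticated Users); replace with the SID you care about.
        [string]$TrusteeSid = 'S-1-5-11'
    )
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    $protectedBit = [int][System.Security.AccessControl.ControlFlags]::DiscretionaryAclProtected
    $readProp = 0x10   # ADS_RIGHT_DS_READ_PROP
    $hasRead = $false
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Approximation: an object ACE scoped to one property still counts as "read" here.
        if ($ace.AceType -like 'AccessAllowed*' -and
            $ace.SecurityIdentifier.Value -eq $TrusteeSid -and
            ($ace.AccessMask -band $readProp)) { $hasRead = $true }
    }
    New-Object PSObject -Property @{
        # True when the DACL no longer inherits from the parent container.
        InheritanceBlocked   = (([int]$sd.ControlFlags -band $protectedBit) -ne 0)
        TrusteeHasExplicitRead = $hasRead
    }
}

# Reads the DACL of a live AD object; run as an account that can see the object.
function Get-AdObjectSddl {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $entry.psbase.ObjectSecurity.GetSecurityDescriptorSddlForm('Access')
}

# Constructed samples: the first DACL inherits and grants read to the trustee,
# the second is protected (D:P...) and lists only SYSTEM and built-in Administrators.
$samples = @{
    'inheriting user (constructed)' = 'D:AI(A;;RPLCRC;;;AU)(A;;GA;;;SY)'
    'protected user (constructed)'  = 'D:PAI(A;;GA;;;SY)(A;;GA;;;BA)'
}
foreach ($name in $samples.Keys) {
    $r = Get-DaclSummary -Sddl $samples[$name]
    '{0}: InheritanceBlocked={1} TrusteeHasExplicitRead={2}' -f `
        $name, $r.InheritanceBlocked, $r.TrusteeHasExplicitRead
}
# Live use (placeholder DN): Get-DaclSummary -Sddl (Get-AdObjectSddl 'CN=<user>,OU=<ou>,DC=<domain>')
```

An object that reports `InheritanceBlocked=True` and no read ACE for the Exchange server's identity matches the symptom described in the thread; this only inspects explicit ACEs on the object itself, so group membership still has to be checked separately.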

This topic is archived. No further replies will be accepted.
