Can't use the Add-ADPermission cmdlet in Exchange 2007
I'm trying to use the command:

Add-ADPermission -Identity "Mailbox Store" -User "Trusted User" -ExtendedRights Receive-As

The problem is, when I run that command, I get the following error:

"The operation could not be performed because object <my mailbox database> could not be found on domain controller <my DC>"

I have confirmed that my Exchange 2007 server can communicate with the DC in question. I've checked all DNS entries and they look fine. The Exchange server has no problem retrieving user information from the AD database.

We just migrated from Exchange 5.5 to 2007, so the connection between Exchange and AD is new for me. Is this error trying to tell me that there should be some sort of Mailbox Database object (or at least a reference) somewhere in Active Directory? If so, where should I be able to find it?

Also, at what point during the migration would it have been placed in AD? I recall right after I finished migrating from 5.5 to 2003 that I had to go in and remove the deny rights for admins on mailboxes in 2003. It seems like that was in AD. However, the only mentions of Exchange I see in AD now that I've moved to 2007 are the new Exchange security groups.

Any help is greatly appreciated.

Max.
April 26th, 2007 7:34pm

OK, well I finally found a way to do what I wanted to do. It's not pretty, and it completely circumvents the security MS wanted to be there to disallow admins from doing things in others' mailboxes, but I can do my job again, which is all that matters to me. Here's the scoop:

First, install the ADSI Editor from your Windows Server CD. http://technet2.microsoft.com/windowsserver/en/library/ebca3324-5427-...

Next, open adsiedit.msc and drill down as follows: Expand CN=Configuration,DC=example,DC=com, expand CN=Services, expand CN=Microsoft Exchange, and then expand CN=OrganizationName (where OrganizationName is the name of your Exchange organization). Expand Administrative Groups (if administrative groups are enabled), expand your administrative group (for example, expand CN=First Administrative Group), expand CN=Servers, expand CN=ExchangeServerName (where ExchangeServerName is the name of your Exchange server), expand CN=InformationStore, and then click CN=StorageGroupName (where StorageGroupName is the name of the storage group that hosts the database that you want to move). (Above info found at http://support.microsoft.com/kb/822676)

In the right pane, you should see the mailbox database object. Double click on it. In the Mailbox Database properties window, click the Security tab. In the security tab, you'll see a lot of security groups. Some of them will be Domain Admins, Enterprise admins, etc. The admin groups that once had the ability to alter all mailboxes now have specific "Deny" attributes set. This is where you get rid of those.

Select the security object you want to grant rights to (like domain admins) and click on the Advanced button. In the Advanced Security Settings window, uncheck the box to Inherit permissions from the parent. Accept the conditions of this action in the pop up window. Now go through and Remove all of the Deny permissions and click OK. You may get a warning message about changing X number of permissions. Click OK.

Back at the security window, make sure the security group you just edited has Full Control rights set to Allow. Click OK and then sync your domain servers.

After I did that, I noticed that some users' mailboxes would open for me in Outlook and some would not. It turns out that the problem was that I had created profiles for some users in Outlook before my Exchange server upgrade. When I'd click File / Open / Other User's Folder apparently Outlook was trying to use something from those profiles to open the folder and would tell me that the mailbox could not be found. After I went in and deleted the profiles of the users I couldn't access I could immediately access their mailbox.

It took me almost a week to piece this information together. I hope it helps someone.
April 27th, 2007 5:17pm

I ran into the same issue. The above mentioned solution worked, but the Add-ADPermission -Identity "Mailbox Store" -User "Trusted User" -ExtendedRights Send-As is also working if the mailbox store is identified with its distinguished name and not as the "ExchangeServer\Storage group\Storage"
February 1st, 2008 7:18pm

Can you check the AD scope in EMC when you ran the command? Was it set for the entire forest? Run $AdminSessionAdSettings on EMC and confirm if ViewEntireForest is set to True. If not, run:

$AdminSessionAdSettings.ViewEntireForest = $true

http://blogs.technet.com/b/evand/archive/2007/02/14/adminsessionadsettings-and-you.aspx
February 1st, 2012 6:57am
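
The approach from the last two replies (forest-wide scope, database addressed by distinguished name), as an added example that is not part of the original thread: it audits who already holds Receive-As or Send-As on the database, then grants Receive-As to a single account. The server, storage group, database and account names are placeholders, and matching the account by its DOMAIN\name string is an assumption.

```powershell
# Added example (not from the thread); run in the Exchange Management Shell.
# Placeholders: replace both values with your own database and account.
$dbIdentity  = 'EXCHSRV\First Storage Group\Mailbox Database'
$trustedUser = 'EXAMPLE\TrustedUser'

# Let the session search every domain in the forest (last reply).
$AdminSessionAdSettings.ViewEntireForest = $true

# Resolve the database once and use its distinguished name from here on,
# the form the earlier reply reports Add-ADPermission accepting.
$db = Get-MailboxDatabase -Identity $dbIdentity -ErrorAction Stop
$dn = $db.DistinguishedName
Write-Host "Database DN: $dn"

# Audit the current ACL: who holds Receive-As or Send-As, as Allow or Deny?
$mailboxAces = Get-ADPermission -Identity $dn | Where-Object {
    ($_.ExtendedRights -like '*Receive-As*') -or ($_.ExtendedRights -like '*Send-As*')
}
$mailboxAces | Sort-Object Deny, User |
    Format-Table User, Deny, IsInherited, ExtendedRights -AutoSize

# Entries naming the trusted account directly (assumes the DOMAIN\name form).
$own     = @($mailboxAces | Where-Object { $_.User -like $trustedUser })
$denied  = @($own | Where-Object { $_.Deny })
$allowed = @($own | Where-Object {
    (-not $_.Deny) -and ($_.ExtendedRights -like '*Receive-As*')
})

if ($denied.Count -gt 0) {
    # An explicit Deny takes precedence over an Allow, so a grant would not help.
    Write-Warning "$trustedUser has an explicit Deny on $dn; review it before granting."
}
elseif ($allowed.Count -eq 0) {
    # Grant only the one extended right, to the one account.
    Add-ADPermission -Identity $dn -User $trustedUser -ExtendedRights Receive-As
}

# Show the resulting entries for the account.
Get-ADPermission -Identity $dn -User $trustedUser |
    Format-Table User, Deny, IsInherited, ExtendedRights, AccessRights -AutoSize
```

Deny entries set on groups the account belongs to do not appear in the per-account check; they show up in the first table.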

This topic is archived. No further replies will be accepted.
