Configuring exchange permissions / Cannot access mailbox
Hello,
I am having problems getting access to a mailbox from the administrator account. I have logged in as administrator, opened Outlook, and then when I add the mailbox to my Outlook profile I get an error 'cannot expand folder'.
I then look at the full access permission and the administrator has permission.
I then go into powershell and run the following
cmdlet Get-MailboxPermission at command pipeline position 1
Supply values for the following parameters:
Identity: sfoxley
Identity User AccessRights IsInherited Deny
-------- ---- ------------ ----------- ----
PI.local/PRECP/Si... PI\administrator {FullAccess} False True
PI.local/PRECP/Si... NT AUTHORITY\SELF {FullAccess, Rea... False False
PI.local/PRECP/Si... PI\Domain Admins {FullAccess} False False
PI.local/PRECP/Si... PI\filesave {FullAccess} True False
PI.local/PRECP/Si... PI\besadmin {FullAccess} True False
PI.local/PRECP/Si... PI\3LW7T4J$ {ReadPermission} True False
PI.local/PRECP/Si... PI\filesave {ReadPermission} True False
PI.local/PRECP/Si... PI\besadmin {ReadPermission} True False
PI.local/PRECP/Si... PI\Exchange Servers {FullAccess} True True
PI.local/PRECP/Si... PI\Domain Admins {FullAccess} True True
PI.local/PRECP/Si... PI\Enterprise Admins {FullAccess} True True
PI.local/PRECP/Si... PI\Exchange Organ... {FullAccess} True True
PI.local/PRECP/Si... PI\administrator {FullAccess} True True
PI.local/PRECP/Si... PI\Exchange Servers {FullAccess} True False
PI.local/PRECP/Si... PI\Exchange Publi... {ReadPermission} True False
PI.local/PRECP/Si... NT AUTHORITY\NETW... {ReadPermission} True False
PI.local/PRECP/Si... PI\Exchange Servers {ReadPermission} True False
PI.local/PRECP/Si... PI\Exchange View-... {ReadPermission} True False
PI.local/PRECP/Si... PI\Exchange Organ... {FullAccess, Del... True False
PI.local/PRECP/Si... PI\administrator {FullAccess, Del... True False
PI.local/PRECP/Si... PI\Enterprise Admins {FullAccess, Del... True False
PI.local/PRECP/Si... PI\Domain Admins {FullAccess, Del... True False
If you look at the top line, it states that PI\administrator has deny rights over the mailbox. This is the only line I can see which is different to when I run this on a mailbox I can open and view.
I cannot see how I can remove this and not deny the administrator access.
Can anyone help with this?
Luke
January 14th, 2011 4:30am
How long ago did you change the permissions?
Exchange caches permissions and therefore it can take a while before a permission change is fully effective.
By default Administrator has a deny permission on all mailboxes as a security measure. Ideally you should use another account for access to the mailboxes, not the administrator account.
Simon.
Simon Butler, Exchange MVP
January 14th, 2011 6:39am
Simon,
Thanks for your reply. To clear things up, I have added the Domain Admins group to have full access to the mailboxes, not the administrator itself, but the administrator is a member. The administrator does not appear in the full access permission window.
With the security matrix above, the first line is the only thing different to the other users and I am assuming this is why I cannot view the mailbox. I have added the administrator user to have full access and then removed it again to try and refresh the security, but to no avail.
I did all this yesterday, so I would have thought that the change would have filtered through. How long do the changes usually take to become effective?
Have you any other ideas?
Cheers!
Luke
January 14th, 2011 11:02am
Domain Admins has the same problem as Administrator. An explicit deny.
Deny overrides allow.
You shouldn't use any of the privileged accounts for full permissions - so Administrator, Administrators, Domain Admins or any members of those groups as they will be denied. It is possible to remove those permissions, but it is not something that is recommended.
The permissions cache flushes in about two hours, or when the information store service is restarted (which will kick everyone out of Outlook).
Simon.
Simon Butler, Exchange MVP
January 14th, 2011 11:20am
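Simon's point that deny overrides allow is only half of the rule: Windows evaluates a canonical ACL in the order explicit deny, explicit allow, inherited deny, inherited allow, which is why the inherited deny ACEs for Administrator and Domain Admins that appear on every mailbox do not block an explicit Domain Admins allow, while the non-inherited deny on sfoxley does. The following script is an added example, not code from the thread or from Microsoft: it ranks the FullAccess ACEs that Get-MailboxPermission returns by that order and reports which one decides access. The mailbox alias and the principal list (the account plus the groups it belongs to) are assumed values; build the list from the account's actual group membership in practice.

```powershell
# Added example, not from the thread. Works out which ACE decides FullAccess for an account on
# one mailbox, using the canonical Windows ACE order: explicit deny, explicit allow, inherited
# deny, inherited allow. Simplified model: for the single FullAccess right, the first matching
# ACE in that order wins. Run inside the Exchange Management Shell.
param(
    # Mailbox alias from the thread
    [string]$Mailbox = 'sfoxley',
    # The account being checked plus the groups it belongs to (assumed list; in practice
    # derive it from the account's group membership)
    [string[]]$Principals = @('PI\administrator', 'PI\Domain Admins')
)

# Keep only ACEs that name one of our principals and carry the FullAccess right
$aces = Get-MailboxPermission -Identity $Mailbox | Where-Object {
    ($Principals -contains $_.User.ToString()) -and ($_.AccessRights -contains 'FullAccess')
}

# Rank each ACE by canonical evaluation order; the lowest rank is evaluated first
$ranked = foreach ($ace in $aces) {
    if (-not $ace.IsInherited -and $ace.Deny) { $rank = 0 }   # explicit deny
    elseif (-not $ace.IsInherited)            { $rank = 1 }   # explicit allow
    elseif ($ace.Deny)                        { $rank = 2 }   # inherited deny
    else                                      { $rank = 3 }   # inherited allow
    New-Object PSObject -Property @{
        Rank        = $rank
        User        = $ace.User.ToString()
        IsInherited = $ace.IsInherited
        Deny        = $ace.Deny
    }
}

$winner = $ranked | Sort-Object Rank | Select-Object -First 1
if ($winner) {
    $verdict = if ($winner.Deny) { 'DENIED' } else { 'ALLOWED' }
    $kind    = if ($winner.IsInherited) { 'inherited' } else { 'explicit' }
    $kind   += if ($winner.Deny) { ' deny' } else { ' allow' }
    $values  = @($Mailbox, ($Principals -join ', '), $verdict, $kind, $winner.User)
    'FullAccess on {0} for {1}: {2} (decided by the {3} ACE for {4})' -f $values
} else {
    'No FullAccess ACE on {0} names any of: {1}' -f $Mailbox, ($Principals -join ', ')
}
```

Against the output Luke pasted, the explicit deny for PI\administrator on sfoxley gets rank 0 and the result is DENIED; on a mailbox without that ACE the explicit Domain Admins allow (rank 1) wins and the result is ALLOWED, which matches what he observes. The real access check walks the ACL ACE by ACE and accumulates individual rights, so this first-match model is exact only for a single right such as FullAccess.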
Hi Luke,
By default, the permissions of PI\administrator on the mailbox are:
PI.local/PRECP/Si... PI\administrator {FullAccess} True True
PI.local/PRECP/Si... PI\administrator {FullAccess, Del... True False
If you want to give full access permission to the administrator using EMC -> "Manage Full Access Permission", there will be an additional ACE:
PI.local/PRECP/Si... PI\administrator {FullAccess} False False
Then the administrator can open the user's mailbox.
If you remove the full access permission using EMC, the ACE will be changed to:
PI.local/PRECP/Si... PI\administrator {FullAccess} False True
This one is the same as yours.
Please give the full access permission to administrator again.
Frank Wang
TechNet Subscriber Support
If you have any feedback on our support, please contact
tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
January 17th, 2011 3:29am
Hi Luke,
Any updates on your issue?
January 18th, 2011 4:43am
Frank,
What you said above is correct.
If I remove the full access permission using EMC, the ACE is changed to:
PI.local/PRECP/Si... PI\administrator {FullAccess} False True
This one is the same as yours.
However, here is the strange thing. If I compare two users (Simon and Steve), they both have the same entries in the full access permission window in EMC. These are:
PI\besadmin (blackberry server access)
PI\domain admins
PI\filesave (backup server access)
NT AUTHORITY\SELF
If I run the get-mailboxpermission command from PowerShell I get the following:
STEVE
Identity User AccessRights IsInherited Deny
-------- ---- ------------ ----------- ----
PI.local/PRECP/St... NT AUTHORITY\SELF {FullAccess, Rea... False False
PI.local/PRECP/St... PI\Domain Admins {FullAccess} False False
PI.local/PRECP/St... PI\filesave {FullAccess} True False
PI.local/PRECP/St... PI\besadmin {FullAccess} True False
PI.local/PRECP/St... PI\3LW7T4J$ {ReadPermission} True False
PI.local/PRECP/St... PI\filesave {ReadPermission} True False
PI.local/PRECP/St... PI\besadmin {ReadPermission} True False
PI.local/PRECP/St... PI\Exchange Servers {FullAccess} True True
PI.local/PRECP/St... PI\Domain Admins {FullAccess} True True
PI.local/PRECP/St... PI\Enterprise Admins {FullAccess} True True
PI.local/PRECP/St... PI\Exchange Organ... {FullAccess} True True
PI.local/PRECP/St... PI\administrator {FullAccess} True True
PI.local/PRECP/St... PI\Exchange Servers {FullAccess} True False
PI.local/PRECP/St... PI\Exchange Publi... {ReadPermission} True False
PI.local/PRECP/St... NT AUTHORITY\NETW... {ReadPermission} True False
PI.local/PRECP/St... PI\Exchange Servers {ReadPermission} True False
PI.local/PRECP/St... PI\Exchange View-... {ReadPermission} True False
PI.local/PRECP/St... PI\Exchange Organ... {FullAccess, Del... True False
PI.local/PRECP/St... PI\administrator {FullAccess, Del... True False
PI.local/PRECP/St... PI\Enterprise Admins {FullAccess, Del... True False
PI.local/PRECP/St... PI\Domain Admins {FullAccess, Del... True False
SIMON
Identity User AccessRights IsInherited Deny
-------- ---- ------------ ----------- ----
PI.local/PRECP/Si... PI\administrator {FullAccess} False True
PI.local/PRECP/Si... NT AUTHORITY\SELF {FullAccess, Rea... False False
PI.local/PRECP/Si... PI\Domain Admins {FullAccess} False False
PI.local/PRECP/Si... PI\filesave {FullAccess} True False
PI.local/PRECP/Si... PI\besadmin {FullAccess} True False
PI.local/PRECP/Si... PI\3LW7T4J$ {ReadPermission} True False
PI.local/PRECP/Si... PI\filesave {ReadPermission} True False
PI.local/PRECP/Si... PI\besadmin {ReadPermission} True False
PI.local/PRECP/Si... PI\Exchange Servers {FullAccess} True True
PI.local/PRECP/Si... PI\Domain Admins {FullAccess} True True
PI.local/PRECP/Si... PI\Enterprise Admins {FullAccess} True True
PI.local/PRECP/Si... PI\Exchange Organ... {FullAccess} True True
PI.local/PRECP/Si... PI\administrator {FullAccess} True True
PI.local/PRECP/Si... PI\Exchange Servers {FullAccess} True False
PI.local/PRECP/Si... PI\Exchange Publi... {ReadPermission} True False
PI.local/PRECP/Si... NT AUTHORITY\NETW... {ReadPermission} True False
PI.local/PRECP/Si... PI\Exchange Servers {ReadPermission} True False
PI.local/PRECP/Si... PI\Exchange View-... {ReadPermission} True False
PI.local/PRECP/Si... PI\Exchange Organ... {FullAccess, Del... True False
PI.local/PRECP/Si... PI\administrator {FullAccess, Del... True False
PI.local/PRECP/Si... PI\Enterprise Admins {FullAccess, Del... True False
PI.local/PRECP/Si... PI\Domain Admins {FullAccess, Del... True False
If you notice the first line of Simon's permission matrix, it states that administrator has deny access to the mailbox, yet Steve's does not. With these settings in place, I cannot access the mailbox.
Are you saying that Simon's permissions are set as they should be? If so, why are they different?
Luke
January 18th, 2011 5:14am
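Luke found the offending ACE by reading two 20-line tables side by side. The script below is an added example, not code from the thread or from Microsoft, that does the same comparison mechanically: it fetches the non-inherited ACEs of two mailboxes (the inherited ones come from the database and organization and are identical on every mailbox, so they cannot explain a per-mailbox difference), normalises each ACE to a string and lets Compare-Object report the ones present on only one side. The aliases steve and simon are assumed.

```powershell
# Added example, not from the thread. Diffs the non-inherited mailbox ACEs of two mailboxes to
# spot the one that differs. Run inside the Exchange Management Shell.
param(
    [string]$Reference  = 'steve',   # mailbox that opens fine (alias assumed)
    [string]$Difference = 'simon'    # mailbox that reports "cannot expand folder" (alias assumed)
)

function Get-ExplicitAceKeys([string]$Mailbox) {
    # Only explicit (IsInherited = False) ACEs can differ between mailboxes
    Get-MailboxPermission -Identity $Mailbox |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object {
            # Normalise each ACE to one comparable string: user | sorted rights | deny flag
            '{0} | {1} | Deny={2}' -f $_.User.ToString(),
                                      (($_.AccessRights | Sort-Object) -join ','),
                                      $_.Deny
        }
}

$refKeys  = Get-ExplicitAceKeys $Reference
$diffKeys = Get-ExplicitAceKeys $Difference

# Entries with SideIndicator '=>' exist only on $Difference, '<=' only on $Reference
Compare-Object -ReferenceObject $refKeys -DifferenceObject $diffKeys | ForEach-Object {
    $where = if ($_.SideIndicator -eq '=>') { $Difference } else { $Reference }
    'Only on {0}: {1}' -f $where, $_.InputObject
}
```

Run against the two tables Luke posted, the only line reported is the explicit deny on Simon's mailbox: `Only on simon: PI\administrator | FullAccess | Deny=True`. The SELF and Domain Admins allows are present on both and cancel out.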
Hi Luke,
Could you please clarify this for me (I suggest you create two test users as well):
You add the "Domain Admins" group to the two users (STEVE & SIMON) using EMC; after that, you can open the two users' mailboxes using the PI\administrator's mailbox.
Then you decide to add PI\administrator to SIMON; one ACE is added (and you can still access the mailbox):
PI.local/PRECP/Si... PI\administrator {FullAccess} False False
Then if you remove it from SIMON, the ACE will be changed to:
PI.local/PRECP/Si... PI\administrator {FullAccess} False True
But at the moment, PI\administrator cannot access SIMON's mailbox?
As you can see, they both have the same entries in the full access permission window in EMC.
"Why are they different?": I guess if you add a security description (e.g. PI\administrator, PI\Exchange Servers) that already exists in the ACL, then remove it, the ACE will not be removed. Instead, the deny list is changed.
Frank Wang
TechNet Subscriber Support
If you have any feedback on our support, please contact
tngfb@microsoft.com
January 18th, 2011 10:37pm