EXCH2003 - Unable to delete user from security permissions.
I really hope that somebody could help me to solve the enigma... :
I'm trying to fix some misconfiguration made by somebody in the past on an
SBS 2003 R2.
This is the fact:
Every time I add a new user, checking in the "Advanced Exchange Settings /
Mailbox Rights" there is ALWAYS another domain user present in the
permissions with some DENY settings inherited (checkbox greyed) including
the "Mailbox Full Access".
I need to remove that setting but I don't want to break the inheritance
propagation.
Could you help me to understand why this happens and, more importantly, where I
need to check the settings to remove this issue?
I enabled the Security tab for the object properties box of Exchange System
Manager following this KB:
http://go.microsoft.com/fwlink/?linkid=3052&kbid=264733
Then I opened EMS, selected the Organization Name security tab (that I think
is the top of the hierarchy) and that user is present with the same
permissions configuration (greyed).
Why??? Where are the root settings for this user?!
I'm frustrated.... :-(
Thank you to everyone for support.
April 18th, 2011 11:37am
Any number of places it could be inherited on...
Properties of the domain, OU - you will have to look in ADUC with View Advanced Features enabled. Properties of the mailbox store, server, database etc.
Simon.
Simon Butler, Exchange MVP
April 18th, 2011 5:53pm
I have already looked in every place I know... maybe there is some place I
don't know.... :-(
But is there no tool that finds the places where a user could be???
Thank you
<Sembee> wrote in message
news:35494f6e-2892-475a-8b2e-4f54318057ab@communitybridge.codeplex.com...
> Any number of places it could be inherited on...
>
> Properties of the domain, OU - you will have to look in ADUC with View
> Advanced Features enabled. Properties of the mailbox store, server,
> database etc.
>
> Simon.
>
>
> --------------------------------------------------------------------------------
> Simon Butler, Exchange MVP
> Blog | Exchange Resources | In the UK? Hire Me.
>
April 19th, 2011 4:28am
There is no magic tool that will tell you, as it can be set in a number of different places. You just have to look through, to find where it is being inherited from.
Unless you state where you have looked, there is no way to know if I know of another place to look. I failed my long distance mind reading exam at school.
Simon.
Simon Butler, Exchange MVP
April 20th, 2011 7:25pm
<Sembee> wrote in message
news:d4b24519-e9fd-4d04-981d-975bf67a674b@communitybridge.codeplex.com...
> There is no magic tool that will tell you, as it can be set in a number of
> different places. You just have to look through, to find where it is being
> inherited from.
>
> Unless you state where you have looked, there is no way to know if I know
> of another place to look. I failed my long distance mind reading exam at
> school.
I know that permission inheritance follows the object root hierarchy, correct?
I checked the domain security settings with ADUC and there is no evidence of
that user.
I also checked every object in the "Microsoft Exchange System Objects" ADUC
folder.
With EMS, selecting the Organization, the user is present with security
settings inherited.
My question is:
How is it possible that the user is not present in the domain top level of
the hierarchy, but is in the Exchange top level?
In other words: what (and where) are the levels above the Exchange
organization accessible with EMS?
Thank you for support
April 21st, 2011 6:39am
Do you install any third-party software which collaborates with Exchange Server, such as BES server?
Try checking the permission in ADSIEDIT tool, verify each level of the containers one by one:
Thanks,
Simon
April 24th, 2011 9:57pm
<Simon_Wu> wrote in message
news:76c760c2-ca15-45b8-9934-eaf23abd58ab@communitybridge.codeplex.com...
> Do you install any third-party software which collaborates with Exchange
> Server, such as BES server?
The only thing I installed is Symantec Backup Exec System Recovery but it is a
backup tool.
> Try checking the permission in ADSIEDIT tool, verify each level of the
> containers one by one:
I installed ADSIEDIT on the server.
Could you help me to understand where I need to check permissions and what
permission I need to find?
I expanded the domain container and selected the user but there are a lot of
parameters and I don't understand which could be the right one I need to edit.
Thank you for support
April 26th, 2011 9:06am
I would check the Exchange config partition as well in adsiedit.
1. start run, type adsiedit.msc
2. expand configuration, cn=services, cn=microsoft exchange, cn=org name, cn=admin groups, cn=Exchange admin group,cn=servers,cn=mailbox server,cn=information store,cn=storagegroup1,cn=mailboxdatabase.
3. right click cn=mailboxdatabase, properties, security tab. Do you see this user? If not repeat as below.
4. right click cn=storagegroup1, properties, security tab. Do you see this user? If not repeat.
5. right click cn=information store, properties, security tab. Do you see this user? If not repeat.
6. right click cn=mailbox server, properties, security tab. Do you see this user? If not repeat.
You get the point, keep going up the hierarchy until you find the user. Once you find the user, remove him from the security tab.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
April 26th, 2011 9:41am
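The walk up the Exchange configuration hierarchy described in the post above can be scripted. This is an added example, not part of the original thread; it assumes PowerShell 2.0 or later on a domain-joined machine, and the starting DN and account name are constructed placeholders.

```powershell
# Added example (not from the thread). Both parameter defaults are constructed
# placeholders: substitute the real mailbox database DN and the account to find.
param(
    [string]$StartDn = 'CN=Mailbox Store (SERVER1),CN=First Storage Group,CN=InformationStore,CN=SERVER1,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=ExampleOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=local',
    [string]$Account = 'EXAMPLE\someuser'
)

function Get-ExplicitAce {
    param([string]$Dn, [string]$Account)
    $entry = [ADSI]"LDAP://$Dn"
    # GetAccessRules(includeExplicit, includeInherited, targetType):
    # request only ACEs set directly on this object, never inherited ones.
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])
    $rules | Where-Object { $_.IdentityReference.Value -eq $Account }
}

$dn = $StartDn
# Climb one level per pass; stop once the parent DN leaves the Configuration
# partition (it then begins with DC=).
while ($dn -and $dn -notmatch '^DC=') {
    Get-ExplicitAce -Dn $dn -Account $Account |
        Select-Object @{Name='Object'; Expression={$dn}},
                      AccessControlType, ActiveDirectoryRights,
                      InheritanceType, ObjectType
    # Parent DN = everything after the first unescaped comma.
    $dn = ($dn -split '(?<!\\),', 2)[1]
}
```

Any row printed names an object where the account has an ACE set directly; on the objects beneath it the same entry appears greyed out as inherited.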
<Jamestechman> wrote in message
news:2b8beeb3-0aed-4740-991c-424aae1e52c4@communitybridge.codeplex.com...
>I would check the Exchange config partition as well in adsiedit.
> 1. start run, type adsiedit.msc
>
> 2. expand configuration, cn=services, cn=microsoft exchange, cn=org name,
> cn=admin groups, cn=Exchange admin group,cn=servers,cn=mailbox
> server,cn=information store,cn=storagegroup1,cn=mailboxdatabase.
>
> 3. right click cn=mailboxdatabase, properties, security tab. Do you see
> this user? If not repeat as below.
>
>
>
> 4. right click cn=storagegroup1, properties, security tab. Do you see this
> user? If not repeat.
>
> 5. right click cn=information store, properties, security tab. Do you see
> this user? If not repeat.
>
> 6. right click cn=mailbox server, properties, security tab. Do you see
> this user? If not repeat.
>
>
> You get the point, keep going up the hierarchy until you find the user.
> Once you find the user, remove him from the security tab.
Hi James...... you are great!!!! I found the user in the CN=Microsoft
Exchange!!!
I removed it and all was OK!!! The user disappeared!!!! You are my hero!!!
:-))
But how is it possible that the user was in that place? I checked with EMS
and it was not there.
I'm sure that nobody used adsiedit (it was not installed on the server).
I'm very curious.....
Thank you a lot for helping me
April 26th, 2011 10:08am
Great! Someone added it at one point, probably your last admin.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
April 26th, 2011 10:13am