I really hope that somebody could help me to solve the enigma... : I'm trying to fix some misconfiguration made by somebody in the past on an SBS 2003 R2. This is the fact: Every time I add a new user, cheking in the "Advanced Exchange Settings / Mailbox Rights" there is ALWAYS another domain user present in the permissions with some DENY settings inherited (checkbox greyed) including the "Mailbox Full Access". I need to remove that setting but I don't want to break the inherit propagation. Could you help me to understand why this happen and, more important, where I need to check the settings to remove this issue ? I enabled the Security tab for the object properties box of Exchange System Manager following this kb: http://go.microsoft.com/fwlink/?linkid=3052&kbid=264733). Then I open EMS, selected the Organization Name security tab (that I think is the top of the hierarchy) and that user is present with the same permissions configuration (grayed). Why ??? Where are the root settings for this user ?!?!? I'm frustrated.... :-( Thank you to everyone for support.

Any number of places it could be inherited on... Properties of the domain, OU - you will have to look in ADUC with View Advanced Features enabled. Properties of the mailbox store, server, database etc. Simon.Simon Butler, Exchange MVP Blog | Exchange Resources | In the UK? Hire Me.

I have already look in every place I know... maybe there is some place I don't know.... :-( But there is no some tool that find the places where a user could be ??? Thank you <Sembee> ha scritto nel messaggio news:35494f6e-2892-475a-8b2e-4f54318057ab@communitybridge.codeplex.com... > Any number of places it could be inherited on... > > Properties of the domain, OU - you will have to look in ADUC with View > Advanced Features enabled. Properties of the mailbox store, server, > database etc. > > Simon. > > > -------------------------------------------------------------------------------- > Simon Butler, Exchange MVP > Blog | Exchange Resources | In the UK? Hire Me. >

There is no magic tool that will tell you, as it can be set in a number of different places. You just have to look through, to find where it is being inherited from. Unless you state where you have looked, there is no way to know if I know of another place to look. I failed my long distance mind reading exam at school. Simon.Simon Butler, Exchange MVP Blog | Exchange Resources | In the UK? Hire Me.

<Sembee> ha scritto nel messaggio news:d4b24519-e9fd-4d04-981d-975bf67a674b@communitybridge.codeplex.com... > There is no magic tool that will tell you, as it can be set in a number of > different places. You just have to look through, to find where it is being > inherited from. > > Unless you state where you have looked, there is no way to know if I know > of another place to look. I failed my long distance mind reading exam at > school. I know that permission inherit, follow the object root hierarchy, correct ? I checked with ADUC the domain security settings and there is no evidence of that user. I checked too every object in the "Microsoft Exchange System Objects" ADUC folder. With EMS , selecting the Organization, the user is present with security settings inherited. My question is: How it is possible that the user is not present in the domain top level of the hierarchy, but is in the Exchange top level ? In other words...: what (and where) are the levels upper than Exchange organization accessible with ems ? Thank you for support

Do you install any third-party software which collaborates with Exchange Server, such as BES server? Try checking the permission in ADSIEDIT tool, verify each level of the containers one by one: Thanks, Simon

<Simon_Wu> ha scritto nel messaggio news:76c760c2-ca15-45b8-9934-eaf23abd58ab@communitybridge.codeplex.com... > Do you install any third-party software which collaborates with Exchange > Server, such as BES server? The only thing I installed is Symantec Backup Exec System Recovery but is a backup tool. > Try checking the permission in ADSIEDIT tool, verify each level of the > containers one by one: I installed ADSIEDIT on the server. Could you help me to understand where I need to check permissions and what permission I need to find ? I expanded the domain container and selected the user but there are a lot of parameters and I don't understand which could be the right I need to edit. Thank you for support

I would check the Exchange config partition as well in adsiedit. 1. start run, type adsiedit.msc 2. expand configuration, cn=services, cn=microsoft exchange, cn=org name, cn=admin groups, cn=Exchange admin group,cn=servers,cn=mailbox server,cn=information store,cn=storagegroup1,cn=mailboxdatabase. 3. right click cn=mailboxdatabase, properties, security tab. Do you see this user? If not repeat as below. 4. right click cn=storagegroup1, properties, security tab. Do you see this user? If not repeat. 5. right click cn=information store, properties, security tab. Do you see this user? If not repeat. 6. right click cn=mailbox server, properties, security tab. Do you see this user? If not repeat. You get the point, keep going up the hiearchy until you find the user. Once you find the user, remove him from the security tab.James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

<Jamestechman> ha scritto nel messaggio news:2b8beeb3-0aed-4740-991c-424aae1e52c4@communitybridge.codeplex.com... >I would check the Exchange config partition as well in adsiedit. > 1. start run, type adsiedit.msc > > 2. expand configuration, cn=services, cn=microsoft exchange, cn=org name, > cn=admin groups, cn=Exchange admin group,cn=servers,cn=mailbox > server,cn=information store,cn=storagegroup1,cn=mailboxdatabase. > > 3. right click cn=mailboxdatabase, properties, security tab. Do you see > this user? If not repeat as below. > > > > 4. right click cn=storagegroup1, properties, security tab. Do you see this > user? If not repeat. > > 5. right click cn=information store, properties, security tab. Do you see > this user? If not repeat. > > 6. right click cn=mailbox server, properties, security tab. Do you see > this user? If not repeat. > > > You get the point, keep going up the hiearchy until you find the user. > Once you find the user, remove him from the security tab. Hi James...... you are great !!!! I found the user in the CN=Microsoft Exchange !!! I removed and all was ok !!! The user disappear !!!! You are my hero !!! :-)) But how is it possible that the user was in that place ? I checked with EMS and there was not. I'm sure that nobody used adsiedit (it was not installed on the server). I'm very curious..... Thank you a lot for helping me

Great! Someone added it at one point probably your last admin.James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com