I realize that this is an Exchange 2013 forum, but I think the answer should still apply.
We have an Exchange 2010 environment running on Win2008R2. I recently did some updates on our Exchange server that have caused the system/kernel to start utilizing excessively high CPU and disk I/O and degrading performance significantly. So, instead of wasting hours trying to figure out why and try to fix it, I decided that this would be as good a time as any to migrate off 2010. Unfortunately, the old server is not at SP3. So, I had to build an intermediate 2010 server that's on 2010 SP3 to get there (with the performance issues that the existing server is having, I seriously doubt that I would be able to install SP3 successfully). So, I have built and configured the new server and migrated almost all of the mailboxes (our journal is quite large and taking extra long because of the performance issues).
Here is the issue I have discovered. In joining the new Exchange server to the system, I seem to have lost the ability for Domain Admins to mount/browse mailboxes, most notably the journal. Prior to the upgrade (I suspect the ADPrep modified things), our domain admin credentials could attach any mailbox and view its folders. Doing some research, I believe I have discovered the issue. Using PowerShell, I retrieved permissions for the journal mailbox:
PS C:\Windows> Get-Mailbox journal | Get-MailboxPermission | select User,AccessRights,Deny,IsInherited | ft -AutoSize

User                                  AccessRights                                                             Deny  IsInherited
----                                  ------------                                                             ----  -----------
NT AUTHORITY\SELF                     {FullAccess, SendAs, ReadPermission}                                     False False
BUILTIN\Administrators                {FullAccess}                                                             False False
MYADDOMAIN\Domain Admins              {FullAccess}                                                             True  True
MYADDOMAIN\Enterprise Admins          {FullAccess}                                                             True  True
MYADDOMAIN\Organization Management    {FullAccess}                                                             True  True
MYADDOMAIN\ecadmin                    {FullAccess}                                                             True  True
MYADDOMAIN\Domain Admins              {FullAccess}                                                             False True
MYADDOMAIN\Enterprise Admins          {FullAccess}                                                             False True
MYADDOMAIN\Organization Management    {FullAccess}                                                             False True
MYADDOMAIN\Exchange Servers           {FullAccess}                                                             False True
MYADDOMAIN\Exchange Domain Servers    {FullAccess}                                                             False True
MYADDOMAIN\Organization Management    {ReadPermission}                                                         False True
MYADDOMAIN\Public Folder Management   {ReadPermission}                                                         False True
NT AUTHORITY\SYSTEM                   {FullAccess}                                                             False True
NT AUTHORITY\NETWORK SERVICE          {ReadPermission}                                                         False True
MYADDOMAIN\Exchange Servers           {ReadPermission}                                                         False True
MYADDOMAIN\Exchange Domain Servers    {ReadPermission}                                                         False True
MYADDOMAIN\Delegated Setup            {ReadPermission}                                                         False True
MYADDOMAIN\Organization Management    {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}  False True
MYADDOMAIN\Exchange Trusted Subsystem {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}  False True
MYADDOMAIN\ecadmin                    {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}  False True
BUILTIN\Administrators                {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}  False True
MYADDOMAIN\Enterprise Admins          {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}  False True
MYADDOMAIN\Domain Admins              {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}  False True
In the output, you can see where Domain Admins (as well as Enterprise Admins and my ECADMIN domain admin account) are Denied Full Access, but lower in the list are allowed Full Access. Since Deny trumps Allow, we cannot connect. I suspect the Denies were added/updated during the ADPrep.
I have searched the web at length to figure out exactly where to change these settings, but I am not able to find where the Deny is being set. Using ADSIEdit, I have found where the Allow for Domain Admins is being set (at the CN=Mailbox Database 0123456790 object), but I cannot find where the Deny is being set. If it were being set in an upstream object, inheritance would show it being denied, but it isn't. I don't see anywhere in ADSIEdit that Full Control is being denied.
I need to find out where the Denies are being set so that I can remove them. If the Deny isn't at the DB level, but is at the mailbox level and is being inherited, then I am not sure where to look. I don't know of anything between the two.
Any help would be immensely appreciated.
Thanks,
Eric
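One way to trace where those inherited Deny entries are actually defined, as an added example that is not part of the original post: the script below walks the object chain that mailbox rights are inherited along (mailbox user object, mailbox database, Exchange organization) and lists every Deny ACE with the level it sits on. It assumes an Exchange 2010 Management Shell session with the standard cmdlets loaded; the mailbox alias "journal" comes from the post, and the function name, variable names and labels are my own.

```powershell
# Added example, not from the original post. Assumes an Exchange 2010
# Management Shell session (Get-Mailbox, Get-MailboxDatabase,
# Get-OrganizationConfig, Get-MailboxPermission, Get-ADPermission available).
# "journal" is the mailbox alias from the post; everything else is assumed.
param(
    [string]$Mailbox = 'journal'
)

function Get-DenyAces {
    # Lists the Deny entries in the AD security descriptor of one object.
    # IsInherited = False on a Deny means it was written on THIS object;
    # IsInherited = True means it propagated down from a parent container.
    param(
        [Parameter(Mandatory = $true)] [string]$Identity,
        [Parameter(Mandatory = $true)] [string]$Scope
    )
    Get-ADPermission -Identity $Identity |
        Where-Object { $_.Deny -eq $true } |
        Select-Object @{ Name = 'Scope'; Expression = { $Scope } },
                      User,
                      @{ Name = 'Rights'; Expression = { (@($_.AccessRights) + @($_.ExtendedRights)) -join ', ' } },
                      IsInherited,
                      InheritanceType
}

$mbx = Get-Mailbox -Identity $Mailbox
$db  = Get-MailboxDatabase -Identity $mbx.Database.DistinguishedName
$org = Get-OrganizationConfig

# 1. Store-level mailbox rights as the post listed them, Deny entries only.
Write-Host "== Deny mailbox rights on $($mbx.DisplayName) =="
Get-MailboxPermission -Identity $mbx.Identity |
    Where-Object { $_.Deny -eq $true } |
    Format-Table User, AccessRights, IsInherited, InheritanceType -AutoSize

# 2. The AD objects the mailbox inherits from, bottom to top. The first level at
#    which a Deny shows IsInherited = False is where it is actually defined.
Write-Host "== Deny ACEs in AD: mailbox -> database -> organization =="
@(
    Get-DenyAces -Identity $mbx.DistinguishedName -Scope 'Mailbox user object'
    Get-DenyAces -Identity $db.DistinguishedName  -Scope "Database: $($db.Name)"
    Get-DenyAces -Identity $org.DistinguishedName -Scope 'Organization'
) | Format-Table Scope, User, Rights, IsInherited, InheritanceType -AutoSize
```

The organization object is one level above the database object the post inspected in ADSIEdit, and it is where Exchange setup itself places Deny Receive-As entries for Domain Admins, Enterprise Admins and Organization Management; those surface as inherited Deny FullAccess on every database and mailbox below, which matches the rows in the output above. Those denies exist so that directory administrators do not read every mailbox by default, so rather than removing them the narrower change is an explicit Add-MailboxPermission -AccessRights FullAccess for a dedicated, audited account on the journal mailbox alone: an explicit Allow on the mailbox is evaluated ahead of an inherited Deny, and the rest of the organization keeps its default posture.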